Release Note: BIG-IP LTM and TMOS 12.0.0

Original Publication Date: 10/06/2016

Summary:

This release note documents the version 12.0.0 release of BIG-IP Local Traffic Manager and TMOS. You can apply the software upgrade to systems running software versions 10.1.0 (or later) or 11.x.

Contents:

- Platform support
- Configuration utility browser support
- BIG-IQ – BIG-IP Compatibility
- User documentation for this release
- New in 12.0.0
- Fixed CVE issues in 12.0.0
- Installation overview
     - Installation checklist
     - Installing the software
     - Post-installation tasks
     - Installation tips
- Upgrading from earlier versions
- Upgrading earlier configurations
- Fixes in 12.0.0
- Behavior changes in 12.0.0
- Known issues
- Contacting F5 Networks
- Legal notices

Platform support

This version of the software is supported on the following platforms:

Platform name                                                       Platform ID
BIG-IP 800 (LTM only)                                               C114
BIG-IP 1600                                                         C102
BIG-IP 3600                                                         C103
BIG-IP 3900                                                         C106
BIG-IP 6900                                                         D104
BIG-IP 8900                                                         D106
BIG-IP 8950                                                         D107
BIG-IP 11000                                                        E101
BIG-IP 11050                                                        E102
BIG-IP 2000s, BIG-IP 2200s                                          C112
BIG-IP 4000s, BIG-IP 4200v                                          C113
BIG-IP 5000s, 5050s, 5200v, 5250v                                   C109
BIG-IP 7000s, 7050s, 7055, 7200v, 7250v, 7255                       D110
BIG-IP 12250v                                                       D111
BIG-IP 10150s-NEBS, 10350v (AC), 10350v-NEBS (requires 12.0.0 HF1)  D112
BIG-IP 10000s, 10050s, 10055, 10200v, 10250v, 10255                 D113
VIPRION B2100 Blade                                                 A109
VIPRION B2150 Blade                                                 A113
VIPRION B2250 Blade                                                 A112
VIPRION B4200, B4200N Blade                                         A107, A111
VIPRION B4300, B4340N Blade                                         A108, A110
VIPRION C2200 Chassis                                               D114
VIPRION C2400 Chassis                                               F100
VIPRION C4400, C4400N Chassis                                       J100, J101
VIPRION C4480, C4480N Chassis                                       J102, J103
VIPRION C4800, C4800N Chassis                                       S100, S101
Virtual Edition (VE)                                                Z100
vCMP Guest                                                          Z101

These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.

Most of the support guidelines relate to memory. The following list applies for all memory levels:

  • vCMP supported platforms
    • VIPRION B2100, B2150, B2250, B4200, B4300, B4340N
    • BIG-IP 5200v, 7200v, 10200v
  • PEM and CGNAT supported platforms
    • VIPRION B2100, B2150, B2250, B4300, B4340N
    • BIG-IP 5x00v(s), 7x00v(s), 10x00v(s)
    • BIG-IP Virtual Edition (VE) (Not including Amazon Web Service Virtual Edition) (3 GB, 10 GB production and combination lab models)
    • PEM and CGNAT may be provisioned on the VIPRION B4200, but it is not recommended for production, only for evaluation. PEM may be provisioned on the VIPRION B2100, but it is not recommended for production, only for evaluation. Use the B4300 or B4340N instead.
  • BIG-IP 800 platform support
    • The BIG-IP 800 platform supports Local Traffic Manager (LTM) only, and no other modules.

Memory: 12 GB or more

All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combination of modules are available for provisioning.

Memory: 8 GB

The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)

  • No more than three modules should be provisioned together.
  • On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
  • In the case of Access Policy Manager (APM) and SWG together, no module other than LTM may be provisioned, and LTM provisioning must be set to None.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.)

  • No more than three modules (not including AAM) should be provisioned together.
  • Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
  • Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).

Memory: 4 GB or less

The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.

  • No more than two modules may be configured together.
  • AAM should not be provisioned, except as Dedicated.
  • ASM can be provisioned with this amount of memory, but a sizing exercise should be performed to ensure that it does not hit capacity issues.

vCMP memory provisioning calculations

The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory - 3 GB) x (cpus_assigned_to_guest / total_cpus).

As an example, for the B2100 with two guests, provisioned memory calculates as: (16 - 3) x (2/4) ~= 6.5 GB.

For certain platforms, the vCMP host can allocate a single core to a vCMP guest. However, because a single-core guest has relatively small amounts of CPU resources and allocated memory, F5 supports only the following products or product combinations for a single-core guest:
  • BIG-IP LTM standalone only
  • BIG-IP GTM standalone only
  • BIG-IP LTM and GTM combination only

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

  • Microsoft Internet Explorer 8.x, 11.x
  • Mozilla Firefox 27.x
  • Google Chrome 32.x

BIG-IQ – BIG-IP Compatibility

SOL14592: Compatibility between BIG-IQ and BIG-IP releases provides a summary of version compatibility for specific features between the BIG-IQ system and BIG-IP releases.

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP LTM / VE 12.0.0 Documentation page.

New in 12.0.0

HTTP

Expanded cookie parsing

Cookie parsing and handling now supports RFC 2109, RFC 2965, and Netscape formats, in addition to RFC 6265. Extra attributes within the Set-Cookie header can now be parsed and used for routing decisions.

Networking

Support for large routing tables

Dynamic routing on the BIG-IP system now supports a full Internet routing table. This increase in table size accommodates customers who may want to deploy the BIG-IP system as an edge router.

HTTP Strict Transport Security (HSTS) functionality

In this release, an HTTP profile provides HTTP Strict Transport Security (HSTS) settings that apply HSTS security functionality. With HSTS enabled, clients must use secure HTTPS connections, rather than non-secure HTTP, for a domain (and optionally its subdomains), and each client persists that HSTS policy for a specified period. Using this feature requires administrative access to the BIG-IP system.

OSPFv3 Graceful Restart

This release supports the use of the OSPFv3 Graceful Restart feature (RFC 5187) to enable blade failover with minimal disruption to the forwarding plane. For more information, see BIG-IP Advanced Routing Open Shortest Path First Command Line Interface Reference Guide, version 7.10.4.

TCP Fast Open

This feature minimizes the amount of time needed for the initial TCP handshake on small transmissions. TCP Fast Open is a standard that allows properly configured clients to transmit some of the data in the initial SYN portion of the handshake to open the connection. This standard saves some round trips, which speeds transmission.

Ephemeral port exhaustion

In this release, you can configure the BIG-IP system to accumulate real-time ephemeral-port statistics. When usage exceeds a specified threshold level, the BIG-IP system can log an error and provide a Simple Network Management Protocol (SNMP) alert notification, which enables you to assess an approaching exhaustion of ephemeral ports and respond accordingly.

Diameter protocol message routing

This release provides Diameter protocol high-speed message routing functionality for routing peer-to-peer messages and load balancing diameter traffic. This new functionality allows the BIG-IP system to route all messages through a single connection between the BIG-IP system and its peers, improving performance. Furthermore, the BIG-IP system now responds to a capabilities exchange as a Diameter node with its own configurable identity and supported applications instead of masquerading as the first server in the pool.

Multicast routing

This release supports IGMP (RFC 2236, RFC 3376), MLD (RFC 2710, RFC 3810), and IPv4/IPv6 Protocol Independent Multicast Dense Mode (PIM-DM, RFC 3973).

vCMP

vCMP per-guest SSL rate limiting

For VIPRION systems that use the B2250 blade model or the BIG-IP 5000-Series, 7000-Series, 10000-Series, and 12000-Series appliances, and are provisioned for vCMP, the system can now allocate specific hardware-based SSL resource to each guest, according to an SSL mode that you assign to a guest. The available modes are: Shared, Dedicated, and None. For other blade models that include SSL hardware processors, the vCMP feature continues to share these hardware resources among all guests in a round robin fashion.

vCMP per-guest network rate limiting

vCMP-enabled systems can now have network rate limiting applied on a per-guest basis at the switch-level. There are three parameters which can be configured for each guest: Committed Information Rate (maximum bandwidth), Committed Burst Size (amount of bandwidth for bursting above CIR), and Excess Burst Size (total amount of bursted bandwidth in bytes).

Traffic Policies

Tcl command substitutions

In this release, certain BIG-IP local traffic policy actions support Tcl command substitutions, giving you significant flexibility in configuring policies. Tcl command substitutions provide quick, read-only access to immediately available runtime data, such as information about a current request’s URI, or a header or cookie in the request or response.

Persistence Profile Selection

This release provides functionality to programmatically set the persistence type as an action. This includes all persistence types supported by iRules: persist none, hash, srcaddr, destaddr, and universal commands in any circumstance, even if a corresponding persistence profile is not configured and assigned to the virtual server. Note: The persist ssl, cookie, msrdp, and sip commands require that you assign a corresponding persistence profile to the virtual server.

TLS/SSL

Encryption using Camellia cipher suites in NATIVE (default) mode

The BIG-IP system now allows encryption using the Camellia cipher suites in NATIVE (default) mode. In the 12.0.0 release, the TLS cipher suites with Camellia ciphers that are supported by the BIG-IP system match the cipher suites supported by OpenSSL. You can view the Camellia cipher suites that are supported in OpenSSL by using the Bash shell command openssl ciphers -v | grep CAMELLIA.

Suite B: 384-Prime Curve Modulus Support

Suite B is the recommended set of cipher families for protecting data at various classification levels. These levels include Confidential, Secret, and Top Secret. Protection at these levels is required for certain U.S. Federal Government institutions. The BIG-IP system now supports the 384-bit prime modulus curve and SHA-384.

SSL connection mirroring support

When you enable connection mirroring on a virtual server that references an SSL profile, the BIG-IP system now mirrors SSL-specific data to its next-active device in the device group. This preserves in-process SSL connections when failover occurs.

Support for arbitrary certificate fields for client certificate authentication for administrative BIG-IP access

To ensure remote authentication of user certificates for administrative access to the BIG-IP system, the BIG-IP system can now extract an arbitrary certificate field from a user certificate. This arbitrary field is then translated to a user name for BIG-IP user authentication.

Per-profile maximum SSL renegotiation limit

To enhance the BIG-IP system’s denial of service (DoS) protection, you can now configure a separate per-flow SSL renegotiation limit within each Client SSL profile instead of globally on the BIG-IP system. When you specify a maximum number of aggregate renegotiations per profile instead of globally, perpetrators can no longer open new connections to bypass a global per-flow renegotiation limit.

BIG-IP External Crypto-offload

This release provides the ability to offload SSL crypto operations from one BIG-IP system (the client) to other BIG-IP systems (the hosts/providers). For example, this feature allows an LTM Virtual Edition (VE) instance (the crypto client) to offload RSA asymmetric operations (SSL handshake) to another BIG-IP system with RSA hardware acceleration (the crypto provider). Note: In 12.0.0 this feature supports only VE as offload clients and only hardware platforms as offload servers. You must have an appropriate VE license to use this feature.

CGNAT

TFTP-ALG profile support

The Trivial File Transfer Protocol application layer gateway (TFTP ALG) profile enables you to configure the BIG-IP system to read and write files from or to a remote server. You can configure ALG logging on the profile.

FTP-ALG profile -- support for FTPS pass-through

The FTP ALG profile now supports the pass-through of encrypted File Transfer Protocol Secure (FTPS) traffic between a client and server when operating in FTP passive mode.

PIM protocol dynamic routing

This release provides Protocol Independent Multicast Dense Mode (PIM-DM) protocol routing, which supports dense multicast routing.

Software

SCTP profile

Support for Stream Control Transmission Protocol (SCTP) multi-homing and multi-streaming has now been improved. The BIG-IP system can now advertise secondary addresses to clients and servers and pass SCTP metadata (including the stream ID) transparently.

Global DAG Round Robin disaggregation

The DAG Round Robin feature for VLANs is now enhanced to load balance traffic across blades/high-speed bridges (HSBs) in the system. The DAG tunnel feature, configured using the VLAN dag-tunnel field, is supported on VIPRION blades B2100, B2150, B2250, the B4300 blade in the VIPRION 4-blade chassis, and on BIG-IP platforms 5000s, 5200v, 7000s, 7200v, 10000s, and 10200v. Note: the DAG tunnel feature is not supported on vCMP guests configured on any of those platforms, or on B4300 blades in a VIPRION 8-slot chassis.

Enhanced performance on FPGA platforms for BIG-IP virtualization tunnel traffic

On FPGA platforms, the BIG-IP system now includes hardware-based disaggregation and hardware checksum offloading for various types of virtualized network tunnel traffic. With this feature, the BIG-IP system can inspect encapsulated inner packet headers as well as outer packet headers, eliminating the need for internal CMP processing redirection that degrades performance. The types of tunnel traffic that this feature supports are VXLAN, NVGRE, and EtherIP.

Passphrase backup to encrypt Secure Vault master key

Administrators may specify an optional passphrase when they create a Secure Vault master key. This master key will be used to encrypt sensitive data when a UCS file is created. In this release administrators can then use that passphrase to load the encrypted data even if the current master key is different. This allows data recovery in the event of an RMA or when installing a UCS on a different BIG-IP device of the same type.

Kernel Upgraded to RHEL 6.5

The kernel on the BIG-IP system is now upgraded to Red Hat Enterprise Linux Release 6.5.

Hardware Support

VIPRION 2200 DC-powered chassis

This release provides support for the new VIPRION 2200 DC-powered platform, a two-blade chassis that supports B2000 Series blades. You must install BIG-IP version 11.5.0 or greater on all blades used in this chassis. For more information, see Platform Guide: VIPRION 2200.

7000 and 10000 Series platforms

The 7000 and 10000 Series platforms now have an option for RAID 1 mirroring with Dual SSD drives with the 7055, 7255, 10055 and 10255 platforms. For more information, see Platform Guide: 7000 Series and Platform Guide: 10000 Series.

Storage drive firmware upgrade utility

About upgrading storage drive firmware: If you are running BIG-IP software version 12.0.0 or later, you can use the disk-firmware-update.pl script to update the firmware on storage drives, that is, hard disk drives (HDDs) or solid-state drives (SSDs), that are installed in a BIG-IP platform or VIPRION blade.

10000 Series platforms (requires 12.0.0 HF1)

With the introduction of the 10150s and 10350v AC models, there was a need to change the faceplate of the existing 10350v-N (DC) model to provide consistency across the product line. There are no internal differences between the 10350v models which have the original "10350v" faceplate and the models which have the "10150 Series" faceplates. Should a replacement 10350v be required, a new one will be shipped with the appropriate license on it to make it perform like the 10350v it replaces, though the faceplate will state "10150 Series."

Fixed CVE issues in 12.0.0

ID Number CVE Number
416372 CVE-2012-2677
416734 CVE-2012-5195 CVE-2012-5526 CVE-2012-6329 CVE-2013-1667
427174 CVE-2013-1620 CVE-2013-0791
439063 CVE-2013-4238
451020 CVE-2009-5138 CVE-2014-0092
451218 CVE-2014-8730
476738 CVE-2007-6199
477274 CVE-2014-6031
479429 CVE-2014-0205 CVE-2014-3535 CVE-2014-3917 CVE-2014-4667
479431 CVE-2014-3596
480931 CVE-2014-6271 CVE-2014-7169 CVE-2014-7187 CVE-2014-7186 CVE-2014-6277 CVE-2014-6278
484318 CVE-2014-2532 CVE-2014-2653
485762 CVE-2015-4040
485812 CVE-2014-3660
485917 CVE-2004-1060
489323 CVE-2015-8098
492367 CVE-2014-8500
492368 CVE-2014-8602
493091 CVE-2010-1623
494078 CVE-2014-9326
496845 CVE-2014-9342
498784 CVE-2014-6040 CVE-2014-7817
500088 CVE-2014-3571
501666 CVE-2014-8139 CVE-2014-8140 CVE-2014-8141
503237 CVE-2015-0235
507842 CVE-2015-1349
511651 CVE-2015-5058
513034 CVE-2015-4638
518411 CVE-2013-2596 CVE-2014-3690 CVE-2014-5471 CVE-2014-5472 CVE-2014-8159 CVE-2014-8884 CVE-2015-1421
520466 CVE-2015-3628
523032 CVE-2015-3456
525232 CVE-2015-4024
528681 CVE-2011-1098
528682 CVE-2011-1154
528683 CVE-2011-1155
529509 CVE-2015-4620
534630 CVE-2015-5477

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference the information to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility.
  • Update/reactivate your system license, if needed, to ensure that you have a valid service check date.
  • Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
  • Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running Application Acceleration Manager, set provisioning to Minimum.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.

Installation method                                                      Command
Install to existing volume, migrate source configuration to destination  tmsh install sys software image [image name] volume [volume name]
Install from the browser-based Configuration utility                     Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 11.2.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP-11.2.0.2446.0.iso volume HD1.3

Post-installation tasks

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility.
  3. Log on to the browser-based Configuration utility.
  4. Run the Setup utility.
  5. Provision the modules.
  6. Convert any bigpipe scripts to tmsh. (Version 11.x does not support the bigpipe utility.)
Note: You can find information about running the Setup utility and provisioning the modules in the BIG-IP TMOS implementations Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes; otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Upgrading from earlier versions

Your upgrade process differs depending on the version of software you are currently running.

Warning: Do not use the 10.x installation methods (the Software Management screens, the b software or tmsh sys software commands, or the image2disk utility) to install/downgrade to 9.x software or operate on partitions. Depending on the operations you perform, doing so might render the system unusable. If you need to downgrade from version 10.x to version 9.x, use the image2disk utility to format the system for partitions, and then use a version 9.x installation method described in the version 9.x release notes to install the version 9.x software.

Upgrading from version 10.1.0 (or later) or 11.x

When you upgrade from version 10.1.0 (or later) or 11.x software, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.

Upgrading from versions earlier than 10.1.0

You cannot roll forward a configuration directly to this version from BIG-IP version 4.x, or from BIG-IP versions 9.0.x through 9.6.x. You must be running version 10.1.0 software. For details about upgrading to those versions, see the release notes for the associated release.

Automatic firmware upgrades

If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.

Upgrading earlier configurations

When you upgrade from an earlier version of the software, you might need to know about or take care of these configuration-specific issues.

ID Number Description
ID 223704 When you import a single configuration file (SCF file) that contain VLANs of the same name that exist in different administrative partitions, the operation fails with a unknown operation error. Upgrading configurations with VLANs of the same name in different administrative partitions. Upgrade operation fails with a unknown operation error. Workaround: Before installing an SCF file, run the tmsh load sys config default command. This returns the system to the default configuration, so subsequent configuration import operations should succeed as expected.
ID 401828 The following configurations are invalid for a SIP virtual server: a) TCP virtual server with a UDP profile and a SIP profile. b) UDP virtual server with a TCP profile and a SIP profile. TCP virtual server with a UDP profile and a SIP profile, or a UDP virtual server with a TCP profile and a SIP profile. If such a configuration exists in previous versions, it loads in 11.3.x but may cause a core. Workaround: "Fix the configuration manually, as follows: a) A SIP TCP virtual server must have TCP as one of its profile type. b) A SIP UDP virtual server must have UDP as one of its profile type."
ID 415961 Unused HTTP Class profiles are not rolled forward during upgrade or UCS restore. If you have defined HTTP Class profiles but have not assigned them to virtual servers, the system does not bring forward those profiles into the new configuration when you upgrade. No Policy is created from the HTTP Class profile and the profile does not appear in the new configuration. This occurs when upgrading a pre-v11.4.0 configuration with a HTTP Class profile not attached to a virtual server. You might lose unused HTTP Class profiles in the configuration. Workaround: Attach all HTTP Class profiles to a virtual server before upgrade or save of a UCS.
ID 434364 "When upgrading from 10.x or installing a 10.x originated UCS on 11.x, bigpipe is used to parse the newly created file-object definitions which had been generated from files in the 10.x install. If the filename being upgraded to file-object starts with a '.', then on initial load, bigpipe will give an error while trying to load the generated configuration, resulting in an error message similar to: BIGpipe parsing error (/config/bigpipe/bigip.conf Line 107): 012e0017:3: The requested item (.myfile.txt {) is invalid (external_monitor_file_object_key | show | list | help) for 'external monitor file object'" The installation of a UCS or configuration roll-forward from 10.x to 11.x in which the previous install had files that were upgraded to file-objects, but whose filename started with a '.' The UCS will not install properly, and/or the configuration on initial boot will not load. Workaround: Edit the name of the file-object in question which would be found in /config/bigpipe/bigip.conf to remove the leading '.' character from the object name, and make any references to the file-object match that change.
ID 435332 If there are users defined on a version 10.2.1 BIG-IP system to have administrator or resource-admin roles, and they have partition access to a single partition, these user config objects fail to load during an upgrade to version 11.x. "Here is a sample user config from 10.2.1: user v-abban { password crypt '$1$UIPmGYdY$yewCx.a2qNDauz/UB1Jbp/' description 'v-abban' group 500 home '/home/v-abban' shell '/bin/false' role administrator in Common }" Upgrade or load UCS fails with the following error: 01070821:3: User Restriction Error: The administrator, resource administrator, auditor and web application security administrator roles may not be restricted to a single partition. Workaround: Prior to upgrade, edit the bigip_sys.conf to have the role line as follows: ... role administrator in [All] }
ID 435482 In versions prior to 11.4.0, the UCS does not save files containing spaces in the names. That means that any files that had spaces in the name would not be written to the UCS file and the UCS save would appear to succeed. When a UCS file which was saved in this manner is subsequently applied to 11.4.0 or greater, the configuration load will fail because the referenced file(s) (with spaces in their names) are not present in the UCS. "1. The UCS being applied was saved in a release prior to 11.4.0. 2. The configuration contained config objects with spaces in their names. 3. The UCS is being applied to 11.4.0 or greater." After upgrading into the newer release, the initial config load will fail. Alternatively, manually loading any UCS saved in this manner will result in a similar configuration load failure. Workaround: Boot back to the previous version and rename all the files in question so they don't have spaces in their names. Save the UCS again, and upgrade.
ID 436075 Using syslog include field when the command 'syslog-ng -s' does not succeed before the upgrade. Using syslog include field. It is possible to roll forward an include field with invalid syntax. This will cause the configuration to fail to load. Workaround: When using the syslog include field, ensure that the command 'syslog-ng -s' succeeds before the upgrade.
ID 436212 "If a copper SFP module is installed and a configuration is loaded which sets that module's speed and duplex, this configuration might fail to load. The /var/log/ltm file shows an error similar to the following and the config fails to load. 01070318:3: The requested media for interface 1.1 is invalid." "The system being upgraded needs to have a copper SFP module installed in order to encounter this issue. There are two ways to arrive at this state: when upgrading and at runtime. This runtime error and its workaround is covered in SOL14556, available at http://support.f5.com/kb/en-us/solutions/public/14000/500/sol14556.html. When applying a UCS from a previous version of TMOS, this condition can also be triggered." The upgrade fails after booting into TMOS for the first time. Workaround: "To work around this issue, edit /config/bigip_base.conf so that the lines specifying the 'media-sfp' setting are set to 'auto', similar to the following example. Once all interfaces using a non-auto setting are changed, the configuration should load. net interface 1.1 { media-sfp auto }"
ID 436825 Under certain conditions, nodes (or any other object with an IP address) in a partition that belong to route domain 0 will be treated as part of the default route domain for the partition after an upgrade. "All of these conditions must be true: - A system is being upgraded from any TMOS v10.x release to any TMOS v11.x release after 11.1. Upgrading to 11.0 or 11.1 is not affected, but the upgrade process resets the partition's default-route-domain setting to 0. - It has a partition that has its default route domain set to a nonzero route domain - That partition contains nodes with no route domain set (so the default is used) - That partition contains other nodes in route domain 0" Those objects may no longer be addressable or able to connect. Workaround: "Set the partition's default route domain ID to 0 before upgrading, then set it back to its previous value after the upgrade. This field is only used by the GUI and shell, so temporarily changing it to 0 will have no effect on the dataplane."
ID 448409 The command 'load sys config verify' causes loss of sync configuration and initiates a provisioning cycle. The 'verify' option on the 'load sys config' command is designed to ensure that a configuration (either from a file or pasted to the terminal) is valid, but not have it take effect. This affects the ConfigSync communication channel if configured. The ConfigSync connection, including the connections to other devices, might be lost. In addition, provisioning might be impacted. Workaround: You can avoid this issue by using the 'load sys config verify' command 'merge' option, which keeps the current configuration during the validation step. Once affected by this issue, the workaround is to re-load the full configuration using the command: tmsh load sys config partitions all.
ID 449617 If a configuration file includes a passphrase for an ssl-key file object, the object may fail to validate when the configuration is loaded. This occurs when a passphrase is present in the ssl-key file object; the configuration fails to load. Workaround: Remove the passphrase line from the file object.
ID 450050 Following an upgrade from 10.x to 11.x, the config file fails to load. An error similar to the following is logged: load_config_files: "/usr/libexec/bigpipe load" - failed. -- BIGpipe parsing error (/config/bigpipe/bigip.conf Line xxxx): 012e0020:3: The requested item (respondasm {) is invalid (<profile arg> | show | list | edit | delete | stats reset) for 'profile'. This occurs when upgrading from 10.x to 11.x and respondclass configuration directives were introduced into the customer's /config/bigip.conf, for example: profile respondclass XXXX { ... }. The configuration fails to load. Workaround: In version 11.0 and later, it is safe to manually delete a "profile respondclass XXXX {" block.
ID 488417 Cannot load config after upgrade if the admin account is disabled and replaced with a custom user. The system posts the message: 01070829:5: Input error: can't create user, role partition mapping, user does not exist, username, Unexpected Error: Loading configuration process failed. This occurs when upgrading a system on which the root admin account is disabled and replaced with a custom admin user account. You cannot upgrade if the root admin account is disabled. Workaround: Switch back to the volume where you disabled the root admin account, and load the configuration from there. You can then disable root access and create a custom admin user account.
ID 489015 An LTM request-log profile that references a non-existent pool can pass validation in 11.1, but fails beyond 11.2 with an error similar to "The requested Pool (/Common/poolname) was not found." This can cause a load failure when rolling forward the configuration. An invalid request-log profile referencing a non-existent pool, upgrading from 11.1. Failure to load config post-upgrade. Workaround: Correct the request-log profile in the config either prior to upgrade or by editing the config after.
ID 490139 Loading iRules from the iRules file deletes last few comment lines immediately preceding the closing bracket. This occurs when loading an iRule file from versions prior to 11.5.1. Although the comments are removed, this does not affect iRule functionality. Workaround: Put comments in places other than immediately above the closing bracket.
ID 496663 iRule object in non-Common partition referenced from another partition results in upgrade/configuration load failure in 11.x. This occurs when upgrading/loading a configuration containing an iRule in one non-Common partition that references an object in another non-Common partition. A configuration of this type can be saved only using pre-11.x versions of the software. The config upgrade fails, and the UCS/configuration files cannot be loaded. The system posts an error message similar to the following: 'myucs.ucs' failed with the following error message: 'Rule [/UNCOMMONPARTITION/RULEABC] error: Unable to find rule_object (...) referenced at line xyz: [element]'. Workaround: None.
ID 513239 The configuration might fail to load upon upgrade from 10.x to 11.x if the configured SSL profile cache-size value exceeds the maximum supported value on 11.x. This occurs when an SSL profile exists with a cache-size greater than 262144 (if upgrading to version 11.0.0 through version 11.4.1) or greater than 4194304 (if upgrading to version 11.5.0 and later). The upgrade from version 10.x to version 11.x fails. The system posts a version-specific error: -- If upgrading to version 11.0.0 through version 11.4.1: 01071313:3: The requested cache size value (4294967295) is out of range for client SSL profile (/Common/my_large_cache); should be in range from 0 to 262144. -- If upgrading to version 11.5.0 and later: 01071313:3: The requested cache size value (4294967295) is out of range for client SSL profile (/Common/my_large_cache); should be in range from 0 to 4194304. Workaround: Prior to upgrade, change the version 10.x cache-size to a value that is supported on the upgraded version. On versions 11.0.0 through 11.4.1, the supported range is from 0 to 262144; on version 11.5.0 and later, the supported range is from 0 to 4194304.
ID 513501 When upgrading from a version prior to 11.5 to 11.5 or newer, the configuration may fail to load with an error similar to "LSN pool is configured with a prefix address that overlaps with a prefix address on another LSN pool" if the configuration contains overlapping DNAT and NAPT LSN pools. On versions prior to 11.5, tmsh allowed users to configure overlapping DNAT and NAPT pools even though this configuration is invalid and nonfunctional. Fixes to the validation were added in 11.5. However, when upgrading from previous versions, a configuration that contains overlapping DNAT and NAPT pools fails to load on versions newer than 11.5. The configuration fails to load on upgrade. Workaround: Edit bigip.conf and find the overlapping LSN pools. Either remove one of the pools or change the mode on the DNAT pool to NAPT.
ID 523797 The upgrade script failed to update the file path name for snmp.process_name, causing a validation error. Workaround: Edit the process name path to reflect the location.
ID 528881 When upgrading to an affected version, if a NAT has a name with spaces in it, the upgraded configuration does not load. The BIG-IP system must be configured with NATs that have spaces in their names. The configuration does not load on the upgraded system. Workaround: Remove spaces in NAT names before upgrading. Specifically: the initial letter must be a letter, underscore ( _ ), or forward slash ( / ), and subsequent characters may be letters, numbers, periods ( . ), hyphens ( - ), underscores ( _ ), or forward slashes ( / ).
ID 530011 After upgrading from 10.2.x to 11.x, an iRule causes an error when the iRule event is triggered: CLIENT_ACCEPTED - Illegal argument. TCP::option get on profile without tcp option setting (line 1) invoked from within 'TCP::option get 8'. This occurs when rules.tcpoption.settings is set to specify the TCP option to collect. iRules that use TCP::option and depend on rules.tcpoption.settings do not work as expected after upgrading from 10.2.x to 11.x. Workaround: After the upgrade, configure a TCP profile that collects the appropriate TCP option for the iRule: create ltm profile tcp profile_name tcp-options "{8 last}".
ID 532559 If the client-ssl profile is /Common/clientssl, its parent profile is itself, but the configuration uses 'defaults-from none'. This occurs when 'defaults-from none' is added under the client-ssl profile '/Common/clientssl'. The upgrade fails because the upgrade script extracts the line 'defaults-from none' and treats 'none' as its parent profile. Workaround: None.

Fixes in 12.0.0

ID Number Description
224131 GTM global setting send-wildcard-rrs now triggers resource record auto-creation in BIND when creating wildcard wide IPs.
226892 Resolved intermittent issue when return packets were dropped after configuring packet filters for DNS traffic or traffic with IP fragments.
248678 Bridging loops no longer occur due to bridge_in_standby. This issue has been ameliorated by changing the default value for the vlangroup's bridge_in_standby setting to disabled. To have standby systems bridge packets across vlangroups, enable bridge_in_standby directly.
250670 Unnecessary trailing semicolons are no longer appended to cookie headers.
273847 The HTTP filter now handles blank lines between requests correctly by ignoring them.
342013 Keepalives are now sent even in the half-close state, so idle connections intentionally left open are still allowed and clients that disappear are detected.
343455 The cookie handling code no longer uses case-sensitivity of attributes to determine cookie RFC version.
348000 HTTP response status 408 request timeout no longer results in error being logged.
348194 Configuration of the FIN_WAIT2 timeout is now allowed.
352925 Updating a suspended iRule no longer results in TMM process restart.
356658 The system no longer logs an alert-level message when remotely authenticated users who do not have a local account log in. The notice-level error is written to /var/log/secure, as expected.
359774 Upgrade script has been updated to append the full partition path names to pools in ha-groups when upgrading from 10.x to 11.x and ha-groups are defined. If the same pool name is used in multiple partitions, the pool in /Common will be used first. If the name exists in multiple partitions other than /Common, the first match is used, and a warning will be logged by the upgrade script.
360526 Removed unnecessary whitespace.
364978 Active/standby system configured with unit 2 failover objects now create one traffic group, which is correct behavior.
374067 A virtual server no longer intermittently causes HTTP Keep-Alive connections to use a self IP address as the secure network address translation (SNAT) address.
374339 HTTP::respond/redirect no longer crashes TMM under low-memory conditions.
375246 When set_member_session_enabled_state sets a pool member to disabled, current connections are maintained but no new connections are allowed. When set_member_monitor_state sets a pool member to disabled, all connections are killed immediately and no new connections are allowed.
375887 Cluster member disable or reboot no longer leaks a few cross-blade trunk packets.
376120 tmrouted no longer restarts when reconfiguring a previously deleted route domain.
382157 The IF-MIB::ifXTable was implemented to use the same stats as sflow. The F5-BIGIP-SYSTEM-MIB::sysVlanStatTable is obsolete.
383784 Remote user authentication now allows blank space in user names.
384451 Improved memory management when there are duplicated keys or certs.
385274 Policy flow's nexthop is now correctly updated when route pool member status changes.
387863 When remote user authentication is configured with TACACS+, an optional port number may be appended to the server address, in the format IP_address:port_number. If only the address is specified, the system uses the standard TACACS+ port.
391976 When rate-limit is exceeded, multiple counters are incremented correctly.
392794 The system now reads pluggable module media ability at module detect time. This fixes the behavior where this info was incorrectly read and cached prior to module probing and caused CuSFP to fail auto-negotiating to 10/100 speeds.
393647 Objects configured with a connection rate-limit will now show status available whenever the connection rate falls below the configured value.
394236 Changed ordering of shutdown operations to avoid MCP error message for benign condition.
394789 On a VLAN with VLAN failsafe configured, the system now prevents the currently active vCMP guest from sending itself a probe to which it responds (which might have prevented the VLAN failsafe from triggering).
397218 Stream filter no longer loops indefinitely.
398067 Support configuration upgrades on systems with mismatching unicast failover and management IP addresses.
400945 Errors reported when vdisk volume is corrupted/unmountable have been clarified.
401852 csyncd no longer dumps core if the kernel event queue is full. It will still generate a log message and restart, which is intentional.
402412 FastL4 no longer switches to idle timeout before data is received, so the 5-second TCP handshake timeout holds until the first data arrives, at which time it switches to idle timeout.
402510 Pool members are properly counted when using TCP connection queueing and OneConnect together.
403002 The system now prevents configuration of nonzero route domain.
403829 When editing the configuration of a SNAT, changing the Translation type from IP Address to SNAT Pool no longer results in an error.
404668 Device sync is now retained between GTM and LTM systems.
404716 Decapsulated tunnel packets are correctly handled by packet filter.
405752 Monitors using TCP transport sourced from certain ports now handle traffic as expected.
406878 TMOS version/build number now updates after upgrade in device group.
411233 The system now initializes lb_value to the minimum current lb_value for unused pool members. This is correct behavior.
411723 There is now a message alerting the user when adding a new device when that device already has trust configured, which redefines the trust group. The message is 'Devices (IP list) already have a non-standalone trust domain. This operation will destroy and replace that domain. Continue?'
414732 On the Traffic Groups page, a traffic group configured to use serial failover now shows the correct message in the 'Next Active Device' column.
416292 Ensured that the active CMI connection is destroyed when mcpd is shutting down.
417068 FIPS key labels longer than 32 characters now get truncated to 32 characters. Those keys with the same first 32 characters are truncated, and the system attaches an underscore and number to a total of 32 characters; for example fipssamplekeylabelof32characte_1, fipssamplekeylabelof32characte_2, and so on. BIG-IP uses the FIPS handles when querying the FIPS cards for keys, so the fact that the FIPS key labels are different from the BIG-IP key names does not matter and does not affect traffic.
418329 Correct calculation of limitalert and limitwarn variables in diskmonitor script.
420107 Fixed an issue in HTML profile which could cause a tmm crash during configuration change on a virtual with open connections.
420204 The BIG-IP system now posts an error if the user tries to manually delete a particular FIPS key by-handle while its corresponding key object exists in BIG-IP configuration, regardless of the length of the key name. IMPORTANT: FIPS key deletion by-handle should still be executed with caution because the FIPS handle might belong to keys in different boot locations of the BIG-IP configuration. Deleting those FIPS keys does not throw an error, but will make FIPS keys in the other boot locations invalid and unusable.
420341 In Connection Rate Limit mode, one client exceeding the limit no longer throttles other clients.
420438 There are now no default routes from the standby BIG-IP system in an HA pair. This is correct behavior.
420848 Root user description is now retained.
421971 Renewing an existing certificate now succeeds if a user provides Subject Alternative Name (SAN) as input in the GUI.
422087 Tmm no longer crashes in certain low memory conditions with Ram Cache enabled.
422107 Queries answered by DNS transparent cache will no longer add RRSIG to the response if DO bit is not set in the query.
422554 The tmm/ready_for_world_stat tmstat table now lists the components upon which TMM depends to become Ready For World, and indicates whether each is currently in a 'ready' or 'not_ready' state. For example, the output of 'tmctl -d blade tmm/ready_for_world_stat' has the columns name, ready, and not_ready, with rows such as: tmm0 platform_msg,shared_random,cmp_mpi,dag_transition,
425008 This release provides multi-streaming support for SCTP profiles when handling stream id values.
425124 Wildcard IP tunnels now handle internal flows as expected.
425817 The boot_marker entries found in system logs now accurately reflect the version of the software in the active slot.
426328 Updating an iRule that uses sideband connections no longer causes TMM to core.
428163 Deleting a cache resolver no longer results in outstanding packet issues.
428864 Lowering the virtual server connection limit now works, even when traffic is already being processed.
429018 TMIPSECD logs a critical message instead of coring, and IPsec tunnel flapping and core dumps no longer occur when deleting a non-existing traffic selector.
430117 A double-free condition in the Diameter profile has been fixed.
430323 The VXLAN daemon no longer restarts when 8000 VXLAN tunnels are configured.
431283 Check the offset value before moving the cursor.
431343 Fixed a situation where TMM may core when printing a URL processed by AAM in debug mode.
431634 Fixed replace-all-with command in relation to GTM Virtual Servers.
433087 Question mark in query component no longer prevents correct URL parsing.
434096 The BIG-IP system now allows up to an 8 KB log message size.
435055 The system now supports ECDHE-ECDSA ciphers with hybrid certificate (RSA signed EC cert).
435555 Although in this case you cannot load a UCS from one device to another without intervention, the admin can now change the master key and then successfully load the configuration onto a different device.
1. Before taking the UCS to a different system, set the master key from a passphrase using the following command: tmsh modify sys crypto master-key prompt-for-password.
2. On the system where the UCS will be restored, load the UCS. (Here, it fails to load due to encrypted attributes that cannot be decrypted.)
3. On the new system with the failed UCS load, set the master key using the previously specified passphrase by running the command: tmsh modify sys crypto master-key prompt-for-password.
4. Load the configuration with the command: tmsh load sys config. The configuration loads and the encrypted attributes are accessible.
435670 Persist.WellKnownProxyClass referencing missing object no longer fails with object-not-found error.
436682 Some SFP modules now show the correct optical power output for disabled switch ports, which no longer contributes to false link states.
437637 The 7000 Series platform no longer reports a false positive sensor out-of-range error when the Host is powered off using the AOM.
438674 The BIG-IP system no longer sends tamd log messages to the configured remote log destinations.
438792 The system now deletes a persist entry from all peer TMMs when it is deleted in any TMM, so no conflicts occur.
439119 The command 'tmsh run sys crypto check-cert' now correctly reports the validity of certificate bundles.
439343 LDAP client certificate SSL authentication now sends the correct bind password to the LDAP server.
439399 ePVA statistics are included with the Throughput data to accurately match the Detailed Throughput data.
440154 Users can associate multiple Traffic Selector MCP objects with one IKE Peer object.
440346 Monitors are no longer removed from a pool on the devices that received a sync.
440752 Qkview MCP module has been corrected to prevent qkview from looping infinitely when failing to connect to MCPD.
441297 LACP trunk now becomes active after restarting mcpd on 2000/4000 series platforms.
441512 Sync now completes successfully, without sflow error.
442322 vCMP guest names in statistics are no longer limited to 32 characters. The maximum limit of vCMP guest names has been increased to 255 characters.
442477 'Over allocation of disk has been detected' error message has been reduced from emergency to warning, the appropriate level. The message now includes information about potential consequences of the condition and a reference to the Solution: SOL15915: Reallocating disk resources when upgrading a vCMP system at https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15915.html.
442647 iRules now use a 64-bit object.
443298 FW Release: Incorporates Victoria2 LOP firmware v1.20 into BIG-IP.
444710 Out-of-order segments received before 3WHS is completed are no longer dropped.
445911 TMM fast forwarded flows are no longer offloaded to ePVA, which is correct behavior.
446396 UDP is now the only valid protocol option for a stateless virtual server, and port translation is disabled for a stateless virtual server.
446526 Non-datagram-LB mode and DNS iRule suspension no longer cause TMM crash.
447043 LTM policies now allow rules to have multiple conditions on the same operand and the same match type, so that 'user-agent contains Android AND Mobile' can now be expressed by specifying: conditions { 0 { http-header name User-Agent contains values { Android } } 1 { http-header name User-Agent contains values { Mobile } } }
447075 A remote network connection no longer shows as Up/Link when a CuSFP module is plugged into a port on a BIG-IP or VIPRION device that is in a links-down state, while connected via a cable to the remote switch/other network connection.
447132 OneConnect is now packet-mirroring aware. HA has improved in reliability, which fixes the race condition in packet mirroring when OneConnect and high availability are both configured.
447272 If mcpd audit logging is enabled on a chassis, updates to device group state were in past versions recorded on every configuration change, even if CMI was not configured or no synchronizable object was modified. This no longer happens, and these log messages are now only generated if the state actually changes.
447874 HTTP pipelined requests no longer cause the TCP window to stay at 0 when pipelined requests using the GET method are sent.
448493 iRules node/snat command in the iRule SIP_RESPONSE event now works correctly.
449848 Diameter Monitor now handles fragments as expected.
449891 Fallback source persistence entry is now used when primary SSL persistence fails.
450654 After loading UCS or configuration file with syntax error, the TMSH command 'reset cm trust domain-all' now successfully completes without the validation error.
450814 HTTP no longer causes a "server drained" assertion if a server ends a connection in an early server response.
451224 tm.pathmtudontfragoverride dbvar introduced. If the value is changed from 'disable' (this is the default) to 'enable', then DF bit will not be set in IP fragments generated by TMM.
451433 If a device goes to standby due to a failsafe operation, the HA Group Scores on that device are forced to zero, so that the traffic groups can become active on an active device. This is the correct behavior.
451494 You can now create an SSL Key/Certificate in partition other than Common, with Subject Alternative Name (SAN).
452293 Monitors now work on the Standby devices in an HA configuration.
452443 DNS cache resolver or validating resolver now functions properly, successfully resolving DNS requests when using non-default cmp hashes configured on its egress VLANs.
452482 Cookie persistence records are ignored when the connection limit of the persisted pool member has been reached. This results in incoming connections being offloaded to another pool member (if available).
452837 New TMSH commands and iControl REST APIs add a device to, or remove a device from, a trust domain. Here are the details of the new calls.
TMSH commands:
-- tmsh run cm add-to-trust Root ca-device/non-ca-device device fqdn_address or management-ip_address device-name name-of-device username user_name password password_string
-- tmsh run cm remove-from-trust Root ca-device/non-ca-device device-name name-of-device
iControl REST APIs:
# curl -sk -u admin:admin -X POST -H "Content-type: application/json" -d '{"command":"run", "name":"Root", "caDevice":true, "device":"165.160.15.20", "deviceName":"nalo228", "username":"admin", "password":"admin"}' https://localhost/mgmt/tm/cm/add-to-trust
# curl -sk -u admin:admin -X POST -H "Content-type: application/json" -d '{"command":"run", "name":"Root", "caDevice":true, "deviceName":"nalo228"}' https://localhost/mgmt/tm/cm/remove-from-trust
453349 If no value is specified for 'interval' in the iCall periodic handler configuration, or if the value specified is '0' (zero), a negative value, or greater than the maximum value '4294967295', the system displays a validation error, so no system instability can occur. Note that on upgrades in which the interval value is '0', the system modifies that value to '1'.
454692 Assigning 'after' object to a variable no longer causes memory leaks.
455006 Invalid UDP datagrams that interfered with SIP processing are now dropped.
455020 With the fix, the RTP and RTCP timeouts use the value configured in the RTSP profile.
455264 The new error message is "This device is not found."
455293 Previously the request statistics were collected at a point which was not reached if a respond iRule was used. The fix includes collecting request statistics at a much earlier point, immediately after the request headers have been parsed.
456413 Persistence records are maintained when the connection and persistence timeouts are within 33 seconds of each other.
457293 When the origin CMP instance cannot find the connection after its peer replies, the system now re-sends a REMOVE message to the peer to remove it.
457302 In the tm/net/fdb/tunnel resource, the property 'records' has changed to 'recordsReference', making it a subcollection.
457587 Access to the iControl portal can now be restricted to specific addresses or subnets.
457934 SSL Persistence Profile now operates correctly, and does not cause high CPU usage.
458104 Trunk config member interfaces are no longer merged during load. Only the trunk member interfaces defined in the config are present after a load.
458348 RESOLV:: iRule commands and sFlow now function correctly when using non-default CMP hashing.
458822 Changes are now immediately reflected on secondary blades when the cluster status is changed on the primary blade.
458949 When the catch command is used on TCL_ERROR, the error message is now set in the user-supplied variable.
459467 Added validation to ensure the first and last IP addresses in a subnet remain reserved, and cannot be assigned as self-IP addresses.
460627 The Send Weight messages are processed only after the registration of all the pool members is complete. Monitor logging has been vastly improved. In addition, there was a crashing bug that caused the SASPD_monitor process to be restarted. That bug has been fixed.
460730 Increased MCP's throughput by limiting the amount of data sent in a given chunk.
460946 A NetHSM key is now displayed in the GUI as NetHSM, as expected.
461334 Log message will show the root cause when DNS Express fails to answer a query.
462043 On the 5000 and C2400 platforms, when the DB variable 'qinq.cos' is set to 'inner', the packets are now handled as expected.
462708 When a route is deleted, the system posts the assertion that checks to see if the route was deleted. If not, the assertion triggers (coring TMM).
462714 Source address persistence record no longer times out unexpectedly on FastL4 profile virtual server.
462879 Validation no longer allows changes to a Self IP netmask that invalidate an existing static route gateway address.
462881 Validation for both TCP and UDP profiles has been updated to correctly require the profile type and protocol type to match.
463202 If the EDNS version is not zero, the query passes through the filter and is not dropped.
463696 FIPS exported keys now get created on the HA peer as well as on the unit on which the FIPS key is created or imported.
463715 syscalld's timeout mechanism no longer emits an OPERATION_TIMEOUT message, unless the message appropriately reflects the condition of the system.
463902 Flat-buffer allocator for hardware compression tuned to be less greedy.
463959 The stpd process now checks to ensure that a slot is populated before attempting to connect to that slot.
464024 All pipes are closed when a TMSH command is completed, so file descriptors no longer leak when running some TMSH commands through scriptd.
464043 Integration of Firmware for the 2000 Series Blades.
464163 Customized cert-key-chain of the child client-ssl profile is reverted to parent's profile cert-key-chain during config load.
464252 Fixed an issue in HTML profile which could cause an infinite loop while processing HTML page with certain rules.
464705 The host selector specifier is no longer added to the config and host headers will now match.
465052 Check to make sure all required arguments are present in an HTTP::cookie command prior to attempting to use them.
465590 Mirrored persistence records are now correctly retained.
465607 The system now provides checks to mitigate the race condition on close of FastHTTP to avoid the core.
466034 VXLAN packets are now treated as UDP packets by default in hardware.
466116 Benign agentx warning messages are no longer logged for the routing protocols ospfv2, ospfv3, bgp, rip, ripng.
466266 In this release, the system ensures that an upgrade or a restart can never result in an Active/Active state.
466761 The heartbeat SIP message, which is a UDP packet with CRLF, is ignored and the connection is maintained.
466875 SNAT Automap now matches self-ip against selected SNAT pool member instead of the pool member route.
467015 DES-CBC3-SHA now uses 112 bit as its strength.
467071 Route domain input is now processed in the IPsec Diagnostics screen when an IP address (source or destination) has % or %0 appended as a route domain identifier.
467196 The max log size setting is now greater than 1024, which allows large systems (multiple blades, high-availability) to store messages for more than 24 hours.
467274 Virtual servers configured to use a TCP profile no longer retransmit initial TCP SYN packets at a slightly more aggressive rate than current RFC algorithms.
467551 TCP syncookie and Selective NACK (profile option) now work correctly.
467646 IDE DMA timeouts no longer cause the system to become unresponsive on VIPRION B4100/B4100N (A100) and B4200/B4200N (A107) blades and on Virtual Edition (VE) configurations deployed with IDE storage drivers (Xen, Hyper-V).
467693 sysObjectID OID now correctly returns the appropriate BIG-IP platform.
467703 Management interface no longer sends IPv6 Multicast Listener Query packet.
467868 Previously, mcpd might leak memory when returning an error message that contained the reason for a monitor failure. The message now reports the reason without leaking memory.
468083 If an LB_FAILED iRule calls HTTP::respond and references an undefined value, then Traffic Management Microkernel (TMM) no longer crashes or fails over.
468175 The system now works correctly, without stopping traffic going through an IPsec tunnel from BIG-IP systems to Cisco systems.
468472 Unexpected ordering of internal events no longer leads to TMM core.
468473 Monitors with domain username now save/load correctly.
468514 Ensures that only one sync for a given commit transaction is sent to the remote peer.
468517 Multi-blade systems no longer experience active/standby flapping after both units are rebooted, so the following MCPD error message no longer occurs on the secondary blades: err mcpd[6528]: 010717b5:3: HA group (HA) cannot be removed. It is used by traffic group (/Common/traffic-group-1 ).
468534 External HSM license option is now shown on FIPS platform licenses.
468834 Connection with early FIN when using FastL4 is now handled properly, so that FastL4 connections are immediately removed after connection closure.
468837 SNAT translation traffic group inheritance now syncs across devices using incremental sync.
469705 TMM sets a known route domain when processing SIP Requests to prevent panics caused by an invalid route domain.
469739 The ConfigSync operation completes successfully if HA pair has dissimilar cert-key-chain sub-object names within an SSL profile.
469851 vCMP management-network mode now has a 'host-only' option for tmsh/iControl.
469984 The upgrade process now retains valid HTTP Class URLs.
470171 TFTP-ALG is supported for CGNAT with all inbound setting modes.
470191 FastL4 component now validates existence of connection peer upon reception of TCP FIN.
470207 When the BIG-IP system adds a new IP address on the mgmt interface, the former mgmt IP address is deleted. This prevents the issue of having two mgmt IP addresses.
470394 The BIG-IP system calculates the correct number of members in the active priority group when the slow ramp feature is triggered.
470715 A new db variable, vlan.backplane.mtu, has been added to configure the tmm_bp VLAN MTU size; it defaults to 1640.
470756 The snmpd daemon now periodically logs warning messages regarding slow query responses from mcpd. snmpd also attempts to maintain heart-beat communication with sod under these conditions.
471001 Standby no longer responds to traceroute packets. This is correct behavior.
471136 Remotely authenticated users can now use iControl REST.
471324 A SNAT enabled on an empty VLAN list no longer translates. This is correct behavior.
471496 Standby node sends LSA summary for the default route with a value of 16777215. The OSPF routers in the stub area pick an active node as the gateway for the default route.
471625 After deleting external data-group, importing a new or editing existing external data-group now works as expected.
471704 The vcmpd process is no longer vulnerable to malicious data passed from a vCMP guest.
471821 Compression.strategy "SIZE" would cause software to do the compression.
471860 When you disable an interface, the state shows DISABLED. When you enable that interface, the indication for the interface now shows ENABLED.
472092 The complete request payload is now sent to the ICAP server, even in the presence of a long-running iRule in ICAP_REQUEST.
472148 The Nitrox driver was updated to properly handle highly fragmented SSL records.
472365 Corrected a vCMP timeout issue that might have prevented vCMP guests from processing SSL and compression traffic.
472376 The crash that can occur if a SIP virtual server is trying to send a message while a connection is shutting down will no longer occur.
472532 Cipher id 0x006b (dhe-rsa-aes256-sha256) has been added.
472571 Multiple client SSL profiles attached to a virtual server no longer cause memory to be leaked.
472573 The maximum security officer password length (14 characters) is properly supported.
472585 The tmrouted functions normally when multiple route domains with multiple routing protocols, with heartbeat enabled, are created and deleted repeatedly.
472613 Power supply status changes are now reported correctly on BIG-IP 5000/7000 Series platforms after power supply removal or insertion. LBH no longer watchdogs without a network address set.
472748 The system now releases the default SNAT from the virtual server if there is a SNAT configuration directly associated with the virtual server.
472767 Adding slots to running guests with host-iso no longer becomes stuck.
472944 SMTP commands received after STARTTLS are now correctly buffered by SMTPS profile until the SMTP server is ready to receive them.
473037 BIG-IP 2000/4000 platforms now support RSS with L4 data on SCTP.
473088 Configurations of request-/response-adapt combined with one-connect along with ClientSSL profiles are now handled correctly.
473105 FastL4 connections are now handled correctly with pva-acceleration set to guaranteed, and are no longer reset.
473200 Manually editing the system configuration and renaming a virtual server with an empty pool no longer causes an unexpected error when reloading the configuration.
473210 F5 support for new hardware platforms.
473212 On multi-drive systems with a single SSD or hard drive, the TMSH, GUI, and front-panel LCD RAID status menus now show consistent and correct status information.
473348 When upgrading from a release that did not have the hbInterval set to 300, the new release now has hbInterval set to 300.
473517 snmpwalk now finishes successfully without an 'OID not increasing' error, so snmpd no longer cores.
473759 Unrecognized DNS records no longer cause mcpd to core during a DNS cache query.
474002 BIG-IP system now successfully completes an SSL handshake with a server that is using Diffie-Hellman parameters that are 2048-bits or larger.
474166 The ConfigSync operation completes successfully, and the sFlow error no longer occurs.
474194 GlobalLB::PoolMember get_all_statistics and get_monitor_association methods no longer cause memory leak.
474226 LB_FAILED event is correctly triggered when persistence pool member is not available or offline.
474323 ePVA IPv6 feature is now available in this release.
474356 Client SSL configurations in a partition other than /Common no longer have a default key/cert and inherit-certkeychain, so the configuration loads correctly.
474388 The race condition that occurred has been fixed, so no APM-profile-related actions complete after the HTTP-profile closes the connection.
474445 TMM no longer crashes when processing unexpected HTTP response in WAM.
474584 The igbvf driver no longer leaks xfrags when a partial jumbo frame is received.
474591 Cosmetic database-error message is no longer recorded when SIP route is emptied of peers.
474601 FTP connections are no longer offloaded to ePVA hardware when traversing a SNAT listener.
474610 Data flow from the ICAP server to the HTTP client resumes after the ICAP_RESPONSE event is complete.
474751 A safety check in the memory management function now prevents the erroneous memory free, so the crash no longer occurs.
474771 In this release, the system includes the PVA statistics when calculating the BIG-IP system global throughput statistics values.
474974 ssl_profile no longer leaks memory when creating and deleting a number of profiles that have completed handshake operations.
475055 Resolved a core caused by accounting miscalculation of Nitrox I/O flows.
475125 HTTP::retry no longer causes TMM to crash.
475231 Connection remains open after dispatching CLIENTSSL_CLIENTCERT iRule event, which prevents accessing invalid memory.
475322 The discrepancies in current connections (cur_conns) between tmstat and SNMP have been corrected.
475460 TMM no longer crashes if a client-ssl profile is in use without a certificate revocation list (CRL) configured.
475525 Connections no longer stall on virtual servers using OneConnect and SSL profiles.
475584 There is now a counter that reports discarded packets that are dropped due to neighbor queue overflow.
475592 System now reports matching CPU usage in the per-core CPU usage graphs and the system CPU usage graph.
475647 VIPRION Host PIC firmware version 7.02 update now supports all expected BIG-IP software features on VIPRION B4300 blades.
475649 HTTP::respond no longer asserts and HTTP::collect now works as expected when used from HTTP_REQUEST in explicit proxy scenarios.
475677 When an LTM policy action fails, the affected connection no longer hangs until timeout, but rather gets reset immediately.
475681 Changing virtual server type from Standard to Performance (HTTP) now works as expected to connect to VIP.
475728 TMOS has been updated to prevent the daemon bcm56xxd from restarting due to parity errors.
475791 Removed ramcache race condition, so that connection teardown messages are processed in the correct order.
476097 Window scaling with back-end server now works when 'verified-accept' is enabled in the TCP profile.
476157 This release fixes CVE-2014-4341, CVE-2014-4342, and CVE-2014-4343.
476281 tmm no longer crashes when server_key and client_key variables are uninitialized.
476288 Repeated creation and deletion of route domains and routing protocols led to a race condition between the start timer of the routing protocols and inconsistent memory state of the deleted routing protocols. This fix resolves the race condition.
476386 Resolved an issue found in F5 testing so that DHE-RSA-AES256-SHA256 and DHE-RSA-AES128-SHA256 are supported for TLS.
476521 The system now uses a true timeout rather than a retry limit when deciding to give up initializing the FIPS device, and then power-cycles the unit to recover the FIPS device.
476564 The system now sends RST in guaranteed mode for an ePVA flow when the packet is received in software.
476567 The system now updates accelerated status after the flow has been successfully inserted into the ePVA, so the correct state is reported.
476599 In this release, the system clears suspended iRules that have failed before executing new events.
476683 DNS_RESPONSE events are now resumed after suspension.
476886 In this release, if the BIG-IP system receives the complete ICAP response from the ICAP server before it has completed sending the ICAP request, and a OneConnect profile is on the IVS, the TCP connection to the ICAP server is terminated and that connection is not reused.
477031 No TMM restart when deleting multiple VXLAN tunnels with flooding type multipoint.
477064 A crash bug in SSL has been fixed.
477070 Configuration can now be rolled forward even when the target software version is lower than the active slot's version.
477111 The main routing table now has a single entry for the management network.
477218 TMSH command now automatically issues the absolute path by using the context for the current connection to MCPd, so there are no MCPd restarts in this case.
477232 An issue with excessive port reuse in CGNAT translations when using persistence mode address has been fixed.
477281 XML Parser configuration was changed to ensure only correct documents are returned to all requests.
477318 Fixed the segfault that occurred in generic message when a HUDEVT_SENT is received and the parser is disabled.
477375 SASP monitor no longer cores when configured in push mode.
477394 Passive FTP using FTP range iRule no longer causes out-of-ports reset.
477611 DAG round robin is now applied to ICMP echo only.
477700 When an internal hardware sensor alert is received indicating a 'Bad' power supply status, additional detail is now logged to help identify the cause of the 'Bad' overall status for the power supply.
477789 The system now correctly converts the '&' (ampersand) character in the Certificate and ensures that the Peer Device process is still operating.
477859 ZebOS config now loads correctly when the password begins with a number.
477888 ICSA logging is no longer missing information that is required for certification.
477924 The provider is now selected before it is referenced, in a case that was previously unhandled. This new behavior defers provider selection to improve provider selection.
477950 The displayed SSL profile statistics are now correct.
478195 FIPS exported keys can now be correctly installed on other FIPS platforms that belong to the same FIPS security domain.
478215 'show ltm pool detail' no longer returns duplicate entries for members where their IP matches that of another member whose port is 'any'.
478257 Packets are no longer retransmitted if the MTU has not changed.
478439 Fixed unnecessary re-transmission of packets on higher ICMP Path maximum transmission unit (PMTU).
478442 Core in sip filter no longer occurs when sending HUDEVT message while processing of HUDCTL message.
478448 cm.device is now updated with the same information as sys.ntp.timezone upon modification or load of SCF file.
478474 Running qkview on pre-11.6.0 vCMP hosts and guests no longer produces innocuous 'Token' error in the qkview.
478540 tmsh now returns data for NTLM profiles in subfolders, so the system operates normally.
478592 Cached certificates are now handled correctly.
478617 The maximum TCP options length is no longer included when calculating the MSS from an ICMP PMTU message.
478734 Fixed a debug failure log message found in internal F5 testing.
478761 The load sys config default command functions correctly through iControl REST (iCR) using the following syntax: curl -sk -u admin:muadib https://ip-address/mgmt/tm/sys/config -H 'Content-Type: application/json' -X POST -d '{"command":"load","name":"default"}'
478812 With this fix, zone data is no longer vulnerable to corruption from power loss.
478840 Keys in subfolders can now be successfully deleted using web GUI.
478922 Resolved issue that ICSA logging did not contain information that is required for certification.
478983 Prevented a TMM core during certificate verification against a CRL.
478987 TMSH command 'tmsh modify ltm pool fogw gateway-failsafe-device none' now correctly disables failsafe gateway.
478994 When NAT-T is configured but there is no NAT in the network path, IPsec now works as expected.
479171 TMM no longer attempts to transmit DSACKs after reassembly queue has been purged, so no TMM crash occurs.
479176 This release fixes a potential race condition that occurred during DNS db load.
479182 mcpd now returns an error if a user tries to delete a route domain that is referenced by any IKE peer, IPsec policy, or traffic selector.
479359 The no-platform-check option now bypasses the platform check, which allows the user to load UCS files from other platforms.
479367 You can now create all types of resource records, regardless of zone name length.
479374 VIPRION C4800 backplane interfaces are now given proper settings to prevent unidirectional traffic issues.
479381 The System Activity Report (sar) utility now runs correctly with SA files exceeding 10 MB.
479543 The pool-member reference check for the node was moved to a later stage of validation, allowing the pool and pool members to be updated/deleted. This ensures that when the delete code for the node checks for references from a pool, there will be none.
479674 The system no longer crashes when Tcl monitors are improperly configured, that is, when the timeout specified is less than the interval.
479681 Sync operations on clustered systems no longer negatively impact performance.
479682 TMM no longer generates hundreds of ICMP packets when the server on the second virtual server in a VIP2VIP configuration becomes unreachable.
479773 Obsolete daemon DCOEP is disabled.
479888 BCM daemon debug mask can now be cleared.
480113 FIPS exported keys can now be successfully installed in FIPS cards without causing config-sync failure.
480119 The log level of the ERR_BOUNDS error has changed from ERR to DEBUG, which is correct behavior.
480246 The main query processing file was not included during build-time. The file has been added and the stats should now show as expected.
480299 Virtual Address delayed update mechanism now sends delayed updates approximately three seconds after change, regardless of previous status, guaranteeing that Virtual Address status reaches all subscribers.
480311 The OneConnect profile can be combined with either or both of request-adapt and response-adapt profiles on a virtual server. Both client and server HTTP connections are reused.
480370 The internal listeners that are created to forward the connections between TMM processes are now deleted when no longer needed, so new connections are not created, which prevents a memory leak.
480443 The SPDY filter no longer sends events up on deleted child flows, thus preventing a possible crash.
480509 HTTP bodies containing a Content-Type header of 'application/javascript' or 'text/javascript' will be recorded under the 'Javascript' compression statistic.
480679 The mapping for subscription groups has been fixed so that the SUBSCRIPTION_NODE_ADDRESS and other similar subscription groups will not be overwritten by the SUBSCRIPTION_MONITOR group.
480686 Internal vlangroup loop no longer occurs when the Translucent/Transparent vlangroup setting exists with a duplicate IP address.
480699 Increased the maximum statemirror.queuelen db variable limits. If necessary, the statemirror.queuelen can now be increased beyond 256 MB up to 1 GB. Note that increasing the statemirror.queuelen increases memory requirements to approximately twice the queuelen multiplied by the number of TMMs, and also increases the time required to detect an error in the mirroring connection. The statemirror.queuelen should be kept as low as possible to prevent repeated failure.
480811 The lib directories /usr/lib64 and /lib64 will no longer be collected in qkview.
480888 A response from the server is no longer truncated in some situations when the serverssl profile is combined with the use of the HTTP::collect iRule command.
481024 If only the base configuration was loaded and the BIG-IP system was restarted, then the high configuration (anything in bigip.conf) would be lost. This no longer occurs.
481082 The auto update settings no longer reset during a sync operation.
481089 After performing a full sync, BIG-IP systems remain in sync as expected, even when active mcpd connections are deleted before the sync completes.
481135 The pool members of a wide IP in Link Controller can now be modified from the GUI pool member page.
481216 A fallback response is no longer inappropriately generated after an error after an Early Server Response.
481272 The BIG-IP system now includes the client-cert in the encrypted part of ClientIdentity.
481603 In this release, the diagnostic single-disk initialization function '-i' option of the tmidiag utility has been restored. The option was originally removed because initialization is fully handled automatically by the system now. However, the command line help text was not removed. In any case, there is no danger in initializing a disk, even if the system has already done so. This routine has protection against initialization of any disk that is in use by TMOS.
481647 OSPF daemon no longer asserts when receiving a Link Status (LS) Update Packet with an LSA header whose length is greater than 255 bytes.
481648 The ipaddrTable's ipAdEntIfIndex value now matches the ifTable's ifIndex value for the same interface.
481677 A TMM crash bug has been fixed.
481696 The amount of shared memory for sod has been increased.
481820 SPDY no longer sends superfluous aborts to an already aborting child flow.
481844 When adding and deleting multiple client-ssl profiles configured with differing certificate revocation lists (CRLs), tmm no longer crashes and/or uses the wrong CRL.
481880 SASP monitor no longer core dumps during a state change in push mode.
481974 Fixed a problem where loading an SCF with a self IP different from the current configuration did not change the IP.
482082 The HTTP client receives the complete response from the ICAP server.
482202 The FTP profile no longer processes invalid command data.
482204 Setting the sshd log-level now correctly logs entries.
482304 SSL Forward Proxy does not support server-side client authentication. The fix is to prohibit configuring key/certificate fields in server SSL profile when forward proxy is enabled.
482309 iControl REST now works to fetch GTM wideip records whose names contain asterisk (*) characters.
482436 Improved the secure handling of invalid SIP messages.
483030 SPDY no longer causes tmm to core in the case of certain iRule failures in conjunction with deflate.
483104 vCMP guests now report bigipVcmpGuest as platform type.
483228 This release fixes an intermittent race condition in the terminate handler of the icrd_child process, so the process no longer crashes and generates a core.
483257 Can now delete keys without extension .key (and cert without .crt) using GUI or iControl.
483267 UDP connflow now finishes processing the parking iRule, and the connflow does not terminate unexpectedly.
483328 SSL virtual servers now successfully negotiate SSL handshake, so the device no longer logs the following message: crit tmm[14270]: 01260000:2: Profile name-of-profile: could not load key/certificate.
483353 HTTP compression now gracefully handles failed compression provider initialization.
483539 The correct MSS value is now used when SYN has options without MSS specified, so TMM no longer cores.
483653 Flow control through SSL is consistent and no longer leaves the chain misordered on flow control.
483665 The permissions for SSL keys are restricted such that they are readable only for export from iControl or UI.
483683 Added code to catch exceptions in rm_DBLowHighWide. We now delete the binary MCP database when an exception is caught, and restart MCP. This restart without a binary database bypasses rm_DBLowHighWide and allows the secondary MCP to receive its configuration from the primary MCP.
483699 Accessing iFile object in Local Traffic :: iRules : iFile list now works correctly and no longer produces No Access error.
483719 Single-member vlan-groups no longer leak memory.
483751 Formerly, when the primary blade of a chassis was reset, once it rejoined the cluster as a secondary its configuration could fail to load with errors such as: 01070088:3: The requested object name (/Common/default-eviction-policy) is invalid. 01070935:3: Unexpected exception caught in MCPProcessor::rm_DBLowHighWide(). 01070734:3: Configuration error: MCPProcessor::check_initialization: 01070734:3: Configuration error: URL category (/Common/Abortion) cannot be deleted. It is being used by a URL filter. The system now loads successfully and does not hit this error.
483762 MAC address conflicts no longer occur between vCMP guests when the vCMP hypervisor is running a fixed version. If a vCMP guest running a fixed version detects that the hypervisor has provided an invalid set of MAC addresses, the guest logs an error similar to the following and does not start: err chmand[28121]: 012a0003:3: unexpected init failure : VcmpPlatform: MAC pool size from hypervisor is zero crit chmand[28121]: 012a0002:2: critical platform initialize failure. exiting...
483840 Serial number of a blade is now cleared in show command after it is moved.
483974 Unrecognized DNS EDNS0 options are now ignored.
484305 TMM no longer crashes when an iRule executes a parking command inside a 'clientside' or 'serverside' context-switching command.
484399 OVA will only create 1 slot and leave the remaining disk space free.
484429 TMM still logs critical-level messages, but the system functions properly and traffic is not affected.
484453 Reduced the log level for registering with the LOP (lights out processor) to the debug level.
484524 If the connflow gets an ICMP unreachable from another virtual server through VIP2VIP, the connflow is now terminated, which is correct behavior.
484534 Spanning Tree Protocol (STP) now checks for the disabled state of the port before adding it as an STP member.
484706 Incremental sync of the deletion of an iApp instance now completes successfully. Incremental sync of iApp changes, where the iApp template creates a parent object separately from child objects now syncs correctly.
484861 Ensure that the preferred system goes active after auto failback, even if its traffic group score is lower than that of its peers.
484948 Resolved a problem with double-called functions that caused iRules to abort.
485472 Resolved issue where TMM might crash with assert: 'Must be syncookie' when the iRule 'virtual' command leads to a protocol mismatch.
485695 The fix updates the core logging library to always get the hostname from a common location updated by mcpd/errdefd. Daemons using either POSIX/syslog or errdefs will quickly and automatically pick up hostname changes. If any daemon fails to pick up hostname changes after this fix, it will almost certainly be using its own ad-hoc logging system and will need to be updated to use errdefs.
485702 The default community string 'public' is not added to the SNMP configuration on upgrade if it had been deleted in the previous software configuration.
485812 This release fixes CVE-2014-3660.
485833 Ensure all user directory file descriptors are closed.
485917 The fix verifies the TCP sequence number of the TCP packet embedded inside a Path MTU Discovery ICMP packet. If the sequence number is valid for the targeted TCP connection, the ICMP packet is treated as a legitimate Path MTU Discovery packet sent by a router on the connection path, and the MTU value it carries is adopted as the new path MTU. If the sequence number is not valid for the target connection, the ICMP packet is ignored.
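The check described in 485917, as an added example that is not part of this release note or F5's code: a hypothetical Python model that only adopts the MTU from an ICMP 'fragmentation needed' message if the TCP segment quoted inside it carries a sequence number this side actually has in flight. The connection-state names (TcpConn, snd_una, snd_nxt), the addresses, and the extra "must be a decrease" sanity check are assumptions for the example; the sample packets are constructed inline.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Tuple

ICMP_DEST_UNREACH = 3   # ICMP type: Destination Unreachable
ICMP_FRAG_NEEDED = 4    # ICMP code: fragmentation needed and DF set (RFC 1191)
IPPROTO_TCP = 6
IPV4_MIN_MTU = 68       # smallest MTU an IPv4 host must accept (RFC 791)


@dataclass
class TcpConn:
    """Hypothetical per-connection send state (names are assumptions, not TMOS internals)."""
    snd_una: int        # oldest unacknowledged sequence number
    snd_nxt: int        # next sequence number to be sent
    pmtu: int = 1500    # current path MTU for this connection


def seq_in_flight(seq: int, una: int, nxt: int) -> bool:
    """True if una <= seq < nxt in 32-bit modular arithmetic: we sent that byte and it is unacked."""
    return ((seq - una) & 0xFFFFFFFF) < ((nxt - una) & 0xFFFFFFFF)


def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left zero because this check never uses it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def build_frag_needed(next_hop_mtu: int, orig_ip_hdr: bytes, orig_l4_first8: bytes) -> bytes:
    """ICMP type 3 / code 4 as a router would send it: 8-byte ICMP header (next-hop MTU in
    the last two bytes), then the offending datagram's IP header and first 8 bytes of payload."""
    icmp_hdr = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    return icmp_hdr + orig_ip_hdr + orig_l4_first8


def handle_pmtu_icmp(icmp_pkt: bytes, conns: Dict[tuple, TcpConn]) -> Tuple[bool, str]:
    """Adopt the advertised MTU only if the quoted TCP segment is one this side has in flight."""
    if len(icmp_pkt) < 8 + 20 + 8:
        return False, "truncated ICMP message"
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp_pkt[:8])
    if icmp_type != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return False, "not a fragmentation-needed message"
    inner = icmp_pkt[8:]
    ihl = (inner[0] & 0x0F) * 4
    if (inner[0] >> 4) != 4 or ihl < 20 or len(inner) < ihl + 8:
        return False, "malformed embedded IP header"
    if inner[9] != IPPROTO_TCP:
        return False, "embedded datagram is not TCP"
    src = socket.inet_ntoa(inner[12:16])
    dst = socket.inet_ntoa(inner[16:20])
    # Only the first 8 bytes of the TCP header are guaranteed to be quoted: ports and sequence number.
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    conn = conns.get((src, sport, dst, dport))
    if conn is None:
        return False, "no matching connection"
    if not seq_in_flight(seq, conn.snd_una, conn.snd_nxt):
        return False, "sequence number not in flight: ignored"
    # Assumed extra sanity check: only accept a real decrease above the IPv4 minimum.
    if mtu < IPV4_MIN_MTU or mtu >= conn.pmtu:
        return False, "advertised MTU is not a usable decrease: ignored"
    conn.pmtu = mtu
    return True, "path MTU lowered to %d" % mtu


def demo() -> Dict[str, object]:
    """Constructed sample: one connection, one genuine ICMP message and one blind off-path guess."""
    key = ("10.0.0.1", 443, "192.0.2.10", 51000)   # assumed addresses: our side first
    conns = {key: TcpConn(snd_una=1000, snd_nxt=5000)}
    src, sport, dst, dport = key

    def icmp_for(seq: int, mtu: int) -> bytes:
        ip = ipv4_header(src, dst, IPPROTO_TCP, 1500)
        l4 = struct.pack("!HHI", sport, dport, seq)
        return build_frag_needed(mtu, ip, l4)

    genuine = handle_pmtu_icmp(icmp_for(2000, 1400), conns)   # seq inside [1000, 5000)
    spoofed = handle_pmtu_icmp(icmp_for(99999, 296), conns)   # guessed seq, tries to shrink the MTU
    return {"genuine": genuine, "spoofed": spoofed, "pmtu": conns[key].pmtu}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point of the sequence-number test is that an off-path attacker who can spoof ICMP but cannot see the TCP stream has to guess a 32-bit value inside the current send window, which turns a trivial MTU-shrinking denial of service into a blind guess.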
486137 Activation function has been modified to eliminate dependency on the MCPD.
486356 Fixed mcpd validation to allow a stats profile to be included in a sip virtual server.
486450 iApp redeployment now works correctly, and no longer causes mcpd on secondaries to restart.
486512 Forwarded auditing messages now contain the correct nas-ip-address attribute, so config auditing is now working as expected.
486514 Fixed the crash that occurred in the logging module when using TCP as the transport to a log destination server.
486640 A DB variable was introduced to work around this problem by changing the RFC 5424 message ID format to drop the last colon and replace the first one with the letter 'p' (priority): tmsh modify /sys db logpublisher.logstash_rfc5424_fix value true. To revert this behavior: tmsh modify /sys db logpublisher.logstash_rfc5424_fix value false.
486712 Improved the statistics for updating the number of PVA connections when using fastL4.
486724 Config-sync is now successful after upgrading from v10.
486762 With the fix in place, clients may open the full number of allowable connections.
487233 An issue has been corrected which affected NTP and RSYNC access via the management network in vCMP guests.
487552 Three or more modules can be provisioned on VCMP guests and VE guests having 5632 MiB or more memory.
487581 You can now use leading exclamation point ( ! ) for Name and Password without error when specifying SSL Certificate Subject Alternative Name.
487587 The allowed range of 'status-age' has been changed to 0 - MAX_INT, with 0 indicating that the status-age check is not performed. That is, it is not checked if the 'thisUpdate' value in the OCSP response is lagging in time by a specified value. Also, the default value of the status-age has been changed to 86400 (one day in seconds).
487781 tmrouted is now restarted whenever a UCS file is restored on the BIG-IP system. The routing protocols pick up the changes from the ZebOS.conf restored from the UCS file.
487800 The guest-specific configuration information blocks are now isolated from each other and the hypervisor is protected against invalid data injected by a vCMP guest.
487983 In this release, when an unsupported cipher is negotiated, the system presents a message similar to the following: 'Cipher 33:3 negotiated is not supported by Proxy SSL configured in virtual server /Common/vs_ssl_proxy.'
488180 An issue has been resolved which could cause mcpd to continuously restart after a chassis blade replacement.
488193 iRule nexthop is now considered after failover with IP forwarding virtual server, so FastL4 forwarding virtual server connections no longer fail after a failover.
488374 The racoon daemon no longer crashes due to mismatched IPsec policy configuration.
488427 A limit on the maximum number of outstanding SSL handshakes per profile has been added to protect against memory overrun.
488462 Server-initiated banner protocols now work properly when 'verify accept' is set on the TCP profile.
488598 SMTP monitor no longer fails when using a non-default route domain.
488908 When a client-ssl profile serves the server side, BIG-IP SSL now initializes parameters in the initialization function as expected.
488916 Validation error is no longer thrown and address in IP/CIDR format is now handled correctly.
488931 TMM no longer restarts while handling Multipath TCP (MPTCP) traffic.
489084 FQDN nodes, like regular IP nodes, are now required to be unique across folders.
489451 The system now checks for OpenSSL failures during SSL handshake generation, so TMM no longer panics.
489750 The system now handles the case in which deleting FIPS key by-handle using tmsh when the key name is different from the FIPS-label of the key.
489790 A Distribution drop-down list has been added for Remote High Speed Logging destinations. It takes one of the following values: adaptive (the default behavior, adding logging server connections as needed); balanced (distributing logs between logging servers according to the load-balancing algorithm); replicated (replicating logs to all logging servers). This provides a more balanced approach, distributing logs according to the load-balancing criteria, and the option of replicating logs across all pool members for redundancy.
489796 A TMM crash bug when using Woodside congestion control has been fixed. The issue was a division by 0 bug.
489843 File Object configurations now return all expected properties in iControl REST GET operation.
489865 The 64 KB header value limit for ASM has been raised.
490129 The SMTP monitor now successfully monitors IPv6 pool members.
490171 It is no longer required that a default management route is setup in order to add nodes via their FQDN.
490174 TLS server code can now handle ClientHello.protocol_version that is higher than TLS1.2, according to the TLS1.2 specification.
490225 BIG-IP DNS/mcpd now checks for an existing key and does not import keys that already exist.
490414 /shared/vmisolinks is now properly cleaned up upon system startup.
490429 The dynamic routes for the default route are no longer flushed during operations on non-default route domains.
490480 UCS load now completes successfully if the saved configuration includes FIPS keys with names containing dot ( . ).
490537 Using the GUI to view Persistence Records statistics when there are a large number of records might crash the system. (Persistence Records are available for LTM and GTM by navigating to Statistics :: Module Statistics, clicking Local Traffic, DNS Delivery, or DNS GSLB, and then selecting 'Persistence Records' for Statistics Type.) This occurs when viewing statistics in the GUI for a large number of Persistence Records (approximately 1 million, but the number might be lower depending on network configuration and capacity). The system runs out of memory and fails over. Workaround: Use TMSH to see Persistence Records and associated statistics. For LTM and GTM Delivery: tmsh show ltm persistence persist-records. For GTM GSLB: tmsh show gtm persist destination | level | target-name | key | max-results | target-type.
490577 An issue has been corrected which could result in the TMM process crashing and leaving a core during process shutdown.
490713 FTP port selection uses a round robin method to avoid quick-reuse as much as possible.
490740 HTTP will no longer crash if HTTP is disabled while it is parked on the client side.
490817 Clear codec alert after propagation so SSL filter no longer reports alerts indefinitely.
490893 HSL-logged deterministic NAT state information can be used to correctly forward-map and reverse-map.
491454 SSL handshake now completes successfully when a SPDY profile is attached when Next Protocol Negotiation (NPN) is detected on a BIG-IP system with a Cavium Nitrox accelerator.
491518 SSL [session id] persistence no longer prematurely terminates the TCP connection.
491556 tmsh show sys connection output is correct for users that do not have access to all partitions.
491727 BIG-IP configurations now load successfully after an upgrade if the TCP profile's Time Wait value is set to 4294967295.
491791 Performing a GET on nonexistent pool members through iControl REST now returns an error.
492163 Instances in which the pool monitor is incompatible with the pool member are now validated correctly.
492368 CVE-2014-8602.
492422 Response code now reported only in HTTP response logs.
492458 Initial BIOS 1.05.033.0 release. No issues.
493014 The deprecated "MPTCP Debug" tcp profile option was removed from the UI. The tmsh help text was updated to specify that "MPTCP Debug" option of the tcp profile has been deprecated.
493117 Now, an advertised route remains advertised after its netmask is changed.
493140 Using cookie hash persistence and invoking cookie hash persistence from within an iRule now works as expected.
493223 syscalld has a fixed-size queue of jobs. If this fills up, then it will intentionally dump core, but this core dump used to have little visibility into what commands were being run at the time. It now maintains a list of the most recently run commands that will be written into the core file.
493246 The software that generates the F5 BIG-IP MIBs has been updated to allow a slot 0 return value.
493250 Disabling graceful-restart now persists through system reboot.
493673 Fields that must not be compressed, e.g., the NAPTR Replacement field, are now correctly left uncompressed.
493807 Using PPTP with profile logging now works correctly and no longer causes TMM to crash.
493950 The system now prevents an unbalanced configuration of TCP, UDP, or SCTP profiles set with context clientside without a corresponding context serverside (and vice versa), and the upgrade process corrects existing configurations so that roll-forward occurs correctly.
494122 dnatutil can use HSL-logged state information for deterministic NAT on p8.
494280 The system now drops the new flow/tunnel and allows it to clean up, so TMM no longer crashes when PPTP finds a redirected flow when checking for an existing tunnel.
494319 The system now checks that the state is not in closing state before updating the statistics.
494322 The TMM no longer crashes under load when the HTTP_REQUEST iRule handler is used with the explicit proxy. HTTP state-changing commands used within HTTP_REQUEST on the explicit proxy now work correctly.
494333 Cookie persistence now works as expected.
494367 HSB lockups no longer occur after a HiGig MAC reset on BIG-IP 5000-series and 7000-series platforms.
494743 TMM translations after blade failure or startup can now be properly reverse-mapped by dnatutil.
494978 The hostagentd daemon is no longer started when the BIG-IP system is not provisioned for vCMP.
495020 Changes to the Perfect Forward Secrecy configuration of an IPsec IKEv2 Peer are now successfully processed using the GUI.
495215 Device trust will now request a unique iControl session ID when communicating with peers in order to avoid conflicts with external scripts.
495253 TMM no longer cores in low-memory situations during SSL egress handling.
495335 Avoid a divide by zero while computing average packet size.
495526 TMM no longer cores if users choose to modify the tunnel interface attributes, such as MTU value, before traffic passes through an IPsec tunnel interface.
495557 Ephemeral node health status now reports 'offline' rather than 'unknown' in cases in which the monitor is offline.
495574 DB monitor functionality might cause memory issues.
495588 Before v11.5.0, Clientssl profile only supports one key/cert pair, no name associated with the key/cert pair. In v11.5.0, multiple key/cert pairs are associated with one clientssl, so each key/cert pair has a name.
495836 SSL verification error no longer occurs when using server side certificate.
495838 Round Robin DAG can now be enabled only on platforms that support it.
495862 Virtual status now stays red if all the pool members are down.
495875 Connection limit on nodes now works correctly, and no longer causes tmm to loop indefinitely with heavy traffic.
496758 The system now handles a configuration in which a child custom monitor precedes the parent's, so that monitor parameters are constructed properly.
496950 The standby device ignores the route to the client when accepting mirrored connections. If failover occurs without a route back to the client, the connection will still fail on failover.
497078 tmm no longer crashes when a user modifies an existing IPsec policy configuration object.
497579 An issue has been corrected that might have prevented a vCMP guest from processing SSL and compression traffic.
497584 The RA bit is set for the response when the cache resolver answers the query from the fast path.
497619 The intermittent performance impact no longer occurs when a pool member goes up and down when using source_addr persistence.
497719 CVE-2014-9295, CVE-2014-9293, CVE-2014-9294, CVE-2014-9296
497742 All TCP re-transmits have the proper source MAC address.
498005 HTTP::payload will no longer cause a TMM crash if invoked in a non-HTTP event. Instead, an error will be returned to the iRule.
498269 The 5200 platform now forwards STP BPDUs across VLAN groups when in PASSTHRU mode.
498334 TMM will correctly send a response message back when processing a zone notify message from a remote name server.
498597 When the SSL profile fails to initialize, it now causes the SSL to reject traffic correctly.
499150 Connections will be reused even with VIP on VIP configuration.
499260 Deletion of a device trust domain now completes successfully when the BIG-IP system is a member of a device trust domain configured with a traffic group high-availability order that references a device other than the local system.
499280 For the serverside, the system now contains sha512 in the signature_algorithms extension when sending the clienthello with TLS1.2 (when the user configures 'ANY' in the SSL sign hash option in the serverssl profile), so that the server does not reject the SSL connection because the BIG-IP system does not contain sha512 in the clienthello. sha512 is also included on the clientside so that if the client uses sha512 to hash/sign the certvfy message, the BIG-IP system (acting as a server) does not reject to verify it (when the user configures 'ANY' in the SSL sign hash option in the clientssl profile).
499430 Standby unit no longer bridges network ingress packets when bridge_in_standby is disabled. This is correct behavior.
499701 The SIP UDP flow now remains when the ingress len limit is reached.
499795 Persist record now has correct "Client Addr" even when the owner for the persist record is in different TMM.
499946 The processing buffers reserve the proper number of subsequent parameters.
499947 The Virtual Address state change code was improved in multiple areas: 1. GTM is checked for provisioning. 2. Each individual Virtual Address is checked for GTM association before assuming it needs to be broadcast. 3. Virtual Address changes caused by the Virtual Server, Pool, or Virtual Address changes are processed at a higher priority. 4. Virtual Address changes caused by a GTM state change are processed after the Virtual Server changes in #3. 5. All Virtual Address changes are processed on a queue that limits the number per mcpd event loop, preventing Virtual Address status changes from blocking normal mcpd operations.
499950 An issue involving inconsistent behavior of persistence across TMMs is fixed.
500234 Fixed a race condition that might have caused IPsec components to access previously freed memory.
500365 This release fixes a memory leak that occurred when using SIP in TCP/ClientSSL configurations, when the clientside flow was torn down in response to the SSL handshake not completing. The system now frees the SIP handler upon receiving the notification of a failed SSL handshake, so that the connection is rejected, the system performs the proper cleanup of the SIP handler, and no memory leak occurs.
500424 DNATUtil will continue on even if it encounters an error. It will report the error but not exit.
500625 The default-value is one of the values available for modifying the LTM profile client-ssl options. Use this value to reset the options to their defaults.
501264 When there is an error in a payload chunk header of a response from the ICAP server, the BIG-IP system detects an error and aborts (RST) the connection to the ICAP server, and performs the configured service-down-action on the HTTP virtual server (the service-down-action is configured in the request-adapt or response-adapt profile).
501271 You can now use the vCMP guest to install hotfixes without error.
501418 OSPF: Multiple ECMP default routes are now distributed to TMM.
501437 The rsync daemon is now shut down properly when the configsync-ip is set to none, and no longer listens on configsync-ip.
501516 bigd no longer runs out of file descriptors during restart when using a very large number of monitors.
501517 Increased the transaction timeout to accommodate very large configuration transfers.
501690 TMM no longer crashes due to the behavior of the LTM listener with an iRule that has a RESOLV::lookup command when parsing its return values.
501953 The fix correctly removes the next active setting for a device when it is in standby mode and a HA failsafe triggers. This causes a new device to be picked as next active if one is in standby mode and capable of running the traffic group.
501961 The system no longer reports the following messages during blade power-up and power-down operations: warning clusterd[7569]: 013a0009:4: Blade 7: blade 5 powered DOWN.
502149 iControl now stores the mode information and sets a default value for it, so no error is reported.
502197 The BIG-IP system now uses outbound proxy setting from existing db variables proxy.host, proxy.port, proxy.protocol, proxy.username, proxy.password for the update check and phonehome_activate features.
502238 Three related fixes are needed to fully address the issue: -- ID 466260, covered in SOL15953: TMM may produce a core file with the 'Assertion we always have room in tx ring! failed' error message. -- ID 502238, covered in SOL16736: The BIG-IP system may lose connectivity and fail to process all traffic through TMM if the HSB is overloaded. -- ID 509782, covered in SOL16780: The BIG-IP system may drop TSO packets. The Solutions are available here: -- https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15953.html -- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16736.html -- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16780.html
502443 When a VIPRION blade comes on-line, the bigd process on the blade no longer starts health monitors prematurely, which could have caused some monitored objects to be marked down incorrectly.
502675 LOP/LBH firmware updates are protected against rare corruption by critical kernel events.
502683 Traffic is now handled correctly in certain corner cases involving hardware syncookies.
502714 File objects now properly resolve references within the transaction.
502747 The BIG-IP system will no longer generate an ACK to incoming SYNs which match an existing connection that cannot be recycled.
502770 Parking commands can run inside clientside and serverside. The client side connection must exist when the clientside command runs; the server side connection must exist when the serverside command runs; otherwise the clientside and serverside commands fail.
502959 The system now deletes a persist entry from all peer TMMs when it is deleted in any TMM, so no conflicts occur.
503118 Parking commands can run inside clientside and serverside. The client side connection must exist when the clientside command runs; the server side connection must exist when the serverside command runs; otherwise the clientside and serverside commands fail.
503237 CVE-2015-0235 is fixed.
503343 Prevent TMM crash due to cloned packet incorrectly marked for TSO.
503381 SSL persistence no longer causes the connection to be reset with non-SSL traffic.
503384 The SMTP monitor now succeeds with a multi-line greeting banner from the SMTP server.
503560 The validation logic is now changed so as to allow a Statistics profile and an HTTP transparent profile to be attached to the same virtual server simultaneously.
503604 When switching from interface tunnel to policy based tunnel, tmm cores.
503620 BIG-IP SSL now works well with ciphers ECDHE_ECDSA or DHE_DSS with OpenSSL client version OpenSSL 1.0.1k and later.
503652 Some SIP UDP connections are now retained after enabling a blade on the Active HA unit.
503676 SIP REFER, INFO, and UPDATE requests now trigger the SIP_REQUEST and SIP_REQUEST_SEND iRule events. This is the correct behavior.
503741 The system now silently discards all of the invalid records and preserves the association. This is correct behavior.
503795 Debug logs are no longer displayed when log level is set to notice.
503979 The CPU usage does not increase unexpectedly when the cache resolver sends a large number of DNS queries to slow backend name servers.
504021 A route-domain with routing-protocol enabled now has routes for lsn-pool members, regardless of the order in which routing-protocol or route-advertisement is enabled.
504205 When adding a Rule to a Policy, the system now ensures the Condition is saved with 'equals' when 'equals' is selected in the list.
504306 https monitors now properly perform SSL session re-use.
504348 Two new ADAPT iRule events have been added (ADAPT_REQUEST_HEADERS and ADAPT_RESPONSE_HEADERS) which trigger after ADAPT has received the modified headers, when the IVS is returning a modified request or response. They do not trigger when the IVS has instructed ADAPT to bypass or a service-down condition has occurred.
504396 When a virtual server's ARP or ICMP is disabled, the correct mac address is now used.
504494 Upgrading to 11.5.0 and later no longer associates a disabled HA group to traffic groups. This is correct behavior.
504508 IPsec Tunnel between the BIG-IP system and CISCO devices with older Dead Peer Detection (DPD) are no longer brought down because of mismatched Cookie Field in the DPD messages.
504545 FQDN node without service checking has the correct status: 'Unknown (enabled) - Node address does not have service checking enabled.'
504572 PVA-accelerated 3WHS packets are now egressed on the correct hardware COS queue.
504633 The system now updates the 'expected next sequence number' only when the record is good.
504803 Pools with a name that contains _mam are now showing up in the Pools list in the GUI.
505045 The two described cases are now handled properly by the BIG-IP system. In addition, noticeable problematic configuration situations have been extensively tested and verified to work after the fixes.
505056 Packet priority passthrough mode is now sending correct packet priority and delivering on the correct switch COS queue.
505059 Special characters are now handled properly in the username and password fields.
505071 For certain types of objects, an incorrect message would be sent to the secondary blades' mcpd processes if an object of that type was deleted and then recreated within a single transaction. This would cause mcpd to restart on every secondary blade. The correct message is now sent even for this type of object.
505097 The lsn-pool backup-member prefix is now present in the route table after tmrouted restart, when lsn-pool route-advertisement is enabled.
505123 Querying for sysObjectID on VIPRION 4400 now returns the correct value: Platform Name BIG-IP PB200.
505222 In the previous implementation, DTLS sent CN requests one by one: DTLS sent one request, waited for the response, and then sent another one. The fix sends multiple requests concurrently to CN.
505323 NSM endless loop issue has been fixed and does not hang. Dynamic routing operation is normal.
505324 The nexthop iRule command now works with IPv6 addresses.
505331 SASP monitor no longer cores when multiple Group Workload Manager (GWM) servers are down.
505705 Both the local and mirrored owner persistence record are properly removed.
505878 Configuration now loads to completion on secondary blades.
505973 The monitoring daemon, bigd, may now run as multiple processes for distributed monitoring load. Previously, bigd (the primary monitoring daemon) ran as a single instance per BIG-IP system. By default, the system now runs multiple bigd processes per BIG-IP system if there are enough processor cores to support doing so. Monitor instances are divided among the processes, allowing each to do a subset of the monitoring work. A new sys db variable has been added to control this behavior: Bigd.NumProcs. This variable defaults to 0, which instructs the system to select a reasonable default. When set to 1, bigd runs a single process, very much like it always has. Any value greater than 1, and less than or equal to the number of available processor cores, causes that number of bigd processes to be started. Note that bigd must be restarted with bigstart whenever this variable is changed.
506034 Applied patches for CVE-2014-9297 and CVE-2014-9298.
506041 Only folders and partitions in the device group will get synced. However, since multiple device groups can still share the same partition, there is still a chance that the route domain on the partition could get overridden if the two device groups use different route domains.
506101 Long-running operations via the iControl/REST interface no longer lead to timeouts and non-responsiveness to new requests while the operation completes.
506199 The system now ensures that VDAG entries get ordered correctly to avoid cases where vCMP guests on VDAG platforms might experience excessive TMM redirects after multiple guest provisioning cycles.
506281 Configuration Management tools fix for better reliability.
506282 DNSSEC key generation is now synchronized upon key creation.
506290 Send MPI redirected traffic to HSB ring1, which is correct behavior.
506304 UDP connections no longer stall if initialization fails.
506702 TSO no longer causes rare TMM crash.
507109 The certificate, key, and chain certificate settings in a Client SSL profile no longer change after an upgrade.
507127 DNS cache resolver is added to the correct linklist on creation and removed from the correct linklist on deletion.
507143 Diameter filter will now queue HUDCTL_ABORT events to prevent leapfrogging previously queued events.
507327 A memory leak reading stats has been fixed.
507461 The system no longer resets active net cos settings during device/group HA configuration sync operations.
507602 IPsec lifebyte functions properly and leaves no inconsistent state on the BIG-IP device after rekey.
507611 BGP sessions with TCP MD5 enabled now establish connection to neighbors as expected on BIG-IP 2000- and 4000-series platforms.
507842 CVE-2015-1349
507849 Packets matching these criteria now appear when inspecting the output of tcpdump on a BIG-IP.
507853 Ensured that MCP no longer crashes when performing a large chunked query and a connection to a TMM is severed.
508556 When using the GUI to renew a CA certificate that contains a subject alternative name (SAN), the SAN field is correctly included in the CSR.
508638 Issuing the 'exit' command in the Maintenance Operating System (MOS) now restarts the installer.
508716 The DNS cache resolver no longer drops chunked TCP responses.
509063 Creating or loading a guest config on a clustered BIG-IP with an empty slot 1 no longer results in an error, and the default cores-per-slot value is correctly used for the guests.
509276 VXLAN tunnels with floating local addresses no longer generate incorrect gratuitous ARPs on the standby device.
509475 A SPDY profile with 'activation-mode always' and multiple 'protocol-versions' no longer causes an upgrade to fail. Instead upgrade changes the profile such that the 'protocol-versions' field only contains the highest SPDY protocol version that was listed before the upgrade.
509503 The tmsh load sys config merge operation performance was optimized. With this optimization the time for merge operation is slightly greater than the load operation.
509611 Asynchronous Tasks for Long-Running command control now work as expected.
509641 Ephemeral pool member now correctly inherits attributes from parent node upon resolution.
509782 Three related fixes are needed to fully address the issue: -- ID 466260, covered in SOL15953: TMM may produce a core file with the 'Assertion we always have room in tx ring! failed' error message. -- ID 502238, covered in SOL16736: The BIG-IP system may lose connectivity and fail to process all traffic through TMM if the HSB is overloaded. -- ID 509782, covered in SOL16780: The BIG-IP system may drop TSO packets. The Solutions are available here: -- https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15953.html -- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16736.html -- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16780.html
510159 Outgoing statistics for MAP tunnels are now included in the 'tmsh show net tunnels' command output.
510164 DNS Express zone RR type-count statistics are correctly set after restarting zxfrd.
510393 Resolved occasional TMM restarts when stopping vCMP guests on 12050 and 10350N appliances.
510425 DNS Express zone RR type-count statistics now display correctly.
510436 tmm log messages posted during startup now include the correct BIG-IP system hostname.
510580 Loading of a set of partitions not including Common no longer re-enables interfaces that were previously disabled.
510597 SNAT Origin Address List is now stored correctly when first created.
510638 Configuration changes in the DNS cache resolver now take effect immediately and no longer require a tmm restart.
510921 Database monitors now support monitoring IPv6 nodes.
511057 Monitor modification and deletion can now happen in the same transaction.
511130 Memory is now validated before handling a CMP acknowledgement.
511326 The BIG-IP system now correctly forwards messages when configured as SIP ALG with translation.
511398 When the responder side ipsec-policy remote IP address is configured with wrong IP address, tunnel negotiation now fails, which is correct behavior.
511517 The system now supports simultaneously configuring both a Request Logging profile and an HTTP transparent profile on a single virtual server.
511559 Virtual address status is updated after load, so no unavailable virtual address is advertised.
511588 The system now correctly handles the case in which two virtual addresses share the 'any' address (0.0.0.0), one in a route domain other than 0 (zero), and one in route domain 0.
511651 Fixed memory leak related to packet processing.
511751 The GUI no longer allows 'none' as a value for LTM policy operand and action parameters, which avoids an issue where a configuration is created that cannot be loaded.
511924 LTM Policy rules now receive stricter validation.
512016 There is now a DB variable to control DNS UDP truncation behavior: dns.udptruncate. When dns.udptruncate is enabled, UDP DNS responses are truncated if the response is larger than 512 bytes. When dns.udptruncate is disabled, the message is not truncated, and the full message is received. If the client specifies a non-default size via EDNS, the message is truncated if the response is larger than the specified size regardless of the value of dns.udptruncate.
512054 The BIG-IP system now correctly creates a media channel for audio/video traffic when the CSeqID value is greater than 64 KB.
512148 A self IP now can be deleted even when its VLAN is associated with a static route, as long as at least one self IP exists on that VLAN. If the static route is IPv4, then an IPv6 self IP does not meet the requirement, and vice versa.
512383 The incorrect stats values are fixed.
512485 In this release, the system does no L2 forwarding of encapsulated frames received from one endpoint and destined to another within the same overlay (VXLAN VNI/Tunnel), so no extra hop is added.
512490 Disable Nagle algorithm on TCP/HA profile to improve performance.
512688 The 'Display LCD System Menu' checkbox is now available in the GUI for the BIG-IP 4000, 5000-series, and 7000-series platforms.
513034 TMM no longer crashes if Fast L4 virtual servers receive fragmented packets.
513142 FQDN nodes with a default monitor no longer cause configuration load failure.
513151 Added new SNMP OID for Victoria 1+ with SSD platform.
513202 A DNS client will be properly filtered by the RPZ database.
513213 An issue with hardware syncookies and FastL4 connections has been resolved.
513243 If certain crypto commands return an error but memory is allocated successfully, the system now protects against the double-free scenario.
513294 LBH firmware v3.07 update for BIG-IP 5000-/7000-series appliances now works as expected.
513319 TMM no longer leaks memory when the sideband destination is unreachable.
513454 Cache internal query data to optimize statistical queries.
513649 Attempts to delete and recreate objects within the same transaction now complete successfully.
513974 The system now supports adding/removing a reference and the object in a single transaction.
514450 This version of software more consistently handles the condition of a remote MAC address being moved from one endpoint to another.
514496 The system now allows recreation of rate-shaping context after it has been destroyed due to modification.
514514 The gtm_add script now saves the BIG-IP configuration (using tmsh save sys config) when the master keys are exchanged. This is necessary for proper functioning of configuration parsing and loading.
514521 Early retransmit now handles corner cases where the SACK scoreboard is empty.
514604 Management of nexthop object reference counting is more consistent.
514686 Software archive files with parenthesis in the name are shown as 'undefined' (or blank) in Software Volume Management (SVM).
514726 Individual DSR tunnels are removed after the corresponding client's user flows expire.
515009 In this release, the log.ssl.level default is set to 'warning', to more easily identify the reason for SSL failure. There is no longer any need to set the log.ssl.level to 'debug.'
515139 The BIG-IP system now correctly represents the pool current connections in the specific configuration combination.
515226 All handling of objects has been updated to common handling procedures that align with tmsh handling.
515482 When receiving ABORT commands, TCP catches cases where the connection is already closed.
515646 TMM no longer cores when multiple PPTP calls arrive from the same client.
515667 Truncated OIDs are now appended with a unique check-sum value that remains unchanged from one query to the next.
516057 When a configuration update or sync takes place while there are active connections on an affected internal virtual server (IVS), new connections fail and log an error message indicating that the IVS is not ready for connections. If the connections are to an ICAP server, the BIG-IP system performs the service-down-action configured in the request-adapt or response-adapt profile of the virtual server that attempted to initiate the connection. There are no assertions or unpredictable effects. Any new connections that failed for this reason may be retried after the configuration update is complete.
516179 The Woodside congestion control algorithm now correctly detects congestion without false alarms.
516292 The http/2 protocol handling now correctly encodes repeated headers.
516320 Match across persistence no longer causes CPU spike.
516322 Modifying a persistence profile while updating partition /Common during a merge config no longer disassociates the iApp from the virtual server.
516327 Stricter validation makes http2 more secure but pre-12.0 configurations using http2 may need attention.
516432 DTLS no longer sends corrupted records when DB variable tmm.ssl.dtlsmaxcrs is not default value 1.
516540 devmgmtd no longer leaks file descriptors in a certain error path (which would sometimes cause it to dump core).
516598 The system now prevents starting multiple TCP keepalive timers for the same FastL4 flow.
516669 Errors in handling allocated memory have been fixed to prevent memory allocator failure.
516808 'tmsh list ltm monitor monitor_type monitor_name' no longer returns output when the named monitor is not of the specified monitor type. For example, if there is an HTTP monitor on a system named 'http', the query 'list ltm monitor gateway-icmp http' no longer lists the HTTP monitor, because it is not of type gateway-icmp. Note that if the command asks for a monitor that does not exist on the system, the system returns a message similar to the following: 01020036:3: The requested monitor (/Common/http1) was not found. However, if only the type is different, no not-found message is posted.
516995 NAT traffic group inheritance now syncs across devices using incremental sync.
517124 The HTTP::retry command no longer corrupts input that isn't in the UTF8 format.
517197 In 11.5.1, the sys httpd ssl-ciphersuite was updated to: (tmos)# list sys httpd ssl-ciphersuite sys httpd { ssl-ciphersuite DEFAULT:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP } However, the tmsh documentation at (tmos)# help sys httpd did not correctly list the new defaults. This was corrected. The help page now lists the correct defaults.
517209 The /var/tmp or /shared/tmp are now invalid paths for the tmsh save sys config file command.
517556 NS type added to NSEC3 type bitmap.
517578 A logic error on an error path was fixed.
517580 The bcm56xxd daemon detects a bus problem and resets the bus to recover communications with SFP transceivers.
517790 The passthrough-pipeline option now allows unexpected server-side ingress to switch the Transparent HTTP proxy into pass-through mode.
518020 This release has improved handling of certain HTTP types, so that an HTTP request with a version token that is not properly crafted is no longer treated as HTTP 0.9. This has the effect of all of the request data being forwarded to the backend.
518039 Certain iApps deployed by BIG-IQ now provide statistics.
519068 The system now correctly resets device trust when devices are being added to and deleted from the device trust.
519081 The server configuration of :* members now loads without error using tmsh.
519419 We now include the text as the value of the key 'msg' for Splunk.
519510 Change in L4 packet header offset, resulting from VLAN header insertion, is being accounted for to verify checksum.
519781 The Address Field in an iRule datagroup address list now responds correctly to edit operations.
520405 A max-concurrent-queries configuration setting significantly above default no longer leads to a situation that causes tmm to restart in certain traffic loads.
520540 Overlarge HTTP Authorization headers will no longer cause the TMM to crash if they are inspected via the HTTP::username, HTTP::password iRule commands, or via the sflow feature.
520604 Fixed a scenario where route domain creation might fail when using create and modify in the same transaction.
520635 The custom netmask is set correctly on the newly created virtual server.
520640 The iControl Management.Zone.get_zone_v2() method returns a value in the options_seq field in a format that is consistent with the format expected by the Management.Zone.set_zone_option() method.
520682 In PBA mode connections now succeed and new port blocks are allocated as expected when subscriber attempts more than 512 connections to the same server IP and port.
520891 The sequence number when using server-initiated DTLS renegotiation has changed. Formerly, the ServerHello was sequence number 0; now it is sequence number 1. This corresponds with a change in OpenSSL to become RFC compliant. The system will retain the previous behavior on the server, which is not compliant with the RFC. This is required to maintain compatibility with clients that are already deployed by customers. The client behavior now accepts both RFC-compliant and non-compliant renegotiation requests from the server.
521144 Network failover packets on the management interface now have the correct source IP when devices in a device service clustering (DSC)/high availability (HA) device group have management ports on different IP networks, so that a management route is necessary for them to communicate.
521272 Fixes a memory leak in Authentication Token mechanism in restjavad.
521333 An issue affecting vCMP guests when using IPv6 management IPs has been resolved.
521522 Traceroute through BIG-IP now displays a Self IP address of the BIG-IP device at that hop. This is correct behavior.
521538 Keep-alive transmissions now resume after failover of flows on an L4 virtual, when the sequence number is known.
521548 A sporadic crash when using SPDY together with a compression profile no longer occurs.
521556 The assertion "valid pcb" no longer occurs.
521711 The fix sends a Connection: Keep-Alive header to the client, instead of Connection: Close, when the server responds to a non-keepalive CONNECT request with 200 OK. HTTP also keeps the connection open in this scenario.
521813 Reverted changes made for ID481611.
522635 iRule LSN::inbound-entry create is successful and LSN inbound entry is created as expected.
522882 MCP validation is in place to prevent the profile of a tunnel is changed from one type to another after the tunnel is created.
522894 Tooltip now shows the correct host name of FQDN pool members in Network Map tooltips
523032 Integrated fixes to resolve CVE-2015-3456.
523079 Fixed a crash bug in Merged.
523125 Disabling/enabling blades in cluster no longer results in inconsistent failover state.
523434 mcpd on secondary blades may restart and log an sflow_http_virtual_data_source error after a change in the cluster's primary blade.
523527 Routing protocols are now correctly configured on Route Domain 0 (zero) (RD0) after upgrade to version 11.2.0 or later.
523642 Power Supply status is now reported correctly after LBH reset.
523863 The help for the istats command line was augmented to clearly state that the double-dash option should be specified before the negative number.
523909 The ZebOS RIB shows the correct VLAN info for an IPv6 self-ip address that is either moved or removed.
523922 Session table entries now consistently get their timeout values touched in all scenarios.
523995 ECMP routes are working correctly and TMM does not crash.
524326 Extended MCPD validation to ensure any deleted GTM link/GTM server addresses do not leave parent objects without addresses.
524490 tmsh show sys running-config shows minimal default configuration.
524653 In order to reduce iControl SOAP authentication from clients other than iControl, a user may modify the DB variable 'icontrol.webrootenforcement' to be enabled, then restart httpd. Use caution when enabling this feature in order to avoid invalidating existing SOAP clients, in particular those SOAP clients that do not authenticate at the /icontrol/ webroot.
524666 DNS licensed rate limits are now handled as expected.
525478 Correctly handle requests for deflate compression of cached gzip documents with non-deflate compression methods.
525958 TMM no longer cores when load balancing to a node's IP address in iRule, routed towards an unreachable nexthop.
525989 A previously disabled blade is no longer spuriously re-enabled if the primary blade is moved around quickly.
526031 Link LSAs are correctly re-originated by the BIG-IP system when the LSAs are sent to the BIG-IP by a neighbor router.
526419 Deleting an iApp service formerly could fail with an error message like this: 01070712:3: Can't load node: 839 type: 4. This is no longer possible.
526810 The crypto accelerator queue timeout may now be specified in milliseconds using the crypto.queue.timeout DB variable.
527021 BIG-IP iApps now correctly provide statistics to BIG-IQ in empty-pool use cases.
527094 iControl REST: the records collection in tm/ltm/data-group/internal/ now shows the correct partition and subPath metadata.
527168 In the GUI (System :: Users : Authentication), TACACS+ ports now have the correct maximum value of 65535.
527238 "Single DH use" option in Client SSL or Server SSL profiles now works for all configurations except high availability configuration.
528007 The server name extension no longer leaks during renegotiation.
528432 The calculation of the control plane CPU usage no longer includes other CPUs.
528739 The DNS Cache now correctly ignores data from the ADDITIONAL section when constructing the ANSWER section.
529899 On chassis, there was one possible case where the installation would occasionally fail with the error "(Storage modification process conflict.)". This case has been fixed.
530264 Fix clears references to released memory when the parser discards whitespace.
530761 Corrected system to properly handle the above combination of conditions.
531576 TMM no longer leaks memory while processing certain types of TCP traffic.
531705 Issuing a list command for a non-existent iRule now successfully returns an error.
531982 After a dropped message, parser is returned to a state where it is waiting for the next message.
531986 The problem with default tmm route breaking Hourly licenses has been resolved with the fix. The default tmm route no longer affects the Hourly license.
532107 Maximum RTT value for nameserver cache is now deleted when the nameserver cache is deleted, which is correct behavior.
532911 Ignore X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE certificate validation error message when serverssl profile sets 'Untrusted Certificate Response Control' to ignore.
533257 Fixed a problem with tmsh config file merge failing when AFM security log profile is present in merged file.
533388 tmm no longer crashes with assert "resume on different script".
534052 Memory is no longer leaked when VLAN failsafe is active and sending ICMP probes.
534630 BIND was upgraded, which addresses this vulnerability. F5 is less vulnerable than the industry rating due to system design.
534795 Add additional protection and error logging for VLAN-name- and VLAN-ID-lookup failures in the switch daemon.
534804 TMM no longer cores in certain conditions with rate limiting and service-down-action reselect on pool members.

Behavior changes in 12.0.0

ID Number Description
224022 The HTTP response statistics were collected on the server-side and accounted for status code and version that were received from the server. These did not accurately reflect the status code that was sent to the client. With the new changes, the response statistics are now collected on the client-side and should reflect the status code and version sent to the client, if the original status code received from the server was changed by a plugin, say ramcache or WAM.
224131 GTM global setting send-wildcard-rrs now triggers resource record auto-creation in BIND when creating wildcard wide IPs.
227347 Added the HTTP::cookie attribute iRule command. The supported sub-commands are:
HTTP::cookie attribute COOKIE_NAME insert ATTRIBUTE [VALUE]
HTTP::cookie attribute COOKIE_NAME exists ATTRIBUTE
HTTP::cookie attribute COOKIE_NAME value ATTRIBUTE [VALUE]
HTTP::cookie attribute COOKIE_NAME remove ATTRIBUTE
HTTP::cookie attribute COOKIE_NAME names
HTTP::cookie attribute COOKIE_NAME count
248678 Default value for bridge_in_standby attribute in vlangroup has changed from enabled to disabled.
250670 Unnecessary trailing semicolons are no longer appended to cookie headers.
343455 The cookie handling code no longer uses case-sensitivity of attributes to determine cookie RFC version.
345389 The HTTP::cookie functions are now case and sigil insensitive when operating on attributes.
348194 ENG HFs and Rollup HFs (at this time only v11.5.1 HF5) have the TM.TCPFinWait2Timeout db variable to tune the fin wait 2 timeout for all tcp profiles. With the 12.0 fix, it is changed to a per tcp profile configuration item. Also, when the customer migrates from these ENG HFs or Rollup HFs (at this time only v11.5.1 HF5), the db variable value does *not* get migrated and the profile's fin-wait-2-timeout is set to the default of 300 seconds.
357188 The grub_default utility has a new option: -s. The option modifies cluster.conf on the blade so that it is in sync with the current grub configuration. This option is useful when an installation is unsuccessful and the cluster contains a nonworking version of the software: the entire cluster boots to the newly installed location, which cannot run mcpd, which in turn prevents setting a different default boot entry so the system can be rebooted to a working version of the software. The -s option can be specified concurrently with other options (e.g., grub_default -bs HD1.1). The change occurs in the cluster.conf on the blade where you run the command. Running the utility on a blade in a cluster produces the following results.
1. grub_default -l: Lists grub boot locations.
2. grub_default -c: Displays the currently booted location.
3. grub_default -b: Sets the new active location.
Note: Each of these commands produces a warning if cluster.conf is not in sync with grub. Running grub_default with the -s option on an appliance results in a warning message, and the option is ignored. The warning message is similar to the following: Warning: -s is relevant only for clustered systems. Ignoring -s option.
361367 Partition alignment changes from cylinder to 8 MB boundary.
374067 The persistence record attached to a connection is no longer reset upon pool member detachment when using OneConnect. When using OneConnect, the pool member detaches on the completion of every response. This causes subsequent requests to be LB'ed to the original pool member.
382157 F5-BIGIP-SYSTEM-MIB::sysVlanStatTable is obsoleted, IF-MIB::ifXTable should be used instead.
398067 As of version 11.0.0, upgrade performs a check to ensure a failover unicast address actually exists. In configurations using the management port for failover, the management IP and unicast failover IP must be identical for failover to function properly. A further change was made in 11.3.0, so that upon upgrade to 11.3.0 and later, an error occurs if these IP addresses are not identical. To work around this, ensure that the management IP and unicast failover IP are identical before upgrading.
415726 12.0 includes a new editor for LTM iRules (Local Traffic > iRules). It provides features such as line numbering, syntax highlighting, brace matching, code folding and search/replace. Note that the new editor is only available for modern browsers. IE8 and earlier will display the legacy simple text area for editing rules.
451433 In the previous code, if a user configured both HA Group Score and an HA Failsafe, when the failsafe triggered, all traffic groups on the failed device would transition to Standby. However, the group score for that device would remain at the prior value so that the traffic group would not become active on another device. The result was a traffic group that was not active on any device. With this change, the traffic group score on the failed device is forced to 0, since the failsafe condition indicates that the device is not acceptable to host any traffic group. The HA Group scoring algorithm then activates the traffic group on the best remaining non-failed device.
462879 Self IP netmask changes that would invalidate a static route gateway address are no longer allowed.
463152 Corefiles are now purged on upgrade.
465286 Added an INFO-level log message that will trigger when max_requests is exceeded. The default HTTP log level will not display this message.
468964 New values and strings for proxy data.
471042 Datastor will now reserve a given percentage of the obj table for the writing of new objects. By default, if a new object cannot be created after a given period of time, datastor will log a message, then restart. Controlling how many contiguous failures are tolerated, the percentage of the obj table to reserve for writing, and how to restart datastor has been exposed as a new command line parameter.
473188 dnatutil summary will no longer display default DAG information.
474465 Average system CPU and busiest CPU calculation is now based on the critical data plane processing.
476444 Graceful restart can now be disabled for all protocols by explicitly disabling it in ZebOS.
477753 No forwarding flows are created by proxy_connect for serverside flows with immediate timeout configured. Affects only full-proxy UDP virtual servers at this point.
478474 Taking a qkview on vCMP hosts and guests will include an enhanced view of run-time system details inclusive of the licensing dossier and internal addressing. There is an authentication token that is not live by the time the qkview has been collected from the host.
478767 New configuration properties:
tmsh modify auth cert-ldap system-auth { ssl-cname-field san-other ssl-cname-otheroid 1.3.6.1.4.1.311.20.2.3 }
ssl-cname-field defines which value from the client certificate will provide the client name. The choices are: subjectname-cn, san-other, san-email, san-dns, san-x400, san-dirname, san-ediparty, san-uri, san-ipadd, san-rid. The meaning of each of these values is as follows. Terms in angle brackets (< and >) reference names defined in RFC 5280.
subjectname-cn: (default) select the commonName (CN) attribute from the subjectName field.
san-other: select the <GeneralName> <otherName> attribute from the <SubjectAltName> field. When this value is selected, ssl-cname-otheroid must also be configured.
san-email: select the <GeneralName> <rfc822Name> attribute from the <SubjectAltName> field.
san-dns: select the <GeneralName> <dNSName> attribute from the <SubjectAltName> field.
san-x400: select the <GeneralName> <x400Address> attribute from the <SubjectAltName> field.
san-dirname: select the <GeneralName> <directoryName> attribute from the <SubjectAltName> field.
san-ediparty: select the <GeneralName> <ediPartyName> <partyName> attribute from the <SubjectAltName> field.
san-uri: select the <GeneralName> <uniformResourceIdentifier> attribute from the <SubjectAltName> field.
san-ipadd: select the <GeneralName> <iPAddress> attribute from the <SubjectAltName> field.
san-rid: select the <GeneralName> <registeredID> attribute from the <SubjectAltName> field.
ssl-cname-otheroid provides the ASN.1 object identifier that defines the type of the attribute that holds the client name. For example, OID 1.3.6.1.4.1.311.20.2.3 represents the userPrincipalName, which is a UTF8 string containing the unique username used by Microsoft Windows domain controllers in Common Access Card (CAC) deployments. The ssl-cname-otheroid must be configured when ssl-cname-field is set to san-other. In all other situations, the value in this field is ignored.
480583 Prior to this release, SIP/DNS DOS detection and mitigation was supported on TCP, UDP, and SCTP protocol packets. With this release, SIP/DNS DOS detection and mitigation is only for UDP protocol packets. SIP/DNS DOS attacks will not be detected for TCP and SCTP protocol packets.
480811 qkview now explicitly excludes file collection from the lib and lib64 directories (as well as /usr/lib and /usr/lib64).
480911 CGNAT PBA Syslog and Splunk messages have 2 new fields added: 1) allocation UTC time on both ALLOCATE and RELEASE messages, and 2) duration in seconds on RELEASE messages.
482950 Phone Home scheduled jobs are now scheduled based on installed time, rather than at default daily/monthly intervals found in cron.daily and cron.monthly.
484000 BIG-IP software does not negotiate SSLv2 or SSLv3 protocol, or export ciphersuites for these keywords: DEFAULT, ALL, NATIVE, COMPAT. After upgrade to this release, ciphersuites limited to SSLv2, SSLv3, and Export will not be available, unless added explicitly. Furthermore, the COMPAT set is empty in this release by default. Specifically, COMPAT includes four export ciphers, which are not enabled by default, resulting in an empty set.
484664 Tcl syntax checker now supports creating an iRule with the LSN::pool command in the CLIENT_DATA event.
487552 You are now allowed to provision any number of combinations of modules on platforms with 5.5 GiB of memory or more so long as there are resources available. Previously, 3 or more modules were not allowed to be provisioned on platforms with 6 GiB or less. Note that Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
493250 Graceful restart can now be disabled at the command line and the setting persists through reboots.
495721 Matches User Level Permissions between TMSH and GUI. Specifically: Managers can no longer Create DNS Net Resolvers through the GUI. Administrators, Firewall Managers, and Resource Administrators can now Delete and Modify DNS Net Resolvers through the GUI.
497328 AFM DDOS filters no longer block IGMP IP packets with Router alert option to support multicast use-cases, even if tm.acceptipoptions is disabled. If it is desired to block these packets, both tm.acceptipoptions and tm.allowigmprouteralert sys db variables should be set to disabled.
497433 SSL Forward Proxy server side supports all key exchange methods. Previously, SSL Forward Proxy on the server side only supported RSA, ECDHE-RSA, and EDH-RSA key exchange methods.
499947 The Virtual Address state change code was improved in multiple areas:
1. GTM is checked for provisioning.
2. Each individual Virtual Address is checked for GTM association before assuming it needs to be broadcast.
3. Virtual Address changes caused by the Virtual Server, Pool, or Virtual Address changes are processed at a higher priority.
4. Virtual Address changes caused by a GTM state change are processed after the Virtual Server changes in #3.
5. All Virtual Address changes are processed on a queue that limits the number per mcpd event loop, preventing Virtual Address status changes from blocking normal mcpd operations.
502443 The external monitoring daemon (bigd) no longer sends monitoring traffic while the blade (cluster member) is offline or disabled, or while the HA member (chassis or appliance) is offline (including forced offline).
502679 Previously, when one of the pre-configured IP reputation blacklist categories (e.g., botnets) was added to the IP Intelligence policy, the IP addresses belonging to the other pre-configured blacklist categories (e.g., scanners, spam_sources, etc.) were also matched by that policy and the default policy action was applied. This is no longer the case. In order for any IP address to be matched by the policy, its blacklist category must be configured in this policy. Previously, IP Intelligence blacklist categories automatically learned from URL feed lists were implicitly added to the IP intelligence policies using these lists, and matching IP addresses were subjected to default policy actions. This is no longer the case. The categories automatically learned from URL feed lists now must be explicitly configured in the policy. The IP addresses that are included in the WHITELIST category in the URL feeds will continue to be implicitly matched by the policies using the feeds. IP addresses previously matched by the policy may no longer be matched and may not be subjected to the default policy actions. Users may be required to change IP Intelligence policy configuration by adding desired categories to IP Intelligence policies. To prevent loss of functionality, the categories must be added to the policies before performing the upgrade to 12.0.0.
502770 The clientside and serverside commands error out if the client side or server side connection does not exist at the time the command runs. Here is an example of where this might occur: clientside { SSL::disable }. This script fails if the client side connection does not exist. To work correctly, change the script to: SSL::disable clientside.
504348 Two new ADAPT iRule events have been added (ADAPT_REQUEST_HEADERS and ADAPT_RESPONSE_HEADERS) which trigger after ADAPT has received the modified headers, when the IVS is returning a modified request or response. They do not trigger when the IVS has instructed ADAPT to bypass or a service-down condition has occurred.
505973 Previously, bigd (the primary monitoring daemon) ran as a single instance per BIG-IP system. By default, the system now runs multiple bigd processes per BIG-IP system if there are enough processor cores to support doing so. Monitor instances are divided among the processes, allowing each to do a subset of the monitoring work. A new sys db variable has been added to control this behavior: Bigd.NumProcs. This variable defaults to 0, which instructs the system to select a reasonable default. When set to 1, bigd runs a single process, very much like it always has. Any value greater than 1, and less than or equal to the number of available processor cores, causes that number of bigd processes to be started. Note that bigd must be restarted with bigstart whenever this variable is changed.
506704 The /shared volume is now 60GB on all platforms with disks greater than or equal to 300GB. The previous /shared allocation for disks of this size was 30GB.
508969 Only the binary database is saved for trust changes, instead of a full save.
517579 Qkview now collects the status of all bigd instances running on a blade/appliance, and /var/log/bigdlog log entries are prefixed with the bigd instance and process ID.
517789 The Transparent HTTP proxy will go into pass-through mode if a carriage return or newline is seen before a colon in an HTTP header.
519419 Splunk messages contain only keys and values. The general text in logs is not the value of a key, so it was not included in splunk messages. To include this text in the message, the splunk driver was extended to insert the text as a value for the key 'msg'.
520891 The sequence number when using server initiated DTLS renegotiation has changed. Formerly, the ServerHello was sequence number 0, now it is sequence number 1. This corresponds with a change in OpenSSL to become RFC compliant. DTLS renegotiation: New OpenSSL 1.0.1l+ treats the Hello Request message as message sequence 0, so the Server Hello should be 1 when a Hello Request is sent for renegotiation. The system will retain the previous behavior on the server which is not compliant with RFC. This is required to maintain compatibility with clients that are already deployed by customers. The client behavior now accepts both RFC-compliant and non-compliant re-negotiation requests from the server.
539344 The TMM process no longer produces a core file and restarts when processing SPDY traffic. The issue occurred when a virtual server processed a SPDY client connection with more than two concurrent streams, and the SPDY client connection stalled and was subsequently aborted.
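As an added illustration of the HTTP::cookie attribute sub-commands listed under ID 227347 (this is example code written for this note, not an iRule shipped by F5), the following iRule adds the Secure, HttpOnly and SameSite attributes to every cookie a server sets, but only when the application has not already set them. It assumes a virtual server with an HTTP profile, and the SameSite value Lax is an assumed policy choice; per ID 345389, attribute names are matched case-insensitively, so "httponly" and "HttpOnly" are treated the same.

```tcl
# Added example (not from the release note or F5): harden Set-Cookie
# headers using the HTTP::cookie attribute sub-commands added in 12.0.0.
# Assumes an HTTP profile is attached to the virtual server.
when HTTP_RESPONSE {
    # HTTP::cookie names lists the cookies present in the response's
    # Set-Cookie headers; the attribute sub-commands act on one cookie by name.
    foreach name [HTTP::cookie names] {
        # Flag attributes take no value. Insert only if absent so that any
        # attribute the application already set is left untouched.
        if { ![HTTP::cookie attribute $name exists "Secure"] } {
            HTTP::cookie attribute $name insert "Secure"
        }
        if { ![HTTP::cookie attribute $name exists "HttpOnly"] } {
            HTTP::cookie attribute $name insert "HttpOnly"
        }
        # SameSite carries a value; "Lax" is an assumed policy choice.
        if { ![HTTP::cookie attribute $name exists "SameSite"] } {
            HTTP::cookie attribute $name insert "SameSite" "Lax"
        }
        # Record what the cookie now carries so the change can be audited
        # from /var/log/ltm: attribute count and the attribute names.
        log local0. "cookie $name: [HTTP::cookie attribute $name count] attributes ([HTTP::cookie attribute $name names])"
    }
}
```

Because the rule checks with exists before calling insert, an application that deliberately sets SameSite=Strict or omits Secure for a cookie it needs over plain HTTP keeps its own value; the iRule only fills gaps. Remove the log line once the behavior has been confirmed, since it writes one entry per cookie per response.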

Known issues

ID Number Description
221956 Beginning with version 10.0.0, the system reports module memory mixed in with memory used by all processes. Workaround: To determine actual memory usage, you must use standard Linux commands, such as ps, top, and other similar commands.
221963 When you are logged on to a cluster management address, and you or another user subsequently promotes one of the secondary blades to the primary, you and the other user might need to log on again. Workaround: None.
221973 BIG-IP system ignores a pool member's response and marks the pool member down after the configured timeout. This issue occurs when all of the following conditions are met: -- An ECV health monitor such as TCP or HTTP has been assigned to a pool or pool member (Note: HTTPS ECV monitors are implemented differently than HTTP and TCP monitors and are not affected by this issue.) -- A pool member responds after the assigned health monitor has sent three probes to it. The pool member will not be available to serve the clients' requests. For example, if the HTTP monitor is configured with an interval of 5 seconds and a timeout of 31 seconds, and the BIG-IP system receives the pool member's response after the third HTTP monitor probe has been sent, the BIG-IP system ignores the pool member's response and marks the pool member down after the timeout of 31 seconds. Workaround: To work around this issue, you can set the monitor interval to a value greater than the affected pool member's response time under the expected production load. For more information, see SOL9104: The BIG-IP system may ignore a pool member's response to health monitor probes, available here: https://support.f5.com/kb/en-us/solutions/public/9000/100/sol9104.html.
222034 If HTTP::respond is called in LB_FAILED with large headers and/or body, the response might be truncated. The Content-Length header value is correct; it is the content itself that is truncated. This issue occurs when all of the following conditions are met: -- TCP Slow Start is enabled in the TCP profile. -- HTTP::respond is used in the LB_FAILED event to return a large response. -- No other TCP data has been sent to the client. The response sent by the BIG-IP system will be truncated. For example, with slow-start enabled, and no data sent to the client yet, the response will be truncated after two packets. Workaround: To work around this issue, disable TCP Slow Start in the TCP profile, or modify the iRule. For example, instead of directly using HTTP::Respond inside of an LB_FAILED event, perform a 302 Redirect to another URI, which can then be handled by an unaffected event. For more information, see SOL9456: Using the HTTP::respond iRule command in the LB_FAILED event may result in truncated responses, available here: http://support.f5.com/kb/en-us/solutions/public/9000/400/sol9456.html.
222184 When the license expires, if you are on the License Summary page on a partition other than Common, the system automatically returns you to the Common partition, but does not activate the Reactivate button. Workaround: Select a different partition and then reselect the Common partition. This should reset the Reactivate button to an active state.
222221 The BIG-IP system may fail to complete an SSL handshake. This issue occurs when all of the following conditions are met: -- The affected virtual server is processing the client SSL connection with an iRule. -- The iRule uses the TCP::close command in the CLIENTSSL_HANDSHAKE event. The TCP::close command can be used in the CLIENTSSL_HANDSHAKE event to close the client connection. For example, the iRule closes the client connection if the hostname requested by the client does not match the common name in the SSL cert. As a result of this issue, you may encounter the following symptoms: -- The client SSL connection stalls until the TCP connection is timed out by the BIG-IP system. -- The client SSL connection fails at the Change Cipher Spec Protocol during the SSL handshake. Workaround: To work around this issue, you can insert a delay with the after command for the TCP::close command. Impact of workaround: Depending on the type and volume of the connections, the after command may introduce noticeable latency. F5 recommends that you test any such changes in an appropriate environment. For more information, see SOL14037: The BIG-IP system may fail to complete an SSL handshake, available here: http://support.f5.com/kb/en-us/solutions/public/14000/000/sol14037.html
222287 On multi-core platforms running in CMP mode, rates configured in a rate class are internally divided between the active TMM instances. This occurs on multi-core platforms running in CMP mode. As a result, each flow is restricted to bandwidth equal to the configured rate divided by the number of active TMM instances. Workaround: In order to achieve the actual rate set on the rate class, the system must be processing at least one flow on each active TMM instance. For more information, see SOL10858: Rate classes on CMP systems are divided among active TMM instances, available here: http://support.f5.com/kb/en-us/solutions/public/10000/800/sol10858.
222344 If a route learned via any dynamic routing protocol exactly matches a management static route, traffic from the Linux host will follow the dynamic route. NOTE: Regarding affected modules, the problem affects any module provisioned in TMOS as the root cause is in the core functionality shared by all modules. Dynamic routes might override static management routes. Workaround: There is no workaround.
223031 If you run the tcpdump utility from a B4100 blade on a VIPRION chassis containing a mix of B4100 and B4200 blades, the process does not show packets from the B4200 blades. This happens on a VIPRION chassis with a mix of B4100 and B4200 blades. tcpdump does not report packets from the B4200 blades. Workaround: To work around this issue, run the tcpdump operation from the B4200 blade.
223412 When configuring a ConfigSync peer IP address, the IP address must reside in the default route domain. The default route domain has an implicit value of zero (0). For example, with a peer address of 192.168.20.100%10, the system returns an error similar to the following:
Checking configuration on local system and peer system...
Peer's IP address: 192.168.20.100%10
Caught SOAP exception: Error calling getaddrinfo for 192.168.20.100%10 (Temporary failure in name resolution)
Error: There is a problem accessing the peer system.
BIGpipe parsing error: 01110034:3: The configuration for running config-sync is incorrect.
On BIG-IP 11.x, the system returns an error message that appears similar to the following example:
err mcpd[5766]: 01071430:3: Cannot create CMI listener socket on address 192.168.20.100%10, port 6699, Cannot assign requested address
ConfigSync operations will fail if you configure a peer address that contains an explicit route domain ID. Workaround: Do not use route domains for ConfigSync operations. For more information, see SOL12089: ConfigSync operations fail when you configure a ConfigSync peer address with an explicit route domain ID, available here: http://support.f5.com/kb/en-us/solutions/public/12000/000/sol12089.html.
223421 If a disk is removed from an array, the serial number of the disk persists in the system until the drive is manually removed. This occurs on multi-disk systems. The serial number of the disk persists even after the disk is removed from the array. Workaround: There is no workaround for this issue. The serial number of the disk persists in the system until the drive is manually removed.
223426 If you apply to a virtual server a TCP profile with the MD5 signature setting enabled, the virtual server incorrectly accepts connections regardless of whether the peer presents the MD5 option. This affects both client-side and server-side connections. Note that the problem does not affect TCP connections established from the BIG-IP host (for example, BGP connections). Enabling the TCP option for MD5 signatures does not cause TCP connections without MD5 signatures to be rejected or ignored. However, when the MD5 signature setting is enabled, and an MD5 signature is present, the MD5 signature is validated. The MD5-configured virtual server incorrectly accepts connections regardless of whether the peer presents the MD5 option. Workaround: None. For more information, see SOL12241: A virtual server with the MD5 signature setting enabled in its TCP profile does not reject or ignore non-MD5 optioned connections, available here: http://support.f5.com/kb/en-us/solutions/public/12000/200/sol12241.html.
223542 You must delete and recreate a trunk to change its speed. This occurs when you change the speed of an existing interface in a trunk. You cannot change the speed. Workaround: You must either delete all the interfaces and add them back at the new speed, or delete the trunk and recreate it.
223634 The Traffic Management Shell (tmsh) may not display dynamic Address Resolution Protocol (ARP) entries as expected. In BIG-IP 11.x, the show net arp Traffic Management Shell (tmsh) command displays dynamic ARP entries for all route domains. Additionally, you can display dynamic ARP entries for specific route domains by using the show arp any %route domain id command; however, you cannot specify the default route domain 0. In BIG-IP 10.x, the show net arp Traffic Management Shell (tmsh) command displays ARP entries for only the default domain. This issue occurs when you have a BIG-IP system with more than one route domain configured, and you view dynamic ARP entries using tmsh. ARP entries appear to be missing for route domains other than the default (BIG-IP 10.x). The system is unable to display only those dynamic ARP entries specific to the default route domain 0 (BIG-IP 11.x). Workaround: If you are in the tmsh utility (in 10.x or 11.x), you can run the bigpipe utility to view dynamic Address Resolution Protocol (ARP) entries for a different route domain. To do so, run the command run until bigpipe arp args... at the tmsh command line. For more information, see SOL12623: The Traffic Management Shell may not display dynamic ARP entries as expected, available here: http://support.f5.com/kb/en-us/solutions/public/12000/600/sol12623.html.
223651 An SSH File Transfer Protocol (SFTP) client might emit an error message containing 'Received message too long' when the user is unprivileged and may not use SFTP. This occurs when a user with insufficient privileges uses SFTP. 'Received message too long' is posted by the SFTP client when the user is unprivileged. This is a known issue with SSH. For more information, see 2.9 - sftp/scp fails at connection, but ssh is OK, available here: http://www.openssh.com/faq.html#2.9. Workaround: The user must be authorized to use SFTP/SCP.
223796 When an SFP is not inserted in a VIPRION interface socket, the interface status should show 'MS' (missing); instead, the interface status might show 'DN' (down). This occurs on a VIPRION chassis where there is no SFP in the interface socket. The interface status might show 'DN' (down). Workaround: None.
223885 If you apply a hash persistence profile to a FastL4 virtual server, the virtual server stops processing traffic. Note: The hash persist profile was extended in 10.0.0 with new options, but is no longer supported in combination with FastL4 virtual servers. In addition, when the hash persistence profile is initially applied and during each subsequent configuration load, the BIG-IP system logs messages to the /var/log/tmm file: notice hudfilter_init: 'HASH' is not a bottom-level filter. ... mcp error: 1031000 in mcpmsg_to_database. This occurs when using hash persistence profile with FastL4 virtual servers. FastL4 virtual servers stop processing traffic after a hash persistence profile is applied. Workaround: The workaround is to use universal persist instead. You can also use the TCP or UDP profile instead of FastL4. If a hash persistence profile was applied to a FastL4 virtual server, you can restore traffic by deleting and recreating the virtual server with a different virtual server name. For more information, see SOL12078: FastL4 virtual servers stop processing traffic after a hash persistence profile is applied, available here: https://support.f5.com/kb/en-us/solutions/public/12000/000/sol12078.html.
224073 Pinging the floating self IP address from the command line of the same system results in no response to the ping. This lack of response does not indicate that the floating self IP address is not working; it responds to normal ping operations from other hosts. This occurs when you ping the floating self IP address from the BIG-IP system command line. The ping receives no response. Workaround: To work around this, issue the ping from another host in the network.
224142 There is a pause negotiation mismatch in a trunk containing a mix of fiber and copper interfaces. This occurs in a trunk containing a mix of fiber and copper. A pause negotiation mismatch occurs. Workaround: To work around this issue, do not mix fiber and copper in the same trunk.
224294 SASP monitor validates timeout and interval although these values are not used by the monitor. This occurs when using SASP monitor timeout and interval. This causes certain SASP monitor configurations not to load. Workaround: None.
224372 When you are connected using the serial console to a multi-drive platform, you might see messages similar to the following: warning kernel: RAID1 conf printout and warning kernel: disk 0, wo:0, o:1, dev:dm-14. The messages are also logged in the /var/log/kern.log file. This occurs when you are directly connected by serial console to a multi-drive system. These messages appear during the time a drive is rebuilding. Note that the messages appear only when you are directly connected by serial console. They do not appear when you are logged in using SSH. Workaround: These messages are benign, and you can safely ignore them.
224402 When you specify a custom configsync user (that is, an account other than admin), if you have specified a maximum number of password failures, the configsync account is subject to the password lockout after the specified number of failures. This occurs for configsync users when maximum password failure is set. The configsync account is subject to the password lockout after the specified number of failures. Workaround: To work around this issue, use the admin account as the ConfigSync user, or reset the non-standard account that is locked out.
224406 The dashboard cannot handle numbers that exceed 32 bits. If a statistic goes above that number, dashboard values will be incorrect. This occurs when a dashboard statistic exceeds 32 bits. When this occurs, the dashboard displays incorrect values. Workaround: There is no workaround.
224520 The bcm56xxd service's small form-factor pluggable (SFP) plug_check mechanism (for example, bs_i2c_sfp_plug_check()) looks for module-detect signal changes every five seconds, and can miss a pluggable media type swap (that is, a swap from fiber SFP to copper SFP or SFP+) because the check does not look at pluggable media type changes. This occurs when changing pluggable media. This can result in link failures, due to internal media settings that are still associated with a previously populated pluggable module. Workaround: None.
224665 The Proxy Exclusion List setting is not aware of administrative partitions. As of BIG-IP 10.1.0, VLAN group objects reside in administrative partitions. This means that you can create a VLAN group in an administrative partition, and then give users the authority to view and manage the object in only that partition. Proxy exclusion is a VLAN group setting, so the partition restrictions should be in effect. However, the system does not prevent you from adding proxy exclusion for a VLAN group in another partition. Doing so may result in issues for the VLAN group. This occurs when using VLAN groups and proxy exclusion, and results in issues for the VLAN group. Workaround: None. For more information, see SOL12711: The Proxy Exclusion List setting is not aware of administrative partitions, available here: http://support.f5.com/kb/en-us/solutions/public/12000/700/sol12711.html.
224881 On AOM-equipped platforms, changing the management IP address via the front-panel LCD multiple times might result in fields on the LCD being displayed with a value of 0.0.0.0. This occurs when repeatedly changing the management IP address using the front panel. Fields on the LCD are displayed with a value of 0.0.0.0. Workaround: The correct values will be displayed after a system restart.
225358 Both units probe both gateway fail-safe pools regardless of their unit IDs. This occurs in HA configurations. Members of a redundant configuration continue to probe both gateway fail-safe pools. Workaround: Reload config via "tmsh load sys config".
225431 Disabling the LCD System Menu does not persist across restarts. This occurs when you disable the LCD display and restart the system. The LCD display setting is not saved. Workaround: To prevent access or configuration changes from the LCD System Menu, you can re-enable and then disable the LCD System Menu after each system restart. For more information, see SOL11363: Disabling the LCD System Menu does not persist across restarts, available here: http://support.f5.com/kb/en-us/solutions/public/11000/300/sol11363.html.
225588 Error conditions such as unreachable IP addresses, and unavailable TACACS+/RADIUS services, are not logged to /var/log/ltm for the TACACS+ RADIUS audit forwarding accounting feature. This occurs when you configure the feature using a non-existent IP or a good IP that is not running TACACS+ or RADIUS, and run some tmsh commands. Entries are logged in /var/log/audit, and no error messages are logged in /var/log/ltm. Workaround: None.
226113 The messages "ACPI: Unable to locate RSDP" and "ACPI Error: A valid RSDP was not found (20090903/tbxfroot-219)" might appear at boot. This is limited to the 6900, 8900, 8950, 11050, and PB200 platforms. These messages are benign and indicate that an ACPI-capable kernel is booted on a system without ACPI support. Workaround: None.
226964 A node marked down by a monitor that is waiting for a manual resume mistakenly displays the Enabled state when it is actually down. After a health monitor configured for manual resume has marked a node down, the Configuration utility incorrectly reports the node as Enabled instead of Forced Offline. This issue only affects nodes. The issue does not affect pools or pool members. The node remains disabled, but the GUI reports Enabled. Workaround: You can work around this issue by clicking the Enabled (All traffic allowed) option and clicking Update. For more information, see SOL11828: After a health monitor configured for manual resume has marked a node as down, the Configuration utility incorrectly reports that the node is still enabled, available here: http://support.f5.com/kb/en-us/solutions/public/11000/800/sol11828.html.
227272 If you replace a tri-speed copper small form-factor pluggable (SFP) module with a fiber SFP, you may have to reinsert the fiber SFP module a second time before it accurately reports link status. This occurs when replacing copper SFPs with fiber SFPs. The link does not work. You might see the following messages: 'Failed to recover link status' and 'temporarily removed from linkscan.' Workaround: To work around this, remove and reseat the fiber SFP module.
227281 When a full-proxy HTTP virtual server configured with ramcache, a fallback host, and deferred accept executes a reject command in a CLIENT_ACCEPTED event, TMM restarts. This occurs when the virtual server is configured with all of the following elements: - HTTP profile configured with Cache Setting and a fallback host. - iRule that uses the CLIENT_ACCEPTED iRule event, along with a reject statement. - The TCP profile Deferred Accept setting is enabled. If a virtual server that is configured with the previous settings receives a connection that triggers the reject iRule statement, the TMM process may restart and temporarily fail to process traffic. Workaround: To work around this, remove the fallback host statement in the HTTP profile that is used by the virtual server.
227369 Generating a SIGINT or SIGQUIT on the serial console during login causes all services to halt and restart. Further, SIGQUIT may cause chmand to get caught in a loop of failed restarts, requiring a host reboot. This occurs when, at any point while the password prompt is displayed, a signal is generated, for example: -- For SIGINT, press Ctrl-C. -- For SIGQUIT, press Ctrl-4, Ctrl-\, or (in some cases) SysReq. All services halt and restart. Workaround: None. However, the problem no longer occurs after the first successful login from the console.
246726 A virtual address is defined as the IP address with which you associate one or more virtual servers. A virtual server is represented by an IP address and a service. The BIG-IP system continues to process traffic for virtual servers after disabling the related virtual address. When a virtual address is disabled in LTM, TMM still processes traffic for the virtual servers on that virtual address. For example, if you define virtual servers of 10.10.10.2:80 and 10.10.10.2:443 on the BIG-IP system, then 10.10.10.2 is the virtual address. If you disable the virtual address of 10.10.10.2, the BIG-IP system continues to process traffic for the virtual servers. Workaround: Disable the virtual servers instead. For more information, see SOL8940: The BIG-IP system processes traffic for virtual servers after disabling the virtual address, available here: https://support.f5.com/kb/en-us/solutions/public/8000/900/sol8940.html.
246871 When you are on the license summary general properties screen and you refresh the browser after you reactivate a license, the system prompts you to log on again. This occurs after reactivating a license on the license summary general properties screen, and then refreshing the browser. The system prompts you to log on again. Workaround: Do not refresh the browser.
246962 The system counts route domain health check traffic as part of IPv6 traffic statistic totals. This occurs with configurations that have a monitor on a pool in a route domain. With this configuration, you will see an increase in IPv6 traffic. If you remove the monitor from the pool, the IPv6 statistics freeze (assuming there is no actual IPv6 traffic). Workaround: None.
246983 A display issue in the browser-based Configuration utility makes it appear as if users can modify user settings that they should not be able to access. For example, a user logs on using an account assigned a non-administrator role. When that user changes the password and clicks Update, the screen temporarily redisplays with available settings for file, partition, and shell access. This might occur in some Internet Explorer or Firefox browsers after changing a password. Although the user can manipulate the controls and select different settings, the system does not accept the change. Workaround: None; however, this is a browser issue. Internet Explorer and Firefox might allow a user to see the contents of change-select controls after the form has been submitted. The controls are disabled, even though it might appear that they are functional.
247011 Unlike in SSL profiles, the system does not validate keys and certificates used for SIP and HTTPS monitors. That means that you can specify non-matching or invalid keys and certificates. There is no checking on the command line or in the browser-based Configuration utility to make sure keys and certificates are valid and usable. This occurs with validation for SSL keys and certificates used for HTTPS and SIP monitors. You can specify non-matching or invalid keys and certificates. Workaround: None. You must ensure the validity of the keys and certificates used.
247012 If you use a SIP or HTTPS monitor on a server that requires authentication using a certificate signed by a certificate authority (CA), the monitor must use certificates signed by a CA that the server recognizes. Do not configure a monitor using certificates signed by an Intermediate CA because the monitor does not send such certificates to the server. This occurs when using non-CA-signed certificates on SIP or HTTPS monitors that communicate with servers that require CA-signed certificates. Authentication fails. Workaround: Use CA-signed certificates.
247094 If you have state mirroring enabled, when you upgrade one unit of a redundant system, the system posts messages until all systems are running the same version of the software. tmm tmm[1917]: 01340001:3: HA Connection with peer 10.60.10.3:1028 established. This occurs when upgrading redundant system configurations and the versions are not yet the same. The system posts messages until the software versions are the same. Workaround: There is no workaround for this condition. All units in a redundant system must be running the same version of the software.
247099 After an import default operation, the prompt is set to reboot, but the operation does not instigate the reboot operation on the primary blade, although it does on the secondary blade. This is intentional behavior: the operation causes a reboot on secondary blades, but the primary blade does not reboot automatically in this case. To activate the imported configuration, reboot the primary blade. Workaround: None.
247135 Linux represents long VLAN names using the first 13 characters and an appended ~1. If you use the Linux system command ifconfig to retrieve the interface configuration of a VLAN with a name longer than 9 characters, the operation truncates the name to 8 or 9 characters. Workaround: To work around this issue, use the ip addr show command to retrieve the VLAN using the IP address.
247200 When a user configured for one role is logged on to the browser-based Configuration utility, and you change that user's role to another type, also using the Configuration utility, the system logs off that user. This occurs when changing the user role while that user is logged on. When that user logs back on, the system writes to the catalina.out file error messages such as com.f5.mcp.io.McpIOException: java.io.EOFException: Error while reading message at. Workaround: None, however, these messages are benign, and you can safely ignore them.
247216 The help frame crops the right edge of some of the formula definitions on the Performance statistics screen. This occurs when viewing formula definitions on the Performance statistics screen. The right side of the text is cropped, and there is no horizontal scroll bar. Workaround: Click the Launch button to view the full text.
247241 Occasionally, when you create an installation repository on a USB thumb drive from the BIG-IP system, the operation fails while copying the repository files to the thumb drive. (The failure might also occur when reading or writing any large file to the thumb drive from the BIG-IP system.) This occurs when you mount a USB thumb drive and attempt to copy large files between drives. When the failure occurs, the system reboots and writes a log entry similar to the following in the /var/log/ltm file: -- Dec 10 11:13:12 local/8900 notice overdog[2401]: 01140108:5: Overdog scheduling exceeded 1/2 timeout of 5 seconds (measured:8060 ms) Workaround: Create the installation repository on a USB thumb drive using a Linux workstation, as documented in the BIG-IP Systems: Getting Started Guide. In any case, do not perform the operation on a BIG-IP system that is actively in production, to prevent the potential failure from affecting live traffic.
247300 You should not use the SSL::respond method with a CLIENTSSL_CLIENTCERT iRule event with a COMPAT mode cipher, as it can result in a handshake failure. This occurs when you use the SSL::respond method with a CLIENTSSL_CLIENTCERT iRule event with a COMPAT mode cipher. This results in a handshake failure. Workaround: None.
247310 There is an extremely rare chance that, if the high-availability mirroring connection fails and recovers, the result might be a new persistence record and an expired record using the same key to send their respective messages. For example, if a record comes in that would have matched an old one on the active system, it is possible that the old record's expiration action might arrive after the new record's update action. If the key matching the old record expires, the standby system incorrectly deletes the corresponding new record. This occurs when the high-availability mirroring connection fails and recovers in the time between checking persistence entries. Workaround: None, but the possibility of encountering the issue is very rare.
247709 When you change the idle timeout in System :: Preferences, the system must restart the httpd process. This results in a set of error messages similar to the following example: err httpd[6246]: [error] [client 127.0.0.1] Invalid method in request OPTIONS * HTTP/1.0 err httpd[6320]: [error] (9)Bad file descriptor: apr_socket_accept: (client socket) warning httpd[3064]: [warn] RSA server certificate CommonName (CN) `dhcp-137' does NOT match server name!? warning fcgi-[6376]: [warn] FastCGI: server "/usr/local/www/mcpq/mcpq" started (pid 6377) err httpd[6379]: [error] [client 127.0.0.1] Invalid method in request OPTIONS * HTTP/1.0 warning httpd[3064]: [warn] long lost child came home! (pid 6239) These messages occur primarily as a result of the process restart, and you can safely ignore them. Workaround: None.
247727 When you create a new profile or edit an existing profile using the all-properties option of the tmsh utility, unless you remove some options, the properties might produce unexpected behavior. This occurs when creating or editing profiles using the all-properties option. All properties become custom; that is, profile properties no longer inherit parent settings. Workaround: Use the tmsh utility create and modify commands. When you do so, the system preserves the profile's property inheritance.
247894 The iRule substr function cannot use a string with a number in it as a terminating string. This occurs when using iRules. The iRule converts that string to integer and incorrectly uses it as a substring length. Workaround: None.
247981 The setting controlling PMTU and route metrics is global. However, different traffic profiles (FastL4 versus full proxy) may need different settings, which is not currently possible. Some traffic flows may be using a suboptimal setting. Workaround: None.
248489 If the user configuration set (UCS) file you roll forward at installation time contains a problem, subsequent system load operations can fail. If this happens, the remote users and administrators cannot log on to the system. This occurs when rolling forward the UCS fails. Remote users and administrators cannot log on to the system. Workaround: To work around the situation, log on to the system as the root user or as the admin local user.
248742 Using the command line, you can enable or disable a nonexistent interface. For example, issue 'tmsh modify /net interface [x/]y.z ...' where x is an invalid blade number and/or y.z is an invalid interface. This occurs when using the command line to enable or disable a nonexistent interface. The 'tmsh show net interface' or 'b interface show' command displays the nonexistent interface. This is a display issue only. The system does not make use of the interface. Workaround: None.
284910 The BIG-IP system may continue to generate server-side TCP connections to pool members after the associated virtual server configuration is deleted. To improve connection speeds for Performance HTTP virtual servers, the BIG-IP system primes connections to the pool members. When a client makes a connection to the virtual server, if an existing server-side flow to the pool member is idle, the BIG-IP LTM system marks the connection as non-idle and sends the client request over it. This issue occurs when all of the following conditions are met: -- The configuration contains a Performance HTTP virtual server that references the base FastHTTP profile. -- The Performance HTTP virtual server processes at least one connection before being deleted. -- The Performance HTTP virtual server configuration is removed. As a result of this issue, you may encounter the following symptoms: -- Packet traces show the BIG-IP system connecting to pool members from its non-floating self IP address. -- The BIG-IP connection table includes an entry showing the recurring connections. In the following example, the any6.any connection table entry represents the client-side IP address, and 10.11.16.221 is the BIG-IP self IP address: 'any6.any any6.any 10.11.16.221:44321 10.11.16.253:80 tcp 9 (tmm: 0)' Workaround: To work around this, you can delete the pool and restart TMM. For more information, see SOL13850: The BIG-IP system may continue to create server-side TCP connections to pool members after the associated virtual server configuration is deleted, available here: http://support.f5.com/kb/en-us/solutions/public/13000/800/sol13850.html.
291327 Configuring a virtual server for multicast communications inside a route domain does not work. This occurs when configuring a virtual server for multicast communications inside a route domain. The resulting configuration does not work. Do not configure a virtual server for multicast communications inside a route domain. Workaround: None, but this appears to be a rare condition.
291541 If there are static Address Resolution Protocol (ARP) entries targeted to the management network in either the existing configuration or in the configuration being installed or used in a ConfigSync operation, the configuration may fail to load. This occurs when performing a config sync or loading a configuration containing static ARP entries targeted to the management network. When this occurs, the configuration may fail to load. An error message is logged to the /var/log/ltm file similar to the following example: '01070712:3: Caught configuration exception (0), Netlink reply from kernel has error: -101 - routing.cpp, line 883' Workaround: To work around the issue, first delete any static ARP entries targeted at the management network and then complete the configuration load or ConfigSync operation.
Procedure for BIG-IP v11.x:
1. Log in to the Traffic Management Shell (tmsh) by entering the following command: tmsh
2. Display the list of static ARP entries configured on the BIG-IP system by typing the following command: show net arp all
3. Identify the relevant static ARP entry.
4. Remove the relevant entry by typing the following command, where Name is the name of the address being deleted: delete net arp Name. For example: delete net arp /Common/192.168.1.1
5. Save the change by typing the following command: save /sys config
Procedure for BIG-IP v10.x:
1. Log in to the BIG-IP command line as the root user.
2. Display the list of static ARP entries configured on the BIG-IP system by typing the following command: bigpipe arp static list
3. Identify the offending static ARP entry.
4. Remove the offending entry by typing the following command: bigpipe arp IP_address delete
5. Save the change by typing the following command: bigpipe save all
291584 When a backslash is used to escape a quote in an external data group, the backslash is duplicated when the data group is saved. This occurs when a backslash is used to escape a quote. An additional backslash is inserted into the data group on each save, which eventually leads to a configuration load error. Workaround: Delete the extra backslash.
291689 When you use the Weighted Least Connections (Node) load balancing method, you must set a connection limit for each node prior to adding the pool member to the pool. This occurs with Weighted Least Connections (Node) and connection limits. If you fail to specify the connection limit for the node prior to adding the pool members, the system presents a configuration validation error. Workaround: In this release, you must use the following process to accomplish this:
1. Create a pool that uses the Weighted Least Connections (Node) load balancing method.
2. Explicitly create the node entries for the pool members on the Local Traffic Nodes Node List (create) screen.
3. For each node, specify a value other than 0 (zero) in the Connection Limit box.
4. Return to the pool configuration screen by clicking its link in the Local Traffic Pools Pool List.
5. Select the Members tab and add the pool members to the pool, using the same IP addresses as the nodes that you configured in the earlier step.
291704 If you replace a copper (Cu) small form-factor pluggable (SFP) with a fiber SFP, the link might remain down, even when connected to an active peer. This occurs when you replace a copper SFP with a fiber SFP. When this occurs, the link might remain down. Workaround: From the command line, issue the command 'bigstart restart bcm56xxd'.
291719 When the Configuration utility restarts, the system writes benign messages to catalina.out. This occurs when the Configuration utility restarts. The system writes messages to catalina.out: 'log4j:ERROR A 'org.apache.log4j.ConsoleAppender' object is not assignable to a 'org.apache.log4j.Appender' variable,' 'log4j:ERROR The class 'org.apache.log4j.Appender' was loaded by log4j:ERROR,' '[org.apache.catalina.loader.StandardClassLoader@1359c1b] whereas object of type,' and 'log4j:ERROR'org.apache.log4j.ConsoleAppender' was loaded by [WebappClassLoader.' Workaround: None, but these messages are benign, and you can safely ignore them.
291723 At system startup, you might see messages about unrecognized md component devices. This occurs because datastor volumes are not intended to be combined into a redundant array. The disk management subsystem unintentionally tries to join them into an array, but fails. The system posts messages similar to the following: -- mdadm: Unrecognized md component device - /dev/mapper/vg--db--sda-mdm.app.wom.dat.datastor -- mdadm: Unrecognized md component device - /dev/mapper/vg--db--sdb-mdm.app.wom.dat.datastor Workaround: None, but no adverse result occurs, and you can safely ignore these messages.
291742 In the ltm.log file, you might see mcpd warning messages similar to the following: "warning mcpd[3002]: 01070156:4: Could not remove file /config/bigip/auth/pam.d/tmm_ldap. Please remove this file manually." When you navigate to the specified directory, you do not find the files. These messages are incorrect, and you can safely ignore them. Messages in ltm.log report problems removing files that do not exist. Workaround: None.
291756 On a multi-drive system, when you remove a drive, LED status might not reflect status correctly. This occurs when removing a drive on multi-drive systems. If the LED is flashing when you remove a drive from the unit, the LED status does not turn green (as it should) when disk replication begins. If the LED is not flashing, the LED turns green immediately in the transition to replicating a drive. Workaround: None, but this is a cosmetic issue only, and has no effect on functionality.
291761 When you complete a new installation, the Firefox browser may not recognize the SSL certificate. This occurs only on a new installation when using the Firefox browser. When this occurs, the Configuration utility posts the message 'Please wait while this BIG-IP device reboots, shutting down device.' This spins forever and never returns. This behavior is Firefox-browser specific, so when the certificate is no longer viewed as valid, the Firefox browser ignores subsequent HTTP requests. Workaround: None, but the issue happens only when doing a fresh install using the Firefox browser. A configuration you roll forward includes the device certificates, so this is not an issue. The Microsoft Internet Explorer browser posts an accept-certificate dialog box when you restart the system.
291777 The software does not support running small form-factor pluggable (SFP)+ on SFP ports on VIPRION systems that contain B4100 blades, even if the ports are running at 1 GB. Although the system does not prevent you from doing so, and you might find such a configuration functional, we do not support nor recommend running in this configuration. This occurs when using SFP+ on SFP ports on B4100 blades on VIPRION systems. Configurations of this type intermittently lose link aggregation and produce errors. Workaround: None. This is not a supported configuration.
291782 Running tmsh load sys config operation (on versions 11.0.0 and 11.1.0), or b load (on version 9.4.x and 10.x), fails when pool members are configured with port numbers 63, 66, 172, 211, 564, and 629. In version 11.2.0 and later, although the tmsh load operation completes for such configurations, the command "tmsh list ltm pool members" fails. This occurs when pool members are configured with port numbers 63, 66, 172, 211, 564, and 629. Load operations may fail or may fail to be listed. Workaround: The workaround is to use numbers other than these for pool member port configuration. If you want to use those ports, you can disable the utility from converting service names by running the command "tmsh modify sys db bigpipe.displayservicenames value false" (on version 11.x), or "bigpipe db bigpipe.displayservicenames false" (on version 10.x). For more information, see SOL12365: The configuration may fail to load when a pool member contains certain service numbers, available here: http://support.f5.com/kb/en-us/solutions/public/12000/300/sol12365.html.
291784 If you set the import save value to 1 (one) and import a single configuration file (SCF), the import operation stops. This occurs when setting the import save value to 1. After initiating the SCF import, the import operation halts and does not resume. Workaround: To work around this issue, set the import save value to 2 or more. Note that the default value is 2.
291786 When you use the domaintool utility to delete a domain while configuring Kerberos delegation, if that domain serves as the default, the system removes the domain but leaves it designated as the default. To reproduce: add a domain using domaintool, which sets it as the default; then remove the domain using domaintool. This removes the domain but leaves it as the default. The deleted domain remains defined as the default in krb5.conf. Workaround: To work around this issue, change the default to a different domain before the delete operation.
336885 There is a memory leak that affects Firefox 3.6 but not Internet Explorer 8. The leak occurs because of an interaction between the dashboard and the web browser. The workaround is to use Internet Explorer to view the dashboard. This occurs in Firefox 3.6 and involves the dashboard interaction with the web browser. When this occurs, there is a memory leak. Workaround: If running the dashboard for a long time, use Internet Explorer instead of Firefox.
336986 If a hard drive is in the process of replicating and an install to a non-existent volume set is started, the array status for the replicating drive will transition to 'failed' while the volume sets are created. They are created at the very beginning of the installation, so this failed status should last no more than 1 minute. After the volume set is created, the status will go back to 'replicating', as expected. This occurs when installing to a control plane that doesn't exist yet, for example, in the middle of replication. The array status shows 'failed'. Workaround: None.
338426 Clusterd can core on shutdown under certain circumstances. This occurs with vCMP, and only happens when clusterd is shutting down. When this occurs, clusterd can assert. Workaround: None, but by that point clusterd has already delivered all notifications to other system components, so the core can be safely ignored.
342319 When you add a Domain Name System (DNS) server to the BIND forwarder server list from the Configuration utility, the recursion option is set to no and the forward option is not set. The parameters 'recursion yes' and 'forward only' are not being updated in named.conf when creating entries in the BIND Forwarder Server List from the GUI. This issue may cause some DNS queries that are sent to the BIG-IP system to fail. Workaround: You can work around this issue by setting the recursion and forward options. For more information, see SOL12224: Configuring the BIND forwarder server list does not correctly set additional options for the named.conf file, available here: http://support.f5.com/kb/en-us/solutions/public/12000/200/sol12224.html.
342325 If username and password have not been configured for a RADIUS accounting monitor, it will try to connect with a NULL username-password. This occurs when the username and password have not been configured for a RADIUS accounting monitor. The system attempts to connect with a NULL username-password. Workaround: Configure the username and password for the RADIUS accounting monitor before attempting a connection.
342423 The statsd process computes the value for system-wide CPU usage using the formula: process 'A' CPU usage divided by the number of CPUs on the chassis. Assuming a chassis is fully populated with PUMA I blades, the average is divided by 16. If a blade drops out, the number of CPUs is now 12, so while that blade is out of circulation, the data is divided by 12. However, for the 5-second window in which the blade drops out, the average might be calculated incorrectly. This occurs when calculating average system-wide CPU usage when a blade drops out. For example: from time1 to time4, there are 16 CPUs on the box, and processA is using 96% of its CPU; at time5, one of the blades drops out; the calculation to compute CPU and system usage happens at this time. Before the blade dropped out, the system-wide average was 96/16 = 6. When the blade drops out, the system-wide average is 96/12 = 8. Workaround: None. However, this is a small difference. Although blades going down should not happen often, when it does happen, only the first 5-second system-wide average is affected. The next average will be correct.
344226 Trying to create a CRLDP server using a name that already exists fails. The resulting error message does not indicate the problem. This occurs when creating a CRLDP server using a name that already exists. The operation fails with the message 'An error has occurred while trying to process your request.' A more accurate message is 'The requested CRLDP server ('crldp_server_name') already exists in 'partition_name'.' Workaround: None.
345092 When a RAID system is booting, the system posts the message: "Press 'CTRL-I' to enter Configuration Utility...". This occurs on RAID systems during boot. Pressing Ctrl+I has no effect. It is not possible to enter the Configuration utility this way. This is a hardware constraint. Workaround: Instead, you can configure RAID parameters through TMOS.
345529 The BIG-IP Configuration utility may incorrectly allow you to assign certain health monitors to pools while their pool members are configured with a wildcard service port. This occurs when assigning the pool health monitor before assigning a member-specific monitor to each pool member. For LTM configurations, the system fails to pass traffic because the configuration fails to load. For GTM configurations, sync group members may fail to answer wide IP requests. Workaround: To work around this issue, make sure to specify an Alias Port on a monitor when it needs to probe a specific service port on wildcard pool members. For more information, see SOL12400: The BIG-IP Configuration utility may incorrectly enable you to assign certain health monitors to pools and server objects that are configured with a wildcard service port, available here: http://support.f5.com/kb/en-us/solutions/public/12000/400/sol12400.html.
347174 When starting BIG-IP VE on a Hyper-V platform, the BIG-IP VE system posts multiple Advanced Configuration and Power Interface (ACPI) messages. This occurs when starting BIG-IP VE on a Hyper-V platform. The system posts ACPI messages such as: 'ACPI: LAPIC (acpi_id[0x3f] lapic_id[0x3e] disabled)'. Workaround: None, but these messages are expected and you can ignore them.
348431 If you cancel a qkview while it is being generated via the GUI, a zero-byte qkview is created. Subsequent attempts still generate a zero-byte qkview (even after deleting the previous qkview). Canceling qkview generation via the GUI does not stop the qkview process; until it has finished or been killed, qkviews will have size zero. To reproduce: cancel a qkview while it is being generated via the GUI, then immediately re-generate a qkview via the GUI. The result is confusion and an inability to generate a qkview. Workaround: Wait until the qkview process has finished, or kill the process, and then regenerate. Removing the lock file (# rm /shared/tmp/.qkview_lock) will also allow it to work, but having two processes overwriting each other's temp files is not recommended.
349242 The load balancing method 'Ratio Least Connections (node)' does not perform correctly with 'Performance (Layer 4)' virtual servers. This occurs when using the Ratio Least Connections load balancing method. Does not perform correctly with 'Performance (Layer 4)' virtual servers. Workaround: None.
349629 Changes to VLAN, trunk, or port configuration may cause a UCS load to fail. The error is usually similar to: "01070257:3: Requested VLAN member (1/2.1) is currently a trunk member Unexpected Error: Loading configuration process failed." The configuration fails to load. Workaround: None.
351934 When booting with an SSD installed, you will see the SSD sled activity light blinking while the other spinning-media sleds do not. This happens when booting with SSDs installed. The SSD tray is the only tray whose activity light blinks while booting. Workaround: None, but this is normal behavior.
352560 Proxy SSL is incompatible with persistence profiles. This occurs when a persistence profile and Proxy SSL are used together. The combination does not work. Workaround: None, but persistence profiles and Proxy SSL should not exist on the same virtual server.
352840 When using partition default route domains, an attempt on a VIPRION to load a previously saved configuration that had a different default route domain may cause the secondary daemons to restart. This occurs when loading a configuration on a VIPRION whose default route domain differs from the previously saved one. The secondary daemons restart. Workaround: To work around this, load the default configuration before loading a config that has a different default route domain on any partition.
352957 Established flows via virtual servers with iRules using the 'node addr' command to set the nexthop to a different address than the gateway returned in route lookup, or transparent flows to a pool member, might fail (due to mis-routing of packets) after a route table change, even if the change does not affect any of the addresses used in the flow. Existing flows might not recognize valid routes after being set with iRules using the 'node addr' command if the next hop is set to an address other than the gateway returned in the route lookup or transparent flows to a pool member. New flows established before route table changes might not work as expected. New flows established after the route table change work as expected. Workaround: None.
353249 LTM Virtual Server Bytes in/out and Packets in/out values may be larger than expected on PVA platforms, when using FastL4 profile with PVA in 'Assisted' mode. This occurs when using the FastL4 profile with PVA in 'Assisted' mode. LTM Virtual Server Bytes in/out and Packets in/out values may be larger than expected. Workaround: None.
353621 You can get an error from tmsh when adding a device to the trust-domain that says the device cannot be found. This occurs in TMSH, if the 'name' option is omitted. This only occurs in TMSH. Adding devices in the GUI does not result in an error. The system posts the error: 'The requested device (10.10.20.30) was not found.' Workaround: This error actually indicates the "name" parameter was not specified in the command. The message does not indicate that there is a connectivity issue to the device being added to the domain.
354467 When you create an opaque VLAN group before creating the route domain to assign it to, opaque mode does not work. This occurs with VLAN groups created before the associated route domain. In this case, opaque mode does not work. Workaround: To work around this issue, you can add the VLAN group to the route domain and then set its mode to opaque, or, if you are already in this state, you can restart tmm.
354972 In some cases, TMSH does not properly recognize hostnames as an item reference for commands. This occurs in tmsh commands. Hostnames are not recognized when referenced in tmsh commands. Workaround: Use IP addresses instead of hostnames when creating addresses with tmsh in this release. Or use the GUI.
355299 PVA acceleration can be configured on a platform without a physical Packet Velocity ASIC present. This occurs when configuring PVA acceleration on a platform without PVA present. No acceleration can occur, because the platform does not support it. Workaround: None, but the setting has no actual effect and is harmless.
355564 The Error message 'The requested unknown (/Common/traffic-group-1/Common/bigip1) was not found.' might appear in the log during startup. This message does not indicate a problem, and can be ignored in this situation. Configuration is new or has been set to defaults. The error message will appear in the log during the device name change. There is no impact, as the message appears due to the device name changing. Workaround: None.
355616 LTM virtual-address objects are only shown in tmsh list output when specifically requested, as in 'list ltm virtual-address', not in commands such as 'list ltm'. This occurs when running the command: tmsh list ltm. Virtual-address objects are not shown. This is expected behavior. Workaround: Use the command: list ltm virtual-address.
356611 You can invoke imish (the shell for configuring dynamic routing) from tmsh. When you subsequently press Ctrl + Z, sshd and imishd start consuming CPU until the imish shell times out. This occurs when tmsh is not the login shell and you invoke imish from tmsh and then press Ctrl + Z. sshd and imishd consume CPU until the imish shell times out. If the system is already in this state, run the fg command, and then exit imish. Workaround: None, but suspending tmsh is not recommended.
356705 After completing the setup wizard in the Configuration utility, the user is redirected to the Welcome screen. At that point the menu at left should also change from the restricted setup menu to the full menu, but occasionally it does not. Workaround: In this case, the workaround is to log out and back in, or refresh the browser.
357656 When you use bigstart restart to restart all daemons on a guest on VIPRION platforms, the system logs a benign ltm log message. This occurs when restarting all daemons on a guest on VIPRION platforms. The system logs the message: "notice chmand[7975]: 012a0005:5: Chmand cleanup: Slot:Led:Color (1:3:0) not succeed: virtual void Hal::NullAnnunSvc::ledSet(Hal::LedFunction&, Hal::LedColor&, uint32_t&, uint32_t&, uint32_t&)." Workaround: None, but this is a benign message and you can safely ignore it.
357822 When loading a blank or inconsistent SCF, the user can run "delete cm trust-domain all" to create or fix the trust-domain. Workaround: None.
358063 If you issue the command 'restart sys service all' from the tmsh shell, the next command you issue results in the error message: 'The connection to mcpd has been lost, try again.' This occurs when restarting services. The connection to mcpd is lost when mcpd is stopped and restarted. A message indicating the lost connection is expected behavior. Workaround: Try the command again.
358099 If two devices have different provisioned modules, then the application with those modules configured in one device might not be able to sync to the other device. This occurs when syncing two devices that have different provisioned modules. The two devices are out of sync and cannot recover in this situation. Workaround: For sync to occur correctly, both devices must have the same provisioning.
358191 If the user resets device trust and changes the host name of the device, the other devices in the trust domain still show the unchanged, former host name and show the device as still attached. This occurs in a trust configuration. Resetting a device name has no effect on other devices in the trust configuration. Workaround: None.
358575 The traditional ConfigSync mechanism has been replaced with a more robust MCP-to-MCP communication mechanism. As a result, UCS files now load the full configuration in all cases, and no longer have the concept or ability to only load the 'shared' portion. This occurs when attempting to load a UCS file that was created on a different device. Cannot load UCS files created on a different device. Workaround: None.
358615 Because there is no 'add' option for unicast-address, if you have two existing unicast addresses, the command to add another replaces both addresses with a single address. For example, given a device with two existing unicast addresses, this command replaces both addresses with a single address: modify cm device centmgmt1.f5net.com unicast-address { { ip 10.10.10.1 } } The result is that the device unicast has only the mgmt address, and has lost the internal IP address. Workaround: When modifying failover unicast addresses using tmsh, you must specify all addresses, even if the intention is to remove or add a single address.
358655 The system posts an error message 'No such file or directory' during kernel installation. This occurs during kernel installation. The system reports an error such as the following: info: RPM: ls: /etc/modprobe.d/*.conf: No such file or directory. Workaround: None, but it does not negatively impact the installation itself.
358667 On initial boot of a VIPRION blade, before the blade is licensed, you may see the following error message in /var/log/ltm: err mcpd[5015]: 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure. It is not yet known what conditions trigger this error. This occurs on initial boot of the VIPRION blade, prior to licensing the device. After licensing, this error does not occur. Workaround: None. If this error is reported on first boot but the device can otherwise be licensed, it can be safely ignored.
359393 To comply with the FIPS 140 standard, keys cannot be exported from a FIPS card in plain text; they can only be exported encrypted with the master key on the FIPS card. This occurs when the master key on the FIPS card has changed since the keys were exported. In this case, it is not possible to import the keys back into the card. Workaround: None.
359395 Invalid or empty SSL certificates, keys, or CRLs are not rolled forward on upgrade to v11.0.0. This occurs when empty or invalid certificates, keys, or CRLs exist under /config/ssl/ssl.crt, /config/ssl/ssl.key, or /config/ssl/ssl.crl. Roll-forward fails when invalid or empty certificates, keys, or CRLs are found. Workaround: None.
359491 When a system's hostname is set by the user via the tmsh command "modify sys global-settings hostname new-hostname.example.com", only the local copy of the self device is updated. Remote copies of the hostname are not updated accordingly. Thus, running the command "list cm device name-of-device hostname" shows the hostname "new-hostname.example.com" on the local machine and "old-hostname.example.com" on other machines in the trust domain. To reproduce: update or set the hostname using tmsh, then log in to another host in the trust domain and check the first host's hostname. The hostname returned for a remote host in a trust domain will not match the hostname defined on that host locally if it was set using tmsh. Workaround: None.
359873 LTM-initiated SSL renegotiation is not attempted when secure renegotiation is configured as required and the peer is unpatched (does not support SSL secure renegotiation). This applies both to configuration-based (e.g., renegotiate-period), as well as iRules-based attempts to renegotiate. This occurs when secure renegotiation is required and the peer is unpatched. LTM-initiated SSL renegotiation is not attempted. Workaround: None except to ensure that all peers are patched.
360122 The iControl method System.Statistics.reset_all_statistics() does not reset iStats. This occurs when running the iControl method System.Statistics.reset_all_statistics(). Does not reset iStats. Workaround: To work around this, do the following: 1. bigstart stop. 2. Remove all files (not directories) in /var/tmstat2. 3. bigstart start.
360134 6400, 6800, 8400, and 8800 platforms with Cavium NITROX Federal Information Processing Standards (FIPS) cards do not support secure SSL renegotiation with RC4 ciphers. Initial SSL handshakes are unaffected, but attempts to perform mid-connection rehandshakes fail when SSL secure renegotiation is negotiated. This occurs on the 6400, 6800, 8400, and 8800 platforms with FIPS cards using secure SSL renegotiation with RC4 ciphers. Initial SSL handshakes are unaffected, but attempts to perform mid-connection rehandshakes fail. Workaround: You can work around this by disabling SSL renegotiation or RC4 ciphers. Platforms with Cavium NITROX-PX FIPS cards are unaffected.
360485 Node statistics, especially after a statistics reset, may be too high for a node whose address is in a lasthop pool. This occurs when a lasthop pool is configured. Node statistics are inaccurate. Workaround: None.
360675 Creating a configuration object with a FIPS 140 key always creates a key in the FIPS 140 device, even when the configuration objects are not saved. This concerns FIPS 140 key handling. When configuration objects are not saved, the user must delete the FIPS 140 keys manually from the device. Workaround: Manually delete keys using the following command: tmsh delete sys crypto fips by-handle. List key handles using the following command: tmsh show sys crypto fips.
361036 When the AOM powers down the Host for cause (for example, over temp) it abruptly stops the Host, bypassing a normal graceful power-down sequence. Occurs when the Host is powered off for cause. Because of this, some log messages sent from the AOM to the Host might be lost. Workaround: None.
361181 You can run the command 'fipsutil -f init' to force re-initializing the FIPS card or 'fipsutil reset' to reset the FIPS card. Both of these operations delete all the keys in the card. However, issuing the command does not delete the BIG-IP configuration objects representing those keys, nor does it modify SSL profiles that use those keys. When there are BIG-IP configuration objects referencing such FIPS keys, these operations cause the configuration to fail to load on reboot. This occurs when running the command 'fipsutil reset' or 'fipsutil -f init' while BIG-IP has configuration objects referencing keys on the FIPS card. The system posts messages similar to the following: 'notice mcpd[5816]: 01390002:5: The size of the configuration DB has been extended by 2097152 bytes, now using a total of 10485760 bytes', 'err mcpd[5816]: 010713e4:3: FIPS subsystem reported error while attempting file object operation: FipsMgr::get_handle_from_modulus error unable to obtain handle. Modulus(e1:fb:55...ef:89:b3), FIPS:ERR_HSM_NOT_INITIALIZED. ', 'err mcpd[5816]: 010713e4:3: FIPS subsystem reported error while attempting file object operation: fips_insert_masked_object error on import, ERR_HSM_NOT_INITIALIZED. ', 'err mcpd[5816]: 01070712:3: Caught configuration exception (0), unable to import FIPS 140 key (/Common/fipspartition) from key file.) - sys/validation/FileObject.cpp, line 4714. ', 'err tmsh[6948]: 01420006:3: Loading configuration process failed. ' Workaround: To avoid this situation, delete the FIPS keys and remove their usage from profiles before resetting or re-initializing the FIPS device. If the system gets into the failure condition, you can recover by completing this procedure: 1. Edit the bigip.conf file where the FIPS key is referenced and delete all occurrences of the key. 2. Delete the key from /config/ssl/ssl.cavfips. 3. Find and delete the key from filestore/files_d/partition-name/certificate_key_d/. 4. Run 'tmsh load sys config partitions all' to make sure the config loads. After this point, the config should load without issue after a reboot.
361315 If you go to the System : Preferences screen and simply click the Update button without editing any values, the system incorrectly posts a Changes Pending notice (that is, a recommendation for synchronization). Many values on this screen are not even synchronized across BIG-IP devices. This occurs when you click the Update button on the System : Preferences screen. The system incorrectly recommends a sync, even though it is not needed. Workaround: None.
361470 An error message is posted when a virtual server's destination address is entered into tmsh with invalid IPv4 or IPv6 numbering or a hostname. This occurs when entering invalid IPv4 or IPv6 numbering or a hostname in tmsh. The system posts an error message similar to the following 'The requested virtual address (/PATH/ADDRESS) was not found.' Workaround: None.
362225 Disabling connection queuing via "tmsh edit" while connections are queued causes the queued connections to become stuck. This occurs when using tmsh edit while connections are queued. Queued connections become stuck. Workaround: Use the tmsh modify command instead of edit.
362874 A misleading Upgrading Device Trust banner can appear in the GUI. The banner indicates that the device is waiting for its peer to be contacted. This occurs when a device that is configured to be in a redundant pair is upgraded to version 11.x, but its peer device cannot be contacted. After upgrading, the GUI might post the following message for several hours: 'Upgrading Device Trust Device trust is still being upgraded. Please do not make modifications to Device Management or Traffic Groups pages while this message is displayed.' Workaround: If the peer device is no longer in use, use the following procedure to remove the banner message: * Set the trust.configupdatedone db variable to 'true'. * Set the failover.isredundant db variable to 'false'. * Restart devmgmtd. * Reset trust.
363216 A virtual server might indicate 'vlans-disabled' but not include a list of which VLANs are disabled if that list is empty. The tmsh list command does not indicate that a VLAN is disabled; this can be seen only in the GUI. This occurs when you add a VLAN to a virtual server. The default setting is disabled. For example, the following configuration means that the virtual server is disabled for no VLAN entries, which is the default setting: ltm virtual sample_vs { destination any:any profiles { fastL4 { } } vlans-disabled } The VLAN added to a virtual server is silently disabled. Workaround: Running the command 'list ltm virtual all-properties' indicates whether the VLAN is enabled or disabled.
363284 The cipher list 'DEFAULT:!NATIVE' is different on v10.2.2 (valid) and v11.0.0 (invalid, empty). This can cause configurations to fail to load on v11.x during the upgrade. This occurs because the 'ALL' cipher keyword in the Client SSL profile now includes only 'NATIVE' ciphers. That means 'COMPAT' must be specified explicitly to include COMPAT ciphers (e.g., EXP, EDH). As all SSLv2 ciphers are COMPAT ciphers, this also means that 'ALL:SSLv2' no longer includes SSLv2 ciphers. Note that this change affects upgrade. Workaround: If your configuration uses COMPAT ciphers, it requires a configuration change (to specifically include COMPAT ciphers) for the upgrade to complete successfully.
363541 You can create an 'and' rule for the default node monitor that includes the monitor '/Common/none'. This occurs with the none monitor. When this occurs, the state of the node is not reported correctly. Workaround: None.
363912 On rare occasions, when there are no monitors assigned as the default node monitor, an entry 'none' may appear in the Active select box on the 'Default Monitor' page in the Configuration utility. This still represents the fact that no monitors are selected as the default node monitor, and the BIG-IP system operates as such. This occurs because tmsh allows /Common/none as the default-node-monitor; the GUI displays it correctly, but 'none' is not offered in the GUI by default. Workaround: None.
364522 A user with the app_editor role can create an app service; however, because app_editor users cannot create objects (they can only update and enable/disable them), app_editor users actually cannot complete the creation of an app service. This occurs with users with the app_editor role. App_editor users cannot add pool members unless the nodes already exist. Workaround: There are two workarounds: 1. Use the new add_member_v2 method, which does not have this constraint (the add_member command is deprecated). 2. Have a user with the appropriate role create and manage the node address prior to using add_member.
364588 Running the show command from /Common to display a pool in another partition does not show all of the information. This occurs when you run the show command from the /Common partition to display the details of a pool in another partition. The monitor instance line is missing. Workaround: To work around this, navigate to the partition first. Then the show command presents the expected results.
364717 There is an issue when using the node-port option with the delete command for persistence persist-records. This occurs when using the delete command to delete persistence records on a nonexistent port. The system deletes all the persist table entries irrespective of the port specified. In addition, the show command with nonexistent port displays all the entries irrespective of the port specified. Workaround: None, except to ensure that the port exists before deleting the persist table entries.
365006 Installing a 10.x UCS on a "clean" 11.0 system causes daemons on secondary blades to restart. Workaround: None.
365219 Trust upgrade fails when upgrading from version 10.x to version 11.x. The upgrade fails without apparent error, but one of the two following error messages appears in the /var/log/ltm log: -- com.f5.devmgmt.certmgmt.TrustConfigUpdateForHAPairTask.run(TrustConfigUpdateForHAPairTask.java:425): Trust configuration update for HA Pair has failed: [STACK TRACE: {java.lang.Exception: Config sync password is invalid.}{ at com.f5.devmgmt.certmgmt.TrustConfigUpdateForHAPairTask.run(TrustConfigUpdateForHAPairTask.java:200)}. -- devmgmtd[7983]: 015a0000:3: Trust Config Update: [TrustConfigUpdateForHAPair.cpp:521 ] Skipping already-completed trust. This occurs when upgrading high availability version 10.x configurations that use the factory default admin password. Trust upgrade for the version 10.x high availability configuration fails. Workaround: Change the default admin password in the 10.x configuration before upgrading to 11.0.0. This is intended functionality. The default admin password should be changed before deployment.
365555 The DES ciphers have been deprecated for TLS v1.2, but TMM is still including them. These ciphers are supported on earlier versions of SSL/TLS, such as SSLv3 and TLS v1.0, which are widely used. TLS v1.2 deprecates them in favor of stronger ciphers. Workaround: None. F5 recommends that you do not use these ciphers.
365756 During the load of a bad SCF file, once an error occurs, the user is left in the partition folder where the error occurred. If the user attempts a second load, they get an error: 'Data Input Error: 01070734:3: Configuration error: Invalid mcpd context, folder not found'. This occurs when loading a bad SCF file. The system changes the CLI location to the folder that contains the error. Workaround: Fix the SCF file, change the directory/context back to /Common, and attempt to reload.
365757 Mixed mode is presented as an option for extra disks. When trying to change the mode for logical disks, the system presents all options in the GUI and tmsh, even those that are not valid. When applied, this configuration option presents an error message: '01071372:3: Cannot change the mode for logical disk (HD2) from (NONE) to (MIXED). Disks cannot be changed to MIXED or CONTROL modes.' Workaround: Only None and Datastor are functional modes for extra disks.
365767 Using the verify option during a tmsh load .scf file operation on the VIPRION system causes mcpd to restart. This occurs when loading an .scf file using tmsh with the verify option on a VIPRION. mcpd restarts. Workaround: Do not use the verify option on VIPRION.
366060 There is an issue that is rarely encountered in FTP mirroring. FTP mirroring occasionally fails when connections come from tmm0. When it does fail, the idle timer on the standby is not updated and the connection is reaped in the 30-50 second range. Workaround: None.
367072 Running the command 'tmsh show sys hardware' on an appliance-based system shows a Registration Key field with a -- value, even on licensed systems. This occurs on appliance-based systems when running the command. The Registration Key field contains a -- value. Workaround: There is no workaround, but this field is designed only for chassis-based systems, so you can ignore the value.
367198 Running 'tmsh show sys hardware' on appliances shows a blank Registration Key field. This occurs when running this command on hardware other than VIPRION chassis. Blank Registration Key field. Workaround: This is by design; this field is intended for VIPRION chassis only.
367714 When accessing the serial console on some BIG-IP platforms, if the baud rate is changed repeatedly on the serial client, the serial console port may cease functioning. In this case, a reboot of the BIG-IP system is required to restore serial console functionality. This problem is known to occur on BIG-IP 6900 appliances, and may also occur on BIG-IP 1600, 3600, 3900, 8900, 8950, 11000 and 11050 appliances. This problem has been observed to occur more frequently when connecting to the BIG-IP serial console from a client using a USB-to-Serial adapter. Different makes and models of USB-to-Serial adapters do not perform identically. The serial console interface to the affected BIG-IP system is lost. A reboot of the BIG-IP system is required to restore serial console functionality. Workaround: The BIG-IP system can be accessed via the management IP address, or by the AOM management IP address if so configured. For more information, see SOL13331: The BIG-IP serial console port may lock up when the terminal emulator is configured with a mismatched baud rate, available at http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13331.html.
367996 Chunked HTTP responses might not be unchunked before they are compressed and forwarded to the client. This issue occurs when the following conditions are met: the NTLM and OneConnect profiles are applied to a virtual server, and HTTP compression is enabled on the virtual server. This can also be triggered when replacing the NTLM profile with an APM access policy configuration on the virtual server. Client connections might fail. Workaround: To work around this issue, you can either modify the type of response chunking or disable compression. For more information, see SOL14030: The BIG-IP system may fail to unchunk server response when compression is enabled, available here: https://support.f5.com/kb/en-us/solutions/public/14000/000/sol14030.html.
368888 The system allows you to create a virtual server (which creates the virtual address) in traffic-group 2 and a SNAT translation IP in traffic-group 1, and then to assign the SNAT IP to the virtual IP address, even though doing so could cause asymmetric routes if these traffic groups were not active on the same unit. This occurs with multiple traffic groups and SNAT translation tables. This configuration might cause asymmetric routes. Workaround: To work around this, only perform this type of configuration when the two traffic groups are active on the same unit.
369352 When logged in as a resource administrator, 'load sys config default', which restores the configuration to factory defaults, doesn't prompt for verification as it should. If you execute the command from a normal administrator role, you do get a prompt. This occurs when you log in as a resource administrator and run 'load sys config default': the restore begins without a verification prompt. System restore is initiated without a prompt when run as a resource administrator. Workaround: None.
369596 The 'tmsh show ltm pool' command doesn't show the latest updates for connection and rate limits. The connection and rate limits do not get published to the UIs until a monitor instantiates a state change on the pool member or node. Note that this does not impact the data path; it is only a UI issue. This occurs when you configure a pool member or node to have connection or rate limits. Statistics displayed using tmsh may not be current. Workaround: None.
369640 If an iRule is assigned to two different virtual servers in different contexts, the first time the rule runs, any internal object conversions/lookups are performed in the first context. When the second virtual server runs the same rule, it assumes that the objects that have been looked up are correct, and points to the wrong members. This occurs when two virtual servers in different folder paths use short names for objects like pools, procs, nodes and virtual servers. The iRule can point to objects outside the current folder path. Workaround: Give each virtual server its own copy of the iRule (it is not necessary to provide complete folder paths).
371164 Because traffic groups are not bound to any specific VLAN, Neighbor Discovery (ND) for link-local addresses goes out on all VLANs. This occurs because traffic groups are not bound to any particular VLAN or interface; since the MAC is bound to the traffic group, it is not bound to a particular VLAN either. This occurs when using MAC masquerade addresses on VLANs. TMM creates a new link-local address for each masquerading MAC. Thus, the same link-local address might be used on all interfaces, which means that the system might use the same MAC on different VLANs. For example, in the following configuration, you might expect that traffic-group-1 and MAC 02:23:e9:74:e2:c4 are bound only to VLAN Internal. However, you can create another self IP address, assign it to different VLANs or route domains, and have them be part of the same traffic group. A traffic group is about availability and not about routing or partitioning.
Configuration:
    net self 10.10.10.10%1 {
        address 10.10.10.10%1/23
        allow-service { default }
        floating enabled
        traffic-group traffic-group-1
        unit 1
        vlan Internal
    }
Although this is intended functionality, some users might not expect the behavior. BIG-IP sends ND probes for all masquerading addresses on all VLANs. Although switches typically build up forwarding tables per VLAN, some switches might not do so correctly, which results in failure to forward packets as expected. That might impact other traffic, including IPv4. Workaround: Set the db variable tm.macmasqaddr_per_vlan to True. This ensures that a single source MAC is associated with a single VLAN ID and is guaranteed to be unique per VLAN.
371647 When using the F5 Advanced Client Authentication (ACA) module's Kerberos delegation, users must manually add the iRule _sys_auth_krbdelegate to their profile. This occurs when using Kerberos authentication in ACA. Note: This does not apply to APM authentication. Workaround: Manually add the iRule _sys_auth_krbdelegate.
372209 When the certificate used to verify a signed iRule expires, the iRule verification status remains 'Verified' as long as the certificate exists on the device. This occurs when an expired certificate that was used to sign an iRule still exists on the system. The iRule status remains 'Verified', even though the certificate is expired. Workaround: To avoid the misleading status, modify the signature for iRules signed with an expired certificate to have the 'ignore verification' property set to true, or edit the rule to remove the signature (edit the rule and remove the 'definition-signature' line).
373467 MD5 certificates do not work with TLS 1.2. This occurs with TLS 1.2 and MD5 client certificates. Client does not authenticate with certificates signed with rsa-md5. Workaround: None.
374109 The radvd config is not migrated to tmsh syntax during a UCS restore. Performing a UCS restore. radvd config is not migrated to tmsh syntax. Workaround: Create the config manually with tmsh.
374333 When the rate of new connections (CPS) is extremely low, observed/predictive load balancing can distribute connections unevenly across pool members. This occurs when you configure a pool using the predictive or observed load balancing method. Connections are distributed unevenly across the pool. Workaround: None.
375207 On rare occasions, tmsh writes an innocuous error message to /var/log/ltm based on a query to mcpd. Here is one case that issues the message: In tmsh, type the command 'generate sys icall event', and then press the tab key. The following error is posted: 01070734:3: Configuration error: Invalid wildcard query, invalid or missing class ID. Workaround: None, but this message is innocuous and can be safely ignored.
376166 QSFP+ module ports do not allow a media capability setting of 1 GbE. This occurs when setting the media capability of the 10 GbE port to 1 GbE. This action fails to turn the 'link-up' LED to amber; the LED remains green. Workaround: None. This action is not supported on this port.
376447 If a VLAN group member is used in the configuration of another object, an error may result. It should not be possible to add that VLAN directly to a route domain, since it is part of a group; however, if you create a new route domain, the VLAN appears in the list, and attempting to add it results in the error. This occurs when using tmsh or iControl and the VLAN group feature. The system posts an error similar to the following: 01070712:3: Caught configuration exception (0), Cannot create vlan 'vlanx' in rd0 - ioctl failed: File exists - net/validation/routing.cpp, line 395. Workaround: To avoid the problem, when using tmsh and the VLAN group feature, only use the VLAN groups, never their members, when configuring other objects. Furthermore, it is not necessary to work with the VLAN group member (that is, in this case, the group is already in the route domain, so adding the VLAN itself is not even necessary).
377231 VIPRION B4300 blades only support 9600 and 19200 baud, even though other baud rates are accepted. This occurs when using baud other than 9600 or 19200 on VIPRION systems. You can select other baud rates, but they do not work. Workaround: None. VIPRION B4300 blades only support 9600 and 19200 baud.
378055 The serial console on the B2100 blade in a VIPRION C2400 chassis cannot be set to 38400 using the tmsh command 'tmsh mod sys console baud-rate 38400,' but can be set using the AOM Command Menu. After setting to 38400 via the AOM Command Menu you can use the tmsh command to see that the baud rate has been set to 38400. This occurs on the B2100 blade on a VIPRION 2400. Cannot use tmsh to set baud rate to 38400. Workaround: Use AOM to set baud rate to 38400.
378967 Users in partitions attached to sync-only device groups do not sync to other devices in that device group. There are users whose active partitions are attached to a sync-only device group. This affects sync-only device groups only, not the failover device group. Workaround: None.
379002 MSRDP persistence fails when pool members are in route domains, causing the pool's load-balancing mechanism to be used instead. A configuration with route domains and MSRDP persistence. Connections will be load-balanced in perpetuity. Workaround: Do not use route domains if possible.
380047 Listing objects that exist in partitions other than /Common shows no results. This occurs when you are in the /Common partition and you attempt to list objects that exist in another partition, for example, running the command 'list ltm profile ntlm my_subfolder/my_ntlm_profile' when /Common is the active partition. Listing certain objects in subfolders of the current folder (e.g. 'list ltm profile ntlm my_subfolder/my_ntlm_profile') may not show any output. Workaround: As a workaround, you can change into the partition ('cd my_partition') and then list the object: 'list ltm profile ntlm my_ntlm_profile'.
380415 TMM CPU utilization statistics reported by sFlow or by running 'tmsh show sys tmm-info' are less than actual TMM CPU utilization. This occurs when using sFlow or by running 'tmsh show sys tmm-info' to report TMM CPU utilization statistics. The values reported are less than actual TMM CPU utilization. Workaround: TMM CPU utilization stats can be found by running 'tmsh show sys proc-info tmm'.
381123 Enabling more than 10 sFlow receivers may impact the performance of the BIG-IP system and, therefore, is not recommended. This occurs when using more than 10 sFlow receivers. Slower system performance. Workaround: None. This configuration is not recommended.
381710 The test-monitor and test-pool-monitor commands require the monitor or pool argument to include its partition, e.g. /Common/pool1. This occurs when using these commands inside a partition. Tab completion from inside a partition causes the partition name to be omitted. Workaround: To work around this, run these commands from the root partition, or manually type the full pool or monitor argument including the partition.
382040 Config sync fails after changing the IP address of a pool member that has a node name, where the IP address change is achieved by deleting the pool member and node and then recreating the pool member/node. This issue occurs when the following steps are followed:
1. Delete an existing pool member that has a node name set.
2. Recreate the pool member with a different IP address using the same node name before syncing the config.
3. Sync the configuration.
For example, starting from this configuration:
    ltm pool ip_mod_pl {
        members {
            ip_mod2_nd:http { address 10.168.1.4 }
            ip_mod_nd:http { address 10.168.1.1 }
        }
    }
    ltm node ip_mod2_nd { address 10.168.1.4 }
run the following commands:
    tmsh modify ltm pool ip_mod_pl members delete { ip_mod2_nd:http }
    tmsh delete ltm node ip_mod2_nd
    tmsh modify ltm pool ip_mod_pl members add { ip_mod2_nd:http { address 10.168.1.5 } }
    tmsh run cm config-sync to-group S48-S49
On versions 11.4.0 and later, the issue happens only if a full load is performed. Note that full loads may still complete successfully on occasion, even if full-load-on-sync is false for the device group. Config sync fails. Workaround: Delete the pool member and node on the peer, then sync the configuration. The issue does not affect pool members/nodes with no name associated with the node.
382252 If TMM cores, the High Speed Bridge (HSB) driver clears its transmit and receive ring buffers as part of its shutdown routine. This causes the loss of HSB ring buffer data and state information that might be useful in diagnosing the cause of certain TMM cores resulting from invalid buffer data. This occurs on BIG-IP platforms containing a High Speed Bridge (HSB) FPGA device when a TMM core occurs. HSB ring buffer data and state information, which might be useful in diagnosing the cause of the TMM core, is not preserved in the resulting TMM core. Workaround: None.
382363 The system does not require min-up-members of a pool to be set greater than zero when also using gateway-failsafe-device on the same pool. A pool's min-up-members is 0 when gateway-failsafe-device is set. Failure to set min-up-members greater than zero when using gateway-failsafe-device might cause errors. The tmm might crash. Workaround: Set min-up-members greater than zero when using gateway-failsafe-device.
382613 On VIPRION 4400 chassis containing B4100 blades, the Speed LED stays solid yellow when at 10Mb. This occurs on VIPRION 4400 chassis containing B4100 blades. The Speed LED stays solid yellow. Workaround: This is not an indication of a problem with the system, even though the Platform Guide: VIPRION 4400 Series indicates that the Speed LED should blink yellow.
383128 While upgrading or booting between versions on the VIPRION B2400, B4200, and B4300 Blade Series, it should be expected that firmware upgrades between versions may delay the cluster from becoming active by up to fifteen minutes. This occurs when upgrading or booting between versions on VIPRION blades. Firmware upgrades between versions may delay the cluster from becoming active by up to fifteen minutes. Workaround: None.
383442 If a packet is split into multiple fragments and the matching part of the tcpdump filter is in a later fragment, it does not match. This occurs on multi-fragment packets. The tcpdump packets do not match. Workaround: None.
384717 While viewing 'watch-trafficgroup-device', if devices in the device group change, 'watch-trafficgroup-device' can sometimes become non-responsive. This occurs while viewing 'watch-trafficgroup-device' if devices in the device group change. The 'watch-trafficgroup-device' tool can sometimes become non-responsive. Workaround: Kill the tool and restart it after the device group membership stops changing; 'watch-trafficgroup-device' then keeps running stably.
385508 Loading a pre-11.0.0 UCS onto a system running 11.0.0 or later resets the device trust group, and should be avoided after the original migration. Save a new 11.x UCS immediately after migration is complete and use that UCS going forward. Migrating with pre-11.0.0 UCS onto system running 11.0.0. Resets device trust group. Workaround: None.
385825 The CMI watch-* scripts (such as watch-devicegroup-device, watch-sys-device, watch-trafficgroup-device) should not be allowed to run indefinitely, as they may adversely affect performance of the unit after a few hours. This occurs when you run a CMI watch script for an extended period, for example: 'tmsh run cm watch-devicegroup-device'. This might cause processes to fail, or a unit to fail over or unexpectedly reboot when non-tmm memory is exhausted. Workaround: Do not allow CMI watch-* scripts (such as watch-devicegroup-device) to run indefinitely. Problems typically occur after a few hours, so the issue might not occur if you keep runs to less than an hour.
385915 When using the tmsh command 'list net interface all lldp-tlvmap' to display the lldp-tlvmap values, you might see values that deviate from the default of 130943 (for example, 114552). This issue occurs when Link Layer Discovery Protocol (LLDP) is enabled and you use the BIG-IP Configuration utility to manually update the properties of a BIG-IP interface. This issue occurs when unused bits in the Type, Length, Value (TLV) bitmask are incorrectly set. None. This issue is purely cosmetic. Workaround: Manually modify the value as needed.
386778 IPsec in an HA deployment cannot use an anonymous ike-peer. This occurs when using IPsec in an HA configuration. The tunnel is not created. Workaround:
- Create a new ike-peer with the required remote IP field holding the remote peer's IP address.
- If using RSA (the default), uncheck the verify certificate field (not required when using PSK).
- Change the presented ID and verified ID fields to 'address'.
387106 Ramcache statistics are associated with only one virtual server per profile. The statistics for all of the virtual servers that use this profile are reflected in the ramcache statistics for that virtual server. This occurs in reporting ramcache statistics. System reports statistics for only one virtual server per profile. Workaround: The workaround is to create a copy of the profile for each virtual server if the individual statistics are desired. However, this adds complexity to the configuration and should only be done when necessary.
387448 Monitoring device group status from a device from outside the group might return an incorrect status. When monitoring device group status from a device that does not belong to that group, the config sync status reported could be inconsistent with the device-level status. For example, the sync status for device A is 'Changes Pending,' but the device-group to which device A belongs shows a status of 'In sync.' Workaround: View the sync status from a device in the device group.
388098 Running dmesg can report hda cable detect errors. This occurs when running dmesg. dmesg might display a message similar to the following: 'localhost warning kernel: hda: host side 80-wire cable detection failed, limiting max speed to UDMA33'. Workaround: None. This is expected and does not indicate any problem with the hardware or software.
388273 On a VIPRION, the failover daemon does not communicate correctly with the peer chassis unless the management port is configured on each blade. This occurs on a VIPRION when the failover daemon attempts communication with the peer chassis. Communication does not occur correctly, and both chassis can become active for an interval of time. Workaround: Configure the management port on each blade. Specifically, assign a network address and subnet to the management port for each blade.
389397 On 12050/12250 (D111) and 10350N (D112) platforms, setting the db variable platform.powersupplymonitor to disable might not stop power supply error messages on power supplies that are connected but not turned on. This occurs on BIG-IP 12050/12250 (D111), 10350N (D112), and 10000s/10050s/10200v/10250v (D113) platforms on which platform.powersupplymonitor is set to disable. The power supplies in the system that are not turned on might log error messages until power is removed. Workaround: Remove power on disabled power supplies.
390764 A BFD session might not show the correct session 'Up Time' value in the BFD session information returned using the IMI shell command 'show bfd session detail'. This occurs when any BFD session parameter is modified through imish. The BFD session 'Up-time' is reset when the BFD configuration is modified. There is no functional impact, only diagnostic: the BFD session appears to have reset when it has not. Workaround: None.
392085 On a standalone BIG-IP system, on the properties screen for Device Management, the Force to Standby button might become available. Since this is a standalone unit and there is no active-standby configuration, this button is not valid and it should not be clicked. This occurs on a standalone BIG-IP system. The Force to Standby button might become available, even though it is not valid. Workaround: None.
395148 When setting the baud rate for the front panel serial management port using the AOM command menu, the LCD display does not reflect the baud rate change until fpdd is restarted. This occurs when changing the baud rate using the AOM command menu. The incorrect baud rate might be shown. Workaround: Restart fpdd using the command 'bigstart restart fpdd'.
395269 Reapplying a template to reconfigure an Application Service Object deletes any firewall rules that have been created through the Security screen. This occurs when reconfiguring an iApp. Firewall rules are deleted. Workaround: To retain a set of firewall rules, include creation of the desired firewall rules in the template itself.
395720 On the BIG-IP 4000 platform, sometimes on boot, Ethernet devices do not get renamed. For example, eth6 should be renamed to pf1-7. This occurs on the BIG-IP 4000. Ethernet devices do not get renamed. Workaround: To work around this issue, reboot the device.
396122 In a non-homogeneous cluster, validation on a secondary blade may fail if the module is not allowed or resources are not available. This occurs when a module is provisioned and validated on a primary blade but the validation for this module is not completed on a secondary blade. Daemons may restart when an invalid module is provisioned on the secondary blade. Workaround: Make sure the primary member of a cluster is the blade with the least available resources (Puma1).
396273 When running dmesg, you might see errors similar to the following: 0000:17:00.0: vpd r/w failed. This is likely a firmware bug on this device. Contact the card vendor for a firmware update. This can occur when 'lspci -vvv' has been executed. This is a benign message, and you can safely ignore it. Workaround: There is no workaround, but this is not a functional issue.
396278 If you set MGMT IP address using the LCD module, the ltm log contains a message stating the management route was not found. This is the message: Aug 31 12:01:20 localhost err tmsh[9771]: 01420006:3: 01020036:3: The requested management route (/Common/default) was not found. This is a benign logging message that is reporting a non-existent error condition. This occurs when you set MGMT IP address using the LCD module on 1600, 2000, 3600, 3900, 4000, 5000, 6900, 7000, 8900, 10000, and 11000 platforms. The system writes this message to the ltm log: Aug 31 12:01:20 localhost err tmsh[9771]: 01420006:3: 01020036:3: The requested management route (/Common/default) was not found. Workaround: There is no workaround, but this is a benign logging message that is reporting a non-existent error condition.
396293 SNAT bounceback does not work when the non-default CMP hash is used on a VLAN carrying that kind of traffic. This occurs with SNAT bounceback using non-default CMP hash. SNAT bounceback does not work. Workaround: None.
396294 At startup, the BIG-IP 4000 logs a message 'SwEdge Error: No core edge found' in /var/log/ltm. This occurs at startup time on the BIG-IP 4000. The system logs the message 'SwEdge Error: No core edge found' in /var/log/ltm. Workaround: None. This message is benign and reports a non-existent error condition.
396831 Provisioning Virtual Clustered Multiprocessing (vCMP) on 2000/4000 series platforms can cause a kernel panic. vCMP is not supported on these platforms. This can occur on the 2000/4000 series platforms. A kernel panic can occur. Workaround: The release notes contain information about which platforms support vCMP. You can also check the AskF5 Knowledgebase. If a vmdisks application-volume was created on a platform that does not support vCMP, it should be removed.
398947 It is possible that the text 'serial8250: too much work for irq4' may be seen on the host serial console. These messages are extremely rare. The cause of the message is a temporary overload of the serial port. However, once the serial port has recovered from the overload, it continues to operate normally. The system might post the text 'serial8250: too much work for irq4' on the host serial console. Workaround: None. No character loss on the console has been observed when this condition is encountered.
399073 You might encounter the error 'err ntpd[5766]: Frequency format error in /var/lib/ntp/drift' in /var/log/daemon.log once after boot. This occurs after boot. The system posts the error: err ntpd[5766]: Frequency format error in /var/lib/ntp/drift. Workaround: None. This message indicates an innocuous condition.
399470 Switch based platforms incorrectly identify Fiber Channel SFP modules. This occurs on switch based platforms. The platform incorrectly identifies the Fiber Channel SFP. Workaround: None. Switch based platforms do not support Fiber Channel SFP modules.
399726 TMM restarted during license or config loading. A new TMM core file is in /shared/core. The message 'HA daemon_heartbeat tmm fails action is go offline down links and restart.' from the sod daemon appears in the /var/log/ltm file. This occurs on Virtual Edition (VE) configurations when TMM takes more than 10 seconds to mmap in the GeoIP files as part of the license loading process because of high disk latency. It might trigger failover. Workaround: None.
400078 When removing a pluggable module from some specific ports on 4300/4340N blades or on the 10000 and 12000 series platforms, it is possible for the adjoining ports to lose link briefly. For example, this might occur when removing a pluggable module from the 4300 blade's ports 1.1 or 1.5. When this occurs, it may cause an established link on ports 1.2 or 1.6, respectively, to drop briefly. Workaround: None.
400584 An lsn-pool object can be created without any member prefix, but it will not perform translation until prefixes are added. This occurs with an lsn-pool that has no member prefix. The lsn-pool does not perform translation. Workaround: Add prefixes to the lsn-pool.
400778 On a VIPRION system, during a failover in which a blade transitions from secondary to primary, log messages make it appear that chmand is looking to delete logical disks on CF1 and HD1. This occurs on VIPRION systems. The ltm log displays messages: 'Oct 9 01:31:00 slot2/cluster err chmand[6909]: 012a0003:3: Physical disk CF1 not found for logical disk delete', 'Oct 9 01:31:00 slot2/cluster err chmand[6909]: 012a0003:3: Physical disk HD1 not found for logical disk delete'. Workaround: None. These messages are benign and you can safely ignore them.
402115 Using the command 'tmsh show sys memory' displays zero usage for some entries. Any running product. The division of memory usage may not be clear. Workaround: None. However, the information shows the most important value, which is the memory utilization of each thread; the memory available to each thread is derivable from the total.
402455 Before attempting synchronization using the GUI setup wizard, clocks of the BIG-IP devices must be synchronized. It is recommended to use an NTP server for completing this operation. This occurs when using the setup wizard. Establishing device trust group fails. Workaround: To facilitate this, synchronize the clocks of the BIG-IP devices, preferably using an NTP server.
402855 Removal of route domains from the configuration might cause load failures. Load of the updated config fails. Workaround: Clear the current config by loading defaults before loading the UCS, using the following command sequence:
-- tmsh load sys config default
-- tmsh load sys ucs ucs_name
402873 The source IP address for SNMP traps is inconsistent. For example, traps regarding monitor up/down status are sent with the TMM self IP as the source IP; however, traps regarding the restart of the SNMP agent are sent with the management IP as the source IP. This occurs when the desired destination for SNMP traps is configured on TMM interface(s) and there is no specific management route configured. The impact is a routing change, or the SNMP manager does not accept the SNMP trap if it does not come from the registered source IP address. Workaround: The recommended workaround is to configure a specific management route to make the SNMP traps consistently source from the management IP address. Alternatively, the following configuration makes the SNMP traps consistently source from the TMM self IP address (10.x.x.y):
    sys snmp {
        traps {
            my_trap {
                community public
                host 10.x.x.z
            }
        }
    }
    ltm rule trap_translate {
        when CLIENT_ACCEPTED {
            log local0. "original src-ip is [IP::client_addr], going to translate"
            snat 10.x.x.y
        }
    }
    ltm virtual-address 10.x.x.z {
        address 10.x.x.z
        arp disabled
        mask 255.255.255.255
        traffic-group traffic-group-1
    }
    ltm virtual trap_translate_vip {
        destination 10.x.x.z:snmptrap
        ip-forward
        ip-protocol udp
        mask 255.255.255.255
        profiles {
            fastL4 { }
        }
        rules {
            trap_translate
        }
        translate-address disabled
        translate-port disabled
        vlans-disabled
    }
403613 The drop counters for the 1.x interfaces on the 2000s / 2200s and 4200v platforms currently do not work in LTM mode due to a hardware issue. This occurs on 2000s / 2200s and 4200v platforms drop counters for 1.x interfaces. Drop counters do not work in LTM mode. Workaround: There is no workaround.
403688 Hardware syncookies currently require both client side and server side profile context to have hardware syncookies enabled in order to function. This occurs with hardware syncookies. Hardware syncookies do not function. Workaround: Enable client side and server side profiles for hardware syncookies.
403764 If a log message is not matched by any filter, then the log will be processed by the syslog-ng daemon. Workaround: To disable log processing by the syslog-ng daemon, create a filter with source equal to "all" and level equal to "debug" then route as desired.
404398 Using tmsh merge to update route-domains does not work. This occurs when attempting to merge configuration information that contains differing route domain information. The operation fails with a message similar to the following: 01070979:3: The specified vlan (/Common/external) for route domain (/Common/0) is in use by a self IP. Unexpected Error: Loading configuration process failed. Workaround: A workaround is to manually merge the changes to /config/bigip_base.conf (or /config/partitions/partition_name/bigip_base.conf) before performing the load operation.
404588 LSN iRules persistence-entry get/set and inbound-entry get/set might not work properly for RTSP when the iRule gets suspended (for example if the 'after' command is used). This occurs when an iRule on the RTSP_RESPONSE event get suspended (for example when using the 'after' command). LSN iRules persistence-entry get/set and inbound-entry get/set might not work properly for RTSP. Workaround: None.
405255 Issuing a 'reset-stats net interface' command in tmsh does not clear the stats for an interface with status 'disabled'. This occurs when resetting stats on a disabled interface. Stats do not reset. Workaround: Enabling the interface with 'modify net interface x.y enabled' before resetting stats causes the stats to correctly clear. The interface can be disabled again afterwards if needed.
406238 FTP active mode data connection does not work from the BIG-IP system command line if the connection is exiting through an interface with SP DAG. This occurs when cmp-hash is src-ip or dst-ip and FTP is initiated from the BIG-IP system. The data connection cannot be established in active mode. Workaround: Use FTP passive mode for data transfer.
408599 The iRule node command does not work under the LB_SELECTED event. This occurs when using the iRule node command under LB_SELECTED. The node command does not function properly. Workaround: Use the node command under other events.
408810 BIG-IP with a Vyatta neighbor on a single link may appear to be stuck in ExStart/Exchange state because Vyatta incorrectly drops a database description packet containing a 24 byte router-LSA (zero link LSA). This occurs when the OSPFv2 or OSPFv3 neighbor is a Vyatta router. The OSPF session will not come up. Workaround: None.
409059 Hairpin connections are not supported for NAT64. This occurs with an lsnpool with NAT64 and hairpinning enabled. Hairpinned connections will not work. Workaround: Hairpin via an upstream router.
410036 If a client and server attempt to resume a TLS connection using TLS session tickets through a BIG-IP virtual server configured for Proxy SSL, the BIG-IP resets the connection. If Reset Cause Logging is enabled (refer to SOL13223), the reset cause is 'SSL Session Not Cached.' Resumed handshakes do not succeed, which might result in traffic disruption for the affected clients through the virtual server. Workaround: Disable TLS session tickets on either the pool members or the client systems.
410114 When the OSPF protocol running on BIG-IP system sends a 24-byte router LSA, Vyatta discards this LSA. This might cause the OSPF protocol to become stuck in ExStart/Exchange and never reach FULL state. This occurs intermittently. OSPF v2 protocol configured between BIG-IP system and a Vyatta neighbor. OSPFv2 protocol does not synchronize without manual intervention. Workaround: In imi shell, run the command 'clear ip ospf process'. You might need to run the command multiple times.
410223 For a virtual with a SIP profile configured as an ALG using the TCP transport, TCP FIN and RST packets are being unnecessarily sent by the BIG-IP system to multiple peer clients/servers when one of the clients/servers issues a FIN or RST packet. This occurs with a SIP ALG TCP virtual configuration when one of the clients/servers sends a FIN or RST packet to the virtual. Unless the SIP clients/servers are configured to automatically reconnect when they receive an unexpected FIN or RST, the in-progress sessions/calls that are using the connection being closed will fail. Workaround: Configure the mblb (message based load balancing) profile to isolate the clients and servers from RST and FIN packets generated by the other clients and servers. Add the following mblb profile to the SIP virtual: ltm profile mblb /Common/test { defaults-from /Common/mblb isolate-abort enabled isolate-client enabled isolate-expire enabled isolate-server enabled }
411875 The persist command generates an erroneous intermittent error when resuming after a server-side shutdown. This occurs when the persist command parks and the flow is closed before it resumes. Any portion of the iRule following the park does not run, and the connection logs a spurious error. Workaround: Insert a [catch] around the [persist add].
412458 It is possible to misconfigure a SIP ALG virtual by adding a transport protocol profile to the virtual server that does not match the ip-protocol of the virtual server. This invalid configuration will result in a core. If a UDP profile is applied, then the ip-protocol type should be udp. If a TCP profile is applied, then the ip-protocol type should be tcp. This occurs when you add a tcp transport protocol profile to a virtual server and apply a UDP profile to the same configuration. A misconfigured SIP ALG virtual server allows packets for other protocols to reach the tcp/udp/sctp filters. Workaround: None.
414018 Hairpin connections between different subscriber hosts fail. The subscriber network(s) and the internet are in different route domains. Applications on different subscriber hosts cannot establish connections. Workaround: Use the same route domain for the subscriber networks and the internet.
414160 Configuring the VLAN used for inter-device mirroring for an IP cmp-hash mode may cause errors establishing the mirroring connection between devices. Configure the VLAN used for inter device mirroring also for IP cmp-hash mode. Errors generated when establishing mirroring connections between devices. Workaround: Configure the VLANs used for the mirroring connection with the default cmp-hash mode, not an IP cmp-hash mode.
414454 When you update an iRule and replace an event that contains script content with a blank script, TMM cores with a stack trace. In response, TMM cores because it is trying to compile an empty script. Note that when creating a new iRule, there is a check for adding an event script with no content, so the error does not occur on create. This occurs when replacing iRule events containing valid Tcl code with whitespace or with no Tcl code. When the issue occurs, TMM cores with stack trace. Workaround: To work around this issue, delete or comment out the empty event, or insert a comment.
415483 A license activated on 11.2.1 or later is not backward compatible with software versions 11.2.0 or earlier. An issue occurs after performing a software downgrade from version 11.2.1 or later to software version 11.2.0 or earlier. The license becomes non-operational. Workaround: You must acquire a new License Key, or request an 'allow move' from F5 after the downgrade.
415961 Unused HTTP Class profiles are not rolled forward during upgrade or UCS restore. If you have defined HTTP Class profiles but have not assigned them to virtual servers, the system does not bring forward those profiles into the new configuration when you upgrade. No Policy is created from the HTTP Class profile, and the profile does not appear in the new configuration. This occurs when upgrading a pre-v11.4.0 configuration with an HTTP Class profile not attached to a virtual server. You might lose unused HTTP Class profiles in the configuration. Workaround: Attach all HTTP Class profiles to a virtual server before upgrade or before saving a UCS.
417045 Upon shutdown, the system posts the message 'err chmand[8873]: Error sending MCP system_information (err:1020003)' to the ltm log. This might occur intermittently when shutting down the system. This message is benign, and the system should power up correctly. Workaround: None.
417526 The system logs a message sequence that includes a hardware sensor critical alarm in log /var/log/ltm when a power cable is disconnected and then re-connected. This might occur when a power cable is disconnected, then re-connected to an AC power supply. When that happens, system status might switch from Good to Bad, and then back to Good within seconds. As a result, the system posts a message sequence similar to the following: -- notice chmand[9322]: 012a0016:5: Blade 0 hardware sensor notice: Power Supply 2 GPIO status(SPAFFIV04G): Good. -- crit chmand[9322]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power Supply 2 GPIO status(SPAFFIV04G): Bad. -- notice chmand[9322]: 012a0016:5: Blade 0 hardware sensor notice: Power Supply 2 GPIO status(SPAFFIV04G): Good. This is expected behavior, in that the system is actually reflecting the state in real time: when the cable is connected, the status is Good; when the cable is disconnected, the status is Bad; when the cable is re-connected, the status is Good. This message sequence does not indicate a problem in the BIG-IP system. It simply means that it might take a few seconds for the fan in the power supply to come up to speed. Workaround: None.
417720 If a power supply fan unit becomes jammed or experiences a failure that prevents the minimum RPM threshold from being met, the LTM log will erroneously indicate that the power supply has been turned off. For example: localhost crit chmand[8482]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power Supply 2 GPIO status(73-610-125): Bad localhost crit chmand[8482]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power supply #2 fan-1: Bad localhost warning chmand[8482]: 012a0018:4: Chassis power module 2 turned off. This occurs with any kind of power supply fan failure that prevents the unit from achieving the minimum specified RPMs. Misleading log message. Workaround: None.
418509 It is not possible to match a literal ( in the stream filter. This occurs when the stream filter is enabled and the stream expression includes a ( that is not intended as the opening of a regex group. Unable to directly match an expression that contains a literal (. Workaround: Use octal character encoding to resolve the stream filter conflict, as shown in this example: ( = \050 and ) = \051, so instead of the expression function\(param1\) use the expression function\050param1\051.
418709 The LCD module might report the error 'Low fan speed'. However, it does not specify which fan component on the unit is low: the CPU fan, the chassis fan, or a specific PSU fan. This occurs on the 2000 series, 4000 series, 5000 series, 7000 series, and 10000 series platforms. There is an indication that a component is failing, but no indicator of which specific component is failing. Workaround: Use the console to determine which fan is low either by viewing console messages/warnings as they show up or by running 'tmsh show sys hardware' or viewing the /var/log/ltm file.
418924 Secondary blades in a cluster go into swap when there are too many iso images in /shared/images. Too many iso images in /shared/images. Secondary blades are slow. Workaround: Use tmsh or the GUI to delete as many iso images from /shared/images as feasible.
419345 Changing Master Key on the standby of an HA configuration on a chassis might cause secondaries to restart processes. This occurs when you modify the master key on standby chassis. Users might not be able to access the cluster. The secondary blades of that chassis might experience continuous restarts of mcpd and other daemons, accompanied by 'decrypt failure' messages in the ltm log. Workaround: Run the command bigstart restart on secondaries to return system functionality. In general, you should change master keys on the primary in the cluster.
419621 After a blade failover, an existing inbound session may not have the delete event logged when it completes. This occurs with an lsn-pool with NAPT, inbound session logging enabled, and an HA configuration, after failover. The add event for the inbound session may not have a matching delete event. Workaround: None.
419623 If a command that needs to suspend processing (for example, table, session, after, sideband, and persist) is evaluated within the content of an expr block, tmm cores. This occurs when using the table, session, after, sideband and persist commands inside an expr block within an iRule. Tmm cores. Workaround: Assign result of command to a variable outside the block and operate on that value.
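The following iRule is an added example, not from the release note, showing the safe patterns for issues 411875 and 419623 together: the suspending command (here table lookup) is evaluated first and its result stored in a variable before the expr block, and persist add is wrapped in catch. The subtable name, the threshold and the cookie name are hypothetical.

```tcl
# Added example iRule (hypothetical names: subtable "ratelimit", cookie "JSESSIONID")
when HTTP_REQUEST {
    # 419623: commands that can suspend the iRule (table, session, after, sideband,
    # persist) must not be evaluated inside an expr block. Run the command first,
    # keep its result in a variable, and only use the variable inside expr.
    set hits [table lookup -subtable ratelimit [IP::client_addr]]
    if { $hits eq "" } {
        set hits 0
    }
    if { [expr { $hits > 100 }] } {
        reject
        return
    }
    table incr -subtable ratelimit [IP::client_addr]

    # 411875: persist add may park the iRule; if the flow closes before the command
    # resumes, it raises a spurious error. catch keeps that error from surfacing
    # as an iRule execution failure and lets you log it instead.
    if { [catch { persist add uie [HTTP::cookie "JSESSIONID"] } err] } {
        log local0. "persist add did not complete for [IP::client_addr]: $err"
    }
}
```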
419733 BIG-IP systems configured with additional non-default management routes via static, OSPF or other protocols might post error messages. The problem occurs when multiple management interfaces are defined. The system might post route_mgmt_entry count errors during the operation of the /usr/bin/config script. Workaround: Use an alternative method to configure the mgmt address and default route: the GUI, iControl, tmsh, or a configuration file load.
419741 Rare TMM crash bug with vip-targeting-vip. Core analysis is typically necessary to determine whether this bug is the cause. Triggering this bug is difficult and seems to require vip-targeting-vip (e.g., use of the 'virtual' command in an iRule) and more than one blade. In rare situations, the TMM crashes. Workaround: None. This occurs rarely, and the system recovers automatically. Although this workaround has not been verified, in situations where virtual A targets virtual B via the 'virtual' command, it should be sufficient for virtual A to have shorter timeouts than virtual B.
420053 Although the IPFIX Logging Destination accepts transport protocol profile configuration, it does not use parameters from the profile. An IPFIX Logging destination can be configured with non-default protocol profiles, such as a custom TCP profile with specific values for Idle Timeout or Keep Alive interval, but the selections are not used. This occurs when customizing parameters within the configured protocol profile. Parameters specified within the configured protocol profile are not utilized, and default values are used instead. Workaround: None.
420184 A transaction fails when you create a new folder and then create an object in that new folder in a batched set of command-line commands. This occurs when a folder does not yet exist, and you try to create the folder and the object in a batched set of command-line commands. The transaction fails with an error similar to the following: 01070734:3: Configuration error: Invalid mcpd context, folder not found (/AAA). Workaround: To work around this, create a folder before using batch commands to create objects in a folder.
420330 When experiencing a large amount of traffic, TMM could crash due to memory corruption. This occurs when the system is under stress, TMM memory is exhausted, and SSL profiles are configured. A TMM crash causes the system either to fail over to the redundant unit or to interrupt traffic while TMM restarts. Workaround: None.
420344 When BFD is configured between the HA pair neighbor and the HA pair units, BFD fails to establish a session because the IS-IS routing module uses floating self IP address for establishing adjacency rather than non-floating self IP address. BFD is used with IS-IS in HA pair configuration. BFD cannot be used with IS-IS in HA pair configuration. Workaround: None.
420689 A single configuration file (SCF), as generated by the command save sys config file 'name', does not contain information describing what configuration objects have synchronized between the device and other devices. This occurs with an SCF generated using the command: save sys config file 'name'. Loading the SCF can cause the system to lose track of this information. Workaround: From one device, run the following command: modify cm device-group device_group_name devices modify { device_name { set-sync-leader } }
421092 The maximum number of named variables in an iRule is 4,194,304. This occurs when using iRules. System drops core file and posts message: Assertion 'maximum pages' failed. No more than 4,194,304 named variables can exist in an iRule. Although the maximum pages limitation has always existed, beginning with 11.3.0, the assert occurs very early when this is detected. Workaround: None.
421332 If a 40GbE interface is configured with bundling disabled, its attributes (including Enabled/Disabled state and media-sfp configuration) are inherited by the first corresponding 10GbE interface. This can result in the 10GbE interface being disabled or failing to establish a link, and reporting a status of DOWN. For example, on a B4300 blade: 40GbE interface 2.1 (bundle disabled, disabled) -> 10GbE interfaces 1.1 DOWN, 1.2-1.4 UP; 2.2 (bundle disabled, disabled) -> 1.5 DOWN, 1.6-1.8 UP; 2.3 (bundle disabled, disabled) -> 1.9 DOWN, 1.10-1.12 UP; 2.4 (bundle disabled, disabled) -> 1.13 DOWN, 1.14-1.16 UP. This occurs on F5 hardware platforms that allow bundling/unbundling of 40GbE/10GbE interfaces: VIPRION B4300 blades (A108, A110), VIPRION B2250 blades (A113), and BIG-IP 10000-series appliances (D111, D112, D113), with the following interface configurations: 1.x (10GbE) interfaces populated with 10Gb SFP+ modules and properly connected to a switch, and 2.x (40GbE) interfaces configured as 'bundle disabled'. The first of the four unbundled 10GbE interfaces that correspond to the unbundled 40GbE interface may not behave as expected. In many situations, it may fail to establish a link successfully and remain in a DOWN state. Workaround: To recover after booting: manually disable and re-enable the affected (10GbE) 1.x interfaces after the BIG-IP system boots and the initial configuration is applied. To prevent this issue from repeating: restore the configuration of the corresponding bundled 2.x interface to its default state. For instance, ensure it is configured for auto negotiation and is not disabled.
421640 Entries that mention yourtheme.css appear in the httpd error logs. Using the GUI for iApps triggers this condition. Entries appear in httpd_errors referencing yourtheme.css. There is no impact, visual or otherwise, to the GUI or the rest of the BIG-IP system. Workaround: None.
421670 TMM will sometimes crash when using plugins. Intermittently, under the right conditions, TMM will crash when plugins are in use. Traffic processing will be interrupted while TMM restarts. Workaround: Do not use plugins. This is likely not practical.
421702 The BIG-IP system publishes the mgmt MAC addresses using offsets of the chassis base MAC address, instead of the MAC addresses from the kernel (as ifconfig and dmesg report). This occurs with the mgmt MAC addresses on BIG-IP systems. The MAC address is inconsistent between ifconfig and 'tmsh show sys mac'. Workaround: None.
421851 When iRules are saved into bigip.conf, the first line is automatically indented with four whitespaces. Usually these whitespaces are removed when the config is loaded, but when an iRule starts with commented lines, the whitespace is not removed. Every subsequent save/load operation adds another four whitespaces. When a user adds a checksum to the iRule, loading fails with a checksum verification error. This occurs when both conditions are true: 1. Line 1 begins with a # character and white spaces. 2. The checksum operation is performed on the iRule. Load failure. Workaround: Remove the whitespace at the beginning of the iRule.
422259 An IPFIX logging destination is configured with a pool of nodes to identify the collectors to which IPFIX messages should be sent. The health of the nodes and the overall pool can be monitored by the BIG-IP system using a health monitor. However, if network or other issues cause the ICMP monitors to mark a node as Offline, the BIG-IP system continues to try to establish connections and send data to that node, instead of deferring such attempts until the node is declared Online again by the health monitor. This occurs with network or other issues that cause ICMP requests to a pool member to fail. Impact is minimal, other than extra processing load. Under normal circumstances, if ICMP traffic to a pool member is not successful, the BIG-IP system cannot establish a connection to that member, and IPFIX messages might be transmitted to other available nodes in the pool. When the iptables filter is removed, it takes approximately five seconds for the traffic to resume. This is expected behavior. Workaround: None.
422315 When trying to remove certain interfaces from list, the user can encounter an error in the UI. For example, if more than two interfaces exist in the Interface list on a trunk object, you receive an error if you attempt to remove one of the interfaces that appear between the first and last interfaces listed. More than two interfaces exist in Interface list on trunk object. Customer tries to remove a 'middle' interface and Update. Customers cannot remove all interfaces from Trunk using UI. Workaround: Use tmsh.
422709 Intermittently, if a secondary blade is being disabled, it may miss the command and stay enabled. Unknown. Secondary blade will still pass traffic as if it is active. It will not be considered inactive for counting of min-up-members. Workaround: As this only happens rarely, you can re-enable the blade and re-disable the blade.
423304 Synchronized configuration objects may contain invalid parameters after you delete an object and create a different object type with the same name. This issue occurs when all of the following conditions are met: -- The BIG-IP systems are configured as part of a Device Group. -- You delete a configuration object of one type and then create a different type of object that uses the same name. -- The new object's configuration is synchronized to the other systems of the Device Group. The result is an invalid configuration on the box that is synced to, with no obvious warning signs. Workaround: Use either of the following methods: -- Synchronize the configuration after you delete the original object and before you create the new object. -- Use a different name for the new configuration object.
423392 In previous versions of iRules, the variable tcl_platform was readable as: 'set myvar static::tcl_platform'. However with recent changes, the variable is in the global, not static namespace and should be accessed as '::tcl_platform'. This occurs on pre-11.4.0 iRules that use the variable 'static::tcl_platform'. iRules that worked properly under earlier versions can result in runtime Tcl exceptions (disrupting traffic) after an upgrade to v11.4.0 or later, if those iRules reference static::tcl_platform. Workaround: To map tcl_platform into the static namespace in an iRule, use the following: when RULE_INIT { upvar #0 tcl_platform static::tcl_platform }. Or you can use ::tcl_platform instead of static::tcl_platform. Note: The latter workaround might demote a virtual server from CMP. For more information, see SOL14544: The tcl_platform iRules variable is not in the static:: namespace, available here: http://support.f5.com/kb/en-us/solutions/public/14000/500/sol14544.html.
424228 If a virtual server is created without an assigned pool (i.e. the pool is assigned in the iRule) and the iRule parks, the iRule may not return from suspension and the packet will be dropped. A virtual server is created and an iRule is assigned that parks, and the virtual server has no assigned default pool. Packets are dropped. Workaround: Either use the CLIENT_ACCEPTED event for UDP data or assign a default pool.
424568 When a certificate contains multiple/nested OUs, the X509 data returned through iControl has only the first OU. This occurs when using iControl. X509 data returned through iControl does not return multiple/nested OUs. Workaround: None.
424649 Blades will continually fail over with a large enough translation address space in an lsn-pool in DNAT mode. An example of a translation prefix large enough to cause this problem would be /8, or several translation prefixes summing to a large number of translation addresses. This occurs with an lsn-pool in deterministic mode, assigned to a virtual, with a /8 prefix (or a similar number of addresses). The system is rendered unusable until DNAT mode is disabled. Workaround: Change to NAPT mode, or use a smaller translation prefix range. There is no other workaround.
425017 For Thales HSM clients, the tmm and pkcs11d daemons must be restarted for changes to take effect to the key protect mechanism. This occurs for Thales HSM clients when support is added for module keys and token keys, or for softcard features, or when these are enabled or disabled. Changes do not take effect. Workaround: None. The tmm and pkcs11d daemons must be restarted for the changes to take effect.
425018 Loading an SCF after modifying a self IP may cause a route in the Linux kernel to be dropped. Linux host applications may not be able to connect when they are expected to. This occurs when you create a config with a self IP on a VLAN and a default gateway route on that VLAN, save an SCF file, modify the self IP in that SCF file, and then load the SCF. The Linux kernel default gateway route is dropped, and host applications looking for the route may not be able to connect. Workaround: Reset the config to default before loading the modified SCF: 1. tmsh load sys default. 2. tmsh load sys scf SCF_filename. For more information, see SOL14572: Routes configured in a single configuration file may be missing from the Linux kernel route table after loading the single configuration file, available here: http://support.f5.com/kb/en-us/solutions/public/14000/500/sol14572.
425826 A unit in an HA configuration constantly cored until the system was rebooted. An intermittent error appears: notice panic: ../kern/xbuf.c:2273: Assertion 'valid xfrag' failed. It is unclear whether this is a high-speed bridge (HSB) issue or a driver issue. The return buffer is provided by the driver and used by HSB to return the packets. Either the provided buffer is corrupt or HSB somehow corrupts it. This issue is rare and has been seen across several platforms and HSB bitfiles. Rare issue that results in a kernel panic. You might see invalid return buffer and invalid xfrag messages. Workaround: This is typically cleared on reboot. The issue might also be cleared with a bitfile upgrade.
425965 On the BIG-IP 2000 and 4000 family of platforms, rapid changes to port speed and duplex mode on the fixed RJ-45 ports may cause a TMM restart. Ports may be listed as down in the UI, but through the CLI the DUT port is listed as up. Messages about tmm processes restarting may appear in /var/log/ltm. Ports are down due to tmm restarting. Workaround: Change both sides of the interface to auto-negotiation, then switch to the desired speed/duplex.
425980 Messages displayed on the VIPRION chassis LCD display always reference the blade number of the Primary blade in the chassis at the time that the message was issued. If a message indicates a condition that is specific to a different blade in the chassis, the blade number of the Primary blade is still referenced by the message in the LCD display. On VIPRION C4000-series chassis, if the roles of blades in the chassis change such that a different blade becomes the Primary blade, messages that were originally issued by the previous Primary blade still appear in the LCD display with the original Primary blade number. New messages will reference the new Primary blade number. For example, a message that reports a slow CPU fan speed on blade 6 will be displayed in the LCD display with the blade number of the Primary blade (at the time the message was issued), not the blade that actually experienced the slow CPU fan speed. Affects: VIPRION B4100 (PB100), B4200 (PB200) and B4300-series blades in VIPRION C4400, C4480 and C4800 chassis; VIPRION B2100, B2150 and B2250 blades in VIPRION C2400 and C2200 chassis with external LCD displays attached. It may not be possible to accurately determine which blade has actually experienced a blade-specific condition reported on the chassis LCD display. Workaround: Workarounds include: 1. Connect to the host console of a cluster member (e.g., the primary blade) and observe new messages displayed at the console prompt. 2. Examine the LTM log to find more-detailed messages reporting the condition displayed on the LCD display.
425992 If the BIG-IP mgmt interface is connected to a switch port with fixed settings (e.g., 100Mbps Full duplex) but with auto-negotiation Disabled, the BIG-IP mgmt interface will be set to 100Mbps HALF duplex instead. This occurs when: 1. The remote switch port is configured with fixed media settings (speed, duplex) and auto-negotiation disabled. 2. The Management interface on the BIG-IP system is configured with fixed media settings (speed, duplex). Inability to access the BIG-IP system via the mgmt interface. Workaround: 1. Enable auto-negotiation on the remote switch (with only the desired option advertised). 2. Toggle the mgmt interface media setting between 'auto' and '100TX-FD' after the BIG-IP system boots.
426128 If the passphrase for the pkcs12 file being installed is greater than 49 characters in length, installation could fail with the error - "Key management library returned bad status: -28, Bad password". This occurs with pkcs12 files with passphrases greater than 49 characters. When this occurs, installation could fail with the error - "Key management library returned bad status: -28, Bad password". Workaround: Use passphrases containing fewer than 50 characters for pkcs12 files.
426129 CGNAT translation logs sent to ArcSight HSL destinations will not be in a format compatible for ArcSight to parse. This occurs when LSN pools are configured for a virtual server and a log profile is configured to use an ArcSight destination and attached to the LSN pool. CGNAT log messages will not be processed correctly by ArcSight. Workaround: Modify ArcSight for custom parsing, or use a different log server.
427260 Typing tmsh show sys pptp shows the identical flow with different stats incremented. This occurs with CGNAT and PPTP-ALG with the default DAG. Cosmetic, but may be confusing. Workaround: Grep and aggregate the stats for a unified view.
427679 After HA Group creation, the UI does not allow the user to change pool weight. The user can change the value and submit it, but the value is not reflected post-update. User has created the HA Group. Pool weight cannot be changed post-creation. Workaround: Make modifications to pool weight using tmsh.
427924 When inserting a new blade in a VIPRION C2400 chassis, with UDP or TCP hash set to 'ipport', the new blade uses the 'port' hash instead. Rebooting the blade or restarting bcm56xxd and tmm causes the correct DAG (Disaggregator) hash to be used. UDP or TCP hash algorithm changed from default (e.g. changed from 'port' to 'ipport'). -- UDP or TCP virtual servers configured. -- New blade inserted into chassis. New blade includes external interface to which traffic will arrive. Prevents adequate distribution of traffic within a chassis, which may disrupt traffic flows or reduce the traffic throughput of the BIG-IP system. Workaround: Reboot the new blade after it has been configured. Issue the 'bigstart restart' command (to restart the bcm56xxd and tmm modules and program the DAG with the correct hash type).
428752 Occasionally, on shutdown/reboot of a platform, diskmonitor might be started while the system is shutting down. This occurs when the system is shutting down, halting or rebooting. After a shutdown, halt, or reboot is initiated, the system console may display this message: 011d0002: Can not access the database because mcpd is not running. The ltm log file shows the same database warning along with a date and system entry: warning diskmonitor: 011d0002: Can not access the database because mcpd is not running. Workaround: The warning is innocuous on shutdown and may be ignored. The diskmonitor script automatically runs when the system is booted next and detects disk space issues at that time.
428976 If a self IP is configured for advertisement in OSPF and is moved to a different VLAN, the LSA may be removed from the database and not re-added. This occurs with OSPF enabled and a self IP moved between VLANs. Missing prefix from OSPF. Workaround: Remove and re-add connected route redistribution, delete and re-add the self IP, or clear the OSPF process ("clear ip ospf process" in imish).
429013 Log file permissions for one specific log file were incorrectly set. This has been fixed to address an issue with CCE-26812-8, CCE-26821-9 and CCE-27190-8 syslog-ng configuration/permissions. Since only Administrators can have advanced shell access, they are the only ones able to see the log files. This just sets the file permissions the same as the rest. Very little impact. Workaround: None.
429075 GetCPUInfo for F5.IsHandler.dll throws an exception when IIS is running on a virtual machine. A Windows Server running IIS on a virtual machine with the F5.IsHandler.dll installed. Unable to use the WMI monitor to monitor a pool of IIS servers. Workaround: This issue has no workaround at this time.
429096 Various tools, including the Dashboard, display the SSL TPS limit provided in the base license, ignoring any additional licensing modules that might increase the TPS limit. This occurs when the system is using licensing modules that increase the base SSL TPS. An incorrect SSL TPS limit is reported. Workaround: None. This is a display issue only. The correct SSL TPS limit is actually used.
429213 A race condition may occur in which a monitor instance is killed abruptly if another copy of the same monitor attempts to check the health of the same node IP:port in a different route domain. The killed monitor will then contribute to a monitoring timeout and potentially mark the node as down. This issue occurs because the PID file created to prevent duplicate monitoring of the same pool member is not sufficiently unique to distinguish between route domains. For example, a SIP monitor named "sip_london" applied to pool members 1.2.3.4%100 and 1.2.3.4%200 would share the same PID file: /var/run/SIP__Common_sip_london.::ffff:1.2.3.40..5060.pid. This occurs for health monitor types which execute outside of the bigd process (see list below), when a health monitor profile is assigned to monitor 2 different nodes which have the same IP:port in different route domains. The affected monitor types include: Diameter, IMAP, LDAP, NNTP, POP3, Radius, Radius Accounting, RPC, Scripted, SIP, SMB, SMTP, WAP. Pool members may flap down/up. Workaround: To work around this, perform the following steps: 1. Create a duplicate copy of the monitor profile, and add the route domain to the name of the monitor profile. For example: ltm monitor radius /Common/radius_seattle_rd43 { defaults-from /Common/radius_seattle } 2. For nodes or pool members in that route domain, replace the old monitor profile with the new duplicate monitor profile.
429613 TACACS+ accounting packets are only sent to the authentication server. This occurs with TACACS+ accounting packets. These packets are only sent to the authentication server. Workaround: You can use syslog to send the messages (but not TACACS+ accounting codes) to multiple destinations simultaneously.
430354 When an alarm light is present on the primary blade and the USB LCD dongle is then attached, all of the blades go from green/pri or green/sec to amber status, and the alarm light is erased. A few moments later once the LCD screen is up, the blades go back to their original green pri/sec assignment but the alarm light never returns. Although the alarm message is present on the LCD after it comes up, the alarm light should stay on until the alarm has been cleared. Inserting or removing USB LCD module. The alarm message is present on the LCD after it comes up. This is a cosmetic issue, and does not indicate a system issue. Workaround: Run system_check manually.
430776 Setting up an IPsec tunnel on the interfaces used by OSPFv3 does not work. Using OSPFv3 with an IPsec tunnel. OSPFv3 cannot be deployed if authentication is a requirement. This is expected behavior, as using OSPFv3 with an IPsec tunnel is not currently supported by TMOS. Workaround: None.
430915 When a power supply or fan tray FRU is inserted into a running BIG-IP system, a critical alarm may be raised indicating low power and/or fan speeds. This is due to the amount of time it takes for the power and/or fan speed levels to reach their steady state levels relative to when the sensors are monitoring them. Insertion of power supply or fan tray FRU. Critical alarm raised for temporary, non-serious issue. Workaround: None.
431936 The SASP monitor does not mark pool members down when the GWM server cannot be reached. The GWM server does not send a RST packet to terminate its connection to the SASP monitor in case of a network failure. The pool members are not marked down for a SASP monitor in case of a GWM/network failure. They are marked down when the TCP connection to the GWM terminates on a connection timeout which was observed around 10 minutes. This is the correct behavior. Workaround: Use the ICMP monitor in conjunction with the SASP monitor. The ICMP monitor should use the GWM server as its destination. This monitor should be associated with each of the nodes that are present in the pool using the SASP monitor. The pool members will be marked down when the GWM server cannot be reached.
432407 The GUI becomes inaccessible after the system logs become large and the user navigates to log lists under System :: Logs. This event is most likely to occur when the logging options are configured to show the most output. For example: Enabled, Verbose, Debug. The issue is most easily seen when the system has been configured with Audit logging enabled, particularly for MCP, which sends numerous messages to the /var/log/audit log. This causes the log to become large, which over time might render the GUI inaccessible. When logs become large, the GUI might become inaccessible if the user attempts to view the log files through the GUI. Workaround: Configure logging options to show only the most severe output: Emergency, Error, etc. (available under System :: Logs). If the system is already in this unresponsive state, issue the command 'bigstart restart tomcat'.
432790 Blade point of load power supply faults may be incorrectly captured and logged during chassis power cycle and card pull events. The blade AOM function continuously monitors the blade health for reporting of hardware failures to the system layer. This AOM function is on standby power and is operational whenever chassis power is present. If the chassis or the entire blade powers down through an intentional or unintentional action, power health monitoring is indeterminate and incorrect power fail event status may be captured. The blade point of load +5V, +3.3V, +1.5V, +1.1V, etc. power supply status is stored by the AOM in non-volatile memory. The information is kept in memory until reported and cleared by the application layer. Thus any transient power fail status captured during a power down is unintentionally logged by the application layer on the next power-up. This issue has been observed only on a few blades with very low frequency of occurrence during rigorous power cycle testing. This condition, although very rare, can occur during chassis power cycles. It can also occur during a blade pull while servicing a system in operation. Incorrect power fault status may be reported in the system logs and maintained on the blade until the log files are overwritten or deleted. This may cause confusion or concern that a hardware issue exists when viewing the system log files. If point of load power fail system log messages are observed, you must qualify them with system main power events to discriminate between false positive errors and actual power supply faults. Workaround: The recommended process is to power down the blade prior to turning off chassis power or removing the blade from the chassis. Normal controlled blade power down events are unaffected by the issue.
432998 The mssql monitor marks one pool member down that was considered up by the earlier software version. Other units upgraded from version 10.x that are monitoring this pool member are fine. This occurs after upgrade from version 10.x. The mssql monitor marks one pool member down that was considered up by the earlier software version. Workaround: There is a Microsoft hotfix for SQL Server 2008 that resolves this issue. After applying SQL Server 2008 R2 SP4 to the server, encrypted communications function correctly. You can read more in the KB article that addresses the issue: 'FIX: You cannot connect to SQL Server by using JDBC Driver for SQL Server after you upgrade to JRE 6 update 29 or a later version' http://support.microsoft.com/kb/2653857. One additional issue: looking at the customer's response, they are running SQL Server 2008 SP3 (NOT R2). I would recommend that the customer either try the post-SP3 rollup package on their 2008 server, or upgrade to 2008 R2 and apply SP4. The KB article above addresses both versions. Note, I have not tested this fix on 2008 (non-R2) because I didn't catch until recently that their server version was different than the one stated earlier.
433235 When using certain iRules in congested traffic situations, it is possible for TMM to crash. There are several conditions resulting from iRules that require queuing. Meeting all internal conditions generally requires high concurrency and rare sequences of internal events. Examples include: -- Using 'discard' in a 'when CLIENT_DATA' clause with aborts or half-closes queued by the peer. -- Using 'release' after a connection is closed. TMM cores. Workaround: Modify iRules to handle additional conditions.
433323 When a client request contains no-cache directive, ramcache excludes the request from caching and passes the request through. Because caching is disabled, the resource is not invalidated and the response is not cached. The expectation is the action should cause revalidation of the resource. Configure a virtual server with HTTP caching. Failure to invalidate resource. Increased load on origin server. Workaround: None.
433466 When the bundled interface (e.g., 2.1) is disabled, it might result in link issues observed with the first member of the associated unbundled interfaces (e.g., 1.1). Disabling bundled interfaces affects first member of associated unbundled interfaces. Traffic unable to pass due to ports 'Down' status. Workaround: Do not disable the associated bundled interface (e.g., 2.1) when intending to use the first member of the associated unbundled interfaces (e.g., 1.1). Same for the interface bundle/unbundle relationships for 2.2/1.5, 2.3/1.9, vice-versa, etc.
433572 DTLS does not work with the rfcdtls cipher on the B2250 blade. This occurs as a result of hardware acceleration offload on the B2250 blade when using DTLS on vCMP. DTLS does not work with the rfcdtls cipher on the B2250 blade. Workaround: None.
433897 If a datagroup contains entries that are longer than the maximum length allowed by a Tcl object, the datagroup can fail to load the element without warning. This occurs when an external datagroup loads strings that exceed Tcl-imposed limits. Incorrect datagroup. TMM might core if the non-loaded element is referenced. Workaround: Use individual datagroup entries that are fewer than 65000 characters in length.
434356 When an internal/external data-group configuration is modified, it doesn't reflect in a client SSL profile. Modifying a data group configuration. You have to manually restart tmm or re-apply the data-group to the SSL profile each time the data-group is modified. Workaround: Restart tmm or re-apply the data-group to the SSL profile each time the data-group is modified.
434364 When upgrading from 10.x or installing a 10.x originated UCS on 11.x, bigpipe is used to parse the newly created file-object definitions which had been generated from files in the 10.x install. If the filename being upgraded to a file-object starts with a '.', then on initial load, bigpipe will give an error while trying to load the generated configuration, resulting in an error message similar to: BIGpipe parsing error (/config/bigpipe/bigip.conf Line 107): 012e0017:3: The requested item (.myfile.txt {) is invalid (external_monitor_file_object_key | show | list | help) for 'external monitor file object'. The installation of a UCS or configuration roll-forward from 10.x to 11.x in which the previous install had files that were upgraded to file-objects, but whose filename started with a '.'. The UCS will not install properly, and/or the configuration on initial boot will not load. Workaround: Edit the name of the file-object in question, found in /config/bigpipe/bigip.conf, to remove the leading '.' character from the object name, and make any references to the file-object match that change.
434517 If an HTTP_RESPONSE event fires due to the server sending an early response (i.e., a response before the entire request has been sent), then HTTP::retry does not work correctly. Client begins sending a request. The server responds before that request is completely sent. An HTTP::retry is called in the HTTP_RESPONSE event. Typically, early server responses are error conditions. Workaround: HTTP::respond or HTTP::redirect may be used at the cost of an extra client-side request.
434889 Unable to configure the AOM IP address using the DHCP menu option, with the system responding with the "Error: Failed to configure AOM management port" message. This occurs when trying to configure an IP address for AOM using the N - Configure AOM network option. Unable to configure the AOM address using DHCP. Workaround: None.
435332 If there are users defined on a version 10.2.1 BIG-IP system that have administrator or resource-admin roles, and they have partition access to a single partition, these user config objects fail to load during an upgrade to version 11.x. Here is a sample user config from 10.2.1: user v-abban { password crypt '$1$UIPmGYdY$yewCx.a2qNDauz/UB1Jbp/' description 'v-abban' group 500 home '/home/v-abban' shell '/bin/false' role administrator in Common } Upgrade or load UCS fails with the following error: 01070821:3: User Restriction Error: The administrator, resource administrator, auditor and web application security administrator roles may not be restricted to a single partition. Workaround: Prior to upgrade, edit bigip_sys.conf so that the role line reads as follows: ... role administrator in [All] }
435488 Cannot configure route domain for centralized management infrastructure (CMI) device unicast-address. (CMI is also referred to as device service clustering (DSC).) Try to configure non-default route-domain for CMI device unicast-address. Cannot configure route domain. This is not a supported configuration. If you use a route-domain address, the configuration does not work, and the system posts a number of log errors indicating that. Workaround: Do not configure non-default route-domain for CMI device unicast-address.
435494 DTLS handshake may fail when UDP messages are distributed round-robin among TMMs. DTLS configuration. Round Robin DAG enabled for DTLS UDP packets. DTLS handshake could fail. Workaround: Disable Round Robin DAG for DTLS packets.
435646 lsn-pool inbound setting does not work when not associated with a virtual server. lsn-pool with inbound or hairpinning enabled. That lsn-pool is not associated with a virtual server but is assigned by an iRule. Inbound and hairpinning are not enabled for subscribers using that lsn-pool when it is assigned via an iRule. Workaround: Create a virtual server for each lsn-pool.
435814 CGNAT connections for a single client might exceed connection limits. This occurs when the persistence-timeout value is fewer than 30 seconds on lsn-pools with connection limits. Connection limits are not enforced. Workaround: Set persistence timeout to a value greater than 30 seconds.
435946 TMSH incorrectly allows a user to configure two mutually exclusive failover methods, namely auto failback and HA group, concurrently without warning. In this case, the HA group method will be used. Using TMSH to configure failover and selecting these two methods. HA group method takes the place of auto failback, which may be unexpected if the user does not know about this issue. Workaround: Use the web interface instead on version 11.5.0 and later. It prevents invalid selections.
436170 When FIPS fails to attach, tmm crashes when attaching an SSL profile. This transient issue occurs because of a timing issue during software initialization, in which SSL initialization is occasionally called before FIPS attaches. TMM crashes during bootup. This is typically a transient issue, and not an indication of actual FIPS hardware failure. Workaround: Run the EUD test. If FIPS passes the test, a TMM restart resolves the issue.
436813 Messages for sync statuses differ when there is a sync config in memory that is newer than the one in the binary database, and the system is restarted. This occurs when you run set-sync-leader and then issue a bigstart restart before saving the config. On one system, the message posted is 'Not All Devices Synced', and on another, 'Changes Pending'. This issue is cosmetic only. The actual sync statuses will be correct. Workaround: Save the configuration on a device before rebooting it.
436825 Under certain conditions, nodes (or any other object with an IP address) in a partition that belong to route domain 0 will be treated as part of the default route domain for the partition after an upgrade. All of these conditions must be true: - A system is being upgraded from any TMOS v10.x release to any TMOS v11.x release after 11.1. Upgrading to 11.0 or 11.1 is not affected, but the upgrade process resets the partition's default-route-domain setting to 0. - It has a partition that has its default route domain set to a nonzero route domain. - That partition contains nodes with no route domain set (so the default is used). - That partition contains other nodes in route domain 0. Those objects may no longer be addressable or able to connect. Workaround: Set the partition's default route domain ID to 0 before upgrading, then set it back to its previous value after the upgrade. This field is only used by the GUI and shell, so temporarily changing it to 0 will have no effect on the dataplane.
437226 The SERVER_CLOSED execution counter is incremented by 2 for every 1 run when the flow is parked in CLIENT_CLOSE. This occurs in the stats for SERVER_CLOSED when the flow is parked in CLIENT_CLOSE. The stats for SERVER_CLOSED become inaccurate due to parking. Workaround: None. This is a cosmetic issue. TMM does not core.
437256 After starting tmm, you notice the following critical error in /var/log/tmm, but the system otherwise boots and performs normally: crit tmm[11621]: 01260000:2: Profile profile-name: clientssl profile has no key/cert pair. This can occur during start-up of tmm (usually during system boot-up). If the system otherwise performs normally (i.e., you do have the correct clientssl certificate installed), this error is benign; during initial start-up it is possible that the clientssl profile data has not yet been loaded at the right time. In this case the critical log message is misleading. Workaround: None.
437768 Do not use 'bigip1' as a device name. The BIG-IP system uses it as the factory default device name. This occurs when using 'bigip1' as the device name. You might see an error similar to the following: 01070710:3: Can't save/checkpoint DB object, class:devicegroup_device status:13 - EdbCfgObj.cpp, line 127. Unexpected Error: Loading configuration process failed. Workaround: Treat 'bigip1' as a reserved word, and do not use it for device names.
437773 Some of the Link Aggregation Control Protocol (LACP) trunk members are missing after rebooting the primary blade. This occurs on VIPRION chassis with more than one blade, configured for LACP after rebooting the primary blade. Some LACP trunk members are missing. Workaround: If you have not saved the configuration in the bad state (that is, saved the configuration while the LACP trunk members are missing), you might be able to recover by running the command: tmsh load sys config.
437905 HTTP compression for certain image files may fail on the BIG-IP 2000s/2200s and 4000s/4200v platforms. As a result of this issue, you may encounter one or more of the following symptoms: - BIG-IP iHealth lists Heuristic H450131 on the Diagnostics : Identified : Low|Medium screen. - The BIG-IP system resets the client connection. - You observe error messages in the following files with the same time stamp: /var/log/ltm :: -- crit tmm[19290]: 01010025:2: Device error: (null) Cave Creek compression error, err = -11. -- crit tmm[19290]: 01010025:2: Device error: (null) qa_dc_ctx_done: hw_comp Error. /var/log/tmm :: -- notice dcCompression_ProcessCallback() - : Recoverable error: stateful compression overflow. You may need to increase the size of your destination buffer and resubmit this request. HTTP compression may fail on some BIG-IP 2000s/2200s and 4000s/4200v platforms. This issue occurs when all of the following conditions are met: The BIG-IP system is configured to use hardware HTTP compression. Note: This is the default behavior for BIG-IP platforms equipped with hardware compression. You can modify this behavior using the compression.strategy database variable. However, F5 recommends that you keep this database variable set to its default value because changing it may impact system resources. For more information, refer to the Profiles for Managing HTTP Traffic chapter in the BIG-IP Local Traffic Manager: Concepts guide. The BIG-IP system is compressing a Portable Network Graphic (PNG) image file. The client browser receives an incomplete image file and experiences a connection reset. Workaround: To work around this issue, you must obtain an engineering hotfix for this issue and install it on the affected BIG-IP system. The engineering hotfix introduces a new quickassist.compression.buffsize_multiplier database variable whose value you must set to 300. To obtain an engineering hotfix for this issue, contact F5 Support. To modify the quickassist.compression.buffsize_multiplier database variable, perform the following procedure. Impact of workaround: Performing the following procedure should not have a negative impact on your system. 1. Log in to the Traffic Management Shell (tmsh) by typing the following command: tmsh 2. Modify the value of the quickassist.compression.buffsize_multiplier database variable to 300 by typing the following command: modify /sys db quickassist.compression.buffsize_multiplier value 300 3. Save the change by typing the following command: save /sys config
438048 You might encounter a TMM core when the iRule on the client side sends a TCP::notify request. This occurs when an iRule runs TCP::notify on the client side, and the server side (peer connflow) of this client side does not exist/is NULL. TMM cores. Workaround: None.
438177 An RSA key/cert pair must be configured as the default in a clientssl profile even when only DSA/ECDSA ciphers are used. This occurs when the cipher list contains only DSA/ECDSA ciphers. The connection cannot be established if no RSA key/cert is configured on the clientssl profile. Workaround: The clientssl profile must have an RSA key/cert configured.
438324 Virtual servers configured with Fast HTTP profiles can fail if TCP uses ipport hash on B2150/B2100 blades. The B2150/B2100 DAG (Disaggregator) hash cannot use both IP address and TCP port in selecting tmm in ipport mode. This occurs when TCP is configured to use ipport hash on B2150/B2100 blades and the virtual servers use Fast HTTP profiles. TCP-based virtual servers configured with the Fast HTTP profile can fail. Workaround: To work around this, you can either use port hash or use profiles other than Fast HTTP for TCP-based virtual servers.
438666 iControl/REST relies on automatic parsing of tmsh output in order to reply to requests. The structure of 'show sys raid array' does not provide that support, so the array-members statistics are dropped and not returned in the output. This happens for any 'stats' query on a BIG-IP system that has RAID. Clients cannot get array-members statistics using iControl/REST. Workaround: Use tmsh or other UI (iControl/SOAP).
439507 Running the qkview utility might take a very long time, up to 30 minutes, possibly longer if there are thousands of tunnels or virtual IPs created. This occurs when there are 500 virtual network interfaces or more in a configuration. qkviews are slow to generate. Workaround: Wait for qkview to finish, which might take up to 30 minutes.
439628 Updating the Dynamic Ratio of a node or pool member using TMSH or iControl, instead of a built-in dynamic ratio monitor such as SNMP, results in a 'configuration sync needed' status, or an automatic sync if auto sync is enabled. This occurs when the following conditions are met: - Multiple devices in a device group. - Updating dynamic ratio via TMSH or iControl. - For automatic sync, auto sync is enabled on the sync-failover group. The sync status might unexpectedly transition to 'Changes Pending'. If automatic sync is enabled, the device group performs a ConfigSync immediately. If automatic sync is enabled, and the dynamic ratio is updated frequently (such as by an External monitor or an iControl script), the following additional impacts may occur: - An administrator's pending changes to the configuration may unexpectedly roll back on a receiving device. - A sync conflict may potentially occur. Workaround: The following 'guishell' command syntax can be used to update the dynamic ratio as an alternative to using TMSH: guishell -c "update pool_member set dynamic_ratio=<dynamic_ratio_number> where pool_name='/path/pool_name' and node_name='/path/node_name' and port='<port#>'". The node name is the full folder path to the object name, which might be the node address with the pool folder prepended. In external monitor scripts, the node name is available in the NODE_NAME environment variable. Example: guishell -c "update pool_member set dynamic_ratio=123 where pool_name='/Common/SMTP_Servers' and node_name='/Common/10.50.5.251' and port='25'".
440199 Using the LCD buttons to change the console baud rate to anything other than 9600 or 19200 may cause the rate to default to 19200. This occurs when using the LCD to change the baud rate. Console input/output may not be usable after the changes. Workaround: Use tmsh to change the console baud rate for rates higher than 19200 baud.
440365 At upgrade or UCS installation time, one or more files which share the same name may not be copied to a staging location, eventually leading to an error message at configuration load time, of the form, 'File object by name (filename) is missing.' In a 10.x system it's possible that files of different types (e.g. certificates, keys, external monitors, etc.) which are to be upgraded to file-objects in an 11.x system may have identical filenames though they reside in different directories on the BIG-IP system. For instance, a certificate located in /config/ssl/ssl.crt/example and a key in /config/ssl/ssl.key/example, on a 10.x system which is to be upgraded could cause this condition. Error at first boot of a newly upgraded partition, or UCS load time. Workaround: Modify the duplicately named files and any references to them in the configuration before upgrade.
440431 Response Logging generates a blank $HTTP_STATUS response when used with certain iRule commands. This issue occurs when the following condition is met: A virtual server with Response Logging configured has an iRule assigned that uses either the HTTP::respond or HTTP::redirect command. The Request Logging profile gives you the ability to specify the data and format for HTTP requests and responses that you want to include within the log file. Parameters, such as $HTTP_STATUS, are used to specify information that is included within the log file. The HTTP::respond and HTTP::redirect iRule commands allow you to customize the response sent to the client and are intended to run immediately when triggered. Therefore, no further processing of response data should occur. As a result, the system logs blank status information when using the $HTTP_STATUS parameter within the Request Logging profile for Response Logging. The system logs invalid information. As a result of this issue, you may encounter the following symptom: -- BIG-IP iHealth lists Heuristic H465653 on the Diagnostics :: Identified :: Medium screen. If $HTTP_STATUS is used within the Response Logging template, the output will be blank. Workaround: To work around this issue, you can use the iRule to generate the required logs, rather than the Request Logging profile. If an iRule is calling HTTP::respond or HTTP::redirect, you can log directly from that iRule using the log iRule command, and record parts of the old response, or the new one, depending on what is required.
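The workaround above, logging from the iRule itself, as an added example that is not part of the release note and not F5's own code: a hypothetical iRule (the hostname, the URI prefix and the log line layout are assumptions) that writes the status it is about to synthesize before calling HTTP::redirect or HTTP::respond, so the log carries the value the Response Logging template would have left blank.

```tcl
# Added example, not from the release note. Because Response Logging records a
# blank $HTTP_STATUS when an iRule synthesizes the response, the iRule logs the
# status itself immediately before HTTP::redirect / HTTP::respond.
when HTTP_REQUEST {
    set client [IP::client_addr]
    set uri    [HTTP::uri]

    # Hypothetical canonical-host redirect: log the 302 we are about to send.
    if { [string tolower [HTTP::header "Host"]] ne "www.example.com" } {
        log local0. "client=$client method=[HTTP::method] uri=$uri status=302 action=redirect"
        HTTP::redirect "https://www.example.com$uri"
        return
    }

    # Hypothetical path restriction: log the 403 we are about to send.
    if { $uri starts_with "/internal/" } {
        log local0. "client=$client method=[HTTP::method] uri=$uri status=403 action=respond"
        HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain"
    }
}
```

Each log line is emitted from the same event that triggers the synthesized response, so the recorded status always matches what the client actually received; requests that fall through to the pool are still covered by the Request Logging profile as before.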
440959 The SNMP DCA monitor rejects delayed responses with an ICMP unreachable result. Within the threshold of the configured timeout and retry, in the event of an ICMP unreachable, the monitor sets the weight to the default (1). Configure a pool member with the SNMP_DCA monitor. Delay the SNMP server's response. Delayed SNMP responses are rejected by the monitor. Workaround: Write an external monitor script, using the snmpget utility. For example:
------------
#!/bin/sh
# values provided by bigd: $1 is the node address (IPv4 arrives as ::ffff:a.b.c.d), $2 is the port
node_ip=`echo $1 | sed 's/::ffff://'`
# example: use snmp get (double quotes so the address variable is expanded)
command=$(snmpget -v 2c -c private "$node_ip" -r 3 -t 5 .1.3.6.1.4.1.2021.4.5.0 .1.3.6.1.4.1.2021.4.6.0 .1.3.6.1.4.1.2021.11.50.0 .1.3.6.1.4.1.2021.11.51.0 .1.3.6.1.4.1.2021.11.52.0 .1.3.6.1.4.1.2021.11.53.0 .1.3.6.1.4.1.2021.9.1.2 .1.3.6.1.4.1.2021.9.1.9)
# an external monitor marks the node up only when the script writes to stdout
if [ $? -eq 0 ]; then echo "up"; fi
------------
To configure an external monitor:
---------------------------------
-- tmsh create sys file external-monitor my_snmp_exec source-path file:/config/monitors/my_snmp2.sh
-- tmsh create ltm monitor external my_snmp run my_snmp_exec
-- tmsh create ltm node nodeA address 1.1.1.1 monitor my_snmp
441146 Flooding on forwarding ports for some HSB-equipped platforms is delayed. The delays are due to the absence of event-driven flushing of HSB L2 entries when an interface changes to an STP blocked state. This occurs with the BIG-IP 3900, 6900, 8900, 8950 platforms. This is seen with multiple parallel interfaces on the same VLAN between the BIG-IP system and a remote switch, with STP enabled. Delays are observed with the BIG-IP system again reverting to use the STP selected forwarding port, after the original forwarding port was disabled and re-enabled. Workaround: None.
441482 Although there is a tmsh provision command shown for Secure Web Gateway (SWG) on platforms with less than 8 GB of memory, running the command fails because there is no support for SWG on those platforms. This applies to certain BIG-IP appliances that have less than 8 GB of memory, and to vCMP and VE guests with less than 8 GB of memory allocated. (For memory information, see the Platform Guide for your platform.) Provisioning fails with a message similar to the following: Provisioning failed with error 1 - 'Memory limit exceeded. 5656 MB are required to provision these modules, but only 3964 MB are available.' Workaround: You may provision APM plus SWG only on platforms with 8 GB of memory or more. To use APM and SWG together on platforms with exactly 8 GB of memory, LTM provisioning must be set to None. (To do so, uncheck the box next to Local Traffic (LTM) on the Resources Provisioning screen, if applicable.) To fully support the LTM-APM-SWG combination, reserve at least 12 GB of memory for VE instances, or at least 16 GB for vCMP guests on BIG-IP or VIPRION platforms.
441719 The CRYPTO command might trigger a core when using invalid algorithms (for example, using a symmetric key (hmac-sha256) instead of an asymmetric key (SHA algorithm)). This is a negative test that only helps to verify iRule completeness. This occurs when the CRYPTO:: commands use invalid algorithms. The system drops a core. Workaround: Only use the same type of algorithms (asymmetric or symmetric alone).
441789 If provisioning is changed too quickly some processes are not allowed to properly finish. This can lead to core files. Changing provisioning levels before module daemons are fully up. Core file generation. Workaround: Check daemons to ensure they are running before making changes to provisioning.
441796 When you run hsb_snapshot or qkview from the command line, this may cause a watchdog reboot. One or more messages similar to this appear in the log: info kernel: Program hsb_snapshot tried to access /dev/mem between 164e6b000 and 164e6c000. Running qkview or hsb_snapshot from the command line. System reboot. Workaround: Do not run qkview, or follow the workaround procedure in SOL10052.
442227 When using tmsh, a user can set the start time or end time for the database download schedule as 24:01. The supported time range is between 00:00 and 23:59. A user could set the download schedule beyond 24 hours in the start time or end time using tmsh. The download schedule might behave randomly. Workaround: To prevent any problem with the schedule, set the time range between 00:00 and 23:59 or use the GUI to set the time.
442489 Licensed SSL and compression limits totals are not shown. Any multi-core system with SSL and/or compression licensed. Might result in confusion or assumption of different limits than actually exist. This is a cosmetic issue and does not affect system functionality. Workaround: None.
442569 Some benign SELinux errors that can occur in this release when installing a hotfix: -- /usr/sbin/load_policy: Can't load policy: No such file or directory. -- semodule: Failed! This occurs when installing a hotfix on the BIG-IP 5000, 7000, and 10000 platforms (with SSDs). The system presents messages that appear severe, but are actually benign: Can't load policy: No such file or directory and semodule: Failed! Workaround: None, but these errors are benign and SELinux corrects itself after reboot.
442613 After the user modifies tag map data group content, the tag replacement function may still use the old tag mapping data. After the user assigns a data group to the FIX profile's sender tag map attributes, the user modifies the content of the data group. The replaced tag may still be the data defined in the old data group, which causes the FIX message receiver to not recognize the tag and reject the message. Workaround: After the user modifies the data group, the user must remove the data group map from the FIX profile, update the profile, re-add it, and update the profile again.
446712 When FTP is used with LSN pools, the data connections do not count towards the LSN client connection limit count. FTP is configured with an LSN pool whose client connection limit value is greater than zero. Data connections (active/passive mode) are not counted. This might result in a subscriber being able to create more connections than specified by the LSN pool client connection limit. Workaround: None.
446713 1st boot to v11.5.0 causes daemon restarts and error messages on B4300/B4300N blades. This happens on each blade except blade1 (which is the Primary). When this occurs, the system posts various error messages and the daemon restarts. Workaround: None.
446717 When running 'tmsh show sys hardware' on the Primary blade, 'Blade Temperature Status' reports a blade other than the Primary, and no other slots are reported under this category. tmsh reports the wrong slot under 'Blade Temperature Status' on the Primary blade. Workaround: To find the temperature status of the Primary blade, use the EUD sensor test.
446963 Messages that are queued after HUDCTL_ABORT has been processed might cause a crash when they are processed. After ABORT is processed, no other messages should be processed; however, if HUDCTL_SHUTDOWN (queued by the SIP filter) is processed after HUDCTL_ABORT, TMM crashes and the system creates a core file. Workaround: None.
447958 A slow clientside SSL connection may time out because of the new default SSL alert timeout of 10 seconds. tm.rstcause may indicate "SSL alert timeout exceeded". This occurs when the clientside profile is clientssl and the connection is slow enough to require longer than 10 seconds. Data transfer might be interrupted. Workaround: Increase the alert timeout value in the configuration.
448409 The command 'load sys config verify' causes loss of sync configuration and initiates a provisioning cycle. The 'verify' option on the 'load sys config' command is designed to ensure that a configuration (either from a file or pasted to the terminal) is valid, but not have it take effect. This affects the ConfigSync communication channel if configured. The ConfigSync connection, including the connections to other devices, might be lost. In addition, provisioning might be impacted. Workaround: You can avoid this issue by using the 'load sys config verify' command 'merge' option, which keeps the current configuration during the validation step. Once affected by this issue, the workaround is to re-load the full configuration using the command: tmsh load sys config partitions all.
449158 iRule: nexthop to 'vlan:mac address' does not forward the packet. HTTP request to a vs:80 with a default pool and an iRule that specifies nexthop to a MAC address on the internal VLAN. Packet forwarding does not occur. Workaround: None.
449502 Diameter monitor script doesn't allow custom grouped AVPs that contain only a single element. Capabilities Exchange Answer (CEA) with a custom grouped AVP containing only a single attribute. Duplicating the attribute in the Diameter monitor script doesn't work either. The monitor will fail. Workaround: Use multiple attributes, or use non-custom grouped-AVP.
449596 At the command line, when you issue 'show bgp neighbors x.x.x.x advertised-routes' on a BIG-IP system configured to establish a BGP session with another system, the output is the error '% No such neighbor or address family'. The BIG-IP system is configured for a BGP session with another system using IPv4 addresses. The command shows incorrect output. Workaround: Any of the following three commands gives the correct result: 'show bgp (ipv4|ipv6) (unicast|multicast|) neighbors (A.B.C.D|X:X::X:X) advertised-routes', 'show ip bgp neighbors (A.B.C.D|X:X::X:X) advertised-routes', or 'show ip bgp ipv4 (unicast|multicast) neighbors (A.B.C.D|X:X::X:X) advertised-routes'.
449747 All self links and reference links in iControl REST responses contain 'localhost' instead of an IP address, hostname, or FQDN. This occurs when using iControl REST and is by design. Workaround: iControl REST clients must substitute the correct server name (or IP address or FQDN) for 'localhost' when navigating links returned in responses.
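The link substitution that entry 449747 asks of clients, as an added Python example (not F5 code and not part of this release note): it rewrites every 'selfLink' and reference 'link' value in a decoded response so that 'localhost' becomes the host the client actually connected to, preserving any port and bracketing IPv6 addresses. The JSON response is a constructed sample modelled on a collection GET, and the hostname bigip1.example.com is an assumption.

```python
"""Rewrite 'localhost' links in iControl REST responses.

Added example for this release note, not F5 code. It assumes the client
already knows the host it connected to and that links live under the
'selfLink' and 'link' keys, as in BIG-IP 12.x responses.
"""
import json
from urllib.parse import urlsplit, urlunsplit

LINK_KEYS = ("selfLink", "link")


def rewrite_link(link: str, host: str) -> str:
    """Return link with a 'localhost' authority replaced by host.

    host may be a hostname, an IPv4 address, or an IPv6 address (which is
    bracketed as a URL requires). Links that do not point at localhost are
    returned unchanged.
    """
    parts = urlsplit(link)
    if parts.hostname != "localhost":
        return link
    if ":" in host and not host.startswith("["):
        host = f"[{host}]"
    netloc = f"{host}:{parts.port}" if parts.port else host
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def rewrite_links(obj, host: str):
    """Recursively rewrite every link value in a decoded JSON response."""
    if isinstance(obj, dict):
        return {
            k: rewrite_link(v, host) if k in LINK_KEYS and isinstance(v, str)
            else rewrite_links(v, host)
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [rewrite_links(item, host) for item in obj]
    return obj


# Constructed sample modelled on a GET of /mgmt/tm/ltm/virtual; not a capture.
SAMPLE_RESPONSE = json.loads("""
{
  "kind": "tm:ltm:virtual:virtualcollectionstate",
  "selfLink": "https://localhost/mgmt/tm/ltm/virtual?ver=12.0.0",
  "items": [
    {
      "name": "vs_web",
      "selfLink": "https://localhost/mgmt/tm/ltm/virtual/~Common~vs_web?ver=12.0.0",
      "pool": "/Common/pool_web",
      "poolReference": {
        "link": "https://localhost/mgmt/tm/ltm/pool/~Common~pool_web?ver=12.0.0"
      }
    }
  ]
}
""")


def rewritten_sample(host: str = "bigip1.example.com"):
    """The constructed response with its links pointed at the assumed host."""
    return rewrite_links(SAMPLE_RESPONSE, host)


if __name__ == "__main__":
    print(json.dumps(rewritten_sample(), indent=2))
```

Only the authority of the URL is touched, so the '~Common~' partition encoding in the path and the '?ver=' query survive unchanged, and a link that already names a real host is left alone.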
451224 When IP packets are fragmented by TMM, the fragments have the DF bit set if tm.pathmtudiscovery is enabled (the default for this db variable). This is RFC-compliant and correct. It occurs when an IP packet must be fragmented by TMM because of an MTU restriction on the egress VLAN or interface, and a non-RFC-compliant downstream switch does not accept the DF bit in IP fragments. Such switches from other vendors may reject a fragment with the DF bit set, dropping the packet or treating it as malformed. Workaround: Setting tm.pathmtudiscovery to disable results in the DF bit not being set on the fragments, at the cost of disabling path MTU discovery.
451602 DPD (Dead Peer Detection) packets are dropped after the IPsec tunnel is up, because keyed VLAN connections are enabled and the system tries to match the VLAN ID along with other parameters for DPD packets. This occurs when keyed VLAN connections are enabled and an IPsec tunnel is brought up. The tunnel does not stay up because DPD fails. The match should be done against the host interface instead of the actual VLAN interface. Workaround: None.
452683 The one-line option does not work for some configuration objects. This occurs when the 'one-line' option is specified for certain objects, for example, an APM resource. The result is a multi-line display instead of the expected one-line display. Workaround: None.
453232 Double-tagging packet stats counters are supported only on VIPRION blades B2250, B4300, B4340, and B4350, and on BIG-IP platforms 10000, 10050, 10050N, 10200, 10250, and 12050. They are not supported on the B2100/B2150 VIPRION blades or on the BIG-IP 5000 series and 7000 series platforms. When the system is configured for and passing double-tagged traffic on an unsupported platform, the Double Tagged Packets stats show zero in the GUI, TMSH, and the iControl APIs; 'tmsh show net interface all-properties' always shows 0 (zero) for 'DoubleTag Pkts In' and 'DoubleTag Pkts Out'. Workaround: None.
453362 SSL forward proxy does not work with OneConnect when there are multiple connections from the same client to the same server. This occurs with virtual servers configured with a OneConnect profile. SSL forward proxy does not work. Workaround: Remove the OneConnect profile from the virtual server; multiple connections work correctly without OneConnect.
454209 TMM crash on UDP DNS virtual without datagram-load-balancing enabled. DNS virtual server without datagram lb mode. TMM crash with a backtrace including dns_dev_pool coring at line 360. Failover and potential traffic interruption. Workaround: Enable datagram-lb-mode in the UDP profile used by the DNS virtual server, or turn off DNS queuing via the db variable dns.queuing.
454640 Secondary blades' mcpd instances might restart on boot. This might occur intermittently on VIPRION bladed systems or VCMP guests. This might be the result of a race condition that occurs when /config is sync'd between the blades and when mcpd starts. mcpd restarts on secondary blades. The process eventually returns to normal, and the system finishes booting. The system posts messages similar to the following: 01071038:5: Secondaries couldn't load master key from the database. 01070734:3: Configuration error: Configuration from primary failed validation: 01071029:5: Master Key not present. Workaround: None.
454671 When SIP is used with LSN pools, the media connections do not count toward the LSN client connection limit. This occurs when SIP ALG is configured with an LSN pool whose client connection limit value is greater than zero. Media connections are not counted. This might allow a subscriber to create more connections than the LSN pool client connection limit specifies. Workaround: None.
454672 When RTSP is used with LSN pool, the media connections do not count towards the LSN client connection limit. RTSP is configured with LSN pool whose client connection limit value is greater than zero. Media connections are not counted toward the LSN pool client connection limit. This might result in a subscriber being able to create more connections than specified. Workaround: None.
455090 The hash character '#' is the Tcl comment command and causes the Tcl parser to ignore the rest of the line. When a user inserts a '#' at the start of a command whose line ends with an open curly brace ({), the open and close braces no longer match at run time. The user can still save the iRule through the web interface and TMSH, because Tcl still counts the braces on the comment line when it locates the end of the enclosing block, so the script parses. This occurs when: 1. A '#' appears at the start of a line that ends with '{'. 2. That '{' matches a '}' later in the script. When the iRule runs at traffic time, the system fails. Workaround: Comment out or delete the matching closing '}' brace character.
455525 If a user's role and partition information is not present, the user cannot log in. This can occur in two cases: when the user's role and partition information is not provided, the no-access role and all partitions are assumed by default; and when the user's role and partition are explicitly deleted, which is allowed without further error. The second case can be useful to preserve user data, such as the password, for later reactivation of the user. In both cases the user cannot log in successfully because the necessary role-partition information is missing. Workaround: None.
456378 With an ipother profile, if an iRule fires on CLIENT_ACCEPTED and contains a discard or reject action, TMM cores and fails over. This occurs with a virtual server using an ipother profile and an iRule that fires on CLIENT_ACCEPTED with a discard or reject action. Workaround: Use CLIENT_DATA as the firing event for the iRule; discarding the connection there has the same expected result.
457149 If a local password policy with password expiry is set, even remotely authenticated users are subject to the password policy. This may deny access to users who authenticate remotely but whose local password record has expired. A local password policy is set, but remote authentication is used. Some users may be locked out after the password policy expires their password. Workaround: Do not use a local password policy with remote authentication.
457799 Configuration validation disallows creating a static route in the default route domain with an interface in a user-defined route domain as the nexthop. This is a design limitation. It occurs when attempting to add a route to a network in the default route domain's address space with a nexthop object that is in a different route domain. You cannot specify nexthops into a user-defined route domain. Workaround: None.
458527 When running spanning tree, a BIG-IP device sends TCN BPDUs after receiving a topology change notification on its root port. A BIG-IP device is connected to another switch running spanning tree and the BIG-IP device is not the root switch of the tree. No observable network impact from the TCN flag being sent in the BPDU. Workaround: None.
458529 When a BIG-IP system is running spanning tree protocol and receives BPDUs from another device containing a worse root path cost, it may not honor the hold timer value on the BPDUs received, and consequently it will send BPDUs at a faster rate than requested. Spanning tree is running and has a better root path cost than an adjacent switch that has a lower transmit hold count than what is configured on the BIG-IP system. Spanning Tree BPDUs sent out more frequently than they should. Workaround: Set the transmit hold count on the BIG-IP system to be the same as all other devices on the network that are participating in spanning tree.
459471 ssl-ocsp and ssl-cc-ldap auth profiles can share the same name, which leads to issues when trying to delete them. When ssl-ocsp and ssl-cc-ldap objects have the same name, it is not possible to delete both of these auth profile objects. Workaround: Do not create the two auth profiles with the same name.
459596 Packets leak onto the network and TMM leaks memory. This occurs with multicast traffic and a disabled interface. TMM eventually runs low on memory, hits an out-of-memory condition, and cores, causing a traffic outage. Workaround: Restart TMM. Once TMM is restarted, manually or by coring, the leaked memory is released.
459671 iRules that source procs from different partitions execute the incorrect proc. This occurs with multiple iRule procs defined in multiple administrative partitions; the iRule proc lookup is not deterministic, or virtual servers improperly cache and share the lookup results. Workaround: None.
460500 Cannot load config containing iRules signed with Global comments. This occurs when using iRules with Global comments (outside any WHEN block) before the first block or after the last block. Global comments between WHEN blocks do not cause any issue. The config file cannot be loaded, and the system posts the following error: 01071485:3: iRule (/Common/irule2) content does not match the signature. Unexpected Error: Loading configuration process failed. Workaround: You can use either of these workarounds: -- Delete the Global comments (outside WHEN blocks) that lie either at the beginning or at the end of the iRule (before the first or after the last WHEN block). -- Delete the signing entries (definition-signature and signing-key) from the config file before loading it.
461140 You cannot configure High Availability (HA) using IPv6 addresses. When adding a peer device using an IPv6 address in the web interface, the system posts: 'java.io.IOException: Could not read response from server: ParseError at [row,col]:[1,150] Message: The reference to entity 'destaddr' must end with the ';' delimiter.' The same operation in TMSH posts a similar error: 'Unexpected Error: Could not add ca-device (error from devmgmtd): [evConnection.cpp:162 tryConnect] evConnect(m_ev, fd, (void *) &destaddr, sizeof(destaddr), &::evOutgoingConnection, this, &m_connId): Network is unreachable.' Workaround: Set up an IPv4 self IP on an HA VLAN (a VLAN on which each device can communicate with the other), and then add the peer device using that self IP. In TMSH, run a command similar to: 'modify cm trust-domain Root ca-devices add { 10.10.3.102 } username admin password admin name 8950-3.example.com'. This retrieves the IPv6 management IP, config-sync, and network failover addresses already configured on the peer device and syncs them, so that HA device trust works correctly.
461199 Memory increases when using certain Diameter-related iRule commands (for example, AVP::insert, AVP::replace, AVP::codes). Inside the underlying function dime_method_optional_args_parse, a call to Tcl_GetIndexFromObj does not decrement the refcount of an object. This issue occurs when all of the following conditions are met: -- A virtual server is configured to process Diameter messages. -- The virtual server references an iRule that uses Diameter commands such as AVP::insert, AVP::replace, or AVP::codes. As a result, you may encounter one or more of the following symptoms: -- The BIG-IP system fails to process traffic for a brief period of time. -- The BIG-IP system fails over to another device in the device group. -- TMM generates a core file in the /var/core directory. Workaround: None.
461375 The dhcp-enabled property was removed because it cannot be modified and its presence can lead to misunderstanding the configuration. This occurs in version 11.6.0. Can cause misunderstanding of the configuration data. Workaround: None.
461524 You cannot install ISO software images or hotfixes using iControl REST. When iControl REST is used to install software images or hotfixes, the system posts the error 'Operation is not supported on component /sys/software/image', and the operation fails. Workaround: Use the GUI or TMSH to install software images or hotfixes.
461776 Setting the DB variable 'qinq.cos' to 'outer' has no effect on the VLAN priority of packets arriving at customer-tagged interfaces and does not correctly affect the egress Class-of-Service (CoS) mapping. Q-in-Q VLANs on customer-tagged interfaces. Using the outer tag to affect VLAN CoS is not supported. Workaround: None.
462507 If CGNAT PBA is configured for block lifetimes, when the lifetime expires it terminates any flows still associated with that port block. However, SIP media flows cannot be terminated, so the block cannot be released until the media flows terminate. This occurs when the following conditions are met: -- Using CGNAT PBA mode. -- block lifetime set. -- Using SIP-ALG. -- Media flows outlive block lifetime. Blocks cannot be released as expected until media flows terminate. Workaround: None.
462524 When a User-Agent identifies a browser with known compression limitations, the 'browser workarounds' option disables compression. Browsers requiring these workarounds include Microsoft Internet Explorer 6.0, Netscape Navigator 4.1, and Netscape Navigator 5.0. Unfortunately, the check falsely identifies many modern browsers as needing the workarounds and disables compression for them. This occurs when HTTP compression browser workarounds are enabled. HTTP compression does not compress responses for modern browsers. Workaround: Disable browser workarounds. If legacy clients require compression workarounds, use an iRule that selectively disables compression depending on the User-Agent.
463970 When using 'LB::reselect pool current_pool' in an iRule, the pool stats are not incremented or updated (although virtual server stats are incremented as expected). This occurs when an iRule executes 'LB::reselect pool pool2' in LB_SELECTED. The pool stats are not incremented ('tmsh show ltm pool'), resulting in misleading stats reporting and possibly incorrect traffic-based load balancing. Workaround: Add logic to the iRule so that the redundant 'LB::reselect pool SAME_POOL' call is not made when the pool is already selected, for example: if {[LB::server pool] ne "/Common/pool_name"} { LB::reselect pool "/Common/pool_name" }
464437 TMM crashes while loading an external data group that has already been loaded, that is, when an external data group that is already loaded is reloaded. TMM crashes. Workaround: Wait a few seconds between loading and reloading the same external data group.
465197 The OData $filter is implemented only for filtering iControl REST results based on the partition in which config objects reside. No other filtering can be done. Always. No filtering can be done other than partition. Workaround: None.
466017 Tab-completion does not work for TCP/HTTP profiles with the command: ltm virtual profiles. This occurs with TCP and HTTP profiles when using Tab-completion in tmsh. Cannot use Tab-complete with TCP or HTTP profiles. Workaround: Type the profile name out completely, instead of using tab-completion to complete the name of the profile.
466285 When certain users switch partitions, their displayed role shows Unknown. After a few seconds, the appropriate role displays for the active partition. A user with access only to specific partitions and switches partitions. This occurs only with the Chrome browser. Unknown is shown as their role in the top bar in the GUI. This issue is only cosmetic, the user's actual role changes immediately. Any activity in the intervening time period is performed as the user's true role in that partition. Workaround: Use Firefox or Internet Explorer browsers.
466837 Using the GUI to modify a virtual server with multiple profiles results in multiple audit logs. This occurs with multiple profiles on a virtual server. The system writes multiple audit logs for a single user transaction. This is intended functionality. Workaround: This issue has no workaround at this time.
467043 Modifying banner and banner-text while the sshd service is disabled results in an error. The system posts an error when banner and banner-text are modified while sshd login is disabled. Workaround: Change the configuration order so that login is enabled before the banner is changed, or perform the operations in separate commands. For example, run 'tmsh modify sys sshd login enabled banner disabled banner-text none' as one command, or run 'tmsh modify sys sshd login enabled' followed by 'tmsh modify sys sshd banner disabled banner-text none'.
468472 TMM may core and failover with the following tcp4 assert: ../modules/hudfilter/tcp4/tcp4.c:937: %svalid pcb%s. If the TCP profile receives a spurious event it can cause TMM to crash. TMM crashes and fails over. Workaround: None.
468505 tmsh crypto commands will fail when executed in tmsh batch mode. tmsh batch mode and 'sys crypto' commands. tmsh crypto commands will fail when executed in tmsh batch mode. Workaround: Run the tmsh 'sys crypto' commands outside of a 'cli transaction' i.e. not in batch mode.
469035 If the configuration includes encrypted items (for example, an LDAP bind password) that are empty strings, a SecureVault rekey operation fails. This occurs with an empty string as an encrypted configuration item, when running 'tmsh modify /sys crypto master-key' or when introducing a device into a trust domain. The rekey operation fails and the system posts an error similar to: '01071029:5: master_decrypt failed during rekey'. This might result in a ConfigSync failure. Workaround: Do not use empty strings as passwords. Alternatively, remove the problematic configuration object (which may require changing system authentication to a different source), perform the rekey operation, and then recreate the configuration.
469366 A config sync operation might fail with a parent-profile-not-found error message, even though the parent profile is present in the running configuration of both systems. On the sync target (the system receiving the configuration, and the one that reports the sync failure), a system-supplied profile (for example, /Common/serverssl) has been modified and is present in /config/bigip.conf. An administrator is unable to synchronize system configurations. The system might post a message similar to: '01020036:3: The requested parent profile (/Common/serverssl) was not found.' Workaround: Use one of the following: 1. Manually replicate the changes to the base profile on the system that is sourcing the config sync. 2. Undo the changes to the base profile on the system receiving the config sync (save the configuration, manually remove the base profile from /config/bigip.conf, and then reload the configuration), and then perform a force sync. 3. Perform a sync in the other direction. Important: Syncing in this direction overrides any unsynced changes on the other system.
469549 When reviewing /var/log/ltm, a user may see the error: 'err mcpd[8105]: 01070820:3: User Modification Denied: User (root) may not change the role of system account (admin)'. This happens only during the first reboot after a software install. If the error is seen again, check the audit log. There is no known impact at this time. Workaround: None.
470203 Setting a remote syslog destination to a localhost address results in recursive log messages. Using 127.0.0.1 or a hostname resolving to it as a host for syslog's remote-server. Using a localhost address as a remote syslog destination results in continual log entries until the BIG-IP system runs out of disk space. Workaround: Use a non-local remote host for syslog's remote-server.
470807 When an iRule references a data group that is not in Common, or references it without an explicit path, no error is reported when the iRule is saved or at run time. This occurs when a user saves an iRule that references a data group not in Common or without an explicit path to it. When such an iRule is saved, it can cause all traffic to fail. Workaround: None.
471288 TMM might crash with session-related commands in iRules. This occurs when both of the following are present: 1) a session or table command in an iRule, and 2) iRules with CLIENT_CLOSED and SERVER_CLOSED events. TMM might crash, and failover occurs. Workaround: Do not use CLIENT_CLOSED and SERVER_CLOSED iRule events at the same time on a virtual server whose iRules use the session or table command.
471492 When running IP reputation database on small (less than or equal to 4 GB) vCMP or VE instances, or on older platforms with less than or equal to 4 GB of memory, iprepd can use enough memory to make the system wait for disk I/O. This can make the system sluggish when disk operations are taking place. This typically exists on HDD equipped systems only. SSD systems are typically not affected. Extensive disk I/O, such as logging to disk or rotating logs, or when installing software, might result in a system that does not respond to user interaction as expected. Swap might increase, as well. Workaround: Provision 'large control plane' in the GUI provisioning page. Alternatively, add 100 to the existing value of the db variable provision.extramb. (which is zero by default).
471835 After changing the configuration while port blocks are active, the 'Active zombie port block' statistic may become invalid. More than one lsn-pool with overlapping address spaces, and virtual servers using these lsn-pools. Zombie timeout must be enabled on the pool and there must be active zombie port blocks. The PBA zombie statistics for the lsn-pool may be invalid. Workaround: None.
472308 When the management IP address changes (either as a result of enabling mgmt-dhcp, or the leased address changing), the system does not synchronize this updated address to other devices in the failover device group / trust domain. (That is, the system does not trigger an update to the device_trust_group). This occurs on HA configurations. This can cause disruption in an HA environment. The sod process discards any HA heartbeat traffic it receives (e.g., traffic over the self IP addresses) that does not contain a 'known' cluster_mgmt_ip. Workaround: None.
472553 eventd spins at 100% and memory consumption grows over time. If an eventd consumer is deleted while there are events pending, eventd can spin at 100% and its memory consumption will grow. System may be impacted due to eventd cycle usage, and eventually experience increasing memory consumption. Workaround: None.
472573 You cannot set a password of 14 characters (the maximum length) for the security officer. This occurs when the following conditions are met: an NG FIPS security device is installed, the FIPS security domain is initialized, and a password of the maximum length (14 characters) is set. Setting a password of 14 characters fails to create the security officer password, and device initialization fails. Workaround: Use a password shorter than 14 characters for the security officer.
473213 A failed system fan is reported as a critical alert on the LED and LCD screen instead of as an emergency alert. A failure of a system fan causes this issue. A relatively small event raises an unnecessary critical alarm rather than the emergency level at which it should be reported. Workaround: None.
473724 If a DC PSU hot swap is performed on a BIG-IP 10000-series or 12000-series appliance but the PSU is left unpowered, the front panel PSU LED is amber, but no other alerts, LCD messages, or LED indications show that the appliance is in a non-redundant PSU state. This occurs because FND850 DC PSUs for these appliances do not indicate their presence to the BIG-IP system until external power is applied; the unpowered PSU is reported as Not Present, and by design no alerts are issued for non-present PSUs. Operators may not be aware that the appliance is left in a non-redundant PSU state after a DC PSU hot swap. This is expected behavior. Workaround: When hot-swapping DC PSUs on BIG-IP 10000-series or 12000-series appliances, verify the result: 1. Verify that the front panel PSU LED for the newly inserted PSU is green. 2. Verify that the status of the newly inserted PSU is reported as Good by 'system_check -d' or 'tmsh show sys hardware'.
474149 SOD posts benign error message: Config digest module error: Traffic group device not found. In a failover device group, if the peer device (non self device) has gone through the management IP address change, SOD fails to clean the old IP address from its internal storage, so the system subsequently and incorrectly behaves as if there is a 'configuration data inconsistent' error. System posts the benign message: notice sod[8118]: 010c0062:5: Config digest module error: Traffic group device not found. Workaround: None.
474179 SOAP monitors configured with a leading colon ':' in the URL path fail. Enabling monitor debug provides additional clues, indicating 'Error calling getaddrinfo'. Workaround: A leading ':' in a URL path is allowed by RFC 3986, section 3.3, and no errors occur when a colon is embedded later in a URL path. If your URL path begins with a colon, either escape the colon or add a leading slash (for example, '/:').
474797 If malformed SSL packets are sent to the BIG-IP system, the following errors can be logged to /var/log/ltm: 'Device error: cn9 core general.' and 'crypto codec cn-crypto-4 queue is stuck.' This occurs when malformed SSL packets are sent to the BIG-IP system. The only effect is error logs in /var/log/ltm; this is cosmetic, and the errors can be safely ignored. Workaround: None.
474983 Virtual server status is not automatically updated in TMSH when connection limits are met. When the connection limit of a pool member has been reached, 'tmsh show ltm virtual' does not reflect the status. TMM behaves correctly in traffic processing; this is only a visibility issue in TMSH. Workaround: Refresh the pool member status by running 'tmsh show ltm pool pool_name member', or view the status in the GUI.
475346 The Expire Certificate Response Control setting in the Server SSL profile is not honored. This occurs when all of the following conditions are met: a virtual server with an associated SSL pool member is configured with a Server SSL profile that requests a server certificate; the SSL server serves data with a self-signed, expired certificate; the Server SSL profile specifies that the system should not drop the connection if the certificate is untrusted; and the Server SSL profile specifies that the system should drop the connection if the certificate has expired. The BIG-IP system fails to drop the connection to the server presenting the expired certificate, and requests are erroneously forwarded to the SSL server. This is expected behavior. Workaround: Avoid using expired certificates on your SSL server.
475896 'tmsh load /sys config from-terminal' of an external monitor does not work. Specifically, running 'load sys config from-terminal' with 'sys file external-monitor ext_monitor { source-path ... }' fails. The system posts the error 'Failed: name (/Common/external_monitor_name) cache path expected to be non empty', which prevents using cut and paste to configure external monitors. Workaround: None.
475997 When performing LAN-speed transfers of large files (hundreds of MB) over SSL with hardware SSL offloading enabled, throughput drops significantly, by roughly 30% to 50% depending on the cipher suite used. This occurs when hardware SSL offloading is turned on. Workaround: Set the db variable scheduler.hsbpollmode.ltm to 'always'.
476136 On VIPRION B2250 and B4300/B4340N blades, you might encounter log entries of this type: notice HA: ha_enabled_put(daemon_heartbeat, tmm, FALSE): error 01140012 or notice HA: ha_enabled_put(daemon_heartbeat, tmm, TRUE): error 01140012. This occurs only on VIPRION B2250, B4300, B4340N blades. The system posts the error messages. These messages are benign and can be safely ignored. Workaround: None.
476398 The TCP profile options Receive Window and Send Buffer are not used. The TCP profile has Multipath TCP (MPTCP), Rate Pacing, or Limited Transmit Recovery enabled, or one of the congestion algorithms illinois, woodside, westwood, cdg, chd, cubic, or vegas is selected. This prevents configuring these settings. Workaround: Disable TCP auto buffer tuning by setting the sys db variable with the following command: tmsh modify sys db tm.tcpprogressive.autobuffertuning value disable.
476518 When the iControl REST API is used to load a UCS, restjavad restarts, and the REST client gets a 'Bad Gateway' error response. This occurs when the iControl REST API is used to load a UCS, and restjavad restarts. Although the UCS loads successfully, the system does not respond as expected. A client issues an API request to load a UCS. However, the client does not receive any indication of successful completion; it only sees a Bad Gateway error, because restjavad and icrd are in the process of restarting. Workaround: None.
476544 mcpd runs out of memory when a connection's send message queue has a lot of messages in it. The connection's m_current_msg_byte_cnt is high, but does not account for the entire 2GB virtual memory space. mcpd cores and restarts if it runs out of memory. Workaround: None.
476920 Any iRule command that references an IP address may not resolve properly without the route domain. This occurs when the route domain is not given as part of the IP address (ip_address%route_domain_ID). The default route domain ID of the partition is not used with any IP-address-referencing iRule command. Workaround: Explicitly provide the route domain ID with the IP address.
477705 The 'untrusted-cert-response-control=drop' command is not honored. This occurs when the following conditions are met: a virtual server is deployed with an SSL server profile that is configured to request a server certificate and drop the connection if the certificate is untrusted. The SSL handshake is not properly dropped. Workaround: This issue has no workaround at this time.
477786 Depending on the release, sending a SYN packet to a self IP address with Port Lockdown set to Allow None might respond to the SYN with a RST packet, or might silently drop the SYN. With Port Lockdown configured to Allow None, the LTM behaves differently upon receiving a SYN packet. In 11.3.0 and 11.4.1, when receiving a SYN packet the LTM replies with RST. In 11.4.0, 11.5.1, and 11.6.0, when receiving a SYN packet the LTM does not reply (sends a REJECT). Inconsistent behavior based on version, sometimes RST in response to SYN on a closed port, and sometimes nothing (REJECT). Because the traffic is not allowed in either case, there is no fundamental impact. This is primarily a behavioral difference between releases. Workaround: None.
477967 TMM segfaults when attempting to apply TSO processing to an outbound packet that does not need it. Occurs when applying TSO to packets. TMM crashes and the system fails over. Workaround: None.
477992 Errors when enabling Debug Monitoring for an iApp-created pool member and disabling strict updates for the iApp. Create pool members via an iApp, and attempt to enable logging on the pool member. Instance-specific monitor logging fails for pool members created in iApps. The log is never created. The system posts error messages in /var/log/ltm stating the log file cannot be opened. Workaround: If logging is required, bigdlog is available. To enable logging, run the following command: tmsh modify sys db bigd.debug value enabled.
478497 Irrelevant alerts for malware and encryption modules were sent when phishing was detected, confusing diagnosis of threat. Workaround: None.
478986 When power is removed from the PSU but the PSU remains in the system, 'tmsh show sys hardware' reports the PSU as 'not-present'. This occurs when an installed DC powered PSU loses power, and the user runs the command 'tmsh show sys hardware'. Only the message is incorrect. Although the PSU is present, the system cannot read its data without power, so the system marks the PSU 'not present'. Once power is restored, all information is available. Workaround: Plug the power cable into the PSU. The system can now detect the power supply status and read the PSU info.
479129 TCP window scaling is not applied, which can be observed in transmitted packets containing small segments that are about the size of the unscaled window. SYN cookies have been activated. Poor performance / throughput. Workaround: None.
479262 The 'readPowerSupplyRegister error' is logged in LTM log when DC PSU loses its power. When a DC powered PSU loses its power, 'readPowerSupplyRegister error' will be logged into LTM log, because PSU data is not available without power. Cosmetic. Erroneous LTM messages. Workaround: None.
481001 Software auto update settings are not synced between two devices in a sync group. Conditions leading to this issue include performing a full sync with systems that have different auto-update settings. This can lead to software auto update settings not being consistent across two devices. Workaround: This issue has no workaround at this time.
483694 If the primary blade of a cluster fails over and a new primary is elected, then the new primary might not have the up-to-date sync accounting information. If this happens, the sync state may be something other than 'In Sync', usually 'Not All Devices Synced'. Unknown. The system may unexpectedly advise the user to perform a CMI sync. Workaround: It is safe to perform the requested sync.
483953 When traffic has an apparent path MTU of less than TM.MinPathMTU, LTM will insert a route metric entry of TM.MinPathMTU. This entry does not benefit the eliciting endpoint in any way. Worse, the entry is to the detriment of other clients ("behind" the same address) which might benefit from a higher MTU. A low-MTU endpoint is present on network. LTM may enforce a suboptimal MTU. Workaround: This issue has no workaround at this time.
484542 tmsh does not validate QinQ tag-mode and allows invalid values to be set. The user sets QinQ tag-mode to a non-'none' value on an unsupported platform. No impact. Workaround: None.
484683 The other peer of a high-availability (HA) pair cannot show the summary of the cert-chain by 'tmsh run sys crypto check-cert verbose enabled' after config-sync. Conditions leading to this issue include: 1. Set up an HA pair. 2. Import a certificate chain to one BIG-IP system. 3. Run config-sync to sync the certificate chain to the peer BIG-IP system. The other peer of the HA pair cannot show the summary of the cert-chain by 'tmsh run sys crypto check-cert verbose enabled' after config-sync. Workaround: Copy the cert-chain file to a place such as /shared/tmp/, and update the cert-chain using a command similar to the following: (tmos)# modify sys file ssl-cert Cert-Chain_Browser_Serv.crt source-path file:/shared/tmp/Cert-Chain_Browser_Serv.crt_58761_1
485176 The RADIUS::avp replace iRule command will core when only two arguments are passed to it. Must be running an iRule that executes a RADIUS::avp replace command with only two arguments. TMM cores, which can result in a failover. Workaround: None.
485327 By default the tmsh cli global settings service value is name. That implies that for a user configuration, the ports are saved by their names and not port numbers. This occurs when upgrading. Loading a UCS configuration with port names fails on an upgrade if the port name is not present in /etc/services in the upgrade version. The failure message appears similar to the following: The requested value (*:hosts2-ns }) is invalid (ip_addr | member) for 'dest' in 'monitor'. Workaround: Run the following tmsh command prior to saving the UCS file: (tmos)# tmsh cli global settings service number. The config will then load successfully on an upgrade.
485432 When you change the management port's subnet, existing static routes which now have topologically unreachable gateways will be removed. Routes exist with gateways that will not be on a local subnet after the mgmt port takes on a new network address configuration. Services critical for operation such as NTP, SNMP, SMTP, and log targets may become unreachable to the BIG-IP system, although reconfiguring the mgmt port does not generate a warning. Workaround: Configure static routes with gateways that are within the local subnet of the mgmt port's addressing.
485714 The bigd process will go into a restart loop, with the following log message in /var/log/ltm: Fatal error: An unexpected failure occurred while performing an OpenSSL cryptography operation. Root error: 10219:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:evp_enc.c:323: This issue occurs when there is an encrypted password on a monitor. The bigd process will restart. Workaround: Enter the plaintext password in the Monitor UI page.
486722 The default config-sync timeout is 300 seconds. This time is not sufficient when the configuration includes 1000s of FIPS keys. The config-sync operation times out and reports failure. FIPS HA setup and 1000s of FIPS keys in the configuration. config-sync fails. Workaround: Increase the config-sync timeout value. Note: The desired timeout value depends on the size of the configuration and the TMOS version. You can increase the timeout value using the following series of commands: -- tmsh mod /sys httpd fastcgi-timeout timeout-val -- tmsh save sys conf -- bigstart restart httpd.
487625 A corrupted filestore causes qkview to hang. This occurs due to filestore mapping issues. This might also occur when files listed in the filestore are missing. Qkview hangs and sync attempts silently fail due to the filestore mapping issue. The system might post error messages similar to the following: err mcpd[4596]: 0107134e:3: Failed while making snapshot: (Failed to link files existing(/config/ssl/ssl.crt/ca-bundle.crt) new(/config/.snapshots_d/certificate_d/1389867940_:Common:ca-bundle.crt_1) errno(2)(No such file or directory).) errno(2) errstr(No such file or directory). Workaround: None.
487660 LSN translation failures in persistence mode when cmp-hash is set to src-ip on the ingress VLAN and to dst-ip on the egress VLAN. Persistence is enabled on the LSN pool, and cmp-hash is set to src-ip on the ingress VLAN and to dst-ip on the egress VLAN, when the lsn-pool port range is relatively small (under 1000), or a blade is added or removed. Translation mode is NAPT or PBA. Translation failures. The system posts an error similar to the following: debug tmm9[25268]: 01670012:7: [0.9] Translation failed client 200.200.200.101,10096. Workaround: Adequately provision the LSN pool.
487795 Front panel port Ethernet TX pause is currently disabled for the following platforms: B4200, B4300, B2100, B2150, B2250, 5000-series, 7000-series, 10000-series, 11000-series, and 12250. This occurs on the B4200, B4300, B2100, B2150, B2250, 5000-series, 7000-series, 10000-series, 11000-series, and 12250 platforms. Front panel Ethernet TX pause flow-control non-functional. Workaround: None.
490121 PVA current and maximum stats are incorrectly reported when using a fastL4 profile with a SERVER_CONNECTED iRule event. For each connection that is established, the current connection count is incremented twice and decremented only once when the connection is terminated. This leads to a lingering connection, which skews the stats. A fastL4 virtual with a SERVER_CONNECTED iRule event. The current and maximum PVA stats are incorrectly reported. Workaround: None.
491076 When a blade fails, any non-mirrored connections on that blade are lost. The loss of these connections is not correctly accounted for when determining LSN client connection count limits. This may cause some clients to reach their connection count limit prematurely. Blade failure on a chassis-based system. This condition is most likely to occur when default DAG is configured on LSN VLANs. Client connection count limits reached prematurely. Workaround: In order to make the client connection counter accurate again, an affected client must not have any active connections or make any new connections for a time greater than any connection's configured timeout (default 300 seconds). After the client connection counter entry times out, the client connection counter will accurately reflect the number of client connections.
491116 When BIG-IP systems are in HA with auto-sync enabled and full-sync disabled, and there are changes made to clientSSL profiles that are associated with virtual servers, and the changes are synced manually, 'TMM clock advanced' messages could be seen in the LTM logs. BIG-IP systems in HA with auto-sync enabled, full-sync disabled. Changes made to ClientSSL profiles associated with virtual servers. Manual sync. Generally minor and transient, some potential for partial disruption. Workaround: None.
491717 Running the command 'eud_log' on a BIG-IP 7000 series and 10000 series platform produces the following output: -- info: No EUD log found in /var/tmp. Searching boot volume -- info: No eud.log found on sda.dat.boot. This occurs on the 7000 series and 10000 series. This message indicates that the eud.log file cannot be found in /var/tmp, which is the wrong directory. The file does exist in the /var/log directory, which is the correct directory. Workaround: None.
491894 A sync group may go red and log a sync error while a full sync is still in process. Unknown. The state of the sync group goes red momentarily and a log is produced; however, the sync eventually succeeds. Workaround: None.
493060 If dynamic multicast routing is enabled and a system originates multicast traffic on a VLAN that is a child of a vlangroup, the traffic may not be bridged to the other child VLAN. Dynamic multicast routing enabled, vlangroup configured. Global multicast traffic won't traverse vlangroup. Workaround: n/a
493206 A virtual server that is assigned to a static route is not honored. Specifically, traffic is not filtered to be only on that virtual server. A static route is configured with a virtual server. The traffic continues to be routed to the static route without matching the virtual server. Workaround: None.
494019 System matches to previous Diameter Route Application ID after modifying the application ID value. This occurs after modifying the application ID value for a Diameter Route object. The Diameter Route might continue to match Diameter messages against the old application ID until TMM is restarted. Workaround: Always restart TMM after changing the value of application ID in a Diameter Route.
494035 Session tickets were introduced in 11.4.0 but are disabled in the SSL backend. That means customers can enable session tickets from the GUI, TMSH, and iControl, but SSL will ignore it and always treat session tickets as disabled. Session ticket feature in 11.3.0. Potential for confusion, unexpected behavior. Workaround: None.
494575 Cannot use the GUI to export a cert/key with a long name. The GUI shows an error screen with the message: An error has occurred while trying to process your request. When an SSL cert/key is created with a long name, the GUI fails to export that key/cert. Cannot export a cert/key with a long name from the GUI. Workaround: None.
494732 Even if the first matching static route is no longer able to route traffic, the Router continues to send traffic using this bad route rather than automatically selecting an alternate route. If the highest priority static route for a Diameter Router Profile is not able to pass traffic because the route's associated nodes are down, the Router continues to use the route. No Diameter traffic is passed for a Diameter Router Profile whose primary static route has no routable nodes. Workaround: To switch to using one of the other static routes and get traffic passing again, edit the Diameter Router Profile so that the down route appears at the end of the list in the configuration. The order of this list determines the priority order of route selection. If a route is placed at the end of the list, it can only be selected if there are no other matching routes.
495242 The system posts the following message in the mcpd log: Failed to unpublish LOIPC object. This is an intermittent issue that occurs on standby systems in High Availability configurations. In this case, the system is attempting to remove a file/directory that does not exist. Either it has already been removed or it was not created. The system posts the following error: err mcpd[7143]: 010716d6:3: Failed to unpublish LOIPC object for (loipc_name.1417443578.297505208). Call to (shm_unlink) failed with errno (2) errstr (No such file or directory). This is a benign error that can be safely ignored. Workaround: None.
496038 After a chassis fan tray is removed, the system_check utility still shows the stale data from before the removal. Remove the chassis fan tray. There is a warning in the ltm log when the chassis fan tray is removed, so the impact of the system_check inconsistency is small. Workaround: None.
496137 No messages are logged to /var/log/boot.log on the following platforms: VIPRION B2100, B2150, B2250 blades; BIG-IP 2000-/4000-/5000-/7000-/10000-/12000-series appliances. Affects the following platforms: VIPRION B2100, B2150, B2250 blades; BIG-IP 2000-/4000-/5000-/7000-/10000-/12000-series appliances. Missing diagnostic information that would otherwise be logged to /var/log/boot.log. Workaround: None.
496155 tmsh show ltm persistence persist-records sometimes shows an incorrect number of entries on VIPRION chassis. When there are multiple slots on a VIPRION chassis, and the command is executed on a secondary from the primary. Results are not reported correctly in tmsh. Results display a fluctuating number of src ip persistence entries. Workaround: Specify the virtual server name in the tmsh command directly, instead of running the command for all virtual servers.
496788 MPI failures and a slow failover are observed when B4340N devices, which were attached and used by TMM, become unavailable. Random PCI resets can cause the issue to appear. Momentary loss of traffic passing on the B4340N platform until failover completes. Workaround: None.
497304 When deleting an HTTP iApp, the system posts errors similar to this in the LTM log, along with similar sync errors in the GUI: -- err mcpd[6629]: 01070265:3: The HTTP Profile (/Common/http-test-farm1.app/http-test-farm1_http) cannot be deleted because it is in use by a sflow http data source (16). -- err mcpd[6629]: 01071488:3: Remote transaction for device group /Common/HA_Group to commit id 895 6070871290648001573 /Common/cr-ltm-bb2.ns.uwaterloo.ca 0 failed with error 01070265:3: The HTTP Profile (/Common/http-test-farm1.app/http-test-farm1_http) cannot be deleted because it is in use by a sflow http data source (16). Auto-sync must be enabled. The HTTP iApp must have been reconfigured prior to deleting the iApp. Sync failure. Cannot delete the iApp manually after the error occurs. Workaround: Do not use auto-sync. If the sync failure has already occurred, refer to SOL13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/kb/en-us/solutions/public/13000/000/sol13030.html) for information on how to restore configuration sync.
500317 When using FastL4, connections might not be immediately removed from the connection table, taking up to 60 seconds until they are removed. This requires a FastL4 profile with loose-init enabled and loose-close disabled. Connections are not immediately removed from the connection table. This can impact traffic by using up more memory on the unit. Workaround: Disable loose-init or enable loose-close.
500786 When a FastL4/BIGTCP virtual with an HTTP profile is used, certain kinds of traffic may cause huge memory growth and result in an out-of-memory situation. If the FastL4 virtual with an HTTP profile handles HTTP cloaking traffic, which starts up as HTTP and then switches over to non-HTTP data, memory use could grow unbounded due to lack of flow control. This may eventually lead to out-of-memory conditions. Out-of-memory conditions affecting the availability/stability of the BIG-IP system. Workaround: 1. Avoid using FastL4 with an HTTP profile unnecessarily. 2. If it cannot be avoided, disable HTTP using an iRule once the first request/response boundary can be identified, if the traffic uses HTTP cloaking.
501984 When an iRule fails in LB_SELECTED, it is possible for TMM to crash. The TMM failure is dependent on timing. Using iRules with a rule for when LB_SELECTED on a vip. TMM outage resulting in brief loss of service or HA failover. Workaround: None.
503037 No warning message is posted when a certificate name length is greater than or equal to 64 bytes; the name is just truncated to 63 bytes. Configure a certificate name with length greater than or equal to 64 bytes. No warning message, but the certificate name is truncated to 63 bytes. Workaround: None.
503125 Excessive internal traffic can cause tmm panics, resulting from abnormal load distribution or excessive session DB usage. The session DB usage can be the result of modules or of custom iRules that store session data. If affected by this when using iRules to create custom keys and data, this can be partially mitigated by consolidating multiple keys and using key lengths as small as possible. This is affected by the amount of data stored as well, but large keys can exacerbate the issue. When this occurs, the tmm logs will contain messages similar to: notice MPI stream: connection to node 127.20.3.24 expired for reason: TCP retransmit timeout. Temporary outage and possible failover when using HA. The source conditions will also continue on the new active device, which can cause repeated failovers. Workaround: None.
503257 Client connections to a virtual server with persistence, connection limits, and an iRule that issues an HTTP response may receive a RST with a cause of "pmbr enqueue failed" even though connection queuing is not enabled. This can happen if the connection makes an HTTP request and an iRule directly responds to the first request on the connection. A future request on that TCP connection would be reset if it is persisted to a pool member that is at its connection limit. The iRule would use HTTP::respond (without "connection close") or HTTP::redirect. Clients may receive a RST and fail to connect to an available pool member under some traffic patterns. Workaround: If using HTTP::respond or HTTP::redirect in an iRule, change to HTTP::respond with the "Connection close" option in order to force the connection to terminate and the client to start a new connection after the redirect is sent.
503876 Updating a timeout less cookie persistence profile adds the default timeout value. Creating a timeout less cookie persistence profile using tmsh. list ltm persistence cookie COOKIE_NAME displays the default timeout value. Workaround: None.
504827 tmm crash with panic string 'top filter' appearing in the tmm log. Configure a DHCP relay virtual server that conflicts with another virtual server's address/port. A rarely encountered tmm crash, which might result in a network outage. The system posts a message similar to the following: notice panic: ../modules/hudfilter/hudnode.c:310: Assertion 'top filter' failed. Workaround: Avoid configuring virtual servers that share address:port with a DHCP relay virtual server. In releases prior to version 11.6.0, use regular IP forwarding virtual servers if the virtual server is not for Relay but just for 'forwarding'. When the virtual server destination is not 255.255.255.255, it is typically for forwarding, not for Relay.
504854 With several load balancing methods, OneConnect does not load-balance new connections to pool members as desired. These methods include ratio (node), least connections (node), observed (node) and predictive (node). In these cases, new traffic will continue going to a limited number of pool members. Using OneConnect along with one of the following load balancing methods: ratio (node), least connections (node), observed (node) or predictive (node). Traffic does not balance across nodes as desired. Workaround: This can be partially mitigated if load balancing can be done with other methods; however, when using these methods there is no workaround.
505037 Modifying a monitored pool with a gateway failsafe device can put the secondary into a restart loop. Only occurs in clustered environments, when modifying a monitored pool to set the gateway failsafe device while the secondary is down. The symptom occurs when the secondary comes back up and attempts to update the health status of a pool. Secondary in a restart loop. Workaround: Remove the gateway failsafe device. Re-apply it when the blade is up.
505089 Sending an unsolicited ACK to a virtual server increments the counter 'Total Software Rejected' in tmsh show ltm virtual 'name_of_virtual_server' when syn cookie status is not activated. This has been observed under the following conditions: 1. The client sends a SYN, the LTM sends a SYN/ACK, and then the client sends a bad ACK. 2. A client sends an ACK for a connection that does not exist in the connection table (either it never existed or it had been closed). Potentially inaccurate statistics in tmsh show ltm virtual. Workaround: None.
506459 If multiple IPsec tunnel interfaces are established, some of their IPsec traffic selector stats may not show up on CLI and GUI. When there are multiple IPsec interfaces, running the command 'tmsh show net ipsec ipsec-sa' shows all of the existing traffic selector stats. However, if the command is specified with a traffic selector name, some of the traffic selector stats do not show up. The display does not show the traffic selector stats. The tunnel works correctly; this is a display issue. Workaround: Run the command 'tmsh show net ipsec ipsec-sa' to show SA status for all IPsec
506543 Disabled ephemeral pool members continue to be selected for new connections. The FQDN parent node is disabled, causing its derived ephemeral pool members to be marked disabled. Unexpected traffic is load balanced to disabled pool members. Workaround: None.
506554 When displaying IPv6 multicast routes in ZebOS using the "show ipv6 pim mroute details" command in imish, timers associated with the mroute are not displayed. IPv6 multicast routing is in use. Timers are used for prune limit timeout, source active timeout, and source refresh timeouts. There is no way to display these counters for IPv6. Workaround: n/a
507140 Sod daemon stalls while writing to syslog, and is halted repeatedly on startup. DNS failure while multiple syslog connections are being established. Sod daemon does not start successfully. Workaround: There are two workarounds: -- Remove duplicate remote servers in syslog configuration. -- Add 120 seconds delay in sod startup script.
507206 Multicast Out stats are always zero for the management interface. Statistics information. These stats can help determine whether multicast network failover is working when looking at a qkview. The missing stat may also delay or confuse other troubleshooting activities unrelated to network failover. Workaround: Run the following command: clsh 'ethtool -S eth0 | grep tx_mcast_packets'.
507566 GUI fails to successfully make edits to an external datagroup file. A large external datagroup is loaded and edits are attempted via the GUI. The datagroup file is not updated correctly, and the system posts no error messages. iRules/datagroup dependent functions might fail to behave as expected. Workaround: Use TMSH to make edits to external datagroup files.
507680 Each TMM learns from the traffic that it processes, and this may cause source integrity inconsistency in violation detection. Workaround: Use manual learning or use long-term results of auto-learning.
509568 Mirrored DS-Lite connections on a standby device are dropped within 60 seconds. Connections are not carried over in a failover. CGNAT, DS-Lite tunnels on a mirrored traffic group, high-availability active-standby configuration. DS-Lite connections are not mirrored and are therefore lost on failover. Workaround: None.
510395 If an event is disabled inside the event itself, and then a TCL command that executes asynchronously is executed, TMM can core. An event is disabled from inside the event, then a parking command is issued. Example: when HTTP_REQUEST { if { $a == $b } { event disable HTTP_REQUEST } ; after 100 { log local0. "foo" } } TMM cores. Workaround: Disable events as the last command before exiting the event: when HTTP_REQUEST { if { $a == $b } { event disable HTTP_REQUEST ; return } }
510588 When using the non-default trunk.cluster.distribution mode with a cross-blade trunk, and the only remaining trunk member for the slot is disabled, trunk errors result when re-enabling this (non favor local) trunk member interface. A re-enabled local trunk member interface of a balanced cross-blade trunk (i.e., one using non favor local members) may not function correctly. Workaround: A restart of the bcm56xxd daemon may be required to re-add all the trunk members of a balanced cross-blade trunk.
511324 The HTTP::disable command does not work correctly after the first request is complete. If called during the second request (or response), then the connection is reset with an error message. HTTP::disable is called in a request after the first. The pass-through data reaches the server-side before the server-side HTTP filter expects it. The connection is reset. Workaround: None.
511326 The BIG-IP system does not forward messages when configured as SIP ALG with translation. The BIG-IP system is configured as SIP ALG with translation, and the subscriber sends a SUBSCRIBE message to receive a notification. The Subscriber does not receive any notification regarding the subscribed events. Workaround: None.
511782 HTTP_DISABLED is not triggered by the HTTP::disable iRule command, requests using the CONNECT method, and Web-sockets traffic. If the HTTP filter is switched into pass-through mode by the HTTP::disable command, CONNECT requests, or via Web-sockets traffic. The HTTP_DISABLED event does not trigger. Workaround: This issue has the following workaround: -- For HTTP::disable, add the logging code within HTTP_DISABLED after that iRule command. -- For CONNECT, use an iRule to match the method in HTTP_REQUEST, and check that 200 Connected is returned as the status in HTTP_RESPONSE. If so, invoke the logging code within HTTP_DISABLED. -- For Web-sockets, use an iRule to match the 101 Switching Protocols status code in HTTP_RESPONSE. If this happens invoke the logging code that is also within HTTP_DISABLED.
512130 Remote role group authentication fails if there is a space in attribute name of remote-role role-info. This occurs when the auth remote-role role-info attribute name contains a space character. LDAP authentication fails. Workaround: Remove space characters from LDAP attribute group name.
512320 Diameter messages can be retransmitted if the serverside connection experiences a handshake failure and the virtual has an iRule with a LB_FAILED/LB::reselect combination. This occurs because both the clientside diameter filter and mlb proxy attempt to retransmit the same message. This occurs under the following conditions: 1. Retransmission is turned on. 2. Handshake fails. 3. LB_FAILED/LB::reselect iRule is used. Diameter messages might be retransmitted. Workaround: Turn off retransmission.
512885 The https monitor fails to work with a server that uses MD5 with RSA as its signature hash algorithm. An https monitor is configured and the server uses MD5 with RSA. The https monitor fails. Workaround: Configure the back-end server to use another cipher.
512954 OSPF6 might core during external route recalculations. This occurs during external route recalculations. The ospf6d daemon cores. Workaround: None.
513288 Health monitors to a node may periodically fail. This occurs when health monitors are sent with the loopback IP address as the source IP address, the health monitor checks node_ip:port where 1024 <= port < 65536, and node_ip:port periodically connects back to a management service on a self IP (e.g., iControl, GUI, ssh). Traffic is not sent to the node while the monitor is failing. Workaround: None.
513789 Syslog message: 'Inet port exhaustion' message is marked as 'crit' when it should be a 'warning'. The following message appears via syslog: -- crit tmm3[12240]: 01010201:2: Inet port exhaustion on 1.200.2.181 to 202.144.208.246:53 (proto 17). SNAT or CGNAT are configured. This is reported as a critical event, when it is not a critical event. The 'crit' message designation usually means a critical event has occurred and the system is in imminent danger. That is not the case here. This message should be a 'warning' because it means a connection might have failed to find a port when performing NAT functions. Workaround: None.
514473 VXLAN tunnels rely on the TMM for maintaining ARL entries representing MAC address to endpoint mappings. The BIG-IP system may undergo a brief period of inconsistency in VXLAN ARL entries across the TMM instances. Network misconfiguration can lead to a period where the BIG-IP system receives alternating encapsulated frames with the same source MAC address from two different endpoints. This leads to conflicting, alternating ARL updates across the TMM instances. One example of network misconfiguration is the configuration of the same MAC address at two different endpoints/VTEPs. Also, if the VXLAN topology contains an L2 forwarding loop, this could lead to the same effect. Currently, VXLAN does not have a standard mechanism for detecting and avoiding loops. Therefore, loops need to be avoided by network configuration. However, network HA failover typically does not lead to a period of conflicting, alternating ARL updates. During the period of inconsistency, the TMM instances may forward packets destined to the same remote MAC address to different endpoints. This lasts until the network misconfiguration is corrected and the conflicting ARL entries expire. Workaround: In addition to addressing the network misconfiguration, the condition can be mitigated by using a shorter ARL timeout. This can be done by modifying the bigdb variable vlan.fdb.timeout.
514815 Configuration loaded but cannot re-key. This is sometimes seen as a configuration that is successfully synced but a device that cannot join a trust group. This occurs under the following conditions: -- Configuration includes unused, encrypted items. -- Host is not configured with the correct master key for those items. -- Configuration is loaded under the wrong key. -- An attempt is made to change the master key for any reason. Unable to set device master key. In some cases this has no impact, but it prevents the normal application of SOL9420 and is somewhat difficult to detect as no other operations fail. Workaround: Remove all encrypted items from the config. Re-sync the key either manually with f5mku or with device trust. Re-install the desired configuration.
514844 The Local Traffic :: Pools :: pool_name :: Members :: pool_member_name screen displays an inconsistent and fluctuating number of health monitors for a pool member. The customer uses partitions (i.e., folders) and route domains, and uses the GUI to display the health monitors for a pool member. The correct number of health monitors for a pool member cannot be determined. For example, given a pool that was assigned two health monitors, the screen sometimes displays two health monitors, one, or none at all. Workaround: Use tmsh to display the health monitors for a pool member.
514975 When a reset is triggered after the connflow idle timeout expires, the packet sent to the client side contains sequence number 0. Because of this, the client rejects it as an invalid packet. FastL4 profile with loose init and loose close enabled for nPath mode. The client connection is left idle. Workaround: None.
515635 Tcl monitor produces FTP error with Courier IMAP server. Courier IMAP Server when there is no message in the mailbox. IMAP monitor fails, potentially resulting in downed pool members. The system posts an error similar to the following: ERROR: failed to complete the transfer, error code: 8 error message: FTP: weird server reply. Workaround: Add a message to the monitored mailbox.
515668 Clients that send UDP packets with LSN configured in DNAT mode may sometimes leave the BIG-IP untranslated. Clients that send outbound traffic must match a virtual with an lsn-pool configured in DNAT mode. This rare occurrence might lead to failures in applications sensitive to malformed UDP packets. Workaround: None.
516280 With a very large number of monitors, the bigd process can consume more than 80% CPU when a slow HTTP server returns an error. ~8000 HTTP/HTTPS monitors, and a slow HTTP server returns a 500 error. bigd process uses a large percentage of CPU. Workaround: None.
517456 When there are active connections on the virtual server, resetting its virtual server stats through tmsh reset-stats ltm virtual <virtual name> doubles the client ssl profile cur_conns/cur_native_conns/cur_compat_conns. This occurs under the following conditions: -- SSL virtual server. -- Active connections on the virtual server. -- Resetting the virtual server stats while the connections are active. Invalid statistics values on the client ssl profile stats. Workaround: None.
517829 When the BIG-IP system is configured for OCSP authentication, if the OCSP server reports that a certificate has been revoked, client connections are reset without sending SSL error alerts. BIG-IP system configured for OCSP authentication. Client connections are reset without sending SSL error alerts. Workaround: Use the following iRule for the OCSP authentication profile instead of the system-supplied iRule:
    when CLIENT_ACCEPTED {
        set tmm_auth_ssl_ocsp_sid 0
        set tmm_auth_ssl_ocsp_done 0
    }
    when CLIENTSSL_CLIENTCERT {
        if {[SSL::cert count] == 0} { return }
        # Remember the negotiated version so the alert record can carry it.
        set ssl_version [SSL::cipher version]
        set tmm_auth_ssl_ocsp_done 0
        if {$tmm_auth_ssl_ocsp_sid == 0} {
            set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
            AUTH::subscribe $tmm_auth_ssl_ocsp_sid
        }
        AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
        AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
        AUTH::authenticate $tmm_auth_ssl_ocsp_sid
        # Hold the handshake until the OCSP result arrives in AUTH_RESULT.
        SSL::handshake hold
    }
    when CLIENTSSL_HANDSHAKE {
        set tmm_auth_ssl_ocsp_done 1
    }
    when AUTH_RESULT {
        if {[info exists tmm_auth_ssl_ocsp_sid] && ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} {
            set tmm_auth_status [AUTH::status]
            array set tmm_auth_response_data [AUTH::response_data]
            if {$tmm_auth_status == 0} {
                set tmm_auth_ssl_ocsp_done 1
                SSL::handshake resume
            } elseif {($tmm_auth_status == 1) && ($tmm_auth_response_data(ocsp:response:status) eq "revoked")} {
                if { $ssl_version equals "TLSv1.2" } {
                    set hex_version "0303"
                } elseif { $ssl_version equals "TLSv1.1" } {
                    set hex_version "0302"
                } elseif { $ssl_version equals "TLSv1.0" } {
                    set hex_version "0301"
                } else {
                    reject
                }
                # TLS alert record: content type 0x15, protocol version, length 0x0002,
                # level 0x02 (fatal), description 0x2C (certificate_revoked).
                set hex_response "15${hex_version}0002022C"
                set bin_response [binary format H* $hex_response]
                TCP::respond "$bin_response"
                TCP::close
            } elseif {($tmm_auth_status != -1) || ($tmm_auth_ssl_ocsp_done == 0)} {
                reject
            }
        }
    }
518086 SafeNet hardware security module (HSM) Traffic failure after system reboot/switchover. Restart of services on primary or secondary blade. Now traffic will fail. There will be no pkcs11 connection on new primary blade. Workaround: The workaround is to restart pkcs11d on the secondary blade.
518141 The configuration might fail to load upon upgrade to the affected version if an internal data-group of string type has records that contain an open or close brace in the data attribute. The error message can differ depending on your exact configuration. An internal data-group exists with string type and has records that contain an open or close brace in the data attribute. For example:
    ltm data-group internal /Common/my_data_group {
        records {
            first_record {
                data }
            }
            second_record {
                data {
            }
        }
        type string
    }
Upgrade to the affected version fails. Workaround: After upgrade, correct the syntax of the data-group in /config/bigip.conf and then load the config again, e.g., tmsh load sys config.
518963 Configuring the FPS plugin alert server to use an IP address on a non-default Route Domain fails. Alerts do not reach the alert server. Using the FPS plugin (WebSafe) with the alert server configured to use an IP address on a non-default route domain. Alerts are not received. Workaround: Do not use route domains for the alert server.
519064 If a node is configured with a connection limit, the display may show a maximum connection count equal to the number of pool members using that node. Nodes configured with connection limits. Maximum connections statistic on node shows higher than the specified connection limit. This is a display issue only. The actual connection limit is enforced. Workaround: None.
520380 Unit demonstrates behaviors consistent with out-of-memory condition. 'top' and 'ps' may show multiple tmsh processes waiting to run. Enable auto-sync and save-on-auto-sync. Low memory condition may result in system instability. Workaround: None.
520928 Virtual server page becomes unresponsive with 'Display Host Names When Possible' enabled and DNS unreachable. This occurs when the following conditions are met: -- 'Display Host Names When Possible' is enabled. -- The configured DNS servers are responding with ServFail or not responding at all (unreachable). The GUI might become unresponsive. Workaround: Use TMSH to display virtual servers when 'Display Host Names When Possible' is enabled, or disable 'Display Host Names When Possible'.
521077 GUI does not show the external hardware security module (HSM)-based key type correctly. This occurs when the external HSM is used to create the key. GUI shows HSM-based keys as Normal Security Type instead of HSM. Workaround: Although there is no workaround, the HSM-based key works correctly; only the Security Type description is incorrect.
521336 The retry of pkcs11d initialization might post misleading error messages and eventually result in a pkcs11d core. When pkcs11d retries to wait for other services such as tmm or mcpd. After the system reboots, the /var/log/ltm shows initialize errors and the /var/log/daemon.log shows pkcs11_initialize messages: -- err pkcs11d[6247]: 01680002:3: Pkcs11 Initialize error (this is misleading; pkcs11d is actually retrying). -- err pkcs11d[6247]: Nethsm: pkcs11_initialize C_GetSlotList error 0x00000000, number of slots 0. Workaround: Retry pkcs11d restart when tmm and mcpd are both ready.
521572 If many tokens are created in a short amount of time, the system might run out of memory. Successful login requests also create tokens. Log on continuously at a rate at which the system creates 2000 tokens per minute. The system becomes unstable as tokens take up more memory. Tokens expire after a certain time; unexpired tokens are kept in memory. Creating a large number in a short period might consume all memory. Workaround: Do not create that many tokens at once.
521792 Health monitor information and status are both missing for FQDN nodes and pool members. FQDN nodes or pool members. GUI does not show health monitors info/status in node properties page, pool member properties page, or monitor instances page. Difficulty checking health monitor info/status for FQDN members. Workaround: Check logs for this info.
522304 Some password policy settings (maximum and minimum durations, expiration warning) are reflected in /etc/shadow when a user's password is changed. In a CMI device group, changes to password policy are correctly synced, but the settings reflected in /etc/shadow are not. CMI device group configured; maximum or minimum duration, or expiration warning, settings of password policy are used; user password is changed. Password policy may not be enforced consistently across all devices. Workaround: None.
522332 A configuration with the deprecated 'httpclass' that has the 'hosts' attribute, on upgrade to a later version, is converted to an LTM policy with the attribute 'http-host host values <value>'. This requires a configuration with an 'httpclass' that has the hosts attribute. F5 has replaced the HTTP Class profile with the introduction of the Local Traffic Policies feature in BIG-IP 11.4.0. During an upgrade to BIG-IP 11.4.0, if your configuration contains an HTTP Class profile, the BIG-IP system attempts to migrate the HTTP Class profile to an equivalent local traffic policy. You can find more information in SOL14409: The HTTP Class profile is no longer available in BIG-IP 11.4.0 and later, available here: https://support.f5.com/kb/en-us/solutions/public/14000/400/sol14409.html. The policy tries to match only the 'host' part of the HTTP Host header. The policy should be trying to match 'all' (that is, 'host' and 'port') instead. Workaround: Manually edit the config after upgrade to convert 'http-host host' to 'http-host all'. For example, change:
    http-host host <======
        values { tempbus.ladpc.net.il:3433 }
    }
to:
    http-host all <======
        values { tempbus.ladpc.net.il:3433 }
    }
522552 Currently, when the configuration is loaded, SSL immediately reads any associated keys, certificates, and CRLs. This can take long enough that the watchdog timer fires, causing TMM to restart. Many SSL profiles are in use. TMM restarts. Workaround: This can be mitigated by using fewer SSL profiles.
522837 During a small window of opportunity, mcpd can core if it is told to restart. This often occurs when another component has failed. This issue generally occurs when another component has a problem which then initiates an mcpd restart. An mcpd core file is generated during shutdown, and it may initially appear as if mcpd coring was the cause of the restart. Workaround: None.
522915 When SSL::disable is used after the SSL negotiation, TMM might crash. SSL::disable is used after negotiation. TMM crashes. Workaround: Do not use SSL::disable.
523126 When the route domain of the originating address of a NAT configuration is changed without the address itself being changed, the change does not take effect. Viewing the configuration through tmsh and the GUI indicates that the change has worked, when it is not yet in use. This occurs when editing an existing NAT configuration and changing the route domain without changing the address. The intended NAT change is not in effect. Workaround: In order to make the change take effect, delete and recreate the NAT or restart tmm.
523763 If a change is made in an SSL profile, for example removing TLS1.2, a child profile could become invalid. This case is not validated, which can cause the configuration not to load. Changes to a base profile that invalidate a child profile. The configuration does not load. Workaround: Do not change base profiles.
523797 The upgrade operation might fail to update the file path name for snmp.process_name, causing a validation error. Upgrade from 10.x. The upgrade operation does not remove the parent path name from process-monitors, which might cause a validation error. Workaround: Edit the process name path to reflect the location.
523854 RTSP streamed data is dropped. The RTSP protocol includes streaming of RTP data over the TCP connection; this is called interleaving. The RTSP profile includes a configurable parameter called Maximum Queued Data that specifies the maximum amount of buffered data held by the profile when processing RTSP commands and interleaved data. The default value is 32768. It is possible for the server to interleave RTP chunks that are larger than this maximum value. In that case, the TCP session is reset with a reset cause of Too Big. This occurs under the following conditions: -- RTSP profile configured. -- RTSP server interleaves RTP chunks that are larger than the "Maximum Queued Data" value. RTSP traffic is interrupted or dropped; the TCP session is reset with a cause of "Too Big". Workaround: Set the Maximum Queued Data value to a large value, or configure the RTSP server to serve RTP in smaller chunks when delivering interleaved streams.
523985 Certificate summary information about individual certificates in a bundle does not propagate to device group peers after a config sync. A certificate file is created in a folder synced to a device group. Certificate information about the bundle is not displayed on peers. However, the bundle itself is intact and available. Workaround: None.
523992 The tmsh error map is not included in /etc/alertd. The file /etc/alertd/bigip_tmsh_error_maps.h is missing. It is difficult to create alerts for tmsh-related errors (e.g., certificate expiration warnings). Workaround: None.
524107 When trying to use special regex metacharacters (for example, \s for whitespace, \d for digits, and so on), the system posts a warning to the LTM logs suggesting a change to the syntax; however, making the change as suggested prevents the correct iRule behavior. Writing an iRule that uses metacharacters in a regular expression. System logs a warning that recommends an incorrect resolution. If you make the change as recommended, the iRule does not work correctly. The error message appears similar to the following: warning mcpd[8501]: 01071859:4: Warning generated : /Common/test_regex:4: warning: ["\d" has no meaning. Did you mean "\\d" or "d"?][{number=(\d+)}]. Workaround: Ignore the LTM log warning. Use the regex metacharacters without modification.
524123 When an iRule invokes ISTATS::remove to remove an iStat, it does not work. The iStat is not removed. This does not work under all conditions. The value of the iStat remains defined. Workaround: Use istats-triggers and iCall scripts to invoke the istats command line tool indirectly.
524722 Occasionally a secondary blade will reboot when making changes to the configuration in a partition other than Common. An error will be logged in the /var/log/ltm file similar to: Mar 6 14:23:03 slot1/HDI-LVPRF5-LRBM08 err mcpd[4187]: 01070734:3: Configuration error: Configuration from primary failed validation: 0107098a:3: The ip address (10.154.163.199%2164) for a virtual server in partition (Common) references a route domain (2164) in a different partition (PARE-RVBD). Objects may only reference objects in the same or the 'Common' partition ... but will reference the type of object being modified. A chassis-based system with multiple blades, and a configuration with multiple partitions. Secondary blades restart, which may cause a failover event to occur depending on the value of min_up_cluster_member. Workaround: None.
524839 When a dynamic routing protocol is in use and a self IP is moved from one VLAN to another, the connected route for the self IP network may be removed from ZebOS and not readded. Dynamic routing is configured, self IP is moved from one VLAN to another. Networks advertised or learned via dynamic routing may not be reachable if they depend on the connected route. Workaround: Restart tmrouted. This will interrupt dynamic routing.
524861 When using the mkdisk utility to prepare a bootable USB device to install the BIG-IP software onto specific hardware platforms, the platform choices offered might not include the specific model number of the hardware platform as purchased from F5 Networks or reported by the 'tmsh show sys hardware' command. BIG-IP 2000-/4000-/5000-/7000-/10000-/12000-series appliances. It might not be obvious which platform to choose from the available options when none of the offered choices exactly matches the model number reported by 'tmsh show sys hardware', the purchase order, etc. Workaround: Choose a model number in the same base series as the model number reported by 'tmsh show sys hardware'. The silkscreened model number on the faceplate of the BIG-IP appliance identifies the appliance as a member of a BIG-IP platform series, such as: -- BIG-IP 4000 SERIES. -- BIG-IP 5050 SERIES. -- BIG-IP 7000 SERIES. -- BIG-IP 10000 SERIES. -- BIG-IP 12050 SERIES. Selecting any BIG-IP model number in the same base series generates the appropriate result in this context. The closest match can be obtained by selecting a model number that matches except for the 100's digit, which could be either a 0 or a 2 depending on the specific model purchased and licensed. For example, model numbers 2000 and 2200 are equivalent for this purpose.
525133 Stopping and starting the tmm causes bigd to restart. On the active unit, run one of the following commands: -- bigstart restart tmm. -- bigstart stop tmm;bigstart start tmm. -- bigstart stop tmm;bigstart start. bigd restarts and a message is logged to the console. Monitoring traffic will cease until the TMM restart is completed. Workaround: None.
525400 Connections are dropped prematurely on the standby unit, but remain up on the active unit. This issue occurs when the following conditions are met: -- HA active-standby chassis configuration. -- Connection mirroring is enabled on a virtual server configured for tunneling (e.g., pptp, ipip, gre). -- Hardware syn-cookies are enabled. Failover to the standby unit might cause mirrored client connections to be dropped. Workaround: In the TCP profile, change the 'hardware syn-cookie' setting to 'disabled'.
525464 Failing over by setting the active unit to "offline" causes bigd to restart on that unit. On the active unit, run: tmsh run sys failover offline. bigd restarts. Monitoring traffic ceases while the unit is offline. Impact is limited, as the unit is being sent offline. Workaround: None.
525553 During initialization, if there are many SSL keys in use, the watchdog timer can fire, causing TMM to crash. There are many SSL keys in use (for example, when a very large number of profiles are attached to a virtual server), and the BIG-IP system is sufficiently loaded. Service interruption. Workaround: Use fewer SSL keys.
525675 Under some conditions, SSL with forward proxy might leak memory. Forward proxy is enabled on a BIG-IP system that is running multiple TMM instances. Service degradation leading to an eventual reboot. Workaround: None.
526500 Manually adding a username and encrypted password into ZebOS, either by using imish command line, or by modifying zebos.conf directly, might cause imi to core. Manually modifying the zebos.conf configuration file or adding a non-existing user using imish. The user interface to ZebOS, imi, might core. Other functionality should not be affected. Workaround: Do not add the configuration manually in ZebOS. Use the BIG-IP system facilities for adding/modifying ZebOS users.
527011 Intermittent lost connections to virtual servers or pool nodes with no observable errors on external interfaces. Errors are observed on internal interfaces using 'tmos show net interface -hidden'. This occurs during normal operation. Connections are lost. Workaround: None.
527206 An error that occurs while reading the management interface registers might cause incorrect interpretation of the management interface state, which might cause the management interface to flap. Example error sequence: -- warning chmand[7018]: 012a0004:4: getLopReg exception: No LopCmd reply match found for action=0x1 obj_id=0x67 subobj=0x0 slot=0xff. -- err chmand[7018]: 012a0003:3: GET_MEDIA failure (status=0xffffffff) page=0x%1 reg=0x0 : File mgmtif/BourneMgmtIfSvc.cpp Line 357. -- warning chmand[7018]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x5 expected=0x7. -- warning chmand[7018]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x7 expected=0x5. ... notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is DOWN. ... notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is UP. This problem might occur rarely on BIG-IP 2000-/4000-series, 5000-/7000-series, and 10000-/12000-series appliances and on VIPRION 2100, 2150, 2250 blades. The management interface on the affected blade or appliance might be down for several seconds, 15 seconds being a typical interval. Workaround: None.
527393 For a VIP with UDP protocol and fastL4 profile, SERVER_CONNECTED is fired in 10.x, but not in 11.x. Must be fastL4 profile. Unable to run iRule commands in a server-side context when data going from client to server. The SERVER_DATA event does not fire until data is returned from server (or not at all if server does not return data). The LB_SELECTED is client-side. Workaround: Change VIP from fastL4 to standard.
527720 An error message similar to the following might be logged at rare intervals while the BIG-IP system is operating normally: warning chmand[7018]: 012a0004:4: getLopReg exception: No LopCmd reply match found for action=0x1 obj_id=0x67 subobj=0x0 slot=0xff. This message might be followed by a log message similar to one of the following: -- err chmand[7018]: 012a0003:3: GET_MEDIA failure (status=0xffffffff) page=0x%1 reg=0x0. -- err chmand[32142]: 012a0003:3: GET_STAT failure (status=0xffffffff) page=0x%20 reg=0x50. This message might be followed by a log message similar to the following: warning chmand[5847]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x5 expected=0x7. This problem might occur rarely on the BIG-IP 2000-/4000-series, 5000-/7000-series, and 10000-/12000-series appliances, and on VIPRION 2100, 2150, and 2250 blades. This problem might occur if the response to a request to read the status of the hardware registers for the management interface is delayed beyond the normally expected timeout value. When this problem occurs, the status of the management interface might be reported incorrectly, which might cause the management interface to flap momentarily. In this scenario, subsequent requests typically complete successfully, at which point the status of the management interface is again reported normally and expected functionality is restored. Workaround: None.
527907 As a result of a known issue, Reject virtual servers configured with IP protocol TCP may not respond to TCP SYN packets with a TCP RST, silently dropping them instead. All-protocols and UDP Reject virtual servers are unaffected. This occurs under the following conditions: -- Virtual server of type Reject. -- Virtual server ip-protocol set to TCP only. TCP SYN packets are silently dropped. Workaround: Use all-protocols, or use a standard VIP and reject via iRule.
528198 A reject in the iRule event FLOW_INIT currently does not respond with a RST. An iRule on a TCP VIP that calls reject in the FLOW_INIT event. The RST is not sent. Workaround: If licensed/provisioned for AFM, "ACL::action reset" can be an option.
528228 When a node is configured using a FQDN and a port specific monitor is assigned at the node level, the BIG-IP system sends the probe to the incorrect destination port. Assign port specific monitor at node level to a FQDN node. Customer cannot monitor specific port on a FQDN node. Workaround: Apply the monitor at the pool level rather than the node level for correct operation.
528276 The device management daemon can core if a timeout condition occurs during an iControl query. The daemon recovers and proceeds with the operation. A timeout can occur during an icontrol query and in some instances this can cause a core. The daemon crashes and recovers. Workaround: N/A
528295 Loading a 10.x UCS containing LTM virtual servers with ARP set to disable on an 11.4.x or later system leads to the ARP and ICMP echo setting values being flipped each time the load occurs. Reloading a 10.x UCS containing virtual servers on an 11.4.x or later system. The ARP and ICMP echo setting values are flipped each time the load occurs. Note that the ICMP echo virtual field is flipped even if ARP is enabled. Workaround: Delete the LTM virtual servers on the 11.x version system prior to re-loading the 10.x UCS.
528314 New default certificate and key pairs for BIG-IP ssl profiles generated using the CLI are not reflected in the GUI or in tmsh. Using OpenSSL commands to generate a new default certificate and key pair, as described in SOL13579: Generating new default certificate and key pairs for BIG-IP ssl profiles, available here: https://support.f5.com/kb/en-us/solutions/public/13000/500/sol13579.html. After the renewal, the tmsh list sys file ssl-cert default.crt command or the general properties in the GUI SSL Cert List shows the old one. This is a cosmetic issue only. The system uses the new default. Workaround: Perform a force reload of mcpd by running the following commands: -- touch /service/mcpd/forceload. -- tmsh restart sys service mcpd.
528407 In certain circumstances, TMM may core if the unit is configured with an invalid, non-local lasthop pool. This occurs under the following conditions: -- BIG-IP system with a VIP and a lasthop pool with a non-local pool member. -- Sys db tm.lhpnomemberaction set to 2. TMM cores and fails over. Workaround: Configure the lasthop pool to use local members/addresses.
528881 When upgrading to an affected version, if a NAT has a name with spaces in it, the upgraded configuration does not load. The BIG-IP system must be configured with NATs that have spaces in their names. The configuration does not load on the upgraded system. Workaround: Remove spaces in NAT names before upgrading. Specifically: the initial letter must be a letter, underscore ( _ ), or forward slash ( / ), and subsequent characters may be letters, numbers, periods ( . ), hyphens ( - ), underscores ( _ ), or forward slashes ( / ).
528894 Config sync after sub-partition config changes results in extra lines in the partition's conf file. Make changes under any partition except /Common and then config sync without overwrite. /config/partitions/partition_name/bigip_base.conf in the partitions folder has the trunk and ha-group configuration. /config/bigip_base.conf no longer has the trunk and ha-group configuration. Workaround: 'Sync Device to Group' with 'Overwrite Configuration' enabled.
529162 If a customer disables the HSB's watchdog, they may experience an HSB transmitter failure. The watchdog is disabled using the following TCL command (added to tmm_init.tcl): HSB::enable_rx_watchdog no. Disable the HSB's watchdog. An HSB transmitter failure may occur, resulting in a reboot of the device. Workaround: Don't disable the HSB's watchdog.
529395 A local-only network IP forwarding virtual server does not forward traffic on standby systems. BIG-IP systems in a high-availability (HA) device cluster. An IP forwarding virtual server in traffic-group-local-only. Traffic is forwarded only on active BIG-IP systems. Workaround: None.
529400 If an SSL profile contains only an RSA key/cert pair, and also only ecdhe-ecdsa ciphers are selected, the SSL handshake will never succeed. An SSL profile only contains an RSA key/cert pair, and only ecdhe-ecdsa ciphers are selected in the 'ciphers' list. All SSL handshakes fail with 'no cipher suite selected'. Workaround: Add an ECDSA key/cert to the SSL profile.
529627 In some circumstances LDAP may fail to set up StartTLS on the server side when instructed by an LDAP client, when the LDAP virtual server is in use with a persistence profile. LDAP VS with client and server profiles. LDAP profiles with STARTTLS Activation Mode set to Allow. Persistence profile, e.g. source address persistence. The server side will not upgrade to TLS. Workaround: Do not use in conjunction with persistence.
529632 You notice the following warning message in /var/log/ltm: warning chmand[5610]: 012a0004:4: Host CPU subsystem power-off event caused by Super IO. This message is generated when power cycling a device using LOP or AOM. This message simply indicates that power was cycled using the AOM or LOP. Workaround: None needed. This is an expected message.
530016 Statistic will be incorrect or negative: 'Clients Using Max Port Blocks'. Changing the PBA client-block-limit on an LSN pool while there are active blocks and connections might result in incorrect 'Clients Using Max Port Blocks' counts in the stats. Because the 'Clients Using Max Port Blocks' count is used for monitoring the number of clients that have reached the block limit, this affects operation and monitoring of lsn-pool status. Workaround: Restarting the BIG-IP system resets the counter.
530081 Mcpd/TMM will crash if too many SSL certificates are loaded. Loading too many SSL certificates at a time; in the reported case, an attempt to load 4000+ SSL certificates. Mcpd/TMM could crash. Workaround: Split the config file into several smaller ones.
530266 Rate limit configured on a node is not honored and is exceeded. The excess per second can be as much as 10 (100%) when the limit is configured as 10. More than one TMM must be present, and a rate limit must be configured on the node. The node rate limit feature does not work as intended. Workaround: The rate limit can be shifted to the pool member, where it works.
530529 FPGA provisioning event may not complete using Firefox browsers. This occurs when using the Firefox browser on VIPRION 2250 blades. When you change the FPGA firmware type and submit the change, the page refreshes and shows the previous FPGA firmware provisioning. This is an intermittent issue. Workaround:
530795 The BIG-IP system may send ICMP messages that contain an incorrect TCP seq/ack number in the embedded message body. FastL4 TCP virtual servers in syncookie mode. The TCP connflow might be aborted if an ICMP message (such as More Fragments) is received. Workaround: None.
530877 In some specific circumstances a particular combination of configuration options may lead an iRule to run the CLIENT_ACCEPTED event twice. All of the following conditions are needed: a standard virtual server is configured; the virtual server has a TCP profile with verified accept enabled; address translation is enabled on the virtual server; node selection is done in the iRule via the node command; the client sends initial data on the ACK of the three-way handshake. Depending on the scenario this can lead to the specific connection being reset. Workaround: Several options exist: disable verified accept, or modify the iRule to run the commands in the event only once by setting a variable and checking it on following runs.
530927 If a trunk is created from interfaces that have lower than max speed (e.g. 100 full-duplex on 1GbE links), adding a new interface will fail. It will lead to an error similar to the following: 01070619:3: Interface 1.4 media type is incompatible with other trunk members. Interfaces use a lower speed than their capacity. A trunk is created where the highest speed of any of the members is this reduced speed. An interface, also lowered, is added to the trunk. The interface will not be able to be added to the trunk. Workaround: Remove all interfaces, then re-add them all at the same time.
531724 Configurations with a high number of datagroups result in an unexpected save time. When the configuration contains 1000+ datagroups, the save time is near 60 seconds. This issue occurs when the configuration contains a significant number of datagroups and the system is running v11.0.0+. Increased save time. Workaround: None.
532294 Until this release, the requirement of acquiring a license for Extended Protocols to use the GTP protocol has not been enforced. After this release, that requirement will be enforced. Usage of the GTP profile without the Extended Protocols license. Users will be unable to use the GTP profile without the Extended Protocols license. Workaround: None.
532559 If the client-ssl profile is /Common/clientssl, its parent profile is itself. But the configuration uses 'defaults-from none'. Add 'defaults-from none' under client-ssl profile '/Common/clientssl'. The upgrade fails. This occurs because the script extracts the line 'defaults-from none' and treats 'none' as its parent profile. Workaround: None.
532799 After assigning a static route to a node on a specific VLAN, ARPs are no longer generated, and all traffic to the node uses a broadcast (ff:ff:ff:ff:ff:ff) MAC. Static VLAN route to a poolmember/node with a /32 mask. This can cause the monitors to fail and the poolmember/node to be marked down. Workaround: Use a non /32 mask or use a gateway route instead.
533039 CSS attribute name is not validated in the Anti-fraud profile. Non-default value of CSS attribute name. CSS alert is not sent. Workaround: Use the default value of CSS attribute name, or configure it in the profile as an alphanumeric string not starting with a digit.
533480 Creating tens of thousands of pools while running qkview may cause qkview to crash. Creating 20,000+ pools via iControl, and running qkview before completion. No other impact. Workaround: Allow the iControl script to complete.
533826 The snmpd image increases in size on a VIPRION system. Run continuous snmpbulkwalk operations. The snmpd image increases, and might eventually result in a crash. The ltm log might contain an error message similar to the following: err mcpd[7061]: 01071087:3: Killed process for snmpd as current count of messages (965505855) keeps building. Workaround: To reset the memory usage and stop the snmpd daemon from coring, run the following command: bigstart restart snmpd.
534076 As a result of a known issue, SNMP v1 traps with a configured trap-source might fail to use the configured address, and will use the default management port IP address instead. SNMP v1 traps and destination configured, and trap-source configured. Traps will have the incorrect agent-addr set, and the SNMP configured trap-source may not be used. Workaround: None.
534111 Config sync problems when modifying cert in default client-ssl profile. Modify cert in default client-ssl profile. After config sync, units in the sync group have different cert/key settings for client-ssl profiles. Workaround: 1. Remove client-ssl definitions from bigip.conf on each unit. 2. Reload the config. 3. Synchronize the config.
534443 When configuring redundancy in 10.2.x with the GUI, you do not configure the config sync peer's user name and password in the GUI. You must use tmsh commands. For example: # modify sys config-sync custom-peer-addr 10.255.252.196 user-password admin # tmsh save sys config. Setting up redundancy with the GUI in 10.2.x. This can affect synchronization and upgrade. If the username and password are not set, the configuration synchronization fails with authentication errors. Upgrading is also affected because the upgrade path needs the credentials. Workaround: Use tmsh to establish the config-sync peer's username and password.
534457 When using dynamic routing, it's possible that L4 connections fail to remirror after a restart on the standby device. Initial mirroring works as expected, but remirroring might not work. Using dynamic routes and mirroring, and either the active or standby restarts. If the active restarts, failover completes correctly, but connections might not remirror to the previously active device after it comes back online. Dynamically discovered routes might fail to remirror connections. One-way failover, similar to L7 virtual servers. Initial failover works as expected; subsequent failovers might drop connections. Workaround: Provide a static route instead of dynamic routes.
534458 In certain circumstances the SIP monitor may incorrectly mark a SIP pool member down. This is due to the comparison the monitor makes of the standard header fields in the SIP monitor request to the response. SIP monitor and response differ in the use of whitespace in the header fields, for example, 'field:value' and 'field: value'. Unable to monitor the SIP pool member accurately using the standard SIP monitor because the pool member will be marked down. Workaround: Use other types of monitors, e.g., UDP.
534500 When using iRules to configure persistence, if a client uses keepalive so that multiple requests come on the same connection, it is possible to write a conditional "persist" command (e.g., to only persist based on certain requests). When doing so, the requests that do not reach that branch of code should keep using the same persistence rule; in prior releases they do not, but instead revert to the persistence configuration of the virtual. Using conditional "persist" requests in an iRule. Persistence should apply to the client, indicating that the client should continue using the same server. If a client disconnects and reconnects, persistence should send them to the same server as the persistence rule from the iRule indicates. Clients could be redirected to incorrect servers. Workaround: Before the fix, ensure that all paths specifically declare persistence settings. After the fix, to revert to the old behavior use "persist none" or "persist default" to disable the persistence rule on new connections.
534890 Under some circumstances, when an SSL session is resumed using session tickets, the BIG-IP system might send an incorrect session id. Session tickets are enabled. The session id sent might be incorrect. Workaround: Do not enable session tickets.
535717 When logged in as root, or as a user with Administrator or User Manager role, an attempt to change a user's password will succeed, even if the new password is in password history. (An ordinary user changing their own password will be prevented from making this change.) The password-memory field of auth password-policy is set to a nonzero value. Privileged users can circumvent the password history restriction. Workaround: None.
535759 The SMTP monitor marks a server down even when the server responds with a 250 message to the HELO command. Monitor debug output might show: ERROR: failed to complete the transfer, error code: 28 error message: Time-out or ERROR: failed to complete the transfer, error code: 56 error message: Recv failure: Connection reset by peer even after showing that it received a "Helo reply 250 ...". The monitored server does not close the TCP connection (does not send a FIN) after receiving a QUIT command from the client. The monitored server is always marked down. Workaround: None.
536935 On BIG-IP 2000/4000 systems the driver that manages the MAC and PHY for the 2.x front panel ports will occasionally emit a pair of spurious log messages which appear to indicate that the [unpopulated] port had a link up message followed immediately by a link down message. This appears to occur only intermittently, only on the 2.x ports of BIG-IP 2x00/4x00 systems, and only when the ports are enabled but are not cabled to a live link partner. The impact this issue has is largely cosmetic, but it can cause confusion or concern if at first glance one assumes the message is from a port that is actually in use. Workaround: In most cases a port left unpopulated can safely be disabled with (for port 2.1, for example): tmsh modify net interface 2.1 disabled, which should prevent the system from polling the MAC's link state and logging changes.
537553 Making configuration changes to SSL profiles for the virtual server configured for SSL SNI might crash tmm under load. 1. LTM virtual server is configured with multiple SSL profiles, one of which is the default SNI profile. 2. The BIG-IP system is under traffic load. 3. A change is made to any of the SSL profiles configured on the virtual server, or SSL profile(s) are added or removed from the virtual server profile list. tmm might crash. Workaround: None.
538133 A list of sensors displayed in the sensor_limit_table or by the system_check utility, with the actions taken when the sensor data exceeds its defined limit. On the affected versions, each sensor item is displayed only once, even if multiple limits and actions are defined for the sensor. Additional limits and actions defined for the sensor are not displayed. This problem occurs when the affected version of the BIG-IP software is running on the following hardware platforms: BIG-IP 2000-/4000-/5000-/7000-/10000-/12000-series appliances and VIPRION B2100, B2150, B2250 blades. Only one action per sensor is shown. The system does not show the complete set of defined sensor limits and corresponding BIG-IP system actions when there are multiple limits and actions defined. Workaround: None.
538292 When using asynchronous tasks in iControl REST, specifying any version other than 12.0.0 will cause the API to become unstable in some cases. Specify any version below 12.0.0 for asynchronous task requests. In some cases, iControl REST may hang or become unresponsive. Workaround: When making asynchronous task requests through iControl REST, specify only version 12.0.0 in the request URI.
538603 TMM may produce a core file when attempting to retry the rate-limit calculation on a pool member that has gone down. This occurs when the following conditions are met: service-down-action reselect; a rate limit is specified; traffic is load balanced to pool members; traffic is over the rate for all pool members; all pool members go down. TMM cores. Workaround: Remove the rate-limit configuration.
538663 Jul 2 12:30:02 qanpkadcrscin01 notice mcpd[6165]: 01070829:5: Input error: Remote user message dropped (adm184789 in [All]) because duplicate partition. Jul 2 12:30:02 qanpkadcrscin01 err mcpd[6165]: 01070827:3: User login disallowed: User (adm184789) is not an administrator, does not have a UID of zero, and has not been assigned a role on a partition. SSO between EM and the BIG-IP system using a 3rd party authentication system, like LDAP. Incorrect role assignment causes SSO login to fail. Workaround: Log in to the BIG-IP system using the remote user credentials. This will properly update the role for the remote user.
539385 If Access Policy event logs include long string arguments, the log buffer grows while processing each log parameter. The log information can overflow to other files such as user.log and message.log. Large values for log parameters (mainly of string type). Happens only when the parameters are very long, for example if one assigns a big string to session variables. Log information gets truncated and some amount spills over to user.log and message.log. Workaround: None.
539820 When loading the ucs, a warning message is displayed indicating that some of the SSL profiles are being removed from a virtual server's configuration. This issue happens when upgrading from versions < 11.3.0 to versions >= 11.3.0. A virtual server might lose some of its SSL profile configuration. Workaround: The user should be able to easily add those SSL profiles back to the virtual server's configuration.
539832 1. BGP is not sending extended community attributes in BGP UPDATEs to its neighbors in versions prior to 11.6.0. 2. BGP is unable to accept new BGP UPDATE messages that contain extended communities from its neighbors in version 11.6.0 and later. 3. On the sending neighbor, the route-map is reapplied to the prefix every time the connection is torn down by the neighbor, resulting in an ever increasing extended community list. Configure the BGP extended community attribute. Loss of, or incorrect, information related to the extended community attribute. Workaround: None.
540568 TMM may core due to a SIGSEGV (segmentation fault) in ifc_list_is_member due to a NULL ifc parameter passed in to ifc_list_is_enabled. An example stack backtrace contains the following (or similar) elements: #0 __pthread_kill (threadid=?, signo=?) #1 0x0000000000a11427 in sigsegv_handler (signum=11, info=0x0, ctx=0x5707fe4001c0) #2 <signal handler called> #3 ifc_list_is_member (ifc=?, ifc_list=?) #4 ifc_list_is_enabled (ifc_list=0x57080692c6f8, ifc=0x0) ... Occurs rarely. Specific conditions unknown. TMM crashes, interrupting traffic flow. Workaround: None.
540571 TMM may core when an iRule changes the destination address of a connection to use a multicast address such as 224.0.0.1. When the BIG-IP system looks up the route it will return an internal route with no interface, designed for use with multicast traffic. LSN expects to find an interface and crashes when it attempts to use the non-existent interface. CGNAT is enabled and LSN pools are configured on an active virtual server that accepts traffic, and an iRule is configured on the same virtual server which changes the destination IP to a multicast address in the 224.0.0.0/24 network. TMM crashes, interrupting traffic flow. Workaround: Remove the offending iRule which is sending traffic to the 224.0.0.0/24 network, or prevent traffic from using that destination in the iRule.
540777 /var/log/snmpd.log contains numerous "Received broken packet. Closing session." logs. /var/log/sflow_agent.log contains numerous "AgentX session to master agent attempted to be re-opened." logs. Conditions uncertain. No apparent impact. Workaround: None.
540825 Under certain conditions, the deletion of non-synchable objects may unexpectedly sync. This is known to happen for the association between route domains and VLANs. It only happens for incremental sync, not full load. Sync may either fail (if the object does not exist on the other end) or succeed with unexpected results (the deletion of the object). Workaround: Perform a full load sync. To do this, either temporarily set the device group's full-load-on-sync flag to true, or use the "Overwrite Configuration" checkbox in the GUI when performing the sync operation.
540923 In some circumstances the use of filters in the "tmsh list ltm node <filter>" command no longer works correctly, returning all values. Use of filters in the "tmsh list ltm node" command on one of the affected versions. All results are returned and the filter is not applied. Workaround: None.
540950 The LB::select command is not CMP-aware in that if an asynchronous persistence lookup is required, the iRule is suspended, then when the persist reply shows up, the proxies (both TCP and MBLB) either drop it, or apply it to the incorrect context. LB::select command does not work on CMP systems (that is, more than one TMM) in an iRule that requires asynchronous persistence lookup. The iRule then stays suspended until the flow is torn down. Connections intermittently hang in LB::select. Workaround: None.
541134 HTTP/HTTPS monitors send unexpected data (crlfcrlf) after completion of the TCP and/or SSL handshake. HTTP/HTTPS monitor with a send attribute set to 'none'. HTTP/HTTPS monitors with a 'none' send string should complete the TCP handshake (plus SSL handshake) and then close the connection without sending any data. A monitor configured with a 'none' send string sends a 4-byte string, \r\n\r\n (crlfcrlf), after completing the handshake. This is ignored by the monitored node, which might cause it to be marked down. Workaround: None.
541320 After a full load sync, tunnels may be spuriously added to the default route domain for the partition that contains them. Viewing tunnels after a full load sync. This might result in a deleted tunnel being restored to the configuration. Workaround: None.
541550 Authentication fails, indicating the affected user is associated with an "unknown" role: notice httpd[2112]: pam_bigip_authz: authenticated user bob with role 12345678 ([unknown]) in partition /bin/false. Define more than 10 remote-role groups and authenticate with a user having more than 10 roles. User cannot authenticate. Workaround: None.
541569 The incorrect source port is chosen for the IPsec/IKE NAT-T UDP encapsulated traffic. When IKE decides to float port when NAT device is detected, it should use port 4500 for both its source port and destination port. NAT traversal is enabled on the IKE Peer configuration object and NAT device is detected during IKE negotiation. When NAT-T is enabled, IPsec tunnel cannot be established. Workaround: None.
541571 Under certain circumstances, ephemeral nodes that are force deleted may not repopulate as expected. Sync group, multiple FQDNs resolving to same IP address. Ephemeral nodes may not repopulate as expected. Workaround: None.
541693 Monitors inherit incorrect time-until-up and up-interval from the parent via the GUI. Create a parent monitor with non-default time-until-up and up-interval values. Create a child monitor via the GUI. The child monitor's time-until-up value is set to the default (0). The up-interval value is incorrectly inherited from the parent. Workaround: Set the time-until-up value for the child to the desired value.
542104 In rare circumstances, it is possible for the TCP timestamps sent by the BIG-IP system to be inconsistent between blades. TCP monitors may fail because the server fails to respond to the initial TCP SYN. TCP traffic that utilizes a SNAT may fail because the server fails to respond to the initial TCP SYN. A server with tcp_tw_recycle enabled, and a multi-blade BIG-IP chassis. Monitor failures or traffic disruption. Workaround: After confirming that the time is properly synchronized across the chassis, reboot the chassis.
542292 In certain circumstances the BIG-IP GUI might cause MIB files to be served uncompressed, but with tar.gz extension. Use Chrome to download BIG-IP MIB files from the GUI. MIB files are uncompressed. Workaround: Do not attempt to uncompress the MIB files further if downloaded with Chrome. Simply untar and use as normal. Renaming the file may help avoid further confusion.
542654 bigd generates a core file and restarts. /var/log/ltm will show a message like: notice sod[6504]: 01140029:5: HA daemon_heartbeat bigd fails action is restart. tcp-half-open monitors are in use. bigd restarts and there is an interruption in monitoring. Workaround: There is no workaround, but this has been seen extremely rarely.
542860 TMM can crash when IPsec SAs are deleted using tmsh or the racoonctl utility during an HA Active to Standby transition, or vice versa. During the HA Active to Standby (or vice versa) event, use of tmsh or the racoonctl utility to delete IPsec SAs can cause a TMM crash. This is a race condition and can occur rarely. TMM crashes. Workaround: None.
562808 TMM might produce a core dump if a pool containing poolmembers is renamed. This occurs when the following conditions are met: - Pool with poolmembers. - Move operation is enabled via sys db key. - Pool is renamed. TMM might core. Workaround: Do not use move operation; fully delete/recreate pools if renaming is needed.
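Known issue 528881 above states the name rule that an upgraded configuration enforces on NAT objects. The following pre-upgrade checker is an added example, not F5 code: it scans bigip.conf-style text for 'ltm nat' stanzas, flags names that break the stated rule and proposes a compliant rename. The sample configuration is constructed, and the assumption that a name containing spaces appears double-quoted in the file is the example's own.

```python
import re

# Rule from known issue 528881: first character a letter, underscore or slash;
# subsequent characters letters, digits, periods, hyphens, underscores or slashes.
VALID_NAT_NAME = re.compile(r"^[A-Za-z_/][A-Za-z0-9._/-]*$")

# Opening line of an 'ltm nat' stanza. The name is either bare or double-quoted;
# treating a space-containing name as quoted is an assumption of this example.
NAT_STANZA = re.compile(r'^\s*ltm nat\s+(?:"([^"]*)"|(\S+))\s*\{', re.MULTILINE)


def nat_names(config_text):
    """Return the NAT object names found in a bigip.conf-style text, in file order."""
    return [quoted or bare for quoted, bare in NAT_STANZA.findall(config_text)]


def is_valid_nat_name(name):
    """True if the name satisfies the 528881 character rule."""
    return VALID_NAT_NAME.match(name) is not None


def suggest_rename(name):
    """Rewrite a name so that it satisfies the rule: every disallowed character
    (spaces included) becomes an underscore, and a disallowed first character
    (for example a leading digit) is prefixed with an underscore."""
    fixed = re.sub(r"[^A-Za-z0-9._/-]", "_", name)
    if not re.match(r"[A-Za-z_/]", fixed):
        fixed = "_" + fixed
    return fixed


def preupgrade_nat_report(config_text):
    """Map each NAT name that would block the config load to a suggested replacement."""
    return {
        name: suggest_rename(name)
        for name in nat_names(config_text)
        if not is_valid_nat_name(name)
    }


# Constructed sample: three NATs, two of which would block the upgraded config load
# (one because of spaces, one because of a colon).
SAMPLE_CONF = """\
ltm nat /Common/web_nat {
    originating-address 10.0.0.10
    translation-address 192.0.2.10
}
ltm nat "/Common/mail nat 1" {
    originating-address 10.0.0.11
    translation-address 192.0.2.11
}
ltm nat /Common/db:nat {
    originating-address 10.0.0.12
    translation-address 192.0.2.12
}
"""

if __name__ == "__main__":
    for bad, good in preupgrade_nat_report(SAMPLE_CONF).items():
        print(f"rename before upgrade: {bad!r} -> {good!r}")
```

Run it against the output of 'tmsh save sys config' (or the file itself) before starting the upgrade; every reported name must be renamed first, because the issue gives no post-upgrade recovery other than fixing the names.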

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews
The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews
F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.

Legal notices
