Applies To:

Show Versions Show Versions

Supplemental Document: Release Information: BIG-IP 11.6.1

Original Publication Date: 06/30/2016

Release Information

Version: BIGIP-11.6.1
Build: 317.0

Cumulative fixes from BIG-IP v11.6.0 Hotfix 6 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 5 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 4 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 3 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v11.6.0 Hotfix 1 that are included in this release
Known Issues in BIG-IP v11.6.x

Vulnerability Fixes

ID Number CVE Solution Article(s) Description
565169 CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4872 CVE-2015-4881 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4903 CVE-2015-4911 SOL05200155 Multiple Java Vulnerabilities
542314-5 CVE-2015-8099 SOL35358312 TCP vulnerability - CVE-2015-8099
529509-6 CVE-2015-4620 SOL16912 BIND Vulnerability CVE-2015-4620
570535 CVE-2011-5321 CVE-2012-6657 CVE-2013-4483 CVE-2014-3184 CVE-2014-3185 CVE-2014-3611 CVE-2014-3940 CVE-2014-6410 CVE-2014-8160 CVE-2014-9420 CVE-2014-9529 CVE-2014-9584 CVE-2015-1593 CVE-2015-1805 CVE-2015-3636 CVE-2015-5307 CVE-2015-5364 CVE-2015-5366 CVE Multiple Kernel Vulnerabilities
567475-5 CVE-2015-8704 SOL53445000 BIND vulnerability CVE-2015-8704
560180-2 CVE-2015-8000 SOL34250741 BIND Vulnerability CVE-2015-8000
553902-2 CVE-2015-5300 CVE-2015-7704 CVE-2015-7871 CVE-2015-7855 CVE-2015-7853 CVE-2015-7852 CVE-2015-7850 CVE-2015-7701 CVE-2015-7691 CVE-2015-7692 CVE-2015-7702 CVE-2015-5196 Multiple NTP Vulnerabilities
545786-4 CVE-2015-7393 SOL75136237 Privilege escalation vulnerability CVE-2015-7393
540849-7 CVE-2015-5986 SOL17227 BIND vulnerability CVE-2015-5986
540846-7 CVE-2015-5722 SOL17181 BIND vulnerability CVE-2015-5722
540767-2 CVE-2015-5621 SOL17378 SNMP vulnerability CVE-2015-5621
534090-2 CVE-2015-5380 SOL17238 Node.js vulnerability CVE-2015-5380
508057-1 CVE-2015-0411 SOL16355 MySQL Vulnerability CVE-2015-0411
488015-1 CVE-2014-3669 CVE-2014-3670 CVE-2014-3668 SOL15866 Multiple PHP vulnerabilities
556383-1 CVE-2015-7181 CVE-2015-7182 CVE-2015-7183 SOL31372672 Multiple NSS Vulnerabilities
534633-3 CVE-2015-5600 SOL17113 OpenSSH vulnerability CVE-2015-5600
525232-1 CVE-2015-4024 SOL16826 PHP vulnerability CVE-2015-4024
472696-1 CVE-2014-1544 SOL16716 Multiple Mozilla Network Security Services vulnerabilities
470842-1 CVE-2012-5784 SOL14371 Apache Axis vulnerability CVE-2012-5784
560962-2 CVE-2015-3196 SOL55540723 OpenSSL Vulnerability CVE-2015-3196
560948-2 CVE-2015-3195 SOL12824341 OpenSSL vulnerability CVE-2015-3195
567484-5 CVE-2015-8705 SOL86533083 BIND Vulnerability CVE-2015-8705


Functional Change Fixes

ID Number Severity Description
470715-5 2-Critical Excessive IP fragmentation on tmm_bp vlan causes ftp data loss with vlan name >= 16 characters long
570716-3 3-Major Default net ipsec ike-peer anonymous state disable
539130-6 3-Major bigd may crash due to a heartbeat timeout
530133-3 3-Major Support for New Platform: BIG-IP 10350 FIPS
382157-3 3-Major Stats presented by the MIB sysVlanStatTable does not match sflow vlan stats


TMOS Fixes

ID Number Severity Description
492460-3 1-Blocking Virtual deletion failure possible when using sFlow
572086 2-Critical Unable to boot v11.6.0 on 7250 or 10250 platforms
564427-3 2-Critical Use of iControl call get_certificate_list_v2() causes a memory leak.
562959-2 2-Critical In some error scenarios, IPsec might send packets not intended for the IPsec over the tunnel.
562122-5 2-Critical Adding a trunk might disable vCMP guest
557680-1 2-Critical Fast successive MTU changes to IPsec tunnel interface crashes TMM
556380-2 2-Critical mcpd can assert on active connection deletion
555686-5 2-Critical Copper SFPs OPT-0015 on 10000-series appliance may cause interfaces to not come up and/or show corrupted serial numbers
554609-4 2-Critical Kernel panics during boot when RAM spans multiple NUMA nodes.
552481 2-Critical Disk provisioning error after restarting ASM service.
551661-2 2-Critical Monitor with send/receive string containing double-quote may fail to load.
544913-6 2-Critical tmm core while logging from TMM during failover
544481-5 2-Critical IPSEC Tunnel fails for more than one minute randomly.
543924 2-Critical Update kernel to latest public RHEL6.4 kernel: 2.6.32-358.61.1.el6
520380-6 2-Critical save-on-auto-sync can spawn multiple invocations of tmsh, starving system of memory
511527-2 2-Critical snmpd segmentation fault at get_bigip_profile_user_stat()
510559-6 2-Critical Add logging to indicate that compression engine is stalled.
505071-5 2-Critical Delete and create of the same object can cause secondary blades' mcpd processes to restart.
504508-5 2-Critical IPsec tunnel connection from BIG-IP to some Cisco ASA does not stay up when DPD (Dead Peer Detection) is enabled
503600-6 2-Critical TMM core logging from TMM while attempting to connect to remote logging server
502841-2 2-Critical REST API hangs due to icrd startup issues
490801-2 2-Critical mod_ssl: missing support for TLSv1.1 and TLSv1.2
484453-6 2-Critical Messages logged when registering with LOP daemon (lopd) or CAN daemon (cand)
365219-2 2-Critical Trust upgrade fails when upgrading from version 10.x to version 11.x.
563475-3 3-Major ePVA dynamic offloading can result in immediate eviction and re-offloading of flows.
562928 3-Major Curl connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled
560423-2 3-Major VxLAN tunnel IP address modification is not supported
560220-1 3-Major Missing partition and subPath fields for some objects in iControl REST
559584-2 3-Major tmsh list/save configuration takes a long time when config contains nested objects.
558573-2 3-Major MCPD restart on secondary blade after updating Pool via GUI
556284-5 3-Major iqsyncer: GTM/LC config sync failure with error from local mcpd Monitor parent not found
554563-3 3-Major Error: Egress CoS queue packet drop counted against both Drops In and Drops Out statistics.
554340-4 3-Major IPsec tunnels fail when connection.vlankeyed db variable is disabled
553649-3 3-Major The SNMP daemon might lock up and fail to respond to SNMP requests.
553576-3 3-Major Intermittent 'zero millivolt' reading from FND-850 PSU
552585-3 3-Major AAA pool member creation sets the port to 0.
551927-2 3-Major ePVA snoop header's transform vlan should be set properly under asymmetric routing condition
551742-2 3-Major Hardware parity error mitigation for the SOURCE_VP table on 10000s/10200v/10250v platforms and B4300/B4340N and B2250 blades
550694-3 3-Major LCD display stops updating and Status LED turns/blinks Amber
550536-3 3-Major Incorrect information/text (in French) is displayed when the Edge Client is launched
549543-3 3-Major DSR rejects return traffic for monitoring the server
548239-3 3-Major BGP routing using route-maps cannot match route tags
547532-2 3-Major Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades
541569-3 3-Major IPsec NAT-T (IKEv1) not working properly
540996-2 3-Major Monitors with a send attribute set to 'none' are lost on save
540871-1 3-Major Update/deletion of SNMPv3 user does not work correctly
539822-4 3-Major tmm may leak connflow and memory on vCMP guest.
539784-4 3-Major HA daemon_heartbeat mcpd fails on load sys config
538663-3 3-Major SSO token login does not work due to remote role update failures.
538024-3 3-Major Configuration containing a virtual server with a named wildcard destination address ('any6') may fail to load
534582-4 3-Major HA configuration may fail over when standby has only base configuration loaded.
534076-2 3-Major SNMP configured trap-source might not be used in v1 snmp traps.
533826-5 3-Major SNMP Memory Leak on a VIPRION system.
531986-3 3-Major Hourly AWS VE license breaks after reboot with default tmm route/gateway.
531705-2 3-Major List commands on non-existent iRules incorrectly succeeds.
530242-3 3-Major SPDAG on VIPRION B2250 and B2250F blades might cause traffic imbalance among TMMs
529977-1 3-Major OSPF may not process updates to redistributed routes
529484-4 3-Major Virtual Edition Kernel Panic under load
528987-3 3-Major Benign warning during formatting installation
528276-7 3-Major The device management daemon can crash with a malloc error
526817-4 3-Major snmpd core due to mcpd message timer thread not exiting
526031-2 3-Major OSPFv3 may not completely recover from "clear ipv6 ospf process"
524300-2 3-Major The MOS boot process appears to hang.
523867-3 3-Major 'warning: Failed to find EUDs' message during formatting installation
522871-1 3-Major [TMSH] nested wildcard deletion will delete all the objects (matched or not matched)
522837-1 3-Major MCPD can core as a result of another component shutting down prematurely
522332-1 3-Major Configuration upgrade of httpclass which has the 'hosts' attribute done incorrectly
521144-5 3-Major Network failover packets on the management interface sometimes have an incorrect source-IP
517388-7 3-Major Parsing the DN (for subject or issuer) in a certificate does not take into account all the possible RDNs.
517209-7 3-Major tmsh save sys config file /var/tmp or /shared/tmp can make some BIG-IP functionality unusable
517020-5 3-Major SNMP requests fail and subsnmpd reports that it has been terminated.
516322-7 3-Major iApp association removed from virtual server
513974-7 3-Major Transaction validation errors on object references
513659-3 3-Major AAM Policy not all regex characters can be used via the GUI
512130-4 3-Major Remote role group authentication fails with a space in LDAP attribute group name
510381-3 3-Major bcm56xxd on A108 (B4300 blade) might core when restarting due to bundling config change.
503246-4 3-Major TMM crashes when unable to allocate large amount of provisioned memory
496679-5 3-Major After renaming /cm device, load fail 'foreign key index (default_device_fk)'.
495865-2 3-Major iApps/tmsh cannot reconfigure pools that have monitors associated with them.
491727-2 3-Major Upgrade can fail to load config due to tcp profile no longer allowing time-wait-timeout of 4294967295 (indefinite).
490537-6 3-Major Persistence Records display in GUI might cause system crash with large number of records
482373-3 3-Major Can not delete and re-create a new virtual server that uses the same virtual address in the same transaction
480246-4 3-Major Message: Data publisher not found or not implemented when processing request
473415-1 3-Major ASM Standalone license has to include URL and HTML Rewrite
449453-5 3-Major Loading the default configuration may cause the mcpd process to restart and produce a core file.
442871-2 3-Major BIG-IP VE instances created using OpenStack interfaces may fail to detect the KVM hypervisor
439559-2 3-Major APM policy sync resulting in failover device group sync may make the failover sync fail
433466-4 3-Major Disabling bundled interfaces affects first member of associated unbundled interfaces
421012-3 3-Major scriptd incorrectly reports that it is running on a secondary blade
405635-2 3-Major Using the restart cm trust-domain command to recreate certificates required by device trust.
553174-4 4-Minor Unable to query admin IP via SNMP on VCMP guest
533790-4 4-Minor Creating multiple address entries in data-group might result in records being incorrectly deleted
519216-4 4-Minor Abnormally high CPU utilization from external SSL/OpenSSL monitors
480071-2 4-Minor Backslashes in policy rule added/duplicated when modified in GUI.
401893-3 4-Minor Allowing tilde in HTTP Profile fields Response Headers Allowed and Encrypt Cookies
223884 4-Minor Module not licensed message appears when APM is provisioned and APML is licensed.
572133-2 5-Cosmetic tmsh save /sys ucs command sends status messages to stderr
413708-5 5-Cosmetic BIG-IP system may use an ephemeral source port when sending SNMP IPv6 UDP response.
388274-3 5-Cosmetic LTM pool member link in non-Common partition is wrong in Network Map.
291469-2 5-Cosmetic SNMP query fails to return ARP entries when the ARP table exceeds 2,048 entries.


Local Traffic Manager Fixes

ID Number Severity Description
536690-4 1-Blocking Occasional host-tmm connections within a chassis will fail (affects APM processes trying to connect to a tmm)
476386-2 1-Blocking DHE-RSA-AES256-SHA256 and DHE-RSA-AES128-SHA256 should only be supported for tls1.2
565810-2 2-Critical OneConnect profile with an idle or strict limit-type might lead to tmm core.
554967-3 2-Critical Small Client EDNS0 Limits can Sometimes Truncate DNSSEC or iRule DNS Packets
552151-2 2-Critical Continuous error report in /dev/log/ltm: Device error: n3-compress0 Nitrox 3, Hang Detected
549782-1 2-Critical XFV driver can leak memory
545810-1 2-Critical ASSERT in CSP in packet_reuse
544375-1 2-Critical Unable to load certificate/key pair
542564-3 2-Critical bigd detection and logging of load and overload
540568-2 2-Critical TMM core due to SIGSEGV
540473-6 2-Critical peer/clientside/serverside script with parking command may cause tmm to core.
537988-5 2-Critical Buffer overflow for large session messages
534804-2 2-Critical TMM may core with rate limiting enabled and service-down-action reselect on poolmembers
534052-3 2-Critical VLAN failsafe triggering on standby leaks memory
530505-4 2-Critical IP fragments can cause TMM to crash when packet filtering is enabled
529920-7 2-Critical Connection mirroring with OneConnect on a virtual server can cause TMM crash on standby unit
528739-1 2-Critical DNS Cache could use cached data from ADDITIONAL sections in ANSWER responses.
527011-6 2-Critical Intermittent lost connections with no errors on external interfaces
525882-2 2-Critical SSL client certificate verification during SSL handshake might leak a reference to the issuer certificate.
524605-2 2-Critical Requests/responses may not be fully delivered to plugin in some circumstances
523995-2 2-Critical IPv4 link-local addresses can cause TMM crash when used in conjunction with ECMP routes
521336-6 2-Critical pkcs11d initialization retry might post misleading error messages and eventually result in a pkcs11d core
520105-3 2-Critical Possible segfault during hardware accelerated compression.
518275-2 2-Critical The BIG-IP system may stop the normal processing of SSL traffic and dump a TMM core file
517465-4 2-Critical tmm crash with ssl
509284-2 2-Critical Improved reliability of a module interfacing with HSM
507611-4 2-Critical On BIG-IP 2000- and 4000-series platforms BGP sessions with TCP MD5 enabled might fail to establish connection to neighbors.
489451-3 2-Critical TMM might panic due to OpenSSL failure during handshake generation
489329-6 2-Critical Memory corruption can occur with SPDY/HTTP2 profile(s)
483719-2 2-Critical vlan-groups configured with a single member VLAN result in memory leak
341928-4 2-Critical CMP enabled virtual servers which target CMP disabled virtual servers can crash TMM.
570617-4 3-Major HTTP parses fragmented response versions incorrectly
564371-2 3-Major FQDN node availability not reset after removing monitoring
562308-2 3-Major FQDN pool members do not support manual-resume
562292-1 3-Major Nesting periodic after with parking command could crash tmm
560685 3-Major TMM may crash with 'tmsh show sys conn'.
559933-2 3-Major tmm might leak memory on vCMP guest in SSL forward proxy
558517-3 3-Major Upgrading results in additional escaping for monitor send/recv strings in /config/bigip.conf.
557783-2 3-Major TMM generated traffic to external IPv6 global-addr via ECMP routes might use link-local addr
557645-3 3-Major On VIPRION 2200 and 2400 platforms, internal HA communication between devices will occasionally fail.
557519 3-Major TMM may core when disabling HTTP in an iRule on a virtual server with HTTP and FastL4 profiles
556568-2 3-Major TMM can crash with ssl persistence and fragmented ssl records
556560-2 3-Major DNS messages may become malformed if the Additional section contains an OPT record followed by multiple records.
556103-3 3-Major Abnormally high CPU utilization for external monitors
554769-4 3-Major CPM might crash when TCLRULE_HTTP_RESPONSE is triggered.
554761-5 3-Major Negotiated TCP timestamps not maintained on syncookie flows
553688-4 3-Major TMM can core due to memory corruption when using SPDY profile.
553613-3 3-Major FQDN nodes do not support session user-disable
552931-4 3-Major Configuration fails to load if DNS Express Zone name contains an underscore
552865-4 3-Major SSL client authentication should ignore invalid signed Certificate Verify message when PCM is set to 'request'.
550689-2 3-Major Resolver H.ROOT-SERVERS.NET Address Change
549800-2 3-Major Renaming a virtual server with an attached plugin can cause buffer overflow
549406-5 3-Major Destination route-domain specified in the SOCKS profile
548680-2 3-Major TMM may core when reconfiguring iApps that make use of iRules with procedures.
548678-2 3-Major ASM blocking page does not display when using SPDY profile
548563-2 3-Major Transparent Cache Messages Only Updated with DO-bit True
547732-1 3-Major TMM may core on using SSL::disable on an already established serverside connection
544028-5 3-Major Verified Accept counter 'verified_accept_connections' might underflow.
543220-1 3-Major Global traffic statistics does not include PVA statistics
542724-1 3-Major If there is OCSP Stapling enabled on a clientSSL profile, under certain remote conditions, TMM could crash
542640-2 3-Major bigd intentionally cores when it should shutdown cleanly
541571-3 3-Major FQDN ephemeral nodes not repopulated after recreating with swapped IP addresses
538639-3 3-Major P-256 ECDH performance improvements
538603-2 3-Major TMM core file on pool member down with rate limit configured
537964-4 3-Major Monitor instances may not get deleted during configuration merge load
535759-3 3-Major SMTP monitor marks a server down if the server does not close connections after a quit command is received
534457-2 3-Major Dynamically discovered routes might fail to remirror connections.
533820-5 3-Major DNS Cache response missing additional section
532911-2 3-Major Setting 'Untrusted Certificate Response Control' to ignore in server SSL profile does not ignore self-signed untrusted certificates.
532107-2 3-Major [LTM] [DNS] Maximum RTT value for nameserver cache still exists after nameserver cache is deleted
530761-1 3-Major TMM crash in DNS processing on a TCP virtual
529899-1 3-Major Installation may fail with the error "(Storage modification process conflict.)".
528407-4 3-Major TMM may core with invalid lasthop pool configuration
528007-6 3-Major Memory leak in ssl
527149-3 3-Major FQDN template node transitions to 'unknown' after configuration reload
527027-4 3-Major DNSSEC Unsigned Delegations Respond with Parent Zone Information
527024-3 3-Major DNSSEC Unsigned Delegations Respond with Parent Zone Information
525989-2 3-Major A disabled blade is spontaneously re-enabled
525958-11 3-Major TMM may crash if loadbalancing to node's IP in iRule routed towards an unreachable nexthop.
525672-2 3-Major tmm memory leak with SSL forward proxy virtual server having CLIENTSSL_CLIENTHELLO with SNI lookup.
525322-7 3-Major Executing tmsh clientssl-proxy cached-certs crashes tmm
524960-2 3-Major 'forward' command does not work if virtual server has attached pool
524641-1 3-Major Wildcard NAPTR record after deleting the NAPTR records
523471-2 3-Major pkcs11d core when connecting to SafeNet HSM
519217-4 3-Major tmm crash: valid proxy
517282-7 3-Major The DNS monitor may delay marking an object down or never mark it down
517053-2 3-Major bigd detection and logging of load and overload
516816-4 3-Major RSA key with DSA-signed or ECDSA-signed certificate silently fails handshake.
515759-3 3-Major Configuration objects with more than four vlans in vlan list may cause memory utilization to increase over time
513213-5 3-Major FastL4 connection may get RSTs in case of hardware syncookie enabled.
513142-3 3-Major FQDN nodes with a default monitor may cause configuration load failure
512119-2 3-Major Improved UDP DNS packet truncation
511057-5 3-Major Config sync fails after changing monitor in iApp
510264-1 3-Major TMM core associated with smtps profile.
509641-3 3-Major Ephemeral pool members may not inherit attributes from FQDN parent
507410-2 3-Major Possible TMM crash when handling certain types of traffic with SSL persistence enabled
507109-4 3-Major inherit-certkeychain attribute of child Client SSL profile can unexpectedly change during upgrade
505089-4 3-Major Spurious ACKs result in SYN cookie rejected stat increment.
504545-2 3-Major FQDN: node without service checking reported as 'service checking enabled, no results yet'
502480-1 3-Major Mirrored connections on standby device do not get closed when Verified Accept is enabled
500786-6 3-Major Heavy memory usage while using fastL4/BIGTCP virtual with HTTP profile
499430-2 3-Major Standby unit might bridge network ingress packets when bridge_in_standby is disabled
488921-2 3-Major BIG-IP system sends unnecessary gratuitous ARPs
476567-5 3-Major fastL4: acceleration state is incorrectly reported on show sys conn
476564-5 3-Major ePVA FIX: no RST for an unaccelerated flow targeting a network virtual
475701-2 3-Major FastL4 with FIX late-bind enabled may not honor client-timeout
472532-4 3-Major Cipher dhe-rsa-aes256-sha256 is missing from the SSL cipher list
460946-2 3-Major NetHSM key is displayed as normal in GUI
458348-2 3-Major RESOLV:: iRule commands and sFlow don't function correctly when using non-default CMP hashing.
455762-1 3-Major DNS cache statistics incorrect
452443-2 3-Major DNS cache resolver cannot send egress traffic on a VLAN with src-ip or dst-ip cmp hash configured
452439-5 3-Major TMM may crash when enabling DOS sweep/flood if a TMM process has multiple threads
446526-7 3-Major TCP virtual server/UDP virtual server without datagram-LB mode enabled running DNS cache and suspending iRules might cause TMM crash.
441058 3-Major TMM can crash when a large number of SSL objects are created
424831-6 3-Major State Mirroring does not work for an HA pair that uses only hardwired (serial) failover, without network failover
418890-2 3-Major OpenSSL bug can prevent RSA keys from rolling forward
406001-3 3-Major Host-originated traffic cannot use a nexthop in a different route domain
372473-2 3-Major mcp error 0x1020003 may be logged to /var/log/tmm when TMM crashes
554774-2 4-Minor Persist lookup across services might fail to return a matching record when multiple records exist.
551614-2 4-Minor MTU Updates should erase all congestion metrics entries
546747-2 4-Minor Occasional SSL connection handshake failure when one ClientHello is sent in multiple packets
534458-6 4-Minor SIP monitor marks down member if response has different whitespace in header fields.
452482-7 4-Minor HTTP virtual servers with cookie persistence might reset incoming connections
558053-2 5-Cosmetic Pool's 'active_member_cnt' attribute may not be updated as expected.
529897-1 5-Cosmetic Diameter monitor logging displays hex when monitor failing instead of the AVP which the monitor is failing on.


Performance Fixes

ID Number Severity Description
489816-1 1-Blocking F5 Enterprise MIB attribute sysTmmStatMemoryTotal returning zero
548796-2 2-Critical Avrd is at CPU is 100%


Global Traffic Manager Fixes

ID Number Severity Description
533658-5 2-Critical DNS decision logging can trigger TMM crash
471467 2-Critical gtmparse segfaults when loading wideip.conf because of duplicate virtual server names
469033 2-Critical Large big3d memory footprint.
551767-3 3-Major GTM server 'Virtual Server Score' not showing correctly in TMSH stats
546640 3-Major tmsh show gtm persist <filter option> does not filter correctly
529460-7 3-Major Short HTTP monitor responses can incorrectly mark virtual servers down.
526699-6 3-Major TMM might crash if BIG-IP DNS iRule nodes_up references invalid IP/Port.
481328-2 3-Major Many 'tmsh save sys config gtm-only partitions all' stack memory issue.
552352-2 4-Minor tmsh list display incorrectly for default values of gtm listener translate-address/translate-port
494796 4-Minor Unable to create GTM Listener with non-default protocol profile.
494070-2 4-Minor BIG-IP DNS cannot use a loopback address with fallback IP load balancing


Application Security Manager Fixes

ID Number Severity Description
565463-2 1-Blocking ASM-config consumes 1.3GB RAM after repeated Policy Import via REST
566758-2 2-Critical Manual changes to policy imported as XML may introduce corruption for Login Pages
555057-3 2-Critical ASM REST: Removing a Signature Set From One Security Policy Removes It From All Security Policies.
555006-3 2-Critical ASM REST: lastUpdateMicros is not updated when changing a Custom Signature
552139-2 2-Critical ASM limitation in the pattern matching matrix builtup
478351-1 2-Critical Changing management IP can lead to bd crash
474252-1 2-Critical Applying ASM security policy repeatedly fills disk partition on a chassis
574451-2 3-Major ASM chassis sync occasionally fails to load on secondary slot
563237 3-Major ASM REST: name for ipIntelligenceReference is incorrect
562775-2 3-Major Memory leak in iprepd
558642-1 3-Major Cannot create the same navigation parameter in two different policies
554367-1 3-Major BIG-IQ ASM remote logger: Requests are not be logged.
553146-2 3-Major BD memory leak
547000-4 3-Major Enforcer application might crash on XML traffic when out of memory
542511-2 3-Major 'Unhandled keyword ()' error message in GUI and/or various ASM logs
541852-1 3-Major ASM REST: PATCH to XML Profiles with unmodified "validationFiles" fails
541406-1 3-Major ASM REST: XML Profile Validation File Associations are Removed on a Partial PATCH Request
540390-2 3-Major ASM REST: Attack Signature Update cannot roll back to older attack signatures
538195-1 3-Major Incremental Manual sync does not allow overwrite of 'newer' ASM config
535188-3 3-Major Response Pages custom content with \n instead of \r\n on policy import.
534246-2 3-Major rest_uuid should be calculated from the actual values inserted to the entity
531809-2 3-Major FTP/SMTP traffic related bd crash
530598-1 3-Major Some Session Tracking data points are lost on TMM restart
529610-1 3-Major On HA setups ASM session tracking page display an empty list when in fact there are asm entries in session db
529535-4 3-Major MCP validation error while deactivating a policy that is assigned to a virtual server
526162-7 3-Major TMM crashes with SIGABRT
520732-3 3-Major XML policy import adds default entities if the relevant element list (in policy xml doc) is specified and empty
514313-1 3-Major Logging profile configuration is updated unnecessarily
514061-4 3-Major False positive scenario causes SMTP transactions to hang and eventually reset.
503696-1 3-Major BD enforcer updates may be stuck after BD restart
491371-1 3-Major CMI: Manual sync does not allow overwrite of 'newer' ASM config
491352-3 3-Major Added ASM internal parameter to add more XML memory
481530-1 3-Major Signature reporting details for sensitive data violation
538837-1 4-Minor REST: Filtering login pages or parameters by their associated URL does not work


Application Visibility and Reporting Fixes

ID Number Severity Description
529900-1 2-Critical AVR missing some configuration changes in multiblade system
519257-2 2-Critical cspm script isn't injected in text/html chuncked response
470559 2-Critical TMM crash after traffic stress with rapid changes to Traffic capturing profiles
552488-1 3-Major Missing upgrade support for AFM Network DoS reports.
549393-3 3-Major SWG URL categorization may cause the /var file system to fill.
535246-6 3-Major Table values are not correctly cleaned and can occupy entire disk space.
530952-1 3-Major MySql query fails with error number 1615 'Prepared statement needs to be re-prepared'
529903-1 3-Major Incorrect reports on multi-bladed systems
528031-3 3-Major AVR not reporting the activity of standby systems.
491185-1 3-Major URL Latencies page: pagination limited to 180 pages
490999-2 3-Major Subscriber-level AVR statistics display the subscriber-type as "Unknown" for subscribers created using Radius Acct-Start
537435-1 4-Minor Monpd might core if asking for export report by email while monpd is terminating
495744-1 4-Minor Some user defined ASM reports are not loading correctly after upgrade from 11.4 upwards


Access Policy Manager Fixes

ID Number Severity Description
553330-3 1-Blocking Unable to create a new document with SharePoint 2010
579559-2 2-Critical DTLS Networks Access may not work with some hardware platforms with Nitrox hardware acceleration
572563-3 2-Critical ---
569306-3 2-Critical Edge client does not use logon credentials even when "Reuse Windows Logon Credentials" is selected
555507-2 2-Critical Under certain conditions, SSO plugin can overrun memory not owned by the plugin.
551764-3 2-Critical [APM] HTTP status 500 response of successful Access Policy in clientless mode on chassis platform
530622-1 2-Critical EAM plugin uses high memory when serving very high concurrent user load
522997-3 2-Critical Websso cores when it tries to shutdown
491080-5 2-Critical Memory leak in access framework
571003-1 3-Major TMM Restarts After Failover
570563-2 3-Major CRL is not being imported/exported properly
569255-3 3-Major Network Access incorrectly manipulates routing table when second adapter being connected if "Allow Local subnet access' is set to ON
566908-5 3-Major Webserver listening on local Wifi or ethernet IP cannot be accessed after VPN with proxy.pac file
565527-3 3-Major Static proxy settings are not applied if NA configuration
564496-3 3-Major Applying APM Add-on License Does Not Change Effective License Limit
564493 3-Major Copying an access profile appends an _1 to the name.
564262-4 3-Major Network Access does not work if DNS cannot be resolved on client and PAC file contains DNS resolution code
564253-5 3-Major Firefox signed plugin for VPN, Endpoint Check, etc
563474-2 3-Major SNMP F5-BIGIP-APM-MIB::apmPmStatConfigSyncState returns 0 for edited access profile
561976 3-Major Values of high-water and low-water mark for 'apd' pending request queue might not handle requests completely.
558870-3 3-Major Protected workspace does not work correctly with third party products
558631-2 3-Major APM Network Access VPN feature may leak memory
555457-5 3-Major Reboot is required, but not prompted after F5 Networks components have been uninstalled
555435-2 3-Major AD Query fails if cross-domain option is enabled and administrator's credentials are not specified
554993-2 3-Major Profile Stats Not Updated After Standby Upgrade Followed By Failover
554899-2 3-Major MCPD core with access policy macro during config sync in HA configuration
554626-1 3-Major Database logging truncates log values greater than 1024
554228-5 3-Major OneConnect does not work when WEBSSO is enabled/configured.
554041-5 3-Major No connectivity inside enterprise network for "Always Connected" client if Network Location Awareness is enabled
553734-1 3-Major Issue with assignment of non-string value to Form.action in javascript.
553063-1 3-Major Epsec version rolls back to previous version on a reboot
552498-1 3-Major APMD basic authentication cookie domains are not processed correctly
549588-2 3-Major EAM memory leak when cookiemap is destroyed without deleting Cookie object in it
549108-1 3-Major RDP resource 'Custom parameters' fail to accept parameters containing spaces or colon in the value
548361 3-Major Performance degradation when adding VDI profile to virtual server
543222-3 3-Major apd may crash if an un-encoded session variable contains "0x"
539270-6 3-Major A specific NTLM client fails to authenticate with BIG-IP
539229-7 3-Major EAM core while using Oracle Access Manager
531983-5 3-Major [MAC][NA] Routing table is not updated correctly in connected state when new adapter is added
528808-3 3-Major Source NAT translation doesn't work when APM is disabled using iRule
526637-4 3-Major tmm crash with APM clientless mode
522791-2 3-Major HTML rewriting on client might leave 'style' attribute unrewritten.
520088-2 3-Major Citrix HTML5 Receiver does not properly display initial tour and icons
518550-3 3-Major Incorrect value of form action attribute inside 'onsubmit' event handler in some cases
517846-2 3-Major View Client cannot change AD password in Cross Domain mode
511893-5 3-Major Client connection timeout after clicking Log In to Access Policy Manager on a Chassis
492122-5 3-Major Now Windows Logon Integration does not recreate temporary user for logon execution each time
488811-5 3-Major F5-prelogon user profile folder are not fully cleaned-up
482177-4 3-Major Accessing Sharepoint web application portal interferes with IdP initiated SAML SSO
472446-2 3-Major Customization Group Template File Might Cause Mcpd to Restart
471318-1 3-Major AD/LDAP group name matching should be case-insensitive
467256-2 3-Major Deleting OPSWAT/Epsec packages from GUI does not delete files from disk causing UCS packages to bloat
462598-4 3-Major Failover triggered due to a TMM crash resulting from unavailable APM renderer pool members.
462258-8 3-Major AD/LDAP server connection failures might cause apd to stop processing requests when service is restored
461084-3 3-Major Kerberos Auth might fail if client request contains Authorization header
389328-7 3-Major RSA SecurID node secret is not synced to the standby node


WebAccelerator Fixes

ID Number Severity Description
551010-7 3-Major Crash on unexpected WAM storage queue state
525478-2 3-Major Requests for deflate encoding of gzip documents may crash TMM


Wan Optimization Manager Fixes

ID Number Severity Description
552198-5 3-Major APM App Tunnel/AM iSession Connection Memory Leak
547537-3 3-Major TMM core due to iSession tunnel assertion failure


Service Provider Fixes

ID Number Severity Description
538784-3 3-Major ICAP implementation incorrect when HTTP request or response is missing a payload
523854-1 3-Major TCP reset with RTSP Too Big error when streaming interleaved data
545985-3 4-Minor ICAP 2xx response (except 200, 204) is treated as error
489957-9 4-Minor RADIUS::avp command fails when AVP contains multiple attribute (VSA).


Advanced Firewall Manager Fixes

ID Number Severity Description
477769-2 2-Critical TMM crash (panic) in AFM pktclass code (Assertion 'classifier ref non-zero' failed.) when virtual server has SPDY or HTTP Prefetching enabled along with AFM Rules.
561433-3 3-Major TMM Packets can be dropped indiscriminately while under DOS attack
489379-1 3-Major Bot signature is not matched
469512-3 3-Major TMM aborted by SOD due to heartbeat failure when trying to load huge firewall policies.


Policy Enforcement Manager Fixes

ID Number Severity Description
529634-2 2-Critical Crash observed with HSL logging
512069-2 2-Critical TMM restart while relicensing the BIG-IP using the base license.
510923-2 2-Critical TMM crashes on the disabled secondary blade and bigstart restart or reboot is triggered.
565765-3 3-Major Flow reporting does not occur for unclassified flows.
564263-3 3-Major PEM: TMM asserts when Using Debug Image when Gy is being used
560607-3 3-Major Resource Limitation error when removing predefined policy which has multiple rules
559382-1 3-Major Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers
557675-3 3-Major Failover from PEM to PCRF can cause session lookup inconsistency
549283-3 3-Major Add a log message to indicate transition in the state of Gx and Gy sessions.


Carrier-Grade NAT Fixes

ID Number Severity Description
555369-3 2-Critical CGNAT memory leak when non-TCP/UDP traffic directed at public addresses
545783-3 2-Critical TMM crashes when forwarding an inbound connection on Large Scale NAT (LSN) pool
540571-2 2-Critical TMM cores when multicast address is set as destination IP via iRules and LSN is configured
540484-2 2-Critical "show sys pptp-call-info" command can cause tmm crash
535101-1 2-Critical Connections to LSN pools in PBA mode may cause tmm core if used in conjunction with udp_gtm_dns profile.


Centralized Management Fixes

ID Number Severity Description
538722-3 3-Major Configurable maximum message size limit for restjavad


iApp Technology Fixes

ID Number Severity Description
546082-5 2-Critical Special characters might change input.


Cumulative fix details for BIG-IP v11.6.1 that are included in this release

579559-2 : DTLS Networks Access may not work with some hardware platforms with Nitrox hardware acceleration

Component: Access Policy Manager

Symptoms:
Network Access always fallbacks to TLS connection even if DTLS is configured when connecting to some hardware platforms.

Conditions:
Network Access is configured to use DTLS Hardware BIG-IP with DTLS Nitrox acceleration is used,

Impact:
Network Access connection always fallbacks to TLS connection

Workaround:
N/A

Fix:
Nitrox hardware acceleration support was fixed


574451-2 : ASM chassis sync occasionally fails to load on secondary slot

Component: Application Security Manager

Symptoms:
ASM chassis sync occasionally fails to load on secondary slot when a new policy is created after a series of other configuration changes in quick succession.

Conditions:
A new policy is created after a series of other configuration changes in quick succession

Impact:
ASM chassis sync fails to load on secondary slot.

Workaround:
Make another system-wide configuration change, such as creating a user-defined signature, or wait until the hourly sync occurs.

Fix:
ASM chassis blades are now synchronized correctly after every policy creation.


572563-3 : ---

Component: Access Policy Manager

Symptoms:
Internet Explorer (IE) gets stuck entering Protected Work Space (PWS).

Conditions:
One of our DLLs, vdeskctrl.dll, provides COM services. Internet Explorer (IE), consumes the COM services. The DLL is loaded by IE during upgrade of PWS components. For some reason (especially on slow systems), IE does not unload the the old DLL promptly after upgrading PWS. When COM services are invoked to initialize PWS after upgrade, old DLL provides the service. Due to the recent renewal of our signing certificate, old DLL can't certify the integrity of the new PWS components. We have researched the issue, but we have not found a way to instruct IE to unload the old DLL after upgrade.

Impact:
PWS session does not launch.

Workaround:
After upgrade, if Internet Explorer(IE) does not enter into PWS within 60 seconds, please close IE and start a new session. This is an one time event.


572133-2 : tmsh save /sys ucs command sends status messages to stderr

Component: TMOS

Symptoms:
When you run the tmsh save /sys ucs command, some normal status messages are being sent to stderr instead of stdout. This will be seen if a you are watching stderr for error messages.

Conditions:
There are no conditions, every time the command is run, it will send some status type messages to stderr.

Impact:
If a script runs the command it may report that the save failed because messages were send to stderr.

Workaround:
You can ignore the message "Saving active configuration..." being sent to stderr. It is not an error.

Fix:
The command will send the status messages to stdout.


572086 : Unable to boot v11.6.0 on 7250 or 10250 platforms

Component: TMOS

Symptoms:
Unable to boot or system constantly rebooting.

Conditions:
Booting into v11.6.0 on 7250 or 10250 platform with RAID disk layout.

Impact:
Unable to boot.

Workaround:
None.

Fix:
This version of the software boots boots correctly on 7250 or 10250 platforms with RAID disk layout.


571003-1 : TMM Restarts After Failover

Component: Access Policy Manager

Symptoms:
TMM generates core file and restarts.

Conditions:
1. In a HA pair running pre 11.5.3-HF2 or 11.6.0-HF6, the standby is upgraded to 11.6.0-HF6 EHF 186, 241, 243, or 247. 2. Force failover. 3. A new session is established or an existing session terminated.

Impact:
Serivce is disrupted. All existing sessions are terminated.

Workaround:
None.

Fix:
TMM no longer generates core file and restarts upon upgrade.


570716-3 : Default net ipsec ike-peer anonymous state disable

Component: TMOS

Symptoms:
The default of 'net ipsec ike-peer anonymous state' has been changed from enabled to disabled.

Conditions:
This applies to the 'net ipsec ike-peer anonymous state' setting.

Impact:
In order to use ike-peer anonymous, it must be explicitly enabled.

Workaround:
Set 'net ipsec ike-peer anonymous state' to enable if that is what is desired.

Fix:
The default 'net ipsec ike-peer anonymous state' is disable.

Behavior Change:
The default of 'net ipsec ike-peer anonymous state' has been changed from enabled to disabled.


570617-4 : HTTP parses fragmented response versions incorrectly

Component: Local Traffic Manager

Symptoms:
When a fragmented response is parsed by HTTP, the version field may be incorrectly bounded. HTTP correctly determines the version of the response. However, other filters that re-scan the version field might see a truncated value. The filters then miss-parse the HTTP version.

Conditions:
A fragmented response where the HTTP version field appears in multiple packets. Another filter, for example VDI, re-scans the HTTP version field.

Impact:
The detected version of HTTP may be incorrect. Typically, the response is detected as a HTTP/0.9 response rather than the 1.0 or 1.1 response it actually uses.

Workaround:
None.

Fix:
HTTP correctly bounds the response version for other filters to parse.


570563-2 : CRL is not being imported/exported properly

Component: Access Policy Manager

Symptoms:
CRL assigned as part of Machine Cert Auth is not being imported/exported properly.

Conditions:
This occurs when importing SSL Certificates and Keys using the CRL type. Or when adding the Machine Cert Check agent to import an Access Profile in when creating a New Certificate Authority Profile.

Impact:
Prevents CRL from being exported. Might also impact the import/export of Certificate Authority Profiles.

Workaround:
1. Copy and install the CRL to the other BIG-IP system separately. 2. Modify the exported configuration to use CRL from step 1

Fix:
Import and export of CRL is fully supported.


570535 : Multiple Kernel Vulnerabilities

Component: TMOS

Symptoms:
CVE-2011-5321 CVE-2012-6657 CVE-2013-4483 CVE-2014-3184 CVE-2014-3185 CVE-2014-3611 CVE-2014-3940 CVE-2014-6410 CVE-2014-8160 CVE-2014-9420 CVE-2014-9529 CVE-2014-9584 CVE-2015-1593 CVE-2015-1805 CVE-2015-3636 CVE-2015-5307 CVE-2015-5364 CVE-2015-5366 CVE-2015-7613 CVE-2015-7872 CVE-2015-8104

Conditions:
+--------------------------------------------------------------- RHSA: https://rhn.redhat.com/errata/RHSA-2015-2636.html RHSA: https://rhn.redhat.com/errata/RHSA-2016-0004.html RHSA: https://rhn.redhat.com/errata/RHSA-2015-2645.html Vulnerabilities Fixed: CVE-2015-5307 CVE-2015-8104 * It was found that the x86 ISA (Instruction Set Architecture) is prone to a denial of service attack inside a virtualized environment in the form of an infinite loop in the microcode due to the way (sequential) delivering of benign exceptions such as #AC (alignment check exception) and #DB (debug exception) is handled. A privileged user inside a guest could use these flaws to create denial of service conditions on the host kernel. (CVE-2015-5307, CVE-2015-8104, Important) +--------------------------------------------------------------- RHSA: https://rhn.redhat.com/errata/RHSA-2015-2636.html RHSA: https://rhn.redhat.com/errata/RHSA-2015-1081.html RHSA: https://rhn.redhat.com/errata/RHSA-2015-0864.html RHSA: https://rhn.redhat.com/errata/RHSA-2014-1167.html Vulnerabilities Fixed: CVE-2015-7872 CVE-2014-9529 * It was found that the Linux kernel's keys subsystem did not correctly garbage collect uninstantiated keyrings. A local attacker could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2015-7872, Important) * A race condition flaw was found in the way the Linux kernel keys management subsystem performed key garbage collection. A local attacker could attempt accessing a key while it was being garbage collected, which would cause the system to crash. (CVE-2014-9529, Moderate) +--------------------------------------------------------------- RHSA: https://rhn.redhat.com/errata/RHSA-2015-2636.html RHSA: https://rhn.redhat.com/errata/RHSA-2015-0284.html Vulnerabilities Fixed: CVE-2015-7613 CVE-2013-4483 * A race condition flaw was found in the way the Linux kernel's IPC subsystem initialized certain fields in an IPC object structure that were later used for permission checking before inserting the object into a globally visible list. A local, unprivileged user could potentially use this flaw to elevate their privileges on the system. (CVE-2015-7613, Important) * A flaw was found in the way the ipc_rcu_putref() function in the Linux kernel's IPC implementation handled reference counter decrementing. A local, unprivileged user could use this flaw to trigger an Out of Memory (OOM) condition and, potentially, crash the system. (CVE-2013-4483, Moderate) +--------------------------------------------------------------- RHSA: https://rhn.redhat.com/errata/RHSA-2015-1623.html Vulnerabilities Fixed: CVE-2015-5364 CVE-2015-5366 * Two flaws were found in the way the Linux kernel's networking implementation handled UDP packets with incorrect checksum values. A remote attacker could potentially use these flaws to trigger an infinite loop in the kernel, resulting in a denial of service on the system, or cause a denial of service in applications using the edge triggered epoll functionality. (CVE-2015-5364, CVE-2015-5366, Important) +--------------------------------------------------------------- RHSA: https://rhn.redhat.com/errata/RHSA-2015-1272.html Vulnerabilties Fixed: CVE-2014-3940 CVE-2014-3184 * A flaw was found in the way Linux kernel's Transparent Huge Pages (THP) implementation handled non-huge page migration. A local, unprivileged user could use this flaw to crash the kernel by migrating transparent hugepages. (CVE-2014-3940, Moderate) * Multiple out-of-bounds write flaws were found in the way the Cherry Cymotion keyboard driver, KYE/Genius device drivers, Logitech device drivers, Monterey Genius KB29E keyboard driver, Petalynx Maxter remote control driver, and Sunplus wireless desktop driver handled HID reports with an invalid report descriptor size. An attacker with physical access to the system could use either of these flaws to write data past an allocated memory buffer. (CVE-2014-3184, Low) +--------------------------------------------------------------- RHSA: https://rhn.redhat.com/errata/RHSA-2015-1221.html Vulnerabilities Fixed: CVE-2015-1593 CVE-2011-5321 * An integer overflow flaw was found in the way the Linux kernel randomized the stack for processes on certain 64-bit architecture systems, such as x86-64, causing the stack entropy to be reduced by four. (CVE-2015-1593, Low) * A NULL pointer dereference flaw was found in the way the Linux kernel's virtual console implementation handled reference counting when accessing pseudo-terminal device files (/dev/pts/*). A local, unprivileged attacker could use this flaw to crash the system. (CVE-2011-5321, Moderate) +--------------------------------------------------------------- RHSA: https://rhn.redhat.com/errata/RHSA-2015-1221.html RHSA: https://rhn.redhat.com/errata/RHSA-2015-1643.html Vulnerabilities Fixed: CVE-2015-3636 * It was found that the Linux kernel's ping socket implementation did not properly handle socket unhashing during spurious disconnects, which could lead to a use-after-free flaw. On x86-64 architecture systems, a local user able to create ping sockets could use this flaw to crash the system. On non-x86-64 architecture systems, a local user able to create ping sockets could use this flaw to escalate their privileges on the system. (CVE-2015-3636, Moderate) +--------------------------------------------------------------- RHSA: https://rhn.redhat.com/errata/RHSA-2015-1081.html RHSA: https://rhn.redhat.com/errata/RHSA-2015-0864.html RHSA: https://rhn.redhat.com/errata/RHSA-2014-1997.html Vulnerabilities Fixed: CVE-2015-1805 CVE-2014-9420 CVE-2014-9529 CVE-2014-9584 CVE-2014-6410 CVE-2012-6657 * It was found that the Linux kernel's implementation of vectored pipe read and write functionality did not take into account the I/O vectors that were already processed when retrying after a failed atomic access operation, potentially resulting in memory corruption due to an I/O vector array overrun. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2015-1805, Important) * It was found that the Linux kernel's ISO file system implementation did not correctly limit the traversal of Rock Ridge extension Continuation Entries (CE). An attacker with physical access to the system could use this flaw to trigger an infinite loop in the kernel, resulting in a denial of service. (CVE-2014-9420, Low) * A race condition flaw was found in the way the Linux kernel keys management subsystem performed key garbage collection. A local attacker could attempt accessing a key while it was being garbage collected, which would cause the system to crash. (CVE-2014-9529, Moderate) * An information leak flaw was found in the way the Linux kernel's ISO9660 file system implementation accessed data on an ISO9660 image with RockRidge Extension Reference (ER) records. An attacker with physical access to the system could use this flaw to disclose up to 255 bytes of kernel memory. (CVE-2014-9584, Low) * A stack overflow flaw caused by infinite recursion was found in the way the Linux kernel's UDF file system implementation processed indirect ICBs. An attacker with physical access to the system could use a specially crafted UDF image to crash the system. (CVE-2014-6410, Low) * It was found that the Linux kernel's networking implementation did not correctly handle the setting of the keepalive socket option on raw sockets. A local user able to create a raw socket could use this flaw to crash the system. (CVE-2012-6657, Low) +--------------------------------------------------------------- RHSA: https://rhn.redhat.com/errata/RHSA-2015-0284.html Vulnerabilities Fixed: CVE-2014-3611 CVE-2014-3185 CVE-2014-8160 * A race condition flaw was found in the way the Linux kernel's KVM subsystem handled PIT (Programmable Interval Timer) emulation. A guest user who has access to the PIT I/O ports could use this flaw to crash the host. (CVE-2014-3611, Important) * A memory corruption flaw was found in the way the USB ConnectTech WhiteHEAT serial driver processed completion commands sent via USB Request Blocks buffers. An attacker with physical access to the system could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2014-3185, Moderate) * A flaw was found in the way the Linux kernel's netfilter subsystem handled generic protocol tracking. As demonstrated in the Stream Control Transmission Protocol (SCTP) case, a remote attacker could use this flaw to bypass intended iptables rule restrictions when the associated connection tracking module was not loaded on the system. (CVE-2014-8160, Moderate)

Impact:
Various. See CVE descriptions.

Workaround:
Various. See CVE descriptions.

Fix:
CVE-2011-5321 CVE-2012-6657 CVE-2013-4483 CVE-2014-3184 CVE-2014-3185 CVE-2014-3611 CVE-2014-3940 CVE-2014-6410 CVE-2014-8160 CVE-2014-9420 CVE-2014-9529 CVE-2014-9584 CVE-2015-1593 CVE-2015-1805 CVE-2015-3636 CVE-2015-5307 CVE-2015-5364 CVE-2015-5366 CVE-2015-7613 CVE-2015-7872 CVE-2015-8104


569306-3 : Edge client does not use logon credentials even when "Reuse Windows Logon Credentials" is selected

Component: Access Policy Manager

Symptoms:
User is shown the logon page to connect to VPN after he logs on. Windows logon credentials are not used for VPN automatically.

Conditions:
Connectivity profile has "Reuse Windows Logon Credentials" selected

Impact:
User has to retype his credentials to connect to VPN

Workaround:
Enter the credentials again to connect to VPN

Fix:
Now logged on credentials are used automatically to connect to VPN


569255-3 : Network Access incorrectly manipulates routing table when second adapter being connected if "Allow Local subnet access' is set to ON

Component: Access Policy Manager

Symptoms:
When Network Access is already established and a second network interface is being connected to client system, VPN quickly reconnects, which breaks existing TCP connections. Because reconnect occurs very quickly, it might appear to the user that nothing happened.

Conditions:
-- 'Allow Local subnet access' enabled. -- Client system is getting second network interface connected.

Impact:
Long-standing TCP connection may break, for example, VPN over Network Access.

Workaround:
Disable 'Allow Local subnet access'.

Fix:
Now Network Access remains stable when a second network interface is being connected, so any long-standing TCP connections (such as VPN over Network Access) continue as expected.


567484-5 : BIND Vulnerability CVE-2015-8705

Component: TMOS

Symptoms:
In some versions of BIND, an error can occur when data that has been received in a resource record is formatted to text during debug logging. Depending on the version of BIND in which it is encountered, this error can cause either a REQUIRE assertion failure in buffer.c or an unpredictable crash (e.g. segmentation fault or other termination). (CVE-2015-8705)

Conditions:
See solution article: https://support.f5.com/kb/en-us/solutions/public/k/86/sol86533083.html

Impact:
See solution article: https://support.f5.com/kb/en-us/solutions/public/k/86/sol86533083.html

Workaround:
See solution article: https://support.f5.com/kb/en-us/solutions/public/k/86/sol86533083.html

Fix:
See solution article: https://support.f5.com/kb/en-us/solutions/public/k/86/sol86533083.html


567475-5 : BIND vulnerability CVE-2015-8704

Component: TMOS

Symptoms:
A buffer size check used to guard against overflow could cause named to exit with an INSIST failure In apl_42.c. (CVE-2015-8704)

Conditions:
See solution article: https://support.f5.com/kb/en-us/solutions/public/k/53/sol53445000.html

Impact:
See solution article: https://support.f5.com/kb/en-us/solutions/public/k/53/sol53445000.html

Workaround:
See solution article: https://support.f5.com/kb/en-us/solutions/public/k/53/sol53445000.html

Fix:
See solution article: https://support.f5.com/kb/en-us/solutions/public/k/53/sol53445000.html


566908-5 : Webserver listening on local Wifi or ethernet IP cannot be accessed after VPN with proxy.pac file

Component: Access Policy Manager

Symptoms:
Webserver listening on local Wifi or ethernet IP cannot be accessed after VPN if proxy.pac is defined in a way that forwards all web traffic over VPN.

Conditions:
proxy.pac, network access, OS X system.

Impact:
Local web server is inaccessible if proxy.pac is defined in a way that forwards all traffic over VPN to corporate proxy server.

Workaround:
None.

Fix:
Webserver listening on local Wifi or Ethernet IP can be accessed after VPN even if proxy.pac is defined in a way that forwards all web traffic over VPN to corporate proxy server.


566758-2 : Manual changes to policy imported as XML may introduce corruption for Login Pages

Component: Application Security Manager

Symptoms:
Manual changes to policy imported as XML may introduce corruption for Login Pages. If the expiration period is omitted, the Login Page will be inaccessible.

Conditions:
Expiration period is omitted in hand-crafted XML policy file.

Impact:
The Login Page created as a result is inaccessible in GUI and REST.

Workaround:
Ensure that expiration period exists in XML policy file before import.

Fix:
A policy file, with a missing expiration field, imported as XML is now handled correctly.


565810-2 : OneConnect profile with an idle or strict limit-type might lead to tmm core.

Component: Local Traffic Manager

Symptoms:
OneConnect profile with an idle or strict limit-type might lead to tmm core.

Conditions:
OneConnect profile with a limit-type value of idle or strict.

Impact:
tmm core.

Workaround:
Use a limit-type of 'none'.

Fix:
A OneConnect profile using an idle or strict limit-type no longer causes the tmm to core when attempting to shutdown idle connections.


565765-3 : Flow reporting does not occur for unclassified flows.

Component: Policy Enforcement Manager

Symptoms:
Flow reports are missing for some of the flows.

Conditions:
Flow reporting action has been configured with no classification filter. This was observed for flows that remained unclassified until the very end.

Impact:
If you are using flow reports to track the data usage of the subscriber, the usage will not be accurate.

Workaround:
None.

Fix:
For flows that do not get classified at all, the system now sends out flow reports at the end of the flow. The FLOW_INIT and FLOW_END reports are sent out in this case (that is, there are no FLOW_INTERIM reports). This is correct behavior


565527-3 : Static proxy settings are not applied if NA configuration

Component: Access Policy Manager

Symptoms:
Applications that cannot evaluate PAC file cannot make use of static proxy configuration either.

Conditions:
- Network Access (NA) setting has static proxy configuration. - Application on user's system does not support proxy auto configuration, but does support static proxy configuration.

Impact:
Application cannot make connections if the proxy is required to connect to the destination. This could result in failed connection from that application

Workaround:
None.

Fix:
Static proxy settings are now applied in Network Access configurations. This allow applications that do not support PAC files to work inside the VPN.


565463-2 : ASM-config consumes 1.3GB RAM after repeated Policy Import via REST

Component: Application Security Manager

Symptoms:
Multiple ASM-config processes are running (more than 10) and consuming more than a GB.

Conditions:
ASM provisioned. Repeated policy import via REST.

Impact:
The BIG-IP system might run low on memory and post the following message in /var/log/kern.log: Out of memory: Kill process 22699.

Workaround:
Restart asm - disrupting Restart asm_config_server.pl - non disrupting

Fix:
We modified an operation to limit the number of ASM configuration processes. The operation now reuses processes instead of creating new ones, so the system no longer runs out of memory.


565169 : Multiple Java Vulnerabilities

Component: Centralized Management

Symptoms:
CVE-2015-4734 Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS. CVE-2015-4805 Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serialization. CVE-2015-4806 Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Libraries. CVE-2015-4810 Unspecified vulnerability in Oracle Java SE 7u85 and 8u60 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. CVE-2015-4835 Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA, a different vulnerability than CVE-2015-4881. CVE-2015-4840 Unspecified vulnerability in Oracle Java SE 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via unknown vectors related to 2D. CVE-2015-4842 Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JAXP. CVE-2015-4843 Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. CVE-2015-4844 Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. CVE-2015-4860 Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI, a different vulnerability than CVE-2015-4883. CVE-2015-4871 Unspecified vulnerability in Oracle Java SE 7u85 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Libraries. CVE-2015-4881 Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA, a different vulnerability than CVE-2015-4835. CVE-2015-4882 Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect availability via vectors related to CORBA. CVE-2015-4883 Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI, a different vulnerability than CVE-2015-4860. CVE-2015-4901 Unspecified vulnerability in Oracle Java SE 8u60 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to JavaFX. CVE-2015-4902 Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60 allows remote attackers to affect integrity via unknown vectors related to Deployment. CVE-2015-4903 Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to RMI. CVE-2015-4906 Unspecified vulnerability in Oracle Java SE 8u60 and JavaFX 2.2.85 allows remote attackers to affect confidentiality via unknown vectors related to JavaFX, a different vulnerability than CVE-2015-4908 and CVE-2015-4916. CVE-2015-4908 Unspecified vulnerability in Oracle Java SE 8u60 and JavaFX 2.2.85 allows remote attackers to affect confidentiality via unknown vectors, a different vulnerability than CVE-2015-4906 and CVE-2015-4916. CVE-2015-4916 Unspecified vulnerability in Oracle Java SE 8u60 and JavaFX 2.2.85 allows remote attackers to affect confidentiality via unknown vectors, a different vulnerability than CVE-2015-4906 and CVE-2015-4908. CVE-2015-4868 Unspecified vulnerability in Oracle Java SE 8u60 and Java SE Embedded 8u51 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. CVE-2015-4911 Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allows remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2015-4803 and CVE-2015-4893.

Conditions:
Java.

Impact:
There is no impact; F5 products are not affected by this vulnerability.

Workaround:
None needed.

Fix:
CVE-2015-4734 CVE-2015-4805 CVE-2015-4806 CVE-2015-4810 CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4871 CVE-2015-4881 CVE-2015-4882 CVE-2015-4883 CVE-2015-4901 CVE-2015-4902 CVE-2015-4903 CVE-2015-4906 CVE-2015-4908 CVE-2015-4916 CVE-2015-4868 CVE-2015-4911


564496-3 : Applying APM Add-on License Does Not Change Effective License Limit

Component: Access Policy Manager

Symptoms:
When an add-on license is applied on the active node, the effective license limit is not updated. even though telnet output shows that it is.

Conditions:
1. Set up a high availability (HA) configuration with a base APM license. 2. Apply an APM add-on license to increase Access and CCU license limits.

Impact:
The actual number of sessions that can be established remains unchanged after adding an add-on license.

Workaround:
To make the add-on license effective, run the command: bigstart restart tmm.

Fix:
Applying APM add-on license now increases Access and CCU license limits, as expected.


564493 : Copying an access profile appends an _1 to the name.

Component: Access Policy Manager

Symptoms:
Copying an access profile appends an _1 to the name.

Conditions:
This occurs on every copy operation on an access profile.

Impact:
This is a cosmetic issue that does not impact system functionality.

Workaround:
To workaround this: 1. Copy the profile. 2. Edit bigip.conf to remove the _1 from the profile name. 3. Issue the command: tmsh load sys config.

Fix:
Copying an access profile no longer appends an _1 to the name unless it is needed, for example, when copying a profile whose name already exists.


564427-3 : Use of iControl call get_certificate_list_v2() causes a memory leak.

Component: TMOS

Symptoms:
Use of iControl call get_certificate_list_v2() causes a memory leak.

Conditions:
This occurs when using the Management::KeyCertificate::get_certificate_list_v2 method in iControl.

Impact:
memory leak.

Workaround:
Restarting httpd helps reduce memory, but it must be restarted periodically to clear up the memory issues.

Fix:
Use of Management::KeyCertificate::get_certificate_list_v2 method in iControl no longer causes a memory leak.


564371-2 : FQDN node availability not reset after removing monitoring

Component: Local Traffic Manager

Symptoms:
If you are using FQDN nodes that are being monitored, the node status will remain set to whatever it was before the monitor was removed.

Conditions:
This occurs when removing monitoring from FQDN nodes

Impact:
The expected behavior is that the node status becomes 'unknown'. This could make it so FQDN nodes are permanently marked down or up.

Workaround:
None

Fix:
FQDN node status will now change to Unknown if monitoring is removed.


564263-3 : PEM: TMM asserts when Using Debug Image when Gy is being used

Component: Policy Enforcement Manager

Symptoms:
TMM assert leading to restart.

Conditions:
When a policy P1 is installed over Gx with a reference to rating group R1 and later when an update is received over Gx to remove P1 and add policy P2 which also referring to same rating group R1 then TMM will core when Policy P2 is being removed.

Impact:
TMM restart and disruption of service.

Workaround:
PCRF should make sure add and remove policies are not done in single update.

Fix:
Issue has been fixed now.


564262-4 : Network Access does not work if DNS cannot be resolved on client and PAC file contains DNS resolution code

Component: Access Policy Manager

Symptoms:
Tunnel server component of Edge client crashes, and user cannot establish VPN.

Conditions:
-DNS names cannot be resolved on client system. -PAC file used to determine proxy server uses JavaScript DNS resolution function.

Impact:
Tunnel server crashes and user cannot establish VPN.

Workaround:
Enable DNS resolution on client or do not use DNS resolution JavaScript functions in PAC file.

Fix:
Network Access now works as expected even when DNS cannot be resolved on client and PAC file contains DNS resolution code.


564253-5 : Firefox signed plugin for VPN, Endpoint Check, etc

Component: Access Policy Manager

Symptoms:
Firefox v44.0 and later does not allow loading of Netscape Plugin Application Programming Interface (NPAPI) plugins, which are not signed by Firefox.

Conditions:
Using APM with Firefox v44.0 and later.

Impact:
Firefox v44.0 and later cannot establish network access or perform endpoint checking.

Workaround:
- Use Firefox v43.0 and earlier on all platforms. - Use Safari on Mac systems and Microsoft Internet Explorer on Microsoft Windows systems.

Fix:
Firefox v44.0 through v46.0 can now install F5 Network plugins, perform endpoint checking, and establish network access connections.


563475-3 : ePVA dynamic offloading can result in immediate eviction and re-offloading of flows.

Component: TMOS

Symptoms:
ePVA dynamic offloading can result in immediate eviction and re-offloading of flows. If dynamic offloading is enabled in the fastl4 profile, flows that collide in the ePVA will ping/pong in and out of the ePVA due to immediate eviction and re-offloading. Flows that are evicted due to collisions are reported in the epva_flowstat stats, tot.hash_evict.

Conditions:
A fastl4 profile with PVA Offload Dynamic enabled and two flows that result in a hash collision, resulting in an evicted flow.

Impact:
Flows that collide will be re-offloaded, evicted, and then re-offloaded again within a short time span. It is unknown if there is a direct impact, but in some cases a delay in processing packets on a connection may occur.

Workaround:
Disable PVA Offload Dynamic in the fastl4 profile. Another option would be to disable PVA Flow Evict in the fastl4 profile.

Fix:
The system now handles flows involved in hash collisions such that ePVA dynamic offloading no longer results in immediate eviction and re-offloading of flows.


563474-2 : SNMP F5-BIGIP-APM-MIB::apmPmStatConfigSyncState returns 0 for edited access profile

Component: Access Policy Manager

Symptoms:
F5-BIGIP-APM-MIB::apmPmStatConfigSyncState returns a zero value for an APM access profile that has been edited but not yet applied, which should instead return a non-zero value. config # snmpwalk -v2c 127.0.0.1 -c public F5-BIGIP-APM-MIB::apmPmStatConfigSyncState F5-BIGIP-APM-MIB::apmPmStatConfigSyncState."/Common/my-test-access" = Counter64: 0

Conditions:
The access profile has been edited but not yet applied.

Impact:
SNMP users cannot discriminate the status of an APM access profile: applied or not applied.

Workaround:
None available.

Fix:
F5-BIGIP-APM-MIB::apmPmStatConfigSyncState now returns the correct non-zero value.


563237 : ASM REST: name for ipIntelligenceReference is incorrect

Component: Application Security Manager

Symptoms:
The reference name for a Security Policy's ip-intelligence configuration is not consistent with F5 REST standards; which dictate that a reference name starts with a lower case letter. In the return for a policy resource the following is seen: ... 'IpIntelligenceReference': { 'link': 'https://localhost/mgmt/tm/asm/policies/<POLICY ID>/ip-intelligence' ... This should be 'ipIntelligenceReference' This has already been corrected in versions 12.0.0 and later.

Conditions:
ASM REST is used to access IP Intelligence for Security Policies.

Impact:
Reference names are inconsistent and confusing.

Workaround:
If an API client wishes to $expand the resource wanted in a way that works against all versions, the pre-expanded name can be used. ?$expand=ip-intelligence

Fix:
We corrected an inconsistent reference name. 'IpIntelligenceReference' is now 'ipIntelligenceReference'.


562959-2 : In some error scenarios, IPsec might send packets not intended for the IPsec over the tunnel.

Component: TMOS

Symptoms:
In some error scenarios, IPsec might send packets not intended for the IPsec over the tunnel.

Conditions:
This occurs when there is some issue processing the packet going through IPsec tunnel.

Impact:
Tmm restart without core due to internal connection timeout.

Workaround:
None.

Fix:
IPsec now only sends packets intended for IPsec over the tunnel.


562928 : Curl connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled

Component: TMOS

Symptoms:
Certain url connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled with 'curl: (7) couldn't connect to host' error.

Conditions:
Using curl command with'--local-port' option causes the connections to fail on the BIG-IP system.

Impact:
TCP connections do not complete the three way handshake and traffic does not pass.

Workaround:
Disabling 'cmp' option in virtual server secures the traffic over IPsec tunnels.

Fix:
Using curl command with'--local-port' option no longer causes the connections to fail on the BIG-IP system.


562775-2 : Memory leak in iprepd

Component: Application Security Manager

Symptoms:
The IP reputation daemon (iprepd) has a small leak of around ~8 to ~16 bytes every 5 minutes.

Conditions:
This occurs when the BIG-IP box is licensed with IPI Subscription, and iprepd is running.

Impact:
Memory increases slowly until the kernel out-of-memory kills the iprepd process.

Workaround:
None.

Fix:
This release fixes a memory leak in the IP reputation daemon (iprepd).


562308-2 : FQDN pool members do not support manual-resume

Component: Local Traffic Manager

Symptoms:
FQDN pool members do not support manual-resume, but allow its configuration.

Conditions:
Attempting to use manual-resume for FQDN pool members.

Impact:
FQDN pool members do not honor manual-resume setting.

Workaround:
Do not configure manual-resume on FQDN pool members.

Fix:
FQDN pool members do not support manual-resume, and BIG-IP no longer allows its configuration.


562292-1 : Nesting periodic after with parking command could crash tmm

Component: Local Traffic Manager

Symptoms:
If an iRule contains a periodic after command, and within this there is another periodic after command whose contents park, it can lead to tmm crashes.

Conditions:
A periodic after command is used, and within this there is another periodic after command whose contents park.

Impact:
tmm crashes.

Workaround:
Do not nest after commands with parking command.

Fix:
TMM no longer crashes with iRules that contain a periodic after command, which itself contains a periodic after command whose contents park. These iRules now complete as expected.


562122-5 : Adding a trunk might disable vCMP guest

Component: TMOS

Symptoms:
If a vCMP guest is running when a trunk is added, the guest might fail until vCMP is restarted.

Conditions:
-- vCMP guest running -- Trunk added.

Impact:
Guest failure. vCMP restart required.

Workaround:
Restart vCMP.

Fix:
Adding a trunk no longer disables vCMP guests.


561976 : Values of high-water and low-water mark for 'apd' pending request queue might not handle requests completely.

Component: Access Policy Manager

Symptoms:
Under heavy authentication requests from tmm with a slow or down back-end authentication server, the apd accept connection queue could get full, resulting in apd logs: AD module: authentication with ‘1439805563539620’ failed: Too many open files

Conditions:
- Incoming authentication request to apd (from tmm) is very high. - Back-end authentication server is slow or down.

Impact:
Authentication failures; might bring authentication rate down to zero.

Workaround:
Adjust the value of connhwm, connlwm and soconnmax values using tmsh commands. - To set the value to 1024, use the following command: sysctl -w net.core.somaxconn=1024. - Change Low water mark first using the following command: tmsh modify sys db apm.apd.connlwm value 480. - Change highwater mark next using the following command: tmsh modify sys db apm.apd.connhwm value 512.

Fix:
Values of high-water and low-water mark for the 'apd' pending request queue now handle requests as expected.


561433-3 : TMM Packets can be dropped indiscriminately while under DOS attack

Component: Advanced Firewall Manager

Symptoms:
When we have a loaded tmm which cannot consume packets fast enough, then packets could be dropped while DMAing from the HW.

Conditions:
This could happen for a variety of reasons which cause tmm to be loaded.

Impact:
Packets will be dropped indiscriminately.

Workaround:
none

Fix:
We've now added a sys db tunable (sys db dos.scrubtime) which can be set to drop DoS attack packets in HW more aggressively. This will prevent other non-attack packets from being dropped indiscriminately.


560962-2 : OpenSSL Vulnerability CVE-2015-3196

Component: TMOS

Symptoms:
ssl/s3_clnt.c in OpenSSL 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1p, and 1.0.2 before 1.0.2d, when used for a multi-threaded client, writes the PSK identity hint to an incorrect data structure, which allows remote servers to cause a denial of service (race condition and double free) via a crafted ServerKeyExchange message. (CVE-2015-3196)

Conditions:
See solution article: https://support.f5.com/kb/en-us/solutions/public/k/55/sol55540723.html

Impact:
See solution article: https://support.f5.com/kb/en-us/solutions/public/k/55/sol55540723.html

Workaround:
See solution article: https://support.f5.com/kb/en-us/solutions/public/k/55/sol55540723.html

Fix:
See solution article: https://support.f5.com/kb/en-us/solutions/public/k/55/sol55540723.html


560948-2 : OpenSSL vulnerability CVE-2015-3195

Component: TMOS

Symptoms:
OpenSSL mishandles errors caused by malformed X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive information from process memory by triggering a decoding failure in a PKCS#7 or CMS application.

Conditions:
Use of the OpenSSL command line tool by users with advanced shell access.

Impact:
The BIG-IP / BIG-IQ / Enterprise Manager system does not accept untrusted input that would match the type required to exploit this vulnerability. This vulnerability is exposed on the BIG-IP / BIG-IQ / Enterprise Manager only when the OpenSSL utility is used from the BIG-IP / BIG-IQ / Enterprise Manager command line to process PKCS or CMS applications.

Workaround:
To mitigate this vulnerability, you should limit command line access to only trusted users.

Fix:
Resolved OpenSSL vulnerability CVE-2015-3195.


560685 : TMM may crash with 'tmsh show sys conn'.

Component: Local Traffic Manager

Symptoms:
Although unlikely, the 'tmsh show sys conn' command may cause the tmm process to crash when displaying connections.

Conditions:
Although the conditions under which this occurs are not well understood, this is a rarely occurring issue.

Impact:
The tmm restarts.

Workaround:
The only workaround is to not issue the command: tmsh show sys conn.

Fix:
Running the command 'tmsh show sys conn' no longer causes TMM to crash when displaying connections.


560607-3 : Resource Limitation error when removing predefined policy which has multiple rules

Component: Policy Enforcement Manager

Symptoms:
Resource Limitation error when removing a predefined policy which has multiple rules referring to the same rating group.

Conditions:
- Gx and Gy are configured for the session - All rules refer to the same rating group

Impact:
Unable to remove an existing policy

Workaround:
none

Fix:
Policies can be removed and updated regardless of rules or rating group limitations.


560423-2 : VxLAN tunnel IP address modification is not supported

Component: TMOS

Symptoms:
VxLAN tunnel local and remote tunnel IP address change is not supported.

Conditions:
If a user tries to change the local and/or remote tunnel IP address, the configuration handler will fail the configuration change.

Impact:
The user must delete and recreate the VxLAN tunnel in order to change the tunnel local and/or remote address. Tunnel deletion also requires removing references to the tunnel, for example the tunnel self IP address and routes pointing to the tunnel, before the tunnel can be deleted. Those self IP addresses and routes must be re-added after recreating the tunnel with changed IP address parameters. This can be error-prone, especially if the number of tunnels is extremely large.

Workaround:
Delete existing VxLAN tunnel, and add a new tunnel with the modified tunnel IP address parameters.

Fix:
Modifying VxLAN tunnel IP addresses now works. Only tunnels that have been created with a multicast flooding type and have a multicast remote IP address are supported.


560220-1 : Missing partition and subPath fields for some objects in iControl REST

Component: TMOS

Symptoms:
When using iControl REST, the return output of some objects does not include the partition and subPath properties. Also the name property contains the full path instead of only the object name.

Conditions:
This occurs when running BIG-IP systems with 11.6.0 HF6 installed.

Impact:
This breaks custom scripts that rely on those properties.

Workaround:
Do not use custom scripts to gather the partition and subPath properties of objects on BIG-IP systems with 11.6.0 HF6 installed.


560180-2 : BIND Vulnerability CVE-2015-8000

Component: TMOS

Symptoms:
An error in the parsing of incoming responses allows some records with an incorrect class to be accepted by BIND instead of being rejected as malformed. This can trigger a REQUIRE assertion failure when those records are subsequently cached. Intentional exploitation of this condition is possible and could be used as a denial-of-service vector against servers performing recursive queries. (CVE-2015-8000)

Conditions:
See solution article: https://support.f5.com/kb/en-us/solutions/public/k/34/sol34250741.html

Impact:
See solution article: https://support.f5.com/kb/en-us/solutions/public/k/34/sol34250741.html

Workaround:
See solution article: https://support.f5.com/kb/en-us/solutions/public/k/34/sol34250741.html

Fix:
See solution article: https://support.f5.com/kb/en-us/solutions/public/k/34/sol34250741.html


559933-2 : tmm might leak memory on vCMP guest in SSL forward proxy

Component: Local Traffic Manager

Symptoms:
In SSL forward proxy configuration on vCMP guest tmm might slowly leak memory when subjected to SSL Hello messages containing server name extension (SNI) that is not configured on the virtual server.

Conditions:
This occurs with the following conditions are met: -- SSL forward proxy configuration. -- SSL hello with SNI extension.

Impact:
tmm might leak memory

Workaround:
None.

Fix:
tmm no longer leaks leak memory on the vCMP guest in SSL forward proxy configurations.


559584-2 : tmsh list/save configuration takes a long time when config contains nested objects.

Component: TMOS

Symptoms:
A configuration containing a number of nested objects takes a long time to list or save. For example, the tmsh listing time for a ~2 MB config can exceed 30 seconds.

Conditions:
Following is an example of nested objects in a config. If the config contains thousands of such virtual servers, it might take longer than 30 seconds to run either of the following commands: -- tmsh list ltm virtual. -- tmsh save config. ltm virtual vs { destination 10.10.10.10:http ip-protocol tcp mask 255.255.255.255 profiles { ::: nested object http { } http_security { } tcp { } } source 0.0.0.0/0 translate-address enabled translate-port enabled vs-index 26 } .

Impact:
When commands take longer than 30 seconds to complete, iControlREST times out.

Workaround:
None.

Fix:
A configuration containing a number of nested objects no longer takes a long time to list or save, so iControlREST no longer times out. Note: You might still encounter this issue in configurations that have greater than ~6000 nested objects, which is the largest number tested.


559382-1 : Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers

Component: Policy Enforcement Manager

Symptoms:
CCR-I requests from PEM to PCRF contain subscriber ID type is set to 6 (UNKNOWN) for DHCP subscribers instead of NAI.

Conditions:
Occurs for DHCP discovered subscribers on a BIG-IP that uses a PCRF for policy determination.

Impact:
May impact the way policies are provided from the PCRF.

Workaround:
none

Fix:
Subscrbier ID type is marked as NAI for DHCP discovered subscribers.


558870-3 : Protected workspace does not work correctly with third party products

Component: Access Policy Manager

Symptoms:
1) Internet Explorer and Firefox cannot be launched in Windows protected workspace if Norton Internet Security 22.x is present on user's machines. 2) Microsoft OneDrive does not work correctly inside protected workspace.

Conditions:
Norton Internet Security 22.x is installed on user's desktop. Protected workspace is used.

Impact:
User cannot launch Internet Explorer or Firefox inside protected workspace. Files cannot be synced to OneDrive.

Workaround:
There is no workaround.

Fix:
User can now launch Internet Explorer or Firefox inside protected workspace.


558642-1 : Cannot create the same navigation parameter in two different policies

Component: Application Security Manager

Symptoms:
Cannot create the same navigation parameter in two different policies. A validation issue blocks the user from adding a navigation parameter that is already defined in a different security policy.

Conditions:
This occurs after adding navigation parameter X to one policy, and then attempting to add the same parameter to another policy.

Impact:
Cannot add navigation parameter X to another policy after adding it to the first policy.

Workaround:
None.

Fix:
The system now supports adding the same navigation parameter to different security policies.


558631-2 : APM Network Access VPN feature may leak memory

Component: Access Policy Manager

Symptoms:
VPN connections may cause memory usage to increase with the memory never being reclaimed.

Conditions:
The APM Network Access feature is configured and VPN connections are being established.

Impact:
Slow memory leak over time with eventual out-of-memory condition, performance degradation, and traffic outage.

Workaround:
No workaround short of not using the APM Network Access feature.

Fix:
The APM Network Access VPN feature no longer leaks memory.


558573-2 : MCPD restart on secondary blade after updating Pool via GUI

Component: TMOS

Symptoms:
If you use the LTM GUI in a clustered environment to add an IP Encapsulation profile to a Pool, then click Update, mcpd and other daemons may restart on secondary blades in the cluster. When this occurs, errors similar to the following will be logging from the secondary blades: -- err mcpd[22537]: 01020036:3: The requested pool profile (49825) was not found. -- err mcpd[22537]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested pool profile (49825) was not found.

Conditions:
This problem may occur when operating BIG-IP in a clustered environment (VIPRION), and using the GUI to update the properties of an LTM pool with an IP Encapsulation profile defined.

Impact:
Daemon restarts, disruption of traffic passing on secondary blades.

Workaround:
Perform pool updates via the tmsh command-line utility.

Fix:
Pool profile update is performed by name rather than object ID, so MCPD no longer restarts on secondary blade after updating a pool using the GUI.


558517-3 : Upgrading results in additional escaping for monitor send/recv strings in /config/bigip.conf.

Component: Local Traffic Manager

Symptoms:
Upgrading results in additional escaping for monitor send/recv strings in /config/bigip.conf. After upgrading the bigip.conf still has the old #TMSH-VERSION header. This is behavior is an intended behavior in 12.1.0, so it is not a bug; the configuration is still loaded in memory properly. The TMSH-VERSION string will be updated the next time a save sys config command is issued.

Conditions:
This occurs only when upgrading BIG-IP software in the following situations: -- From 11.6.0 base version, or from 11.6.0 HF1 through 11.6.0 HF5 (or any engHF built on these versions) to final 11.6.0 HF6. -- From 11.5.3 base version, or from 11.5.3 HF1 or 11.5.3 HF2 (or any engHF for these versions) to 11.5.3 HF2 engHF2 or 11.5.3 HF2 engHF45.

Impact:
Monitors send/recv strings contain extra escape characters, for example: \\r, \\n etc. Post upgrade the monitors containing escaped characters will fail.

Workaround:
Manually/by script remove the additional escaping within the send/recv strings.

Fix:
The system no longer appends extra escape characters to monitor send/receive strings after upgrading.


558053-2 : Pool's 'active_member_cnt' attribute may not be updated as expected.

Component: Local Traffic Manager

Symptoms:
If a pool has no associated monitors, new pool members added to the pool do not increment the active_member_cnt even if traffic will be passed to it. In other cases, for FQDN pool members, the active_member_cnt does not update in user-down scenarios, or other state transitions.

Conditions:
1) Configure a pool without a monitor, and make use of an iRule that attempts to use the 'active_member_cnt' attribute. 2) Configure a pool with FQDN nodes and change the state to user-down, and check the active_member_cnt via an iRule or GUIshell.

Impact:
Although this does not impact load balancing and is not visible in the GUI or tmsh, it is exposed as a consumable attribute in iRules, which can impact your scripts.

Workaround:
member_count returns total members with no status information.

Fix:
Pool's 'active_member_cnt' attribute is now updated as expected, even for pools that have no assigned monitors.


557783-2 : TMM generated traffic to external IPv6 global-addr via ECMP routes might use link-local addr

Component: Local Traffic Manager

Symptoms:
TMM might use a link-local IPv6 address when attempting to reach an external global address for traffic generated from TMM (for example, dns resolver, sideband connections, etc.).

Conditions:
- ECMP IPv6 routes to a remote destination where the next hop is a link local address. Typically this occurs with dynamic routing. - Have configured a virtual server that generates traffic from TMM (for example, dns resolver, sideband connections, etc.).

Impact:
Traffic might fail as its egresses from a link-local address instead of a global address.

Workaround:
It might be possible to work around if the dynamic routing peer can announce the route from a global address instead of a link local. Use of static routes might also work around the issue.

Fix:
TMM now uses the correct IPv6 global address when generating traffic to a remote address using ECMP routes via link-local next-hops.


557680-1 : Fast successive MTU changes to IPsec tunnel interface crashes TMM

Component: TMOS

Symptoms:
Changing IPsec tunnel interface MTU attribute repeatedly in quick succession, TMM cores. This can occur whether or not traffic has flowed through the tunnel.

Conditions:
The issue occurs when the IPsec tunnel interface attributes has its configuration modified quickly and repeatedly.

Impact:
TMM cores. This might result in site unavailability.

Workaround:
Change IPsec tunnel interface attributes at a rate of speed that allows each configuration modification to complete.

Fix:
TMM no longer cores if users quickly and repeatedly change interface attributes (for example, the MTU interface attribute).


557675-3 : Failover from PEM to PCRF can cause session lookup inconsistency

Component: Policy Enforcement Manager

Symptoms:
A small number of PEM sessions can be looked up only by their session-ip, but not by their subscriber-id.

Conditions:
Using PEM, failover to PCRF.

Impact:
Fails to find sessions needed for traffic processing.

Workaround:
none

Fix:
The code change provides an internal fixup for incorrect sessions.


557645-3 : On VIPRION 2200 and 2400 platforms, internal HA communication between devices will occasionally fail.

Component: Local Traffic Manager

Symptoms:
Internal device-to-device communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.

Conditions:
Using VIPRION 2200 and 2400 platforms with more than one blade, when there is a mismatch between how the software and how the hardware selects the IP addresses, hosts, VLANs, etc., to communicate with local host processes. Some selections of IP addresses and config sync VLANs have not exhibited issues; in others the issue is more pervasive.

Impact:
Periodic reported failures in host-to-host communication. This could affect representation in the GUI, config sync, and other HA related communication. Depending on configurations, some percentage of these might fail on VIPRION 2200 and 2400 platforms with more than one blade.

Workaround:
None.

Fix:
Host communication on VIPRION 2200 and 2400 platforms behaves the same as host communication on non-VIPRION 2200 and 2400 platforms, as expected.


557519 : TMM may core when disabling HTTP in an iRule on a virtual server with HTTP and FastL4 profiles

Component: Local Traffic Manager

Symptoms:
In certain scenarios TMM may core if disabling HTTP in CLIENT_ACCEPTED on a virtual server that is configured with FastL4 and HTTP profiles.

Conditions:
-- Virtual server configured with HTTP and Fast L4 profiles. -- iRule attached to the VIP that disables HTTP in CLIENT_ACCEPTED event. -- Traffic is reset abruptly while passing through this VIP.

Impact:
TMM may core and the systems may failover.

Workaround:
Several options exist: - Use TCP and HTTP profiles instead of Fast L4. - Do not disable the HTTP profile via iRules.

Fix:
TMM no longer cores when handling traffic on FastL4/HTTP virtual servers that disable HTTP via iRules.


556568-2 : TMM can crash with ssl persistence and fragmented ssl records

Component: Local Traffic Manager

Symptoms:
Unusual fragmented ssl records may be handled incorrectly resulting in tmm crash.

Conditions:
Ssl persistence and fragemented ssl records.

Impact:
TMM crash, leading to possible network outage.

Workaround:
Possibly switch to different persistence type.

Fix:
The error in parsing fragmented ssl records has been resolved.


556560-2 : DNS messages may become malformed if the Additional section contains an OPT record followed by multiple records.

Component: Local Traffic Manager

Symptoms:
DNS messages which contain an OPT record followed by more than one record in the additional section will become malformed when they pass through a virtual with an assigned DNS profile.

Conditions:
A DNS message contains and OPT record in the Additional section, the message is compressed, and more than one record follow the OPT record.

Impact:
This issue impacts all DNS messages that contain an OPT record followed by more than one record. The DNS handling code expects a message containing an OPT record to have 0 or 1 TSIG record following the OPT record in the additional record section of a message. The RFCs permit the OPT record to be placed anywhere in the additional record section of a DNS message, with the exception of a TSIG record. If a TSIG record is present, it must always be last. If no TSIG record is present, then an OPT record can be last. The RFCs do not restrict a query from containing records in the additional record section of the message. When a DNS query or response is passed through the TMM DNS message handler, and that message contains an OPT record followed by more than one record, and those records that follow the OPT record contain compression pointers to other records that also follow the OPT record, then the message becomes mangled.

Workaround:
Disable DNS compression on the resolver, or configure the resolver to place OPT records at the end of the additional section (except TSIG records which must always be last).

Fix:
DNS messages which contain a record other than TSIG following an OPT record in the additional record section will be transformed in the message handler and the message inspection will be restarted. The transformation involves safely moving the OPT record to be last or second-to-last (in the presence of a TSIG record) position of the additional record section. 'Safely' means updating the relevant compression pointers. The subsequent code paths which depend on the OPT record's position now work as expected.


556383-1 : Multiple NSS Vulnerabilities

Component: TMOS

Symptoms:
Mozilla Network Security Services vulnerabilities CVE-2015-7181, CVE-2015-7182, and CVE-2015-7183.

Conditions:
CVE-2015-7181 The sec_asn1d_parse_leaf function in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, improperly restricts access to an unspecified data structure, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted OCTET STRING data, related to a "use-after-poison" issue. CVE-2015-7182 Heap-based buffer overflow in the ASN.1 decoder in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted OCTET STRING data. CVE-2015-7183 Integer overflow in the PL_ARENA_ALLOCATE implementation in Netscape Portable Runtime (NSPR) in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.

Impact:
When these vulnerabilities are exploited, an attacker may be able to cause a denial-of-service (DoS) attack or execute arbitrary code. While this vulnerable code exists in BIG-IP, BIG-IQ, and Enterprise Manager products, the use case is limited for affected NSS libraries. There are no known remote access vectors, and local exposure is limited. To trigger an attack using a custom binary, an attacker would need to have directly logged in to the BIG-IP, BIG-IQ, or Enterprise Manager system using a shell.

Workaround:
Only permit management access to F5 products over a secure network, and limit shell access to trusted users.

Fix:
Applied Mozilla Network Security Services vulnerabilities patches for CVE-2015-7181, CVE-2015-7182, and CVE-2015-7183.


556380-2 : mcpd can assert on active connection deletion

Component: TMOS

Symptoms:
When all of the peers in an HA / DSC configuration are removed, then it is possible for the connection tear down to result in an assert.

Conditions:
Removal of all peers while a connection is handling a transaction.

Impact:
MCPD asserts and restarts.

Workaround:
No workaround is necessary. MCPD restarts.

Fix:
Connection tear down checks for active connections and does not result in an assert when removing all peers while a connection is handling a transaction.


556284-5 : iqsyncer: GTM/LC config sync failure with error from local mcpd Monitor parent not found

Component: TMOS

Symptoms:
GTM/LC config sync fails with error in /var/log/gtm and /var/log/ltm similar to the following: Monitor /Common/my_http_monitor parent not found

Conditions:
There is a customized GTM monitor on one member of a high availability configuration, but not on others.

Impact:
Config sync fails. On the device that does not have the monitor, the system logs a parent-not-found message into /var/log/gtm.

Workaround:
None.

Fix:
GTM/LC sync now completes successfully even when the configuration being sync'd contains a custom GTM/LC monitor definition.


556103-3 : Abnormally high CPU utilization for external monitors

Component: Local Traffic Manager

Symptoms:
High CPU utilization for external monitors that use SSL.

Conditions:
External monitor using SSL.

Impact:
Abnormally high CPU utilization.

Workaround:
None.

Fix:
This release improves the handling of external monitors that use SSL so that CPU utilization no longer increases.


555686-5 : Copper SFPs OPT-0015 on 10000-series appliance may cause interfaces to not come up and/or show corrupted serial numbers

Component: TMOS

Symptoms:
Some OPT-0015 copper small form-factor pluggable (SFP) transceiver might cause an internal bus to hang.

Conditions:
This happens only when the following conditions are met: -- 10000-series appliances. -- At reboot, at a restart of the bcm56xxd daemon, or when a copper SFP is enabled or disabled. -- There is at least one copper SFP present in the appliance. -- Interfaces are spread between hardware muxes. That means some SFPs are in ports 1.1-1.8 and other SFPs are in ports 1.9-1.16.

Impact:
Corrupted serial number information from SFPs, and fiber SFPs may not come up. Enable and disable of copper SFPs may not work.

Workaround:
None.

Fix:
The system now ensures that the I2C bus muxes only enable a single interface, so the issue with interfaces on Copper SFPs OPT-0015 on 10000-series appliances no longer occurs.


555507-2 : Under certain conditions, SSO plugin can overrun memory not owned by the plugin.

Component: Access Policy Manager

Symptoms:
Under certain conditions, SSO plugin can overrun memory not owned by the plugin. Symptoms could be different based on the owner of overrun memory.

Conditions:
This occurs when the following conditions are met: 1. The BIG-IP system is configured and used as SAML Identity Provider. 2. Single Logout (SLO) protocol is configured on an attached SP connector. 3. At least one user executed SAML WebSSO profile.

Impact:
Symptoms might differ based on the owner of overrun memory. Potentially, tmm could restart as a result of this issue.

Workaround:
Disable SAML SLO: remove SLO request and SLO response URLs from configuration in appropriate SAML SP connectors.

Fix:
SSO plugin no longer overruns memory not owned by the plugin, so the system supports the following configuration without memory issues: The BIG-IP system is configured and used as a SAML Identity Provider. Single Logout (SLO) protocol is configured on the attached Service Provider (SP) connector. At least one user executed SAML webSSO profile.


555457-5 : Reboot is required, but not prompted after F5 Networks components have been uninstalled

Component: Access Policy Manager

Symptoms:
Attempt to establish a VPN connection from a Windows 10, Windows 8.1, Windows 7, or Vista desktop fails if F5 Networks components have been removed previously and the desktop was not rebooted. Typically this issue can be identified by these log records: <snip> DIALER, 48, \driverstatechecker.cpp, 10, dump, WAN Miniport (SSTP) DIALER, 48, \driverstatechecker.cpp, 10, dump, WAN Miniport (SSTP) DIALER, 48, \driverstatechecker.cpp, 10, dump, F5 Networks VPN Adapter <--- Two F5 Devices DIALER, 48, \driverstatechecker.cpp, 10, dump, F5 Networks VPN Adapter (7) <--- Two F5 Devices DIALER, 48, \driverstatechecker.cpp, 155, GetVPNDriverRASDeviceName, found device, F5 Networks VPN Adapter <snip> DIALER, 1, \urdialer.cpp, 1573, CURDialer::OnRasCallback(), RAS error (state=RASCS_OpenPort, error=633: The modem (or other connecting device) is already in use or is not configured properly.)

Conditions:
Windows desktop. Existing F5 components uninstalled. Reboot was not performed after uninstall.

Impact:
End users cannot establish a VPN connection from Windows-based clients.

Workaround:
Reboot the affected Windows desktop.

Fix:
After F5 Networks components have been uninstalled, the system does not require reboot, and uses the latest installed software-device for VPN, as expected.


555435-2 : AD Query fails if cross-domain option is enabled and administrator's credentials are not specified

Component: Access Policy Manager

Symptoms:
AD Query fails in cross-domain environment, when AAA AD Server has no administrator credentials configured and user's logon name is different from pre-win2k name

Conditions:
- AD Query is configured in an Access Policy. - The administrator's credentials are not specified at AAA AD Server configuration page (that is in use by AD Query). - The domain logon name is different from pre-win2k name.

Impact:
AD Query fails

Workaround:
The administrator should provide AD administrator credentials at AAA AD Server configuration page.

Fix:
AD Query now completes as expected if cross-domain option is enabled and administrator's credentials are not specified.


555369-3 : CGNAT memory leak when non-TCP/UDP traffic directed at public addresses

Component: Carrier-Grade NAT

Symptoms:
When rejecting non-TCP/UDP inbound traffic a small amount of memory is leaked with each packet. Depending on the volume of such traffic this may be a slow or fast leak.

Conditions:
CGNAT configured with inbound connections enabled or hairpinning enabled Non-TCP/UDP traffic with a destination in the LSN Pool address space

Impact:
TMM might eventually run out of available memory. The aggressive mode sweeper might be triggered, causing connections to be killed. Eventually TMM restarts.

Workaround:
None.

Fix:
This release fixes a memory leak that occurred When rejecting non-TCP/UDP inbound traffic.


555057-3 : ASM REST: Removing a Signature Set From One Security Policy Removes It From All Security Policies.

Component: Application Security Manager

Symptoms:
When using ASM REST to remove a signature set association from a policy (DELETE), the set is removed from all policies in the system.

Conditions:
ASM REST is used to remove a signature set association from a policy. DELETE /mgmt/tm/asm/policies/<ID>/signature-sets/<ID>

Impact:
All policies will lose their association to that signature set. This may leave some policies not enforcing all the Attack Signatures that they are expected to.

Workaround:
A DELETE can be issued to the collection endpoint: /mgmt/tm/asm/policies/<ID>/signature-sets utilizing the $filter parameter to delete only the desired sets. Ex. DELETE /mgmt/tm/asm/policies/<ID>/signature-sets?$filter=id eq '<ID>'

Fix:
When using ASM REST to remove a signature set association from a policy (DELETE), the signature set association is removed only from the desired policy and not from all policies in the system.


555006-3 : ASM REST: lastUpdateMicros is not updated when changing a Custom Signature

Component: Application Security Manager

Symptoms:
The lastUpdateMicros field is meant to be updated if a user changes a custom signature, but it is not.

Conditions:
REST client is used to look at/filter the signatures collection (/mgmt/tm/asm/sigantures)

Impact:
Checking for updated signatures does not return the expected result.

Workaround:
None.

Fix:
REST: The lastUpdateMicros field is now correctly updated after updating a user defined signature.


554993-2 : Profile Stats Not Updated After Standby Upgrade Followed By Failover

Component: Access Policy Manager

Symptoms:
1. The current active sessions, current pending sessions, and current established sessions counts shown in commands 'tmsh show /apm profile access' and 'tmctl profile_access_stat' become zero after failover. 2. The system posts an error message to /var/log/apm: 01490559:3: 00000000: Access stats encountered error: SessionDB operation failed (ERR_NOT_FOUND).

Conditions:
This issue happens when the following conditions are met: 1. The HA configuration is running a release prior to 11.5.3 HF2, 11.6.0 HF6, or 12.0.0. 2. A standby unit is upgraded to version 11.5.3 HF2, 11.6.0 HF6, or 12.0.0. 3. Failover is triggered.

Impact:
The current active sessions, current pending sessions, and current established sessions counts of profile access stats remain zero after failover.

Workaround:
Upgrade all devices in the HA configuration to the same release and reboot them simultaneously.

Fix:
The current active sessions, current pending sessions, and current established sessions counts of profile access stats now report correctly after failover.


554967-3 : Small Client EDNS0 Limits can Sometimes Truncate DNSSEC or iRule DNS Packets

Component: Local Traffic Manager

Symptoms:
A resolver sending a query with a small EDNS0 UDP buffer limit can lead to packet truncation. These response packets are flagged as truncated in the header, but the OPT record might be cut/missing leading some resolvers to consider the packet malformed.

Conditions:
Primarily via dynamic settings such as iRules on DNS_RESPONSE events adding new records, or DNSSEC record signing with responses over UDP.

Impact:
Some resolvers regard OPT-less truncated packets as malformed and cease follow-up requests via TCP or a larger EDNS0 UDP limit.

Workaround:
none

Fix:
Truncated DNSSEC or iRule DNS packets are RFC-compliant.


554899-2 : MCPD core with access policy macro during config sync in HA configuration

Component: Access Policy Manager

Symptoms:
In high availability config sync, the destination mcpd might crash if the user does the following steps: 1. Manually edit bigip.conf file at source to remove an access policy item (my-ap-1_mac_mymac1) that calls a macro, from the original access policy (my-ap-1) to another access policy (my-ap-2); 2. Load the modified config into running config; 3. Delete the original access policy (my-ap-1) before manually starting the config sync. The modified source configuration is sent to the destination during the manual incremental config sync, resulting in destination mcpd logging an error message: err mcpd[5441]: 01020036:3: The requested access_policy_name (/Common/my-ap-1) was not found. Immediately following the error message, the destination mcpd will crash and generate a core file.

Conditions:
Config sync is manual incremental, and the user manually edits /config/bigip.conf to modify the source configuration such that an access policy item with a macrocall is removed from the original access policy to another access policy, and then the original access policy is deleted, all before the manual config sync is started.

Impact:
During config sync, the destination BIG-IP system's mcpd crashes and restarts.

Workaround:
After removing the access policy item with a macrocall from the original access policy to another access policy and loading into the source running the configuration, do not delete the original access policy. Instead, start the config sync right away. After this first config sync is successful, delete the original access policy at the source, and then start the second config sync to finish the operation.

Fix:
MCPD no longer cores with access policy macro during config sync in high availability configuration.


554774-2 : Persist lookup across services might fail to return a matching record when multiple records exist.

Component: Local Traffic Manager

Symptoms:
Persist lookup across services might fail to return a matching record when multiple records exist.

Conditions:
Persistence profile with 'match-across-services' enabled, and the configuration contains multiple records that correspond to the same pool.

Impact:
Connection routed to unexpected pool member.

Workaround:
None.

Fix:
The operation now continues searching persistence records when 'match-across-services' is enabled until the operation finds a record that corresponds to the same pool.


554769-4 : CPM might crash when TCLRULE_HTTP_RESPONSE is triggered.

Component: Local Traffic Manager

Symptoms:
TMM might crash if CONNFLOW_FLAG_L7_POLICY is not set in the connection flow flags, but the system still tries to call Centralized Policy Matching (CPM).

Conditions:
This occurs when TCLRULE_HTTP_RESPONSE is triggered from the server-side, if the server-side does not process the policy, and the connection flow flags do not have CONNFLOW_FLAG_L7_POLICY set.

Impact:
TMM/(CPM Module) might crash.

Workaround:
None.

Fix:
The system now adds the flag check of CONNFLOW_FLAG_L7_POLICY if it is not already set, so there is no crash in TMM or Centralized Policy Matching (CPM).


554761-5 : Negotiated TCP timestamps not maintained on syncookie flows

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, the BIG-IP system does not maintain TCP timestamps on a connection, even though timestamps have been negotiated, when syncookie mode is activated.

Conditions:
-- L7 virtual server with a TCP profile with Timestamps enabled. -- syncookie mode has been activated.

Impact:
Connection might be reset by a client TCP stack, e.g., netbsd/freebsd, that requires timestamps to be maintained when negotiated.

Workaround:
Choose or create a TCP profile that has timestamps disabled, which prevents the connection from being reset.

Fix:
TCP Timestamps are now maintained on all negotiated flows.


554626-1 : Database logging truncates log values greater than 1024

Component: Access Policy Manager

Symptoms:
The Logging agent truncates log values greater than 1024. If the log value size is greater than 4060, the field is empty or null.

Conditions:
Logging into local database with log values (such as session variables) greater than 1024. If this size is too high (greater than 4060), the field displays as empty or null in reports.

Impact:
The reporting UI displays null or empty fields when the logged value is too large in size, such as a huge session variable.

Workaround:
No workaround.

Fix:
This release handles large single log values.


554609-4 : Kernel panics during boot when RAM spans multiple NUMA nodes.

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) crashes in the kernel during early boot.

Conditions:
This occurs when the following conditions are met: * VE is running on Hyper-V. * VE RAM is configured in a such a way that it spans multiple NUMA nodes.

Impact:
Kernel panic during boot.

Workaround:
No workaround.

Fix:
The kernel now properly aligns memory on multiple NUMA nodes, so there is no kernel panic during boot.


554563-3 : Error: Egress CoS queue packet drop counted against both Drops In and Drops Out statistics.

Component: TMOS

Symptoms:
Class of Service Queues (cosq) egress drop statistics are counted against both Drops In and Drops Out interface statistics.

Conditions:
This occurs for all cosq drops in response to excess egress traffic and MMU egress congestion.

Impact:
Any CoS queue egress drop is also counted against ingress drop stats, which could be interpreted incorrectly as doubled total drop stats.

Workaround:
None.

Fix:
The Drops In interface statistics no longer includes Class of Service Queues (cosq) egress drop counts, which is correct behavior.


554367-1 : BIG-IQ ASM remote logger: Requests are not be logged.

Component: Application Security Manager

Symptoms:
BIG-IQ ASM does not log requests for the first remote logger configured on the system.

Conditions:
No remote logger has been previously configured for ASM.

Impact:
No requests are sent to remote logger that was just configured.

Workaround:
This issue resolves itself after a few seconds when the remote destination is responsive.

Fix:
An issue with requests not being logged after configuring a new remote logger for BIG-IQ ASM has been fixed.


554340-4 : IPsec tunnels fail when connection.vlankeyed db variable is disabled

Component: TMOS

Symptoms:
When connection.vlankeyed db variable is disabled, if the data traffic coming out of IKEv1 tunnels that needs to be secured using IKEv2 tunnels lands on tmm's other than tmm0, it will be dropped. The system establishes the IKEv2 tunnel but the data traffic will not be secured.

Conditions:
This issue is seen when the interesting data traffic lands on tmm's other than tmm0. The reason for this issue is due to incorrectly creating a flow on another TMM that is the owner of the outbound SA (IKEv2 tunnel).

Impact:
The system drops the data traffic to be secured using IPsec and connections fail.

Workaround:
Disable the cmp in the virtual server configuration.

Fix:
Flow creation at the TMM that owns the outbound SA for the IKEv2 tunnel is properly handled. TMM can handle the inner traffic from IKEv1 tunnel and secure it over another IKEv2 tunnel.


554228-5 : OneConnect does not work when WEBSSO is enabled/configured.

Component: Access Policy Manager

Symptoms:
OneConnect is a feature that reuses server-side connections. When WEBSSO is enabled, it always creates a new server-side connection, and doesn't reuse pooled connections.

Conditions:
WEBSSO and OneConnect.

Impact:
Idle serverside connections that should be eligible for reuse by the virtual server are not used. This might lead to build-up of idle serverside connections, and may result in unexpected 'Inet port exhaustion' errors.

Workaround:
None.

Fix:
OneConnect now works when WEBSSO is enabled/configured, so that the system reuses the pooled server side connections.


554041-5 : No connectivity inside enterprise network for "Always Connected" client if Network Location Awareness is enabled

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client loses all connectivity and an option to establish VPN is not available.

Conditions:
All of the following conditions must apply. 1) Edge Client is installed in "Always Connected" mode. 2) The Connectivity profile on server has location DNS list entries. 3) One of the DNS locations matches the DNS suffix set on the local network adapter.

Impact:
Client shows "LAN Detected" in the UI and does not try to connect to VPN. All traffic to and from the user's machine is blocked.

Workaround:
This issue has no workaround at this time.

Fix:
Edge Client now ignores DNS location settings in Always Connected mode and establishes VPN even inside enterprise networks.


553902-2 : Multiple NTP Vulnerabilities

Component: TMOS

Symptoms:
CVE-2015-5300 CVE-2015-7704 CVE-2015-7871 CVE-2015-7855 CVE-2015-7853 CVE-2015-7852 CVE-2015-7850 CVE-2015-7701 CVE-2015-7691 CVE-2015-7692 CVE-2015-7702 CVE-2015-5196

Conditions:
CVE-2015-7871 NAK to the Future: Symmetric association authentication bypass via crypto-NAK (Cisco ASIG) CVE-2015-7855 decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values (IDA) CVE-2015-7854 Password Length Memory Corruption Vulnerability. (Cisco TALOS) CVE-2015-7853 Invalid length data provided by a custom refclock driver could cause a buffer overflow. (Cisco TALOS) CVE-2015-7852 ntpq atoascii() Memory Corruption Vulnerability. (Cisco TALOS) CVE-2015-7851 saveconfig Directory Traversal Vulnerability. (OpenVMS) (Cisco TALOS) CVE-2015-7850 remote config logfile-keyfile. (Cisco TALOS) CVE-2015-7849 trusted key use-after-free. (Cisco TALOS) CVE-2015-7848 mode 7 loop counter underrun. (Cisco TALOS) CVE-2015-7701 Slow memory leak in CRYPTO_ASSOC. (Tenable) CVE-2015-7703 configuration directives "pidfile" and "driftfile" should only be allowed locally. (RedHat) CVE-2015-7704, CVE-2015-7705 Clients that receive a KoD should validate the origin timestamp field. (Boston University) CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 Incomplete autokey data packet length checks. (Tenable)

Impact:
Exploitation of some of these vulnerabilities may allow an attacker to cause a denial-of-service (DoS) condition.

Workaround:
See Bugs/Links below for Mitigation http://support.ntp.org/bin/view/Main/NtpBug<number> Bug 2941 CVE-2015-7871 NAK to the Future: Symmetric association authentication bypass via crypto-NAK (Cisco ASIG) Bug 2922 CVE-2015-7855 decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values (IDA) Bug 2921 CVE-2015-7854 Password Length Memory Corruption Vulnerability. (Cisco TALOS) Bug 2920 CVE-2015-7853 Invalid length data provided by a custom refclock driver could cause a buffer overflow. (Cisco TALOS) Bug 2919 CVE-2015-7852 ntpq atoascii() Memory Corruption Vulnerability. (Cisco TALOS) Bug 2918 CVE-2015-7851 saveconfig Directory Traversal Vulnerability. (OpenVMS) (Cisco TALOS) Bug 2917 CVE-2015-7850 remote config logfile-keyfile. (Cisco TALOS) Bug 2916 CVE-2015-7849 trusted key use-after-free. (Cisco TALOS) Bug 2913 CVE-2015-7848 mode 7 loop counter underrun. (Cisco TALOS) Bug 2909 CVE-2015-7701 Slow memory leak in CRYPTO_ASSOC. (Tenable) Bug 2902: CVE-2015-7703 configuration directives "pidfile" and "driftfile" should only be allowed locally. (RedHat) Bug 2901: CVE-2015-7704, CVE-2015-7705 Clients that receive a KoD should validate the origin timestamp field. (Boston University) Bug 2899: CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 Incomplete autokey data packet length checks. (Tenable)

Fix:
Applied patches for CVE-2015-5300 CVE-2015-7704 CVE-2015-7871 CVE-2015-7855 CVE-2015-7853 CVE-2015-7852 CVE-2015-7850 CVE-2015-7701 CVE-2015-7691 CVE-2015-7692 CVE-2015-7702 CVE-2015-5196


553734-1 : Issue with assignment of non-string value to Form.action in javascript.

Component: Access Policy Manager

Symptoms:
Exception in javascript code.

Conditions:
Attempt to assign non-string value to a Form.action in javascript code.

Impact:
Web application misfunction.

Workaround:
There is no workaround at this time.

Fix:
The issue is fixed for non string value types.


553688-4 : TMM can core due to memory corruption when using SPDY profile.

Component: Local Traffic Manager

Symptoms:
TMM corefiles containing memory corruption within 112-byte memory cache.

Conditions:
Virtual server using a SPDY profile encounters an internal error while processing a SPDY packet.

Impact:
Possible outage and tmm restart.

Workaround:
None.

Fix:
This release contains a fix that prevents a double free on error within the SPDY component.


553649-3 : The SNMP daemon might lock up and fail to respond to SNMP requests.

Component: TMOS

Symptoms:
The SNMP daemon might lock up and fail to respond to SNMP requests.

Conditions:
If the SNMP configuration on the BIG-IP changes and the SNMP daemon restarts. This is a timing issue that might appear intermittently.

Impact:
The BIG-IP system stops responding to SNMP requests. You then cannot monitor the BIG-IP system via SNMP.

Workaround:
If the SNMP daemon is locked up, restart it by issuing the following command: bigstart restart snmpd.

Fix:
The SNMP daemon no longer locks up and become unresponsive when it is restarted.


553613-3 : FQDN nodes do not support session user-disable

Component: Local Traffic Manager

Symptoms:
FQDN nodes do not support session user-disable.

Conditions:
Configure a monitor with recv-disable string, and set node to session user-disabled. Monitor does not mark the node down for draining persistent connections.

Impact:
Unable to use session drain.

Workaround:
None.

Fix:
FQDN nodes now support session user-disable


553576-3 : Intermittent 'zero millivolt' reading from FND-850 PSU

Component: TMOS

Symptoms:
In rare instances, certain BIG-IP platforms may erroneously generate power supply error messages that indicate zero milli-voltage. Specific symptoms include: - SNMP alert 'bigipSystemCheckAlertMilliVoltageLow' detected. - Front panel Alarm LED is blinking amber. - Errors such as the following are logged: emerg system_check[<#>]: 010d0017:0: Power supply #<x> meas. main outpu: milli-voltage (0) is too low. [where <x> is the power supply location (either 1 or 2)] - Errors such as the following may also be logged: -- err chmand[<#>]: 012a0003:3: Sensor read fault for Power supply #<x> meas. main outpu : File sensor/LopSensSvc.cpp Line 1453. -- notice chmand[<#>]: 012a0005:5: reinitialize tmstat sensors (num sensors:<#>). -- notice chmand[<#>]: 012a0005:5: reinitialize tmstat sensors (num sensors:<#>). Note that this condition may affect either PSU 1 or PSU 2.

Conditions:
This may occur intermittently on BIG-IP 10000-/12000-series appliances (including 10000s/10200v, 10050s/10250v, 10055/10255, 10350v and 12250v models) with FND850 model DC power supplies.

Impact:
There is no impact; these error messages are benign.

Workaround:
None.

Fix:
Resolved intermittent erroneous "zero millivolt" reading from FND-850 PSU on BIG-IP 10000-/12000-series appliances.


553330-3 : Unable to create a new document with SharePoint 2010

Component: Access Policy Manager

Symptoms:
VPN users are unable to create a new document with SharePoint 2010 An error is given: "The Internet address https://ip:port/shared documents/forms/template.dotx" is not valid

Conditions:
Create a new document using the"New Document button".

Impact:
User cannot create a new document with SharePoint 2010.

Workaround:
none

Fix:
You can create a new document with Microsoft SharePoint 2010.


553174-4 : Unable to query admin IP via SNMP on VCMP guest

Component: TMOS

Symptoms:
The admin IP address is not returned via ipAdEntAddr.

Conditions:
Query admin IP via SNMP on VCMP guest via ipAdEntAddr.

Impact:
Unable to obtain admin IP address via SNMP for VCMP guests.

Workaround:
none

Fix:
ipAdEntAddr will now return the admin IP address on a VCMP guest.


553146-2 : BD memory leak

Component: Application Security Manager

Symptoms:
BD memory increases. May reach a kernel OOM killer scenario

Conditions:
Usually a policy with missing content profile on a post request that causes the POST to be parsed wrongly and issue many parameters violations.

Impact:
Bad memory consumption of the system, swap memory usage, crashes.

Workaround:
Apply correct content profiles (XML etc) as usually valid requests should not have that many parameters in them. Otherwise apply the "apply value signature" on big POSTs.

Fix:
We fixed a memory leak in the Enforcer.


553063-1 : Epsec version rolls back to previous version on a reboot

Component: Access Policy Manager

Symptoms:
If administrator has installed multiple EPSEC packages, after a reboot the EPSEC version rolls back to the previously installed version.

Conditions:
The BIG-IP system needs to be rebooted for this issue to be seen, and multiple EPSEC packages must have been installed on the system before the reboot.

Impact:
OPSWAT version rolls back without prompting or logging. This might open up the end-point security issues that are supposed to be fixed by the latest installed OPSWAT package.

Workaround:
The workaround is to upload a dummy file in Sandbox. 1. Go to Access Policy :: Hosted Content :: Manage Files. 2. Upload any dummy file, even a 0 byte file. Change the security level to 'session'. After this change, even if you reboot or shutdown-restart, the EPSEC version does not revert.

Fix:
The most recently installed EPSEC version now remains configured, and does not roll back after reboot or shutdown-restart.


552931-4 : Configuration fails to load if DNS Express Zone name contains an underscore

Component: Local Traffic Manager

Symptoms:
A configuration with a DNS Express Zone with an underscore in the name does not load, even though the gtm global-settings general domain-name-check is set to any of allow-underscore, svn-compatible, or none.

Conditions:
-- Configuration setting gtm global-settings general domain-name-check is set to any of allow-underscore, svn-compatible, or none. -- DNS Express Zone exists with an underscore in the name.

Impact:
Cannot load the LTM configuration when restarting BIG-IP system when DNS Express Zones that have an underscore character in the name.

Workaround:
Force the GTM configuration to load by sequentially running the following commands: tmsh load sys config gtm-only. tmsh load sys config.

Fix:
All FQDNs may now contain underscore character. The BIG-IP system now correctly load configurations that contain DNS Express Zones with underscores in the name.


552865-4 : SSL client authentication should ignore invalid signed Certificate Verify message when PCM is set to 'request'.

Component: Local Traffic Manager

Symptoms:
When peer certificate mode (PCM) is set to request, and the BIG-IP system client-ssl asks for the client certificate, handshake might fail if the client sends an invalid signed Certificate Verify message.

Conditions:
When SSL client certificate mode is request, and the client sends an invalid signed Certificate Verify message to the BIG-IP system.

Impact:
The handshake does not ignore the invalid signed certificate verify message, and handshake might fail. SSL client authentication should ignore invalid signed Certificate Verify message when PCM is set to 'request'. Regardless of whether the Certificate and Certificate Verify message is valid, the handshake should ignore the Certificate Verify signature error and let the handshake continue.

Workaround:
None.

Fix:
When peer certificate mode (PCM) is set to request, and the BIG-IP system client-ssl asks for the client certificate, the handshake now ignores the Certificate Verify signature error and lets the handshake continue. This is correct behavior.


552585-3 : AAA pool member creation sets the port to 0.

Component: TMOS

Symptoms:
When the AAA server pool member is created (for Radius mode BOTH and for AD), the port is set to 0 (Any) as there are more than one ports for that pool member.

Conditions:
Create AAA pool member while creating an AAA RADIUS server or Active Directory server. The created pool member does not support the ability of having multiple port numbers and for that reason is updated with 0 (Any) as the port number for the pool member. If the user continues to modify using the Admin UI, the port changes made using tmsh will be overwritten again to 0.

Impact:
AAA pool member port is set to 0 (Any) rather than the port specified in the GUI. This is correct as the pool member does not support more and 1 port number.

Workaround:


552498-1 : APMD basic authentication cookie domains are not processed correctly

Component: Access Policy Manager

Symptoms:
401 responses containing Set-Cookie headers might not be processed correctly. Domains that begin with a dot will be truncated and the cookies will not be sent to pool members.

Conditions:
An access policy needs to use Basic or NTLM authentication and one or more of the 401 responses must contain Set-Cookie headers. If a domain is specified and the domain begins with a dot, it will not be processed correctly.

Impact:
Cookies assigned during the authentication handshake might not be sent to pool members.

Workaround:
An iRule can be used to process the 401 responses and remove any leading dots from domain fields of Set-Cookie headers.

Fix:
Domain fields in Set-Cookie headers found in 401 responses are processed correctly.


552488-1 : Missing upgrade support for AFM Network DoS reports.

Component: Application Visibility and Reporting

Symptoms:
When upgrading, the statistics of AFM Network DoS reports are not migrated correctly to the new version, leading to loss of data about the Client-IP addresses.

Conditions:
Upgrade from versions 11.4.x or 11.5.x to versions 11.6.x or 12.0.x.

Impact:
The IP Addresses information of AFM Network DoS is lost. However, new activity is collected correctly.

Workaround:
There is no workaround for this issue.

Fix:
This release provides upgrade support for AFM Network DoS reports.


552481 : Disk provisioning error after restarting ASM service.

Component: TMOS

Symptoms:
Disk provisioning error after restarting ASM service. In newer BIG-IP software versions ASM uses a different application volume name. Older BIG-IP software versions identify the application volume as being owned by ASM, and allows ASM to be provisioned and start. However, in the older versions, ASM create the application volume so there will be two ASM application volumes. If ASM is restarted with bigstart or tmsh, or if the BIG-IP system is rebooted, provisioning does not allow ASM to start.

Conditions:
ASM provisioned on both pre-v12.0.0 and post-v12.0.0 versions.

Impact:
ASM does not start, and bigstart status asm indicates a disk provisioning error.

Workaround:
Follow these steps: 1. Boot into the most recent version of BIG-IP software. 2. Run the command: tmsh modify sys provision asm level none. 3. Wait for unprovision to complete (do so by monitoring /var/log/asm). 4. Run the command: tmsh delete sys disk application-volume asmdata1. 5. Run the command: tmsh modify sys provision asm level nominal.

Fix:
ASM starts successfully with no disk provisioning error after restarting ASM service using newer BIG-IP software.


552352-2 : tmsh list display incorrectly for default values of gtm listener translate-address/translate-port

Component: Global Traffic Manager

Symptoms:
tmsh list displays incorrectly for default values of GTM listener translate-address/translate-port settings.

Conditions:
Using the tmsh list command to show translate-address/translate-port for GTM listener.

Impact:
tmsh list gtm listener does not display 'translate-address'/'translate-port' when it is set to enabled, but the command does show the values when it is set to disabled. The tmsh list gtm listener command should not show the default settings. This becomes an issue when used with the TMSH merge command, where the value gets set to the LTM virtual server default instead of maintained as the GTM Listener default. This might eventually result in failing traffic.

Workaround:
Use tmsh list with 'all-properties' instead.

Fix:
GTM Listener's translate-address and translate-port field are now always displayed in TMSH commands. This is because there are different defaults in GTM Listeners than the LTM virtual servers. When used with the TMSH merge command, the value gets set to the LTM virtual server default instead of maintained as the GTM Listener default. By always displaying this attribute, no matter what the value is, the merge will always be handled appropriately.


552198-5 : APM App Tunnel/AM iSession Connection Memory Leak

Component: Wan Optimization Manager

Symptoms:
A memory leak occurs when APM application tunnels or AM iSession connections are aborted while waiting to be reused.

Conditions:
The iSession profile reuse-connection attribute is true. A large number of iSession connections are aborted while waiting to be reused.

Impact:
Available memory might be significantly reduced when a large number of iSession connections waiting to be reused are aborted.

Workaround:
Disable the iSession profile reuse-connection attribute. Restart TMM.

Fix:
This release fixes an APM App Tunnel/AM iSession connection memory leak.


552151-2 : Continuous error report in /dev/log/ltm: Device error: n3-compress0 Nitrox 3, Hang Detected

Component: Local Traffic Manager

Symptoms:
Hardware compression slowly and progressively fails to handle compression operations. The system posts the following errors in ltm.log: crit tmm3[14130]: 01010025:2: Device error: n3-compress0 Nitrox 3.

Conditions:
This occurs when the system encounters errors during hardware compression handling. This occurs on the BIG-IP 5000-, 7000-, 10000-, and 12000-series platforms, and on VIPRION B22xx blades.

Impact:
Compression is (eventually) performed by software. This can result in high CPU utilization.

Workaround:
Disable compression if CPU usage is too high.

Fix:
Improved the device exception handling so that errors are correctly propagated to compression clients, thus preventing the progressive failure of the compression engine, and stopping the offload to software compression (which was driving up the CPU).


552139-2 : ASM limitation in the pattern matching matrix builtup

Component: Application Security Manager

Symptoms:
The signature configuration is not building up upon adding new signatures. This can look like a configuration change is not finishing, or if it does, it may result in crashes when the Enforcer starts up resulting in constant startups.

Conditions:
Too many signatures are configured with custom signatures. The exact number varies (depending on the signature) but hundreds of signatures may be enough to trigger it.

Impact:
Configuration change doesn't finish or crashes in the ASM startup (which results in constant startups of the system).

Workaround:
Workarounds are possible only in a custom signature scenario, only using fewer signatures or by removing unused signatures.

Fix:
Fixed a limitation in the attack signature engine.


551927-2 : ePVA snoop header's transform vlan should be set properly under asymmetric routing condition

Component: TMOS

Symptoms:
On ePVA capable platform with fastl4 profile and asymetric routing on client side, ltm sends packets to the client with wrong vlan/correct mac address (or correct vlan and wrong mac-address) and undecremented ttl.

Conditions:
fastl4 profile and asymetric routing on client side

Impact:
Return traffic could use the wrong vlan

Workaround:
none

Fix:
Use the nexthop VLAN for ePVA transformation for offloaded flow when available, instead of the incoming VLAN


551767-3 : GTM server 'Virtual Server Score' not showing correctly in TMSH stats

Component: Global Traffic Manager

Symptoms:
GTM server 'Virtual Server Score' is not showing correct values in TMSH stats. Instead, stats shows zero value.

Conditions:
You have a virtual server configured with a non-zero score.

Impact:
tmsh show gtm server server-name detail lists 'Virtual Server Score' as zero. Note that there is no impact to actual load balancing decisions. Those decisions take into account the configured score. This is an issue only with showing the correct information and stats.

Workaround:
None.

Fix:
TMSH now shows the correct value for 'Virtual Server Score' when you have a virtual server configured with a non-zero score.


551764-3 : [APM] HTTP status 500 response of successful Access Policy in clientless mode on chassis platform

Component: Access Policy Manager

Symptoms:
Successful execution of an Access Policy will result in the client receiving a HTTP status 500 error response when clientless mode is set. This error response is generated by APMD. This is a regression condition that occurs when the fix for bug 374067 is included.

Conditions:
-- The system has the fix for bug 374067. -- Clientless mode is enabled. -- BIG-IP platform is chassis platform. -- The administrator does not override the Access Policy response with iRule command.

Impact:
Client receives an invalid response.

Workaround:
None.

Fix:
Upon successful execution of the Access Policy in clientless mode, the request is forwarded to the configured backend as needed.


551742-2 : Hardware parity error mitigation for the SOURCE_VP table on 10000s/10200v/10250v platforms and B4300/B4340N and B2250 blades

Component: TMOS

Symptoms:
In rare occurrences, BIG-IP hardware is susceptible to parity errors due to unknown source. This bug mitigates parity errors that occur in the SOURCE_VP table of the switch hardware, indicated with the following message in the ltm log: Sep 15 12:12:12 info bcm56xxd[8066]: 012c0016:6: _soc_xgs3_mem_dma: SOURCE_VP.ipipe0 failed(NAK)

Conditions:
This occurs only on the BIG-IP 10000s/10200v/10250v platforms, and on the VIPRION B4300/B4340N and B2250 blades. The exact trigger of the parity error is unknown at this time.

Impact:
This impacts several series of BIG-IP products with hardware parity error mitigation capabilities.

Workaround:
Rebooting BIG-IP hardware should clear issues caused by hardware parity errors.

Fix:
A hardware parity error issue has been fixed.


551661-2 : Monitor with send/receive string containing double-quote may fail to load.

Component: TMOS

Symptoms:
When a monitor string contains backslash double-quote but does not contain a character which requires quoting, one level of escaping is lost each save/load.

Conditions:
If the string contains \" (backslash double-quote) but does not contain one of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hashtag), literal newline, or literal space.

Impact:
Monitors are marked down due to expected string not matching or incorrect send string. Potential load failure.

Workaround:
You can use either of the following workarounds: -- Modify the content the BIG-IP system retrieves from the web server for the purposes of health monitoring, so that double quotes are not necessary. -- Use an external monitor instead.

Fix:
If the monitor send-recv strings contain a double-quote ", character the system now adds quotes to the input.


551614-2 : MTU Updates should erase all congestion metrics entries

Component: Local Traffic Manager

Symptoms:
MTU updates erase cwnd cache entries, but not ssthresh or RTT, while an MTU update generally indicates a path change, meaning that these values might be invalid.

Conditions:
TCP cached congestion metrics from a previous connection, and subsequently receives an ICMP PMTU message.

Impact:
Connection might use invalid congestion metrics.

Workaround:
Disable cmetrics-cache, accept the suboptimal cached values, or write an iRule to purge the entry after path change.

Fix:
MTU updates now erase all congestion metrics entries, which is correct behavior.


551010-7 : Crash on unexpected WAM storage queue state

Component: WebAccelerator

Symptoms:
In rare circumstances WAM may enter an unexpected queue state and crash.

Conditions:
WAM configured on virtual with request queuing enabled

Impact:
Crash

Workaround:
none

Fix:
Gracefully recover from unexpected WAM storage queue state


550694-3 : LCD display stops updating and Status LED turns/blinks Amber

Component: TMOS

Symptoms:
The LCD display may stop updating and the Status LED may turn Amber and begin blinking on BIG-IP 2000, 4000, 5000, 7000, or 10000-series appliances.

Conditions:
The Status LED turns Amber if the LED/LCD module stops receiving updates from the BIG-IP host, and begins blinking Amber if the LED/LCD module does not receive updates from the BIG-IP host for three minutes or longer. This condition may occur if data transfers between the BIG-IP host and the LED/LCD module over the connecting USB bus becomes stalled. Due to changes in BIG-IP v11.5.0 and later, the frequency and likelihood of this condition is greatly reduced, but may still occur under rare conditions.

Impact:
When this condition occurs, the front-panel LCD display does not display the current BIG-IP host status, and the Status LED blinks Amber. There is no impact to BIG-IP host operations, and no disruption to traffic.

Workaround:
This condition can be cleared by either of the following actions: 1. Press one of the buttons on the LCD display to navigate the LCD menus. 2. Issue the following command at the BIG-IP host console: /sbin/lsusb -v -d 0451:3410. Either action generates USB traffic, which triggers recovery from the USB stalled transfer condition.

Fix:
Auto-recovery from a USB stalled-transfer condition has been implemented, which prevents the Status LED from blinking Amber on BIG-IP 2000, 4000, 5000, 7000, 10000 or 12000-series appliances.


550689-2 : Resolver H.ROOT-SERVERS.NET Address Change

Component: Local Traffic Manager

Symptoms:
The IPv4 and IPv6 addresses for H.ROOT-SERVERS.NET are changing on December 1st 2015 from (128.63.2.53 / 2001:500:1::803f:235) to (198.97.190.53 / 2001:500:1::53). The old addresses will be good for 6 months after the change, and then the IPv4 address will go completely offline, and the IPv6 address is subject to go offline as well. More details http://h.root-servers.org/renumber.html

Conditions:
DNS Resolver uses hard-coded root hints for H.ROOT-SERVERS.NET.

Impact:
Incorrect address for a root-server means no response to that query.

Workaround:
There are 12 other root-servers that also provide answers to TLD queries, so this is cosmetic, but the addresses still need to be updated to respond to the change.

Fix:
Updated H.ROOT-SERVERS.NET to reflect the new IPv4 and IPv6 addresses taking effect December 1st, 2015 from (128.63.2.53 / 2001:500:1::803f:235) to (198.97.190.53 / 2001:500:1::53). For more information, see H-Root will change its addresses on 1 December 2015, available here: http://h.root-servers.org/renumber.html.


550536-3 : Incorrect information/text (in French) is displayed when the Edge Client is launched

Component: TMOS

Symptoms:
Incorrect information/text (in French) is displayed when the Edge Client is launched.

Conditions:
Edge client is used in French locale.

Impact:
User sees grammatically incorrect text in French. This is a cosmetic error that has no impact on system functionality.

Workaround:
None.

Fix:
The correct information/text (in French) is now displayed when the Edge Client is launched.


549800-2 : Renaming a virtual server with an attached plugin can cause buffer overflow

Component: Local Traffic Manager

Symptoms:
Renaming a virtual server (essentially, moving one virtual server to a new location, which effectively renames it) might cause buffer overflow and potentially result in Failover.

Conditions:
The database variable 'mcpd.mvenabled' must be set to 'true'. Also, when moving a virtual server, the new name must be longer than the original name.

Impact:
Buffer overflow and potentially failover.

Workaround:
Do not use the move command. Instead, issue a delete followed by a create command in a transaction.

Fix:
Renaming a virtual server now works as expected, and does not results in buffer overflow or failover.


549782-1 : XFV driver can leak memory

Component: Local Traffic Manager

Symptoms:
When the interface goes down, memory is not correctly freed.

Conditions:
the leak happens when the interface goes down

Impact:
Over a long enough period of time the BIGIP can go out of memory and TMM needs to be restarted.

Workaround:
none

Fix:
The driver was corrected so that when the interface is brought down, all the xfrags currently in the ring buffer are freed.


549588-2 : EAM memory leak when cookiemap is destroyed without deleting Cookie object in it

Component: Access Policy Manager

Symptoms:
EAM memory growing and OOM kills EAM process under memory pressure.

Conditions:
This occurs when using access management such as Oracle Access Manager, when an authentication request is redirected to IDP (redirect URL is present) with cookies present, memory can grow unbounded.

Impact:
EAM memory usage increases and OOM kills EAM process if the system is under memory pressure.

Workaround:
No Workaround

Fix:
EAM memory usage no longer grows. Cookie objects are deleted prior to deleting cookieMap from obAction destructor.


549543-3 : DSR rejects return traffic for monitoring the server

Component: TMOS

Symptoms:
System DB variable 'tm.monitorencap' controls whether the server monitor traffic is encapsulated inside DSR tunnel. If it is set to 'enable', monitor traffic is encapsulated, and return traffic is without the tunnel encapsulation. In such a case, the return traffic is not mapped to the original monitor flow, and gets rejected/lost.

Conditions:
System DB variable 'tm.monitorencap' is set to 'enable', and DSR server pool is monitored.

Impact:
Monitor traffic gets lost, and server pool is marked down.

Workaround:
None.

Fix:
The DSR tunnel flow now sets the correct underlying network interface, so that the return monitor flow can match the originating flow, which results in the DSR monitor working as expected.


549406-5 : Destination route-domain specified in the SOCKS profile

Component: Local Traffic Manager

Symptoms:
The SOCKS profile route-domain setting is supposed to control which route domain is used for destination addresses. It is currently used to identify the listener/tunnel interface to use when forwarding the traffic, but does not set the route domain on the destination address used by the proxy to determine how to forward the traffic.

Conditions:
When the virtual server receives a SOCKS request and the route-domain is not the default (0).

Impact:
SOCKS connection fails immediately and the system returns the following message to the client: Results(V5): General SOCKS server failure (1). Traffic is forwarded correctly only when the destination is route-domain 0. Other route domains might result in error messages and possible failed traffic.

Workaround:
Use a destination route-domain of 0 when working with the SOCKS profile.

Fix:
The system now uses the destination route-domain specified in the SOCKS profile. This allows the SOCKS profile to work correctly when the destination is not in route-domain 0.


549393-3 : SWG URL categorization may cause the /var file system to fill.

Component: Application Visibility and Reporting

Symptoms:
Secure Web Gateway (SWG) URL categorization may cause the /var file system to fill. This might manifest in the following ways. 1. The /var file system is full or approaching 100% utilization, as shown in the following example: # df -h /var Filesystem Size Used Avail Use% Mounted on /dev/mapper/vg--db--vda-app.ASWADB.set.1.mysqldb 12G 11G 576M 95% /var/lib/mysql 2. The database and index files for SWG URL categorization have grown very large, as shown in the following example: -- /var/lib/mysql/AVR/AVR_DIM_APM_SWG_URL.MYD: 8.1G <--- Database! -- /var/lib/mysql/AVR/AVR_DIM_APM_SWG_URL.MYI: 765M <--- Index!

Conditions:
SWG is provisioned and configured to perform URL classification, and a large amount of web traffic is being proxied by the SWG system.

Impact:
This results in the following impacts: - SWG-related operations dependent on MySQL may fail. - Once the /var file system reaches 100% utilization, other BIG-IP system functions that are dependent on the MySQL system may also experience issues.

Workaround:
The issue can be worked around by resetting the AVR statistics. You can find information on how to reset AVR statistics in SOL14956: Resetting BIG-IP AVR statistics, available at https://support.f5.com/kb/en-us/solutions/public/14000/900/sol14956.html. Impact of procedure: The procedure removes all Analytics data and resets the MySQL database.

Fix:
Secure Web Gateway (SWG) URL categorization no longer causes the /var file system to fill.


549283-3 : Add a log message to indicate transition in the state of Gx and Gy sessions.

Component: Policy Enforcement Manager

Symptoms:
Without a state transition indicator, it is difficult to determine if the Gx and Gy session is active and UP on the BIG-IP device.

Conditions:
Gx or Gy state transitions need to occur.

Impact:
Difficult to identify and debug issues related to Gx and Gy state transitions.

Workaround:
None needed. This is an improvement.

Fix:
Added a log message to indicate the state transitions for Gx and Gy sessions.


549108-1 : RDP resource 'Custom parameters' fail to accept parameters containing spaces or colon in the value

Component: Access Policy Manager

Symptoms:
Some RDP parameters may contain whitespaces or colon in the value, e.g.: loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.RDSFarm The configuration utility will throw a validation error "01070734:3: Configuration error: apm resource remote-desktop rdp: Parse error on line 0: <parameter>"

Conditions:
This occurs when using RDP parameters containing spaces or colon in the value.

Impact:
Administrator is unable to configure the RDP resource as desired.

Workaround:
None.

Fix:
RDP parameters parsing has been refined to support values containing colons or whitespaces.


548796-2 : Avrd is at CPU is 100%

Component: Performance

Symptoms:
When the Application Visibility and Reporting (AVR) module is being used, the avrd daemon can consume all CPU. The avrd log will contain error messages similar to Semaphore DB_Publisher_ready is not set, for xxxx seconds

Conditions:
This can occur when using the AVR module.

Impact:
Avrd gets to 100% CPU and stays there even when no traffic is being passed, which will impact system performance

Workaround:
Restarting tmm will temporarily mitigate this problem

Fix:
Avrd is no longer susceptible to consuming all CPU indefinitely even when traffic is not being passed.


548680-2 : TMM may core when reconfiguring iApps that make use of iRules with procedures.

Component: Local Traffic Manager

Symptoms:
TMM may core when reconfiguring iApps that make extensive use of iRules with procedures.

Conditions:
During the reconfiguration of more than one iApp by switching templates, prior and new templates to contain iRules with procedures of the same name. After the second or later reconfiguration TMM may core.

Impact:
TMM may core.

Workaround:
Modify iApp template to generate procedures that have a unique name per iApp.

Fix:
TMM no longer cores when reconfiguring more than one iApp that contains iRule procedures of the same name.


548678-2 : ASM blocking page does not display when using SPDY profile

Component: Local Traffic Manager

Symptoms:
The ASM blocking page will not be displayed when using the SPDY profile.

Conditions:
Virtual configured with ASM and spdy profile and request is blocked by ASM.

Impact:
Request blocked page is not displayed.

Workaround:
If possible, disable the SPDY profile on virtual servers configured to use ASM.

Fix:
ASM will now correctly display its blocking page when the SPDY profile is enabled and an ASM blocking rule is triggered.


548563-2 : Transparent Cache Messages Only Updated with DO-bit True

Component: Local Traffic Manager

Symptoms:
When a transparent cache stores a message with DNSSEC OK (DO) bit TRUE and its TTL expires, the message is only updated when a new message arrives with DO-bit TRUE.

Conditions:
Running a DNS transparent cache with clients requesting DNSSEC messages.

Impact:
When the DO-bit TRUE's cached message TTL expires, the general impact is DO-bit FALSE queries will be proxied until the message cache is updated with DO-bit TRUE.

Workaround:
None.

Fix:
The message cache is updated regardless of DO-bit state after TTL expiration. However, the cache prefers DO-bit TRUE messages, and will update the cached message if a newer one arrives with DNSSEC OK.


548361 : Performance degradation when adding VDI profile to virtual server

Component: Access Policy Manager

Symptoms:
Performance degradation when adding VDI profile to virtual server

Conditions:
This occurs when using the VDI profile

Impact:
0.3s latency increase comparing with previous result

Workaround:
none

Fix:
Fixed 0.3s latency between client and server SSL hello if VDI profile is added to virtual server.


548239-3 : BGP routing using route-maps cannot match route tags

Component: TMOS

Symptoms:
When a route-map is used to redistribute routes into BGP, matching on the route tag fails.

Conditions:
Dynamic routing using BGP, redistribution into BGP using a route-map, route-map matches route tag.

Impact:
BGP may not get all prefixes from other routing protocols.

Workaround:
None.

Fix:
Route-maps used with BGP now correctly match route tags.


547732-1 : TMM may core on using SSL::disable on an already established serverside connection

Component: Local Traffic Manager

Symptoms:
TMM process may crash if the SSL::disable iRule command is used on a serverside with the connection already establised.

Conditions:
Use of SSL::disable on a ssl, serverside established connection.

Impact:
TMM cores.

Workaround:
Do not use SSL::disable on an event where the serverside connection is already established.

Fix:
TMM no longer cores on using SSL::disable on an already established serverside connection, it will now log a warning Connection error: hud_ssl_handler:605: disable profile (80)


547537-3 : TMM core due to iSession tunnel assertion failure

Component: Wan Optimization Manager

Symptoms:
TMM core due to "valid isession pcb" assertion failure in isession_dedup_admin.c.

Conditions:
Deduplication endpoint recovery occurs on a BIG-IP that has duplication is enabled.

Impact:
TMM generates a core file and restarts.

Workaround:
none

Fix:
An iSession tunnel initialization defect has been corrected.


547532-2 : Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades

Component: TMOS

Symptoms:
Error messages similar to this are present in the ltm log: -- err mcpd[9369]: 01020036:3: The requested monitor instance (/part10/test_mon 90.90.90.90%10 443 ltm-pool-member) was not found. -- err mcpd[9369]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested monitor instance (/part10/test_mon 90.90.90.90%10 443 ltm-pool-member) was not found.

Conditions:
A chassis-based system with multiple blades. A monitor is attached to an object that is configured in a partition that uses a non-default route domain, but the address of the monitor is explicitly using the default route domain (e.g. %0).

Impact:
Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades. mcpd restarts.

Workaround:
Move the monitor to the /Common/ partition and do not specify %0 in the Alias Address.

Fix:
Ensured that the complete state for addresses in the default route domain is propagated to secondary blades.


547000-4 : Enforcer application might crash on XML traffic when out of memory

Component: Application Security Manager

Symptoms:
Enforcer application might crash on XML traffic when out of memory.

Conditions:
This occurs when the system is out of memory.

Impact:
The BIG-IP system might temporarily fail to process traffic.

Workaround:
None.

Fix:
This release fixes a scenario where the system might crash when the XML parser ran out of memory.


546747-2 : Occasional SSL connection handshake failure when one ClientHello is sent in multiple packets

Component: Local Traffic Manager

Symptoms:
Sometimes BIGIP responds with a fatal-handshake alert and closes the SSL session for a new connection When a ClientHello record is split between two or more packets.

Conditions:
This occurs when a SSL ClientHello record gets split between two or more packets.

Impact:
New SSL connection can't be established.

Workaround:
No workaround.

Fix:
SSL connection can be successfully brought up regardless how many packets are used to send one ClientHello record.


546640 : tmsh show gtm persist <filter option> does not filter correctly

Component: Global Traffic Manager

Symptoms:
Following commands fail to return results even if there are matching records: # tmsh show gtm persist level wideip # tmsh show gtm persist target-type pool-member

Conditions:
This only happens when running the tmsh commands listed in the Symptoms.

Impact:
It is not possible to get a granular detail for persist stats.

Workaround:
Use GUI.

Fix:
Filters for the tmsh show gtm persist command now apply the filters correctly.


546082-5 : Special characters might change input.

Component: iApp Technology

Symptoms:
Special characters by users might change the intended data.

Conditions:
Use of special characters.

Impact:
Incorrect or unwanted response.

Workaround:
None.

Fix:
Updated data handling to properly account for special characters.


545985-3 : ICAP 2xx response (except 200, 204) is treated as error

Component: Service Provider

Symptoms:
An ICAP status code from the ICAP server of 2xx (other than 200 or 204) is treated as an error, causing the reset of the ICAP connection and the service-down-action to be performed on the parent virtual server (as configured in the requestadapt or responseadapt profile). The RFC 3507 requires the ICAP client (BigIP) to handle the response normally (ie. like 200).

Conditions:
The ICAP server returns a 2xx status code that is not defined explicitly for ICAP.

Impact:
Transsactions involving an ICAP server that returns a non-IACP 2xx response do not work, and the service-down action is performed.

Workaround:
If possible, have the ICAP server return status code 200.

Fix:
An ICAP status code from the ICAP server of 2xx (other than 200 or 204) is treated as a normal 200 status code, thus the encapsulated HTTP request or response is returned to the HTTP client or server.


545810-1 : ASSERT in CSP in packet_reuse

Component: Local Traffic Manager

Symptoms:
Causes TMM to crash

Conditions:
happens with CSP module when configured on local loopback.

Impact:
Crash and restart of TMM

Workaround:
None

Fix:
Fixed the logic in determining if we are an L7 loopback connection. This way CSP receives only packets that it owns and can be re-used


545786-4 : Privilege escalation vulnerability CVE-2015-7393

Component: Centralized Management

Symptoms:
The SUID root dcoep application (/shared/mgmt/ep/dcoep) allows local, authenticated users with access to an advanced shell the capability to elevate privileges to root.

Conditions:
Local, authenticated user with advanced shell access and capability to execute shell commands.

Impact:
Local, authenticated user with advanced shell access may be able to elevate privileges to root.

Workaround:
Vulnerable dcoep application (/shared/mgmt/ep/dcoep) is replaced by a empty file which can't be executed.

Fix:
Vulnerable dcoep application (/shared/mgmt/ep/dcoep) is replaced by a empty file which can't be executed.


545783-3 : TMM crashes when forwarding an inbound connection on Large Scale NAT (LSN) pool

Component: Carrier-Grade NAT

Symptoms:
TMM crashes when forwarding an inbound connection and the flow sweeper tries to update the flow before the forwarding operation completes.

Conditions:
A small or over utilized LSN pool that creates inbound entries that require forwarding.

Impact:
TMM crashes

Workaround:
Add more IP addresses to the LSN pool.

Fix:
TMM no longer crashes when forwarding inbound connections configured with an LSN pool


544913-6 : tmm core while logging from TMM during failover

Component: TMOS

Symptoms:
TMM crash and coredump while logging to remote logging server when an HA failover occurs.

Conditions:
The problem might occur when: 1. A log message is created as the result of errors that can occur during log-connection establishment. 2. An error occurs while attempting to connect to the remote logging server. 3. The Primary HA member fails over. The crash occurs on the HA member which was the Primary member prior to the failover.

Impact:
TMM runs out of stack and dumps core. Stack trace shows recursion in errdefs. The system cannot function under these conditions. This is an issue that might occur anytime logs are generated when managing resources that are also used by the logging system itself.

Workaround:
Two possible workarounds are available: 1) Create a log filter specifically for message-id :1010235: that either discards or directs such messages to local syslogs. 2) If the problem occurs on TMM startup, disable and then re-enable the corresponding log source once the TMM starts up.

Fix:
Logging recursion no longer occurs in TMM during failover while the system is attempting to connect to the remote logging server.


544481-5 : IPSEC Tunnel fails for more than one minute randomly.

Component: TMOS

Symptoms:
IPsec IKEv1: DPD ACK may be dropped when excessive DPD message exchange. This causes the IPsec tunnel to fail.

Conditions:
Excessive DPD message exchange.

Impact:
Connection resets.

Workaround:
None.

Fix:
Excessive DPD message exchange no longer causes the IPsec tunnel to fail.


544375-1 : Unable to load certificate/key pair

Component: Local Traffic Manager

Symptoms:
After creating SSL profile, 'could not load key/certificate file' appears in /var/log/ltm with profile name. Unable to connect to virtual with SSL profile.

Conditions:
Certificate uses sha1WithRSA or dsaWithSHA1_2 signature algorithm.

Impact:
Unable to load certificate.

Workaround:
None.

Fix:
Can now load certificates with sha1WithRSA or dsaWithSHA1_2 signature algorithm.


544028-5 : Verified Accept counter 'verified_accept_connections' might underflow.

Component: Local Traffic Manager

Symptoms:
Verified Accept counter 'verified_accept_connections' might underflow.

Conditions:
When the verified accept setting on a TCP profile is changed for an active virtual server.

Impact:
When the counter underflows, new connections on any verified-accept enabled virtual server are dropped. The counter will never recover.

Workaround:
Avoid changing the verified accept setting on a TCP profile for an active virtual server.

Fix:
This release corrects the issue in which the Verified Accept counter 'verified_accept_connections' might underflow.


543924 : Update kernel to latest public RHEL6.4 kernel: 2.6.32-358.61.1.el6

Component: TMOS

Symptoms:
This is a major update from RHEL6.4 2.6.32-358.23.2 used in 11.6.0 releases (including all 11.6.0 hotfixes). This includes many critical bugfixes and vulnerability fixes as of the last published kernel Redhat Security Advisory: https://rhn.redhat.com/errata/RHSA-2015-1030.html Note that there are some additional vulnerability fixes beyond RHSA-2015-1030.html which have been backported from upstream RHEL6 kernels: 6.5, 6.6 and 6.7. This does not include later 6.4 kernel updates from Redhat which are only available for Redhat AUS customers: https://rhn.redhat.com/errata/RHSA-2015-1211.html https://rhn.redhat.com/errata/RHSA-2015-1643.html https://rhn.redhat.com/errata/RHBA-2015-1843.html https://rhn.redhat.com/errata/RHBA-2015-2005.html https://rhn.redhat.com/errata/RHSA-2016-0004.html

Conditions:
This is a kernel-related update.

Impact:
Addresses many critical bugfixes and vulnerability fixes.

Workaround:
None needed.

Fix:
Updated kernel to 2.6.32-358.61.1.el6 [RHEL6.4].


543222-3 : apd may crash if an un-encoded session variable contains "0x"

Component: Access Policy Manager

Symptoms:
when a session variable value contains "0x" (for example 'value0x not encoded'), apd process treat the value as HEX-encoded and tries to decode it. decoding the not-encoded string causes apd to crash

Conditions:
session variable contains substring "0x"

Impact:
apd crash

Workaround:
None

Fix:
With this release: 1. Only values starting from 0x are treated as hex-encoded. 2. If hex decoding fails, apd does not crash.


543220-1 : Global traffic statistics does not include PVA statistics

Component: Local Traffic Manager

Symptoms:
Global traffic statistics shown in the GUI and in TMSH are not correct.

Conditions:
Hardware acceleration enabled.

Impact:
Statistics discrepancy in global traffic statistics.

Workaround:
None.

Fix:
Global traffic statistics now includes the correct PVA statistics in the GUI and in TMSH.


542724-1 : If there is OCSP Stapling enabled on a clientSSL profile, under certain remote conditions, TMM could crash

Component: Local Traffic Manager

Symptoms:
If there is OCSP Stapling enabled on a clientSSL profile, under certain remote conditions, TMM could crash.

Conditions:
This occurs when the following conditions are met: - There is an OCSP request in progress. - There is a configuration change. - The handshake is aborted. - The HTTP response for the OCSP request indicates a status code that is not 200.

Impact:
TMM might crash.

Workaround:
None.

Fix:
TMM no longer crashes if there is OCSP Stapling enabled on a clientSSL profile, under certain remote conditions.


542640-2 : bigd intentionally cores when it should shutdown cleanly

Component: Local Traffic Manager

Symptoms:
Bigd can core instead of graceful shutdown under certain error conditions where a core is not needed.

Conditions:
Anything that caused bigd to shutdown under abnormal conditions.

Impact:
Bigd crash, core file created. Note that the shutdown scenario was already under error conditions, so this is not a sign that something has broken or failed outside that condition that caused the shutdown.

Workaround:

Fix:
Made bigd more selective about the situations where it self-cores on abnormal shutdown.


542564-3 : bigd detection and logging of load and overload

Component: Local Traffic Manager

Symptoms:
The bigd process cannot detect overload, and does not log its load status. This makes it difficult to determine whether bigd is close to its limits.

Conditions:
The bigd process might reach limits when there is very high load with high probe rate (monitor instances per second).

Impact:
bigd might fail to service monitors in a timely fashion, when under extreme load, which might result in 'flapping' nodes/pool members (where the node/pool member goes down and back up even though the server itself has not gone down).

Workaround:
-- Increase the probe interval for monitors so they probe less often. -- Switch from more 'expensive' monitors (e.g., https) to simpler monitors (e.g., http, tcp, tcp half-open, icmp).

Fix:
This release provides modifications to peak performance to significantly reduce the chance of node flapping. In addition, the ability to monitor bigd load has been added. Because bigd is not integrated with tmstats, the system logs load stats to the debug log file, /var/log/bigdlog. When debug logging is turned on, stats are mixed with the debug output. Load stats can be emitted independently with the following sys db var: modify sys db bigd.debug.timingstats value enable. With this db variable enabled, the system emits bigd load data to the debug log periodically (every 15 seconds per bigd process). The columns correspond to these stats: - load (0-100%) 1-minute mean. - load (0-100%) 5-minute mean. - number of monitor instances active for this bigd process. - number of active file descriptors, 30-second average, this process. - peak number of active file descriptors past 30 seconds, this process. In addition, the system logs warning messages to /var/log/ltm when bigd reaches 80%, 90%, and 95% load levels. The system logs an overload error to /var/log/ltm when bigd detects it is overloaded. The load level indicating overload is in the bigd.overload.latency sys db variable, which is set to 98% load, by default.


542511-2 : 'Unhandled keyword ()' error message in GUI and/or various ASM logs

Component: Application Security Manager

Symptoms:
'Unhandled keyword ()' error message may appear in 'Session Awareness Tracking' GUI page and/or various ASM logs, such as: learning manager log, asm config server log, main asm log. In the case of learning manager, it causes a crash of the latter. Learning manager process is then restarted ~15 seconds later.

Conditions:
ASM provisioned. Session Awareness Tracking is enabled.

Impact:
Uninformative errors in 'Session Awareness Tracking' GUI page and/or various ASM logs, such as: learning manager log, asm config server log, main asm log. Learning manager process restart.

idation Files before, then Bug 541406 will affect them, removing the existing Validation Files. The XML validation file association task would then need to be run again.

Fix:
ASM REST: The system correctly recognizes that the validationFiles field has not changed in value and does not fail the call.


541571-3 : FQDN ephemeral nodes not repopulated after recreating with swapped IP addresses

Component: Local Traffic Manager

Symptoms:
Under certain circumstances, ephemeral nodes that are force-deleted may not repopulate as expected.

ditions.

Impact:
See https://support.f5.com/kb/en-us/solutions/public/k/35/sol35358312.html

Workaround:
None.

Fix:
Rare HSB lockup on a 3900, 6900, 8900, 8950, 11000, 11050, PB100 or PB200 platform no longer occurs.


541852-1 : ASM REST: PATCH to XML Profiles with unmodified "validationFiles" fails

Component: Application Security Manager

Symptoms:
The "validationFiles" is not allowed to be modified via a PATCH call and will fail validation. Even if validationFiles is passed back in unmodified, the call still fails.

Conditions:
An ASM REST client attempts to PATCH the mgmt/tm/asm/policies/<ID>/xml-profiles/<ID> endpoint using "validationFiles"

Impact:
The XML Profile cannot be modified

Workaround:
The user can PATCH the object without supplying this field. However if there were Validation Files before, then Bug 541406 will affect them, removing the existing Validation Files. The XML validation file association task would then need to be run again.

Fix:
ASM REST: The system correctly recognizes that the validationFiles field has not changed in value and does not fail the call.


541571-3 : FQDN ephemeral nodes not repopulated after recreating with swapped IP addresses

Component: Local Traffic Manager

Symptoms:
Under certain circumstances, ephemeral nodes that are force-deleted may not repopulate as expected.

Conditions:
Sync group, multiple FQDNs resolving to different IP addresses. FQDNs deleted and re-created, with IP addresses swapped from deleted nodes to re-created ones.

Impact:
Ephemeral nodes may not repopulate as expected.

Workaround:
None.

Fix:
FQDN ephemeral nodes are now repopulated after being force-deleted and re-created with different IP addresses.


541569-3 : IPsec NAT-T (IKEv1) not working properly

Component: TMOS

Symptoms:
The incorrect source port is chosen for the IPsec/IKE NAT-T UDP encapsulated traffic. When IKE decides to float port when NAT device is detected, it should use port 4500 for both its source port and destination port.

Conditions:
NAT traversal is enabled on the IKE Peer configuration object and NAT device is detected during IKE negotiation.

Impact:
When NAT-T is enabled, IPsec tunnel cannot be established.

Workaround:
None.

Fix:
Now, when NAT-T is enabled, IPsec tunnel can be established as expected.


541406-1 : ASM REST: XML Profile Validation File Associations are Removed on a Partial PATCH Request

Component: Application Security Manager

Symptoms:
Updating an XML Profile via ASM REST with a partial body (ex. just an updated description) removes all attached WSDL validation files as if it had also received: "validationFiles": []

Conditions:
XML Profiles that utilize validation files are updated via REST

Impact:
If the full validation files structure is not re-iterated in the body, then the entire list of WSDL validation files will be emptied. This will cause the XML Schema to not be validated properly during enforcement.

Workaround:
Run the validation file association task again after updating the XML Profile

Fix:
ASM REST now correctly updates only specified fields on a PATCH request.


540996-2 : Monitors with a send attribute set to 'none' are lost on save

Component: TMOS

Symptoms:
Monitors that have a send, recv, or recv-disable attribute set to 'none' are lost on configuration save.

Conditions:
Saving a configuration containing a monitor configured with a send, recv, or recv-disable attribute set to 'none'.

Impact:
Monitor may send unexpected string.

Workaround:
None.

Fix:
Monitor send, recv, and recv-disable attributes now retains a 'none' value on configuration save.


540871-1 : Update/deletion of SNMPv3 user does not work correctly

Component: TMOS

Symptoms:
After creation of an SNMPv3 user via the GUI, SNMP operations for that user do not work if the admin subsequently modifies the user. Deletion of the SNMPv3 user also does not work correctly.

Conditions:
Save (even without modification) an SNMPv3 user after creation, or delete an SNMPv3 user.

Impact:
SNMP operations for that user do not work if the admin subsequently modifies the user. TMSH reports a deleted user as gone, but net-snmp does not process the deletion.

Workaround:
None.

Fix:
Using the GUI to update/delete SNMPv3 users now works as expected.


540849-7 : BIND vulnerability CVE-2015-5986

Component: TMOS

Symptoms:
An incorrect boundary check in openpgpkey_61.c can cause named to terminate due to a REQUIRE assertion failure. This defect can be deliberately exploited by an attacker who can provide a maliciously constructed response in answer to a query. (CVE-2015-5986)

Conditions:
BIND vulnerability CVE-2015-5986

Impact:
A remote attacker may be able to cause a denial-of-service (DoS) attack on the BIG-IP system's local instance of BIND by using a specially crafted DNS request in configurations that expose BIND to requests from untrusted users. If the BIND process (named) terminates or stops responding, the bigstart process will automatically restart the impacted daemon.

Workaround:
To mitigate this issue, if DNS recursion is not required, you can disable recursion in the BIND configuration. Additionally, when DNS recursion is required, you can limit exposure to the vulnerability by configuring an ACL to restrict DNS recursion to trusted users. For additional information, refer to SOL7055: Enabling DNS recursion in the named configuration on a BIG-IP GTM system.

Fix:
Resolved BIND vulnerability CVE-2015-5986. See AskF5 Solution Article SOL17227: BIND vulnerability CVE-2015-5986, available here https://support.f5.com/kb/en-us/solutions/public/17000/200/sol17227.html.


540846-7 : BIND vulnerability CVE-2015-5722

Component: TMOS

Symptoms:
Parsing a malformed DNSSEC key can cause a validating resolver to exit due to a failed assertion in buffer.c. It is possible for a remote attacker to deliberately trigger this condition, for example by using a query which requires a response from a zone containing a deliberately malformed key. (CVE-2015-5722)

Conditions:
BIND vulnerability CVE-2015-5722

Impact:
A remote attacker may be able to cause a denial-of-service (DoS) attack on the BIG-IP system's local instance of BIND by using a specially crafted DNS request in configurations that expose BIND to requests from untrusted users. If the BIND process (named) terminates or stops responding, the bigstart process will automatically restart the impacted daemon. Note: Recursive servers are at greatest risk from this defect, but some circumstances may exist in which the attack can be successfully exploited against an authoritative server.

Workaround:
If you require DNSSEC validation, there is no mitigation for this issue. However, if you have manually enabled the DNSSEC validation feature in the BIND configuration but do not require DNSSEC validation, you can mitigate this vulnerability by disabling/removing this feature in/from the BIND configuration. For more information about BIND's DNSSEC validation, refer to the official documentation BIND DNSSEC Guide from Internet Systems Consortium (ISC). Note: The previous link takes you to a resource outside of AskF5. The third party could remove the document without our knowledge.

Fix:
Resolved BIND vulnerability CVE-2015-5722. See AskF5 solution article SOL17181: BIND vulnerability CVE-2015-5722, available here https://support.f5.com/kb/en-us/solutions/public/17000/100/sol17181.html.


540767-2 : SNMP vulnerability CVE-2015-5621

Component: TMOS

Symptoms:
It was discovered that the snmp_pdu_parse() function could leave incompletely parsed varBind variables in the list of variables.

Conditions:
See SOL17378: https://support.f5.com/kb/en-us/solutions/public/17000/300/sol17378.html

Impact:
A remote, unauthenticated attacker could use this flaw to crash snmpd or, potentially, execute arbitrary code on the system with the privileges of the user running snmpd. (CVE-2015-5621)

Workaround:
This exposure can be mitigated by following the guidelines at SOL17378: https://support.f5.com/kb/en-us/solutions/public/17000/300/sol17378.html

Fix:
SNMP has been updated to net-snmp-5.5-54.el6_7.1 per RHSA-2015:1636-01. Moderate: net-snmp security update


540571-2 : TMM cores when multicast address is set as destination IP via iRules and LSN is configured

Component: Carrier-Grade NAT

Symptoms:
TMM may core when an iRule changes the destination address of a connection to use a multicast address such as 224.0.0.1. When the BIG-IP system looks up the route, it returns an internal route with no interface designed for use with multicast traffic. LSN expects to find an interface and crashes when it attempts to use the non-existent interface.

Conditions:
- CGNAT enabled and LSN pools configured on active virtual server that accepts traffic. - On the same virtual server, an iRule is configured that changes the destination IP to a multicast address in the 224.0.0.0/24 network.

Impact:
TMM crashes, interrupting traffic flow.

Workaround:
There are two workarounds: -- Remove the offending iRule that is sending traffic to the 224.0.0.0/24 network. -- Prevent traffic from using that destination in the iRule.

Fix:
TMM no longer cores when multicast address is set as destination IP via iRules and LSN is configured. Now, the system fails connections when the route's IFC is null, which is correct behavior.


540568-2 : TMM core due to SIGSEGV

Component: Local Traffic Manager

Symptoms:
TMM may core due to a SIGSEGV.

Conditions:
Occurs rarely. Specific conditions unknown. See related Bug 540571.

Impact:
TMM crashes, interrupting traffic flow.

Workaround:
None.

Fix:
Fixed an intermittent tmm core related to Bug 540571.


540484-2 : "show sys pptp-call-info" command can cause tmm crash

Component: Carrier-Grade NAT

Symptoms:
Core when "show sys pptp-call-info" is called.

Conditions:
On BIGIP with fastl4 virtual server forwarding PPTP GRE traffic, TMSH "show sys pptp-call-info" command can cause crash in TMM.

Impact:
TMSH "show sys pptp-call-info" command.

Workaround:
Do not issue "show sys pptp-call-info" command on BIGIP forwarding PPTP GRE traffic.

Fix:
Fixed crash from incorrectly matching PPTP ALG traffic in forwarding fastl4 virtual server.


540473-6 : peer/clientside/serverside script with parking command may cause tmm to core.

Component: Local Traffic Manager

Symptoms:
When the peer/clientside/serverside iRule contains parking commands, tmm might core upon connection reuse.

Conditions:
1. The iRule used in peer/clientside/serverside contains a parking command. 2. The connection is reused. This might occur in OneConnect configurations, for example.

Impact:
tmm might core.

Workaround:
Do not use parking commands in cases where the system might reuse the connection.

Fix:
When the peer/clientside/serverside iRule contains parking commands, tmm no longer cores upon connection reuse.


540390-2 : ASM REST: Attack Signature Update cannot roll back to older attack signatures

Component: Application Security Manager

Symptoms:
There is no way to roll back to an older attack signature update using the REST interface

Conditions:
REST is used to manage Attack Signature Updates on a BIG-IP device, and an older version than the currently installed file is desired to be installed.

Impact:
REST clients have no way to fully manage Attack Signature Updates for the BIG-IP

Workaround:
The GUI can be used to roll back to an earlier version

Fix:
The REST API now includes support for the "allowOlderTimestamp" field to the update-signatures task in order to allow rolling back to an older attack signature update using the REST interface. POST https://<host>/mgmt/tm/asm/tasks/update-signatures/ { "allowOlderTimestamp": true, <Rest of body as usual> }


539822-4 : tmm may leak connflow and memory on vCMP guest.

Component: TMOS

Symptoms:
tmm may leak connflow and memory on vCMP guests.

Conditions:
This occurs on a vCMP guest when only one tmm is provisioned on the blade.

Impact:
tmm leaks memory and might eventually crash from an out-of-memory condition.

Workaround:
Provision more than one tmm.

Fix:
tmm no longer leaks connflows and memory on vCMP guests when only one tmm is provisioned.


539784-4 : HA daemon_heartbeat mcpd fails on load sys config

Component: TMOS

Symptoms:
A particular stage of validation can take longer than the ha-daemon heartbeat interval, and while nothing is actually wrong, the system responds as if there is an unresponsive daemon, so the system restarts it.

Conditions:
iRules must be present in the configuration that the system is loading.

Impact:
MCPd restarts.

Workaround:
On the BIG-IP system, run the command: tmsh mod sys daemon-ha mcpd heartbeat disabled.

Fix:
Added additional heartbeats during validation, so HA daemon_heartbeat mcpd no longer fails on load sys config.


539270-6 : A specific NTLM client fails to authenticate with BIG-IP

Component: Access Policy Manager

Symptoms:
Specific NTLM client (such as Android Lync 2013) fails to authenticate with BIG-IP as it sends a particular NTLMSSP_NEGOTIATE which BIG-IP was not able to parse properly and throws an error. This effectively stops the authentication process, and this particular client never completes the authentication.

Conditions:
Specific NTLM client. It is not clear whether this issues affect a particular version of Android Lync 2013 or a particular Android version.

Impact:
Cannot complete the authentication, hence, not allowed to access protected resources.

Workaround:
No workaround exists for the affected clients.

Fix:
The BIG-IP system now processes NTLM requests for affected Lync clients, and users of the client are able to authenticate.


539229-7 : EAM core while using Oracle Access Manager

Component: Access Policy Manager

Symptoms:
Authentication with Oracle Access Manager can result in an exception while checking whether authentication is required. This is an intermittent issue.

Conditions:
This event can be triggered while using the Oracle Access Manager.

Impact:
An unhandled exception will cause EAM to core and possible access outage.

Workaround:
No workaround

Fix:
EAM handles exceptions gracefully during the authentication process when Oracle Access Manager is used.


539130-6 : bigd may crash due to a heartbeat timeout

Component: Local Traffic Manager

Symptoms:
bigd crashes and generates a core file. The system logs entries in /var/log/ltm that are similar to the following: sod[5853]: 01140029:5: HA daemon_heartbeat bigd fails action is restart. This issue is more likely to occur if /var/log/ltm contains entries similar to the following: info bigd[5947]: reap_child: child process PID = 9198 exited with signal = 9.

Conditions:
External monitors that run for a long time and are killed by the next iteration of the monitor. For example, the LTM external monitor 'sample_monitor' contains logic to kill a running monitor if it runs too long.

Impact:
bigd crashes and generates a core file. Monitoring is interrupted.

Workaround:
None.

Fix:
External monitors that run for a long time and are killed by the next iteration of the monitor now recover without bigd crashing and generating a core file.

Behavior Change:
bigd now logs child process exit messages in /var/log/bigdlog (so bigd.debug must be enabled) rather than in /var/log/ltm. This allows the logging to be controllable. Successful command exits are also logged for completeness since this the log messages only appears when debugging is enabled.


538837-1 : REST: Filtering login pages or parameters by their associated URL does not work

Component: Application Security Manager

Symptoms:
When attempting to filter the collection of configured login pages by their URL, the full list is returned instead of the desired results. The same problem exists for URL level Parameters.

Conditions:
The login-pages or parameters collection endpoints are queried with the following $filter: $filter=url/name eq '<URL NAME>'

Impact:
Incorrect results are returned to the REST client

Workaround:
None.

Fix:
REST $filter for associated URLs on login-pages and parameters endpoints now works correctly.


538784-3 : ICAP implementation incorrect when HTTP request or response is missing a payload

Component: Service Provider

Symptoms:
The ICAP request sent to the ICAP server always contains a payload even if the HTTP request or response to be modified does not contain one.

Conditions:
HTTP request or response does not contain a payload.

Impact:
If an HTTP request or response to be modified does not contain a payload, the ICAP client sends a zero-byte HTTP payload instead.

Workaround:
None.

Fix:
The system now correctly identifies an empty HTTP payload and sends the appropriate ICAP header, identifying that there is no HTTP payload included.


538722-3 : Configurable maximum message size limit for restjavad

Component: Centralized Management

Symptoms:
if the client issues a request to iControl REST that results in a large amount of data (approx 200 MB), restjavad goes into an out-of-memory condition when attempting to serialize the response prior to returning it to the client.

Conditions:
A message is received by restjavad that is larger than the total free heap space. The most common cause is that the system sends a broard query to icrd, which returns a very large response (approx 200 MB).

Impact:
restjavad becomes unresponsive until it is rebooted.

Workaround:
This fix exposes the maximum message size limit and allows a Network operator to change it by posting to a new configuration worker. An example is included below. The actual value varies by installation - load, average message size etc. Set it too low and the clients will receive 5xx errors even though there is sufficient memory. Set it too high and dangerously-large messages do not get dropped and might cause an out-of-memory exception. 5 MB is a recommended starting value. An example of setting the maximum message body size to 5kB (5000 bytes) on a machine called 'green.' The password needs to be changed appropriately. curl -s -k -u admin:PASSWORD -H "Content-Type: application/json" -H 'Connection: keep-alive' -X PUT "https://green/mgmt/shared/server/messaging/settings/8100" -d '{"maxMessageBodySize": "5000" }'.

Fix:
There is now a configurable maximum message size limit for restjavad. Restjavad still reaches an out-of-memory condition if it receives very large messages (approx 200 MB), but there is now an option of setting a 'hard cap' that causes restjavad to discard these large messages, preventing the out-of-memory condition.


538663-3 : SSO token login does not work due to remote role update failures.

Component: TMOS

Symptoms:
SSO token login does not work due to remote role update failures.

Conditions:
SSO between Enterprise Manager (EM) and a BIG-IP system using a third party authentication system, such as LDAP.

Impact:
Incorrect role assignment causing SSO login to not work. The system posts messages similar to the following: -- notice mcpd[6165]: 01070829:5: Input error: Remote user message dropped (adm184789 in [All]) because duplicate partition. -- err mcpd[6165]: 01070827:3: User login disallowed: User (adm184789) is not an administrator, does not have a UID of zero, and has not been assigned a role on a partition.

Workaround:
Login using remote user credentials on the BIG-IP system. This properly updates the role for the remote user.

Fix:
SSO token login now works with the correct role assignments to a remote user.


538639-3 : P-256 ECDH performance improvements

Component: Local Traffic Manager

Symptoms:
Recent changes in the TLS clients to only use perfect forward secrecy (PFS) ciphersuites in default configuration may degrade TLS handshake rate on BIG-IP, may cause higher CPU utilization on the BIG-IP, or both. An example of a recent change is Apple iOS's App Transport Security changes to only enable ECDH ephemeral ciphersuites (the ciphersuites with the ECDHE suffix).

Conditions:
Large portion of TLS client only offers *ECDHE* ciphersuites in their TLS CLientHello, the average size of the TLS session is small (e.g. in kilobytes), and the TLS session resumption is not used. In other words, the conditions such that the TLS handshakes likely negotiate ECDHE ciphersuites with short sessions.

Impact:
With this improvement, the TLS handshake rate with a ciphersuite ECDHE-RSA-AES128-GCM-SHA256 is expected to be ~50% higher on hardware platforms without Intel Cave Creek acceleration (released in 2015 and earlier). Internal testing has shown variations in the improvement between 20% and 80% with this enhancement. The comparison is against the current 12.0.x (or 11.6.x) release. The performance of ECDSA with P-256 was also improved. Conversely, previous versions of the BIG-IP will have correspondingly lower performance, or worse for older releases.

Workaround:
Order ciphersuite selection so that ECDH ciphersuites are least preferred. One method to accomplish this is to ensure that the clientssl profile's cipherstring contains 'ecdhe:ecdhe_ecdsa' at the end of the list. This will only matter/needed when non-PFS cipherssuites are allowed in the profile and are offered by the client.

Fix:
Performance improvements for P-256 ECDH and ECDSA algorithms.


538603-2 : TMM core file on pool member down with rate limit configured

Component: Local Traffic Manager

Symptoms:
TMM may produce a core file when attempting to retry to calculate the rate-limit on a pool member that has gone down.

Conditions:
This occurs when the following conditions are met: - service-down-action reselect. - rate limit specified. - traffic load balanced to pool members. - traffic is over the rate for all pool members. - all pool members go down.

Impact:
TMM cores.

Workaround:
Remove rate-limit configuration.

Fix:
TMM no longer produces a core file when attempting to retry to calculate the rate-limit on a pool member that has gone down.


538195-1 : Incremental Manual sync does not allow overwrite of 'newer' ASM config

Component: Application Security Manager

Symptoms:
ASM Sync was designed to only request the ASM portion of the configuration if it recognizes that a peer has a newer configuration. This precluded the ability to 'roll back' changes on a device by pushing from the peer that still has the older configuration.

Conditions:
Devices are set up in an Incremental Manual Sync ASM-enabled group.

Impact:
User is unable to 'roll back' changes on a device by pushing from the peer that has an older configuration.

Workaround:
Make a spurious change on the device that has an older configuration and then push the changes to the peer.

Fix:
Older ASM configurations can now be pushed to a peer in an incremental sync manual device group.


538024-3 : Configuration containing a virtual server with a named wildcard destination address ('any6') may fail to load

Component: TMOS

Symptoms:
Configuration fails to load with an error similar to the following: A port number or service name is missing for '/Common/any6%2.0'. Please specify a port number or service name using the syntax '/Common/any6%2.0:<port>'.

Conditions:
Configuration contains a virtual with destination address in the form of: any6%<route domain>.<port>.

Impact:
Configuration load failure.

Workaround:
None.

Fix:
The BIG-IP system now uses the correct port delimiter when parsing destination addresses containing a named wildcard service and non-default route domain.


537988-5 : Buffer overflow for large session messages

Component: Local Traffic Manager

Symptoms:
System with multiple blades may crash when when configured with functionality that utilizes SessionDB.

Conditions:
On a multi-blade machine, send an MPI message larger than 64K between blades (typically a session message).

Impact:
Core or potential data corruption.

Workaround:
None.

Fix:
There is no longer a buffer overflow for large session messages.


537964-4 : Monitor instances may not get deleted during configuration merge load

Component: Local Traffic Manager

Symptoms:
After performing a configuration merge load (for example, "tmsh load sys config merge ...") that changes an existing pool's monitor, old monitor instances may not get deleted. This can result in a system generating monitor requests that are no longer part of the configuration. It can also result in the system logging messages such as the following: err mcpd[8793]: 01070712:3: Caught configuration exception (0), Can't find monitor rule: 42.

Conditions:
Pools with monitors configured must exist. The merge load must replace the pool's monitor.

Impact:
Multiple monitor instances may be active on some pool members. This may result in incorrect monitoring status.

Workaround:
Once a system is affected by this issue, the misbehavior can be resolved by doing the following: 1. Save and re-load the configuration to correct the incorrect information in mcpd: tmsh save sys config partitions all && tmsh load sys config partitions all 2. Restart bigd: On an appliance: bigstart restart bigd On a chassis: clsh bigstart restart bigd

Fix:
Ensure that all relevant monitor instances are deleted when replacing a pool's monitor.


537435-1 : Monpd might core if asking for export report by email while monpd is terminating

Component: Application Visibility and Reporting

Symptoms:
Core file is created by monpd if you try to export a report by email while monpd is terminating.

Conditions:
Very rare case that can happen if user asks to export report by email in the middle of monpd's graceful termination (due to restart or other reason) will cause core dump (not graceful termination).

Impact:
None

Workaround:
Fixed to code to avoid this behavior.

Fix:
Exporting a report by email in the middle of monpd's graceful termination (due to restart or other reason) will no longer cause a core dump.


536690-4 : Occasional host-tmm connections within a chassis will fail (affects APM processes trying to connect to a tmm)

Component: Local Traffic Manager

Symptoms:
When using features that require a process on the host to connect to a specific tmm within a chassis, those connections sometimes fail. This can result in improper behavior of the feature, such as failure to create sessions in APM.

Conditions:
Using a module and feature that requires host-tmm communication within a chassis. Requires that the fix to ID 499430 be present.

Impact:
Possible service failure, such as disallowing entry to APM.

Workaround:
none

Fix:
Host-to-tmm connections within a chassis no longer fail.


535759-3 : SMTP monitor marks a server down if the server does not close connections after a quit command is received

Component: Local Traffic Manager

Symptoms:
The SMTP monitor marks a server down even when the server responds with a 250 message to the HELO command. Monitor debug output might show the following error messages: -- ERROR: failed to complete the transfer, error code: 28 error message: Time-out. -- ERROR: failed to complete the transfer, error code: 56 error message: Recv failure: Connection reset by peer.

Conditions:
The monitored server does not close the TCP connection (does not send a FIN) after receiving a QUIT command from the client.

Impact:
The monitored server is always marked down.

Workaround:
None.

Fix:
SMTP monitor now closes the TCP connection (sends a FIN) after receiving a QUIT command from the client, so an SMTP monitor does not mark a server down when it is available.


535246-6 : Table values are not correctly cleaned and can occupy entire disk space.

Component: Application Visibility and Reporting

Symptoms:
AVR data in MySQL might grow to fill all disk space.

Conditions:
This might occur when DNS table receives a large number of entries that are not being evicted when they are no longer needed.

Impact:
MySQL stops responding. Site might experience down time due to full disk.

Workaround:
If monitoring disk space and AVR data takes more than 70% of the space, reset AVR data by running the following commands sequentially: -- touch /var/avr/init_avrdb. -- bigstart restart monpd.

Fix:
In this release, the system handles AVR data in MySQL so that database size no longer grows beyond a certain point.


535188-3 : Response Pages custom content with \n instead of \r\n on policy import.

Component: Application Security Manager

Symptoms:
After importing policy with custom content on the Default Response Page, new lines are changed from \r\n to \n and it shouldn’t.

Conditions:
1. Create New Policy. 2. Go to Security : Application Security : Policy : Response Pages 3. On Default Response Page, change Response Type to 'Custom Response'. 4. Add 'Enters' to the 'Response Body' and save it. (for example: <html><head><title>Request Rejected</title></head><body>The requested URL was rejected. Please consult with your administrator.<br><br>Your support ID is: <%TS.request.ID()%></body></html>). 5. View the REST state of the response page and see that the new lines presented by '\r\n'. 6. Export the policy to XML. 7. Import the policy back (replace the old policy). 8. Now the 'new lines' in the content of the response page presented by '\n' instead of '\r\n'.

Impact:
After importing policy with custom content on Default Response Page, new lines are changed from \r\n to \n and it shouldn’t.

Workaround:
In GUI, Go to Security : Application Security : Policy : Response Pages, remove and add the 'Enters' and click on 'Save' for the default response page.

Fix:
After importing a policy with custom content on the Default Response Page, new lines are no longer changed from \r\n.


535101-1 : Connections to LSN pools in PBA mode may cause tmm core if used in conjunction with udp_gtm_dns profile.

Component: Carrier-Grade NAT

Symptoms:
LSN configured in PBA mode can cause tmm to core if a connection needs to obtain resources from a remote tmm process. This occurs most frequently during heavy load or when there is a small translation space(low number of translation addresses) configured on the PBA lsnpool.

Conditions:
- LSN with PBA mode configured. - udp_gtm_dns profile configured on the virtual server handling traffic. - Heavy traffic or small translation space.

Impact:
tmm cores and BIGIP can no longer handle traffic. Connections are interrupted.

Workaround:
Remove udp_gtm_dns profile from the virtual server, and replace it with fast L4.

Fix:
LSN pool configured with PBA mode no longer crashes with heavy load and udp_gtm_dns profile configured.


534804-2 : TMM may core with rate limiting enabled and service-down-action reselect on poolmembers

Component: Local Traffic Manager

Symptoms:
TMM may produce a core file when calculating the rate limit in certain circumstances.

Conditions:
VIP/pool configuration contains: - Pool configured with + Action On Service Down is set to Reselect - Pool members configured with + Connection Rate Limit is set If all pool members go down, this can trigger the core

Impact:
TMM will core.

Workaround:
Remove rate limit configuration.

Fix:
TMM no longer cores in certain conditions with rate limiting and service-down-action reselect on poolmembers


534633-3 : OpenSSH vulnerability CVE-2015-5600

Component: TMOS

Symptoms:
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list.

Conditions:
SSH access is enabled.

Impact:
Remote attackers may be able to conduct brute-force attacks or cause a denial-of-service (DoS) by way of the ssh -oKbdInteractiveDevices option.

Workaround:
To mitigate this vulnerability, you should permit management access to F5 products only over a secure network and limit shell access to trusted users.

Fix:
In this release, the system only query each keyboard-interactive device once per authentication request regardless of how many times it is listed. This is correct behavior. (CVE-2015-5600)


534582-4 : HA configuration may fail over when standby has only base configuration loaded.

Component: TMOS

Symptoms:
The active unit may fail over when only the base configuration is loaded on a standby system, and HA communications in the HA configuration is interrupted.

Conditions:
Only base configuration loaded on standby and HA communications are disrupted.

Impact:
Potential site outage.

Workaround:
Configure HA to use multiple network interfaces. Avoid loading only the base configuration on HA configurations.

Fix:
HA configuration no longer fails over when a standby system has only the base configuration loaded.


534458-6 : SIP monitor marks down member if response has different whitespace in header fields.

Component: Local Traffic Manager

Symptoms:
In certain circumstances the SIP monitor may incorrectly mark a SIP pool member down. This is due to the comparison the monitor makes of the standard header fields in the SIP monitor request to the response.

Conditions:
SIP monitor and response differ in the use of whitespace in the header fields, for example, 'field:value' and 'field: value'.

Impact:
Unable to monitor the SIP pool member accurately using the standard SIP monitor because the pool member will be marked down.

Workaround:
Use other types of monitors, e.g., UDP.

Fix:
SIP monitor now correctly processes monitor responses when the use of whitespace in header fields differ.


534457-2 : Dynamically discovered routes might fail to remirror connections.

Component: Local Traffic Manager

Symptoms:
When using dynamic routing, it's possible that L4 connections fail to remirror after a restart on the standby device. Initial mirroring works as expected, but remirroring might not work.

Conditions:
Using dynamic routes and mirroring, and either the active or standby restarts. If the active restarts, failover completes correctly, but connections might not remirror to the previously active device after it comes back online.

Impact:
Dynamically discovered routes might fail to remirror connections. One-way failover, similar to L7 virtual servers. Initial failover works as expected; subsequent failovers might drop connections.

Workaround:
Provide a static route instead of dynamic routes.

Fix:
Remirroring L4 connections using dynamic routes works correctly. (Note that when using dynamic routes it is not guaranteed that the active and standby systems will use the same routes; if the same routing is required on both active and standby fails over, there might be some dropped connections.)


534246-2 : rest_uuid should be calculated from the actual values inserted to the entity

Component: Application Security Manager

Symptoms:
BIG-IP computes the case-sensitive rest_uuid values for HTTP headers but stores the headers as case-insensitive.

Conditions:
This is an example: 1. Go to Security>>Application Security>>Headers>>HTTP Headers. 2. Choose 'Custom...' for the name of the header. 3. Create a custom header as follows use name 'Abc' with Capital letter. 4. Remember the ID generated in the JSON element. 5. Delete the header. 6. Create a new custom header and use the name 'abc'. Actual Results: The ID of 'abc' and the ID of 'Abc' are different.

Impact:
Two identical normalized values may have different rest_uuid.

Workaround:
N/A

Fix:
The REST "id" field is now calculated from the actual values inserted to the entity, and not on the user-input values.


534090-2 : Node.js vulnerability CVE-2015-5380

Component: Local Traffic Manager

Symptoms:
The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in Google V8, as used in Node.js before 0.12.6, io.js before 1.8.3 and 2.x before 2.3.3, and other products, does not verify that there is memory available for a UTF-16 surrogate pair, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted byte sequence. (CVE-2015-5380)

Conditions:
Running one of the vulnerable versions. For more information, see SOL17238: Node.js vulnerability CVE-2015-5380, available here: https://support.f5.com/kb/en-us/solutions/public/17000/200/sol17238.html.

Impact:
For the f5-rest-node package on both the BIG-IP and BIG-IQ systems: A locally authenticated attacker with access to the command line may be able to cause a partial denial-of-service (DoS) to the system through exploitation of this issue. For the BIG-IQ UI node package: A remote attacker may be able to cause a denial of service (DoS) to the system through exploitation of this issue.

Workaround:
There is no mitigation for this vulnerability. However, F5 recommends that you permit management access to affected F5 products only over a secure network, and limit shell access to trusted users. For more information about securing access to BIG-IP systems, refer to SOL13309: Restricting access to the Configuration utility by source IP address (11.x) and SOL13092: Overview of securing access to the BIG-IP system.

Fix:
Node.js vulnerability CVE-2015-5380


534076-2 : SNMP configured trap-source might not be used in v1 snmp traps.

Component: TMOS

Symptoms:
As a result of a known issue, SNMP v1 traps with configured trap-source might fail to use the configured address, and will use the default management port IP address instead.

Conditions:
- SNMP v1 traps and destination configured. - trap-source configured.

Impact:
Traps will have the incorrect agent-addr set, and SNMP configured trap-source might not be used.

Workaround:
None.

Fix:
SNMP v1 traps now correctly use the configured trap-source.


534052-3 : VLAN failsafe triggering on standby leaks memory

Component: Local Traffic Manager

Symptoms:
Memory is leaked when VLAN failsafe is active and sending ICMP probes.

Conditions:
VLAN failsafe active and sending ICMP probes on standby and configured with failsafe-action failover.

Impact:
Memory leak causing aggressive sweeper and eventually TMM crash on standby.

Workaround:
None.

Fix:
Memory is no longer leaked when VLAN failsafe is active and sending ICMP probes.


533826-5 : SNMP Memory Leak on a VIPRION system.

Component: TMOS

Symptoms:
The snmpd image increases in size on a VIPRION system.

Conditions:
Run continuous snmpbulkwalk operations.

Impact:
The snmpd image increases, and might eventually result in a crash. The ltm log might contain an error message similar to the following: err mcpd[7061]: 01071087:3: Killed process for snmpd as current count of messages (965505855) keeps building.

Workaround:
To reset the memory usage and stop the snmpd daemon from coring, run the following command: bigstart restart snmpd.

Fix:
The snmpd image no longer increases in size on a VIPRION system processor.


533820-5 : DNS Cache response missing additional section

Component: Local Traffic Manager

Symptoms:
Resolver cache lookups are missing authority and additional sections.

Conditions:
Resolver cache lookups could be missing the authority and additional sections for A and AAAA queries if the DO bit is also not set.

Impact:
If the requesting client needs the information that would normally be included in the authority or additional sections, it would have to make additional queries to acquire that data.

Workaround:
none

Fix:
The resolver cache now correctly includes the information available for the authority and additional sections if the information is available.


533790-4 : Creating multiple address entries in data-group might result in records being incorrectly deleted

Component: TMOS

Symptoms:
Using the GUI to create multiple address entries in data-group might result in records being incorrectly deleted

Conditions:
Creating multiple address entries in data-group

Impact:
Cannot add/remove IP addresses from existing data groups without affecting existing IP addresses through GUI.

Workaround:
Use TMSH to add/remove IP addresses from existing data groups.

Fix:
You can now use the GUI to add/remove IP addresses from a data-group IP address list without affecting other IP addresses.


533658-5 : DNS decision logging can trigger TMM crash

Component: Global Traffic Manager

Symptoms:
Applying load balance decision logging to the DNS profile can cause TMM to crash when a query is load balanced to a last resort pool that is unavailable.

Conditions:
-- DNS load balance decision logging is enabled on the DNS profile, A Wide IP is configured with a last resort pool. -- The last resort pool is unavailable. -- A query is load balanced to the last resort pool.

Impact:
TMM crashes and restarts.

Workaround:
Disable decision logging for the DNS profile, or discontinue use of the last resort pool feature.

Fix:
DNS decision logging no longer causse TMM to crash when a last resort pool is configured for a Wide IP, that last resort pool is unavailable, and a query is load balanced to that last resort pool.


532911-2 : Setting 'Untrusted Certificate Response Control' to ignore in server SSL profile does not ignore self-signed untrusted certificates.

Component: Local Traffic Manager

Symptoms:
Setting 'Untrusted Certificate Response Control' to ignore in server SSL profile does not ignore self-signed untrusted certificates.

Conditions:
In server SSL profiles with 'Untrusted Certificate Response Control' set to ignore. When backend server sends self-signed untrusted certificate.

Impact:
The ltm log displays this error: Peer cert verify error: unable to verify the first certificate.

Workaround:
None.

Fix:
Ignore X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE certificate validation error message when serverssl profile sets 'Untrusted Certificate Response Control' to ignore.


532107-2 : [LTM] [DNS] Maximum RTT value for nameserver cache still exists after nameserver cache is deleted

Component: Local Traffic Manager

Symptoms:
If RTT value for nameserver cache reached the maximum value as 120000, even after executing 'delete ltm dns cache nameserver', BIG-IP still keeps the past maximum RTT value.

Conditions:
The RTT for the nameserver cache reached the maximum value of 120000.

Impact:
This can cause dns response failure.

Workaround:
Change size for nameserver-cache-count to reset the nameserver cache. # tmsh modify /ltm dns cache resolver my_dns_cache nameserver-cache-count 16536

Fix:
Maximum RTT value for nameserver cache is now deleted when the nameserver cache is deleted, which is correct behavior.


531986-3 : Hourly AWS VE license breaks after reboot with default tmm route/gateway.

Component: TMOS

Symptoms:
In AWS Hourly instances, if a default gateway is added, the hourly license may fail, causing BIG-IP to fail to come up to a running state. Error messages will resemble the following: Jul 6 19:26:14 ip-10-0-0-104 err mcpd[22186]: 01070734:3: Configuration error: MCPProcessor::check_initialization: Jul 6 19:26:17 ip-10-0-0-104 err mcpd[22186]: 010717ff:3: [Licensing]: Failure in establishing instance identity.

Conditions:
Hourly instance in AWS with default tmm route added.

Impact:
BIG-IP VE will fail to fully start, rendering the instance unusable.

Workaround:
Temporary removal of default tmm route resolves this problem. The tmm route can be added back once MCPD is in the running state.

Fix:
The problem with default tmm route breaking Hourly licenses has been resolved. The default tmm route no longer affects the license check on Hourly billing Virtual Edition.


531983-5 : [MAC][NA] Routing table is not updated correctly in connected state when new adapter is added

Component: Access Policy Manager

Symptoms:
Routing table is not updated correctly in connected state when new adapter is added to the system.

Conditions:
SSL VPN tunnel is established and new adapter is added to the system. For example, Wi-Fi connected when tunnel is established already over Ethernet adapter.

Impact:
Routing table might be corrupted.

Workaround:
Restart OS X.

Fix:
Routing table now updates correctly when new adapter is added to the system while SSL VPN tunnel is already established over an network adapter.


531809-2 : FTP/SMTP traffic related bd crash

Component: Application Security Manager

Symptoms:
Protocol Security: The Enforcer may crash upon FTP or SMTP traffic using remote logging.

Conditions:
FTP/SMTP traffic and remote logging assigned. Crash happens on a rare occasion.

Impact:
bd crash, traffic disturbance.

Workaround:
Remove the remote logging from FTP/SMTP.

Fix:
Protocol Security: The Enforcer no longer crashes upon FTP or SMTP traffic using remote logging.


531705-2 : List commands on non-existent iRules incorrectly succeeds.

Component: TMOS

Symptoms:
In certain cases, issuing an iControl REST or tmsh list rule command on a non-existent iRule can return successfully with an empty list. Instead it should return an error that the specified iRule does not exist.

Conditions:
If any iRule happens to exist in a different folder than the current folder context.

Impact:
The user is unable to rely on receiving an error from tmsh or iControl REST if they query for iRules that do not exist.

Workaround:
There is no workaround.

Fix:
Issuing a list command for a non-existent iRule now successfully returns an error.


530952-1 : MySql query fails with error number 1615 'Prepared statement needs to be re-prepared'

Component: Application Visibility and Reporting

Symptoms:
MySql query fails with error number 1615 'Prepared statement needs to be re-prepared'. Errors in monpd.log similar to the following: [DB::mysql_query_safe, query failed] Error (error number 1615) executing SQL string ...

Conditions:
This is due to a MySql bug. For information, see 'Prepared-Statement fails when MySQL-Server under load', available here: http://bugs.mysql.com/bug.php?id=42041

Impact:
Monpd loses functionality

Workaround:
Restart monpd.

Fix:
Error number 1615, 'Prepared statement needs to be re-prepared', no longer occurs in the monpd.log.


530761-1 : TMM crash in DNS processing on a TCP virtual

Component: Local Traffic Manager

Symptoms:
TMM can crash while processing DNS requests on a TCP virtual server.

Conditions:
A TCP DNS virtual server combined with a DNS iRule that suspends and a client that closes its connection before receiving a response to its DNS request.

Impact:
TMM restarts.

Workaround:
While no true workaround exists, the situation can be avoiding by removing any one of the conditions above.

Fix:
TMM now properly handles DNS requests through a TCP virtual where the client closes the connection during iRule processing.


530622-1 : EAM plugin uses high memory when serving very high concurrent user load

Component: Access Policy Manager

Symptoms:
EAM plugin cannot sustain high concurrent user load and will be killed by memory monitors. EAM is cored and restarted. Any requests coming during restart will not be served.

Conditions:
We found this issue in stress testing and reported by customers during high concurrent user load.

Impact:
As a result, EAM cored and restarted; users cannot authenticate during process restart.

Workaround:
No workaround.

Fix:
There was a memory usage issue in the EAM plugin that was caused by a huge object allocation for each connection. This issue is fixed by reducing the default size of client cert and payload arrays.


530598-1 : Some Session Tracking data points are lost on TMM restart

Component: Application Security Manager

Symptoms:
Session Tracking data points, that are added by ASM upon traffic, based on Session Tracking thresholds configuration, are lost when TMM restarts.

Conditions:
ASM Provisioned. Session Tracking feature is ON.

Impact:
Session Tracking data points may be added by ASM upon traffic. These are data points with action 'Block-All'. These data points are lost when TMM restarts.

Workaround:
None.

Fix:
This release fixes the Session Tracking data points persistence, so that the 'Block-All' Session Tracking data points, which are added by ASM upon traffic, are not lost when TMM restarts.


530505-4 : IP fragments can cause TMM to crash when packet filtering is enabled

Component: Local Traffic Manager

Symptoms:
TMM can crash when an IP fragment is received and packet filtering is enabled.

Conditions:
This issue can occur when packet filtering is enabled and an IP fragment is received on the non-owning TMM. To determine if packet filtering is enabled, then the packetfilter setting can be queried by using the 'tmsh list sys db packetfilter' command.

Impact:
TMM crashes when it attempts to forward the fragment to the owning TMM. Traffic interruption while TMM restarts.

Workaround:
Disable packet filtering.

Fix:
When packet filtering is enabled and an IP fragment is received on the non-owning TMM, TMM forwards the IP fragment without issue.


530242-3 : SPDAG on VIPRION B2250 and B2250F blades might cause traffic imbalance among TMMs

Component: TMOS

Symptoms:
When SPDAG is turned on VIPRION B2250 and B2250F blades, the traffic imbalance among TMMs might be observed.

Conditions:
Enable SPDAG on VIPRION B2250 and B2250F blades.

Impact:
The traffic imbalance can lower the throughput of VIPRION B2250 and B2250F blades.

Workaround:
Adding or removing a A112 blade might mitigate the imbalance.

Fix:
A new DAG hash is added for SPDAG on VIPRION B2250 and B2250F blades, which can resolve the SPDAG traffic imbalance. The new DAG hash can be turned on by setting tmm tcl variable, dag::use_p8_sp_hash, to yes. Add the following to /config/tmm_init.tcl file: dag::use_p8_sp_hash yes.


530133-3 : Support for New Platform: BIG-IP 10350 FIPS

Component: TMOS

Symptoms:
Support for New Platform: BIG-IP 10350 FIPS, effective in 11.5.4 HF1

Conditions:
This details the new platform name.

Impact:
This is an added platform. There is no impact to the product.

Workaround:
None needed.

Fix:
This release provides support for New Platform: BIG-IP 10350 FIPS. You can find more information in Platform Guide: 10000 Series, available here: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/pg-10200v.html.

Behavior Change:
This release provides support for New Platform: BIG-IP 10350 FIPS. You can find more information in Platform Guide: 10000 Series, available here: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/pg-10200v.html.


529977-1 : OSPF may not process updates to redistributed routes

Component: TMOS

Symptoms:
When routes redistributed into OSPF are rapidly added and removed, OSPF may not reflect all of the updates in its LSA database.

Conditions:
External routes, such as kernel or static, redistributed into OSPF being rapidly added and removed. This my happen when using Route Health Injection and enabling/disabling a virtual address.

Impact:
The OSPF may have stale or missing LSAs for redistributed routes.

Workaround:
Identify the OSPF process ID for the affected route domain using "ps | grep ospfd" and terminate it using the kill command. This disrupts dynamic routing using OSPF.

Fix:
The OSPF LSA database correctly reflects the state of redistributed routes after rapid updates.


529920-7 : Connection mirroring with OneConnect on a virtual server can cause TMM crash on standby unit

Component: Local Traffic Manager

Symptoms:
TMM crashes on the standby unit.

Conditions:
This is a standby-only failure. Connection mirroring on a OneConnect virtual server can lead to a TMM crash during connection establishment.

Impact:
TMM restarts, and the standby is not available for failover. When the standby unit comes back up it does not have the mirrored flows from the active unit, so failover results in loss of those connection flows.

Workaround:
None.

Fix:
Connection mirroring on a OneConnect virtual server now successfully recovers from a TMM crash during connection establishment, so no mirrored connection flows are lost.


529903-1 : Incorrect reports on multi-bladed systems

Component: Application Visibility and Reporting

Symptoms:
Reports on multi-bladed systems might contain incorrect data, if the blades are active at different times, and do not share the same level of history. A report appears on a different time range than expected.

Conditions:
Example: A setup with 3 blades, and 2 are down while the active 1 receives traffic for a full day. Later the 2 down blades go up. The resulting report for 'last day' contains data only for the previous hour, even though traffic has been passing through it for the last day.

Impact:
Report not as expected.

Workaround:
None.

Fix:
Reports on multi-bladed systems are now displayed correctly even when the blades are active at different times, and do not share the same level of history.


529900-1 : AVR missing some configuration changes in multiblade system

Component: Application Visibility and Reporting

Symptoms:
Some DB variables affect the behavior of AVR, but if they are modified in a multiblade system, then not all blades will be aware of the change, which later leads to errors in functionality.

Conditions:
Multiblade system, having one of the following changes: 1. New primary blade is selected. 2. Change to AVR max number of entities in the DB.

Impact:
Data might not be loaded into the DB, or not be queried correctly.

Workaround:
Restart of monpd solves the problem.

Fix:
Configuration changes in multiblade systems are now treated correctly.


529899-1 : Installation may fail with the error "(Storage modification process conflict.)".

Component: Local Traffic Manager

Symptoms:
On chassis, installation may fail with the error "(Storage modification process conflict.)".

Conditions:
This happens when deleting a boot location and then quickly installing new software to that boot location.

Impact:
Minimal; the installation can be restarted.

Workaround:
Delete the failed volume and restart the installation.

Fix:
On chassis, there was one possible case where the installation would occasionally fail with the error "(Storage modification process conflict.)". This case has been fixed.


529897-1 : Diameter monitor logging displays hex when monitor failing instead of the AVP which the monitor is failing on.

Component: Local Traffic Manager

Symptoms:
Failed diameter monitor logging displays hex instead of the AVP on which the monitor failed.

Conditions:
Logging is enabled on a pool member which is being checked by a diameter monitor, and the monitor is failing.

Impact:
Difficult to determine the reason for the diameter monitor failure.

Workaround:
None.


529634-2 : Crash observed with HSL logging

Component: Policy Enforcement Manager

Symptoms:
In some cases, we see a crash with HSL logging.

Conditions:
Configure a HSL endpoint with session reporting. This crash is observed when multiple sessions are configured with hsl session reporting.

Impact:
Tmm cores.

Workaround:

Fix:
The crash was due to variables shared across threads. Changed this to a per thread variable.


529610-1 : On HA setups ASM session tracking page display an empty list when in fact there are asm entries in session db

Component: Application Security Manager

Symptoms:
When session tracking actions are enabled in ASM policy, an HTTP request may be blocked based on HTTP session or username and illegal traffic that has been sent from this session. The blocked request is reported in the security events log, but there is no option to release the username using the Configuration utility.

Conditions:
High availability (HA) setup, and ASM with Session tracking actions enabled.

Impact:
Usernames and HTTP sessions are blocked by ASM without an option to release them from the Configuration utility.

Workaround:
Stop and start tmm on all devices in the HA group by running the following commands: -- bigstart stop tmm -- bigstart start tmm

Fix:
Using the Configuration utility, BIG-IP system administrators can now release blocked usernames and sessions. This is done on the Session Tracking Status screen.


529535-4 : MCP validation error while deactivating a policy that is assigned to a virtual server

Component: Application Security Manager

Symptoms:
When deactivating a security policy via REST, and the policy is assigned to a virtual server, then BIG-IP reports the following error: ---------------------------- "MCP Validation error - 01071726:3: Cannot deactivate policy action '/Common/<VS_name>'. It is in use by ltm policy '/Common/<L7_policy_name>'.", ---------------------------- However, the security policy becomes inactive and remains assigned to virtual server. This will cause the virtual server to stop processing network traffic, and there will be the following errors in 'bd.log': ---------------------------- BD_MISC|ERR |Jun 24 12:53:35.698|17566|src/acc_reject_policy.c:0165|Account id 10 has no reject policy configured. Cannot get data ----------------------------

Conditions:
ASM provisioned, with a security policy assigned to a Virtual Server, then the security policy is deactivated via the REST API

Impact:
An inactive security policy remains assigned to a Virtual Server

Workaround:
Deactivate the security policy via GUI at: 'Security ›› Application Security : Security Policies : Active Policies':

Fix:
The deactivation of a security policy using the REST API now removes the association of the deactivated policy from the virtual server, resulting in no errors and consistent configuration state.


529509-6 : BIND Vulnerability CVE-2015-4620

Component: TMOS

Symptoms:
A flaw was found in the way BIND performed DNSSEC validation.

Conditions:
Red Hat Product Security has rated this update as having Important security impact. Due to F5 architecture and design this has restricted impact and only impacts GTM and only in a non-default configuration.

Impact:
An attacker able to make BIND (functioning as a DNS resolver with DNSSEC validation enabled) resolve a name in an attacker-controlled domain could cause named to exit unexpectedly with an assertion failure. (CVE-2015-4620)

Workaround:

Fix:
A in DNSSEC validation has been fixed.


529484-4 : Virtual Edition Kernel Panic under load

Component: TMOS

Symptoms:
Virtual Edition instances may crash with a kernel panic under heavy traffic load.

Conditions:
Virtual Edition instances passing 10 Gbps of traffic on interfaces that support LRO.

Impact:
When the issue occurs the Virtual Edition instance will reboot.

Workaround:
Disable LRO on the underlying hypervisor, if possible.

Fix:
Virtual Edition instances now stays active when instances passing 10 Gbps of traffic on interfaces that support LRO.


529460-7 : Short HTTP monitor responses can incorrectly mark virtual servers down.

Component: Global Traffic Manager

Symptoms:
Despite successful probe response, BIG-IP DNS marks virtual server down.

Conditions:
HTTP server sends HTTP response that is shorter than 64 bytes.

Impact:
Virtual servers are incorrectly marked down.

Workaround:
Modify server response or use a TCP monitor.

Fix:
BIG-IP DNS HTTP/1.x monitor probe now requires 17, rather than 64 bytes of response payload, so HTTP monitor responses HTTP response that is shorter than 64 bytes no longer incorrectly mark virtual servers down.


528987-3 : Benign warning during formatting installation

Component: TMOS

Symptoms:
The system posts a benign warning during formatting installation: warning: array conf_write could not find data disk.

Conditions:
This occurs during formatting installation.

Impact:
This is a benign error message that does not indicate an issue with the system. You can safely ignore it.

Workaround:
None needed. This is a cosmetic message.

Fix:
This benign warning during formatting installation has been eliminated: warning: array conf_write could not find data disk.


528808-3 : Source NAT translation doesn't work when APM is disabled using iRule

Component: Access Policy Manager

Symptoms:
Source NAT translation does not happen and server-side connection fails.

Conditions:
ACCESS::disable iRule is added to the virtual server.

Impact:
Proxy's server-side connection fails.

Workaround:
Do not use the ACCESS::disable iRule command.

Fix:
Restore the source address translation correctly even if an iRule has disabled APM.


528739-1 : DNS Cache could use cached data from ADDITIONAL sections in ANSWER responses.

Component: Local Traffic Manager

Symptoms:
DNS Caching could use cached data from ADDITIONAL sections of previous lookups in the ANSWER section of responses.

Conditions:
This occurs when using DNS Caching

Impact:
The data from the ADDITIONAL section should not be used in the ANSWER section of DNS responses. The data could be stale or incorrect.

Workaround:
None

Fix:
The DNS Cache now correctly ignores data from the ADDITIONAL section when constructing the ANSWER section.


528407-4 : TMM may core with invalid lasthop pool configuration

Component: Local Traffic Manager

Symptoms:
In certain circumstances, TMM may core if the unit is configured with an invalid, non-local lasthop pool,

Conditions:
1) BIG-IP system with VIP and lasthop pool with non-local pool member. 2) Sys db tm.lhpnomemberaction set to 2.

Impact:
TMM cores and fails over.

Workaround:
Configure lasthop pool to use local members/addresses.

Fix:
TMM no longer cores with an invalid lasthop pool configuration.


528276-7 : The device management daemon can crash with a malloc error

Component: TMOS

Symptoms:
The device management daemon can core if a timeout condition occurs during an iControl query. The daemon recovers and proceeds with the operation.

Conditions:
A timeout can occur during an iControl query and in some instances this can cause a core.

Impact:
The daemon crashes and recovers.

Workaround:
This issue has no workaround at this time.

Fix:
The device management daemon no longer causes a crash when a timeout condition occurs during an iControl query.


528031-3 : AVR not reporting the activity of standby systems.

Component: Application Visibility and Reporting

Symptoms:
When working in Active/Standby configurations, the standby system is completely ignored when generating an AVR report. The standby system might have been an active system in the past, so its statistics should also be counted.

Conditions:
Configuration with Active and Standby systems.

Impact:
Some historical activity might not be reported by AVR.

Workaround:
None.

Fix:
We added device group support, and the user can now choose the device group to query from.


528007-6 : Memory leak in ssl

Component: Local Traffic Manager

Symptoms:
An intermittent memory leak was encountered in SSL

Conditions:
This can occur under certain conditions when using Client SSL profiles

Impact:
The amount of memory leaked is quite small, but over time enough memory would leak that TMM would have to reboot.

Workaround:
none

Fix:
An intermittent memory leak in SSL was fixed


527149-3 : FQDN template node transitions to 'unknown' after configuration reload

Component: Local Traffic Manager

Symptoms:
A FQDN node that was available becomes 'unknown' after configuration load or reload.

Conditions:
This occurs in configurations containing FQDN nodes.

Impact:
An FQDN node template stays 'unknown' after configuration load or reload. This does not affect resolution or generation of ephemeral nodes.

Workaround:
None needed. This is cosmetic only.

Fix:
A FQDN node that was available now stays available after configuration load or reload.


527027-4 : DNSSEC Unsigned Delegations Respond with Parent Zone Information

Component: Local Traffic Manager

Symptoms:
When a DNSSEC zone has an unsigned delegation to a child zone, responses to the queries on the unsigned child zone do not include proper delegation records.

Conditions:
A DNSSEC zone configured on BIG-IP for a zone that delegates to an unsigned child zone.

Impact:
DNSSEC tools are unable to verify that the child subdomain is properly delegated to an insecure authoritative name server.

Workaround:
None

Fix:
Queries for an unsigned child zone of a DNSSEC zone on a BIG-IP are now sent to the backend nameserver. DNSSEC-OK flag is observed when processing the response and attaching and/or responding to DNSSEC resource records.


527024-3 : DNSSEC Unsigned Delegations Respond with Parent Zone Information

Component: Local Traffic Manager

Symptoms:
When a DNSSEC zone has an unsigned delegation to a child zone, responses to the queries on the unsigned child zone do not include proper delegation records.

Conditions:
A DNSSEC zone configured on BIG-IP for a zone that delegates to an unsigned child zone.

Impact:
DNSSEC tools are unable to verify that the child subdomain is properly delegated to an insecure authoritative name server.

Workaround:
None

Fix:
Queries for an unsigned child zone of a DNSSEC zone on a BIG-IP are now sent to the backend nameserver. DNSSEC-OK flag is observed when processing the response and attaching and/or responding to DNSSEC resource records.


527011-6 : Intermittent lost connections with no errors on external interfaces

Component: Local Traffic Manager

Symptoms:
Intermittent lost connections to virtual servers or pool nodes with no observable errors on external interfaces. Errors are observed on internal interfaces using 'tmos show net interface -hidden'

Conditions:
Normal operation. This can occur on BIG-IP 8950, 11000, and 11050 platforms.

Impact:
Lost connections

Workaround:
None.

Fix:
An issue with intermittent lost connections with no errors on the external interface has been corrected.


526817-4 : snmpd core due to mcpd message timer thread not exiting

Component: TMOS

Symptoms:
snmpd might occasionally experience a thread deadlock conditions and would be restarted (with a core dump) by sod.

Conditions:
This can occur during a SNMP configuration change.

Impact:
snmpd occasionally becomes unresponsive for the duration of the configured snmpd heartbeat timeout.

Workaround:
After a SNMP configuration change on the BIG-IP system, the deadlock timing issue can avoided by manually restarting snmpd.

Fix:
snmpd no longer becomes unresponsive for the duration of the configured snmpd heartbeat timeout during configuration changes.


526699-6 : TMM might crash if BIG-IP DNS iRule nodes_up references invalid IP/Port.

Component: Global Traffic Manager

Symptoms:
A BIG-IP DNS system configured with an iRule that makes use of the command nodes_up in its ip_address :: port version might lead to a crash.

Conditions:
- BIG-IP DNS iRule processing traffic with nodes_up IP/Port command. - IP/Port references an invalid LTM virtual server. - Client sends requests to the BIG-IP DNS wide IP.

Impact:
TMM might crash.

Workaround:
Specify correct IP/Port in the nodes_up iRule command

Fix:
TMM no longer crashes when using an incorrect IP/Port in a nodes_up BIG-IP DNS iRule.


526637-4 : tmm crash with APM clientless mode

Component: Access Policy Manager

Symptoms:
A condition that occurs when using APM in clientless mode can cause a rare tmm crash

Conditions:
Only occurs on 11.5 and later, and while using clientless mode 3. This crash has been very difficult to reproduce.

Impact:
Causes a crash, but it is very rare.

Workaround:
none

Fix:
tmm will no longer crash in APM clientless mode; it now sends a reset.


526162-7 : TMM crashes with SIGABRT

Component: Application Security Manager

Symptoms:
TMM crashes with SIGABRT (sod crashes the tmm). This error appears in the LTM logs: HA daemon_heartbeat tmm fails action is go offline down links and restart

Conditions:
IP reputation is turned on, and the IP reputation database is reloaded.

Impact:
TMM crash, traffic dropped.

Workaround:
This issue has no workaround at this time.

Fix:
We fixed a rare scenario where TMM was halted when the IP reputation daemon was loading a new IP reputation database.


526031-2 : OSPFv3 may not completely recover from "clear ipv6 ospf process"

Component: TMOS

Symptoms:
Open Shortest Path First version 3(OSPFv3) Link link-state advertisements (LSAs) may not be re-originated from the BIG-IP system if a neighboring router sends the LSA back to the BIG-IP system.

Conditions:
Blade failover occurs on a chassis, 'clear ipv6 ospf process' is run, or ospf6d crashes.

Impact:
Routes from Link LSAs generated by the BIG-IP may be missing in the OSPFv3 network.

Workaround:
Disable OSPFv3 on the BIG-IP system until the Link LSA has been purged from the network. To do so, remove OSPFv3 from the route domain for approximately 10 seconds and then add it back.

Fix:
Link LSAs are correctly re-originated by the BIG-IP system when the LSAs are sent to the BIG-IP by a neighbor router.


525989-2 : A disabled blade is spontaneously re-enabled

Component: Local Traffic Manager

Symptoms:
If a secondary blade in a 'ready' state becomes primary and then quickly is disabled, it does not send a cluster packet for ten seconds. A new primary, therefore, is not elected for ten seconds (the heartbeat timeout), instead of the expected time (immediately). The other blades, including the new primary, never receive the message that the blade was set to disabled, so the blade is be re-enabled without the user requesting it.

Conditions:
This occurs only if the blade disable operations occur very shortly after the primary blade is moved.

Impact:
A blade that the user expects to be disabled is spuriously re-enabled. User interfaces to access configuration, such as tmsh and the GUI might hang for the ten-second interval. The system posts an error message similar to the following: load_config_files: '/usr/bin/tmsh -n -g load sys config partitions all base' - failed. -- Unexpected Error: Saving and loading configuration is only allowed on the primary slot.

Workaround:
Wait ten seconds after disabling a blade before disabling another blade.

Fix:
A previously disabled blade is no longer spuriously re-enabled if the primary blade is moved around quickly.


525958-11 : TMM may crash if loadbalancing to node's IP in iRule routed towards an unreachable nexthop.

Component: Local Traffic Manager

Symptoms:
In a specific combination of events TMM may core.

Conditions:
This occurs when the following conditions are met: - Load balancing a flow to an ip_tuple (e.g., the Tcl 'node' command). - That address is not directly connected. - The matched route is a gateway pool that contains a pool member that is not reachable.

Impact:
System may failover.

Workaround:
Ensure correct routing to all destinations with reachable next hops.

Fix:
TMM no longer cores when load balancing to a node's IP address in iRule, routed towards an unreachable nexthop.


525882-2 : SSL client certificate verification during SSL handshake might leak a reference to the issuer certificate.

Component: Local Traffic Manager

Symptoms:
SSL client certificate verification during SSL handshake might leak a reference to the issuer certificate causing TMM memory leakage over time.

Conditions:
clientssl in use with the client presenting a certificate for verification.

Impact:
TMM memory leak.

Workaround:
None.

Fix:
Client certificate verification now releases all references and the memory leak no longer occurs.


525672-2 : tmm memory leak with SSL forward proxy virtual server having CLIENTSSL_CLIENTHELLO with SNI lookup.

Component: Local Traffic Manager

Symptoms:
tmm memory leak with SSL forward proxy virtual server having CLIENTSSL_CLIENTHELLO with SNI lookup.

Conditions:
- Virtual server (vs1) configured with SSL forward proxy. - vs1 is attached to an iRule which has following events and actions: CLIENT_ACCEPTED does TCP::collect, CLIENT_DATA does TCP::release. CLIENTSSL_CLIENTHELLO does SNI lookup.

Impact:
Double SNI lookup happens instead of single lookup. tmm memory leak and eventual out-of-memory.

Workaround:
None.

Fix:
SSL with forward proxy no longer leaks memory.


525478-2 : Requests for deflate encoding of gzip documents may crash TMM

Component: WebAccelerator

Symptoms:
When searching for documents in the gzip cache, if a document has been cached with gzip encoding but a non-deflate compression method (i.e., CM != 0x08) and the client has requested deflate compression, TMM may crash.

Conditions:
-- WAM/AAM enabled on VIP. -- HTTP compression enabled on VIP. -- Document served with gzip encoding and non-deflate compression. -- Document has entered the gzip cache. -- Client HTTP request specifies deflate encoding.

Impact:
TMM crash.

Workaround:
Ensure that only the deflate method is used in gzip-compressed documents that will be cached by WAM/AAM. With most web servers this is the default behavior and cannot be changed. Alternatively, remove the 'Accept-Encoding: deflate' header using an iRule so that no clients can request deflate encoding.

Fix:
Correctly handles requests for deflate compression of cached gzip documents with non-deflate compression methods.


525322-7 : Executing tmsh clientssl-proxy cached-certs crashes tmm

Component: Local Traffic Manager

Symptoms:
tmm crash while executing "tmsh clientssl-proxy cached-certs" command

Conditions:
ssl forward proxy virtual with a clientssl profile name longer than 32 characters which includes the partition name as well. (/Common/<profilename> -> has length more than 32 chars).

Impact:
tmm crash

Workaround:
Keep the profile name lengths less than 32 chars, or do not run the command until fixed.

Fix:
The "tmsh clientssl-proxy cached-certs" command will now run successfully with profile name lengths longer than 32 characters.


525232-1 : PHP vulnerability CVE-2015-4024

Component: TMOS

Symptoms:
PHP vulnerability CVE-2015-4024.

Conditions:
Algorithmic complexity vulnerability in the multipart_buffer_headers function in main/rfc1867.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 allows remote attackers to cause a denial of service (CPU consumption) via crafted form data that triggers an improper order-of-growth outcome. (CVE-2015-4024)

Impact:
This vulnerability may allow attackers to cause a denial-of-service (DoS) using crafted form data that triggers an improper order-of-growth outcome. Note: This vulnerability is exploitable only through the BIG-IP control plane (non-Traffic Management Microkernel (TMM) related tasks).

Workaround:
To mitigate this vulnerability, F5 recommends that you expose management access only on trusted networks.

Fix:
Fixed PHP vulnerability CVE-2015-4024.


524960-2 : 'forward' command does not work if virtual server has attached pool

Component: Local Traffic Manager

Symptoms:
The iRule 'forward' command does not result in connections being routed to the proper destination if the virtual server has an attached pool.

Conditions:
Virtual server with: - Pool. - iRule that issues 'forward' commands.

Impact:
Connections are routed to pool member instead of destination determined by network routes.

Workaround:
Remove pool assigned to virtual server and select the pool using an iRule with a 'pool' command when 'forward' command is not issued.

Fix:
'forward' command releases previously selected pool member to enabled connection to be routed based on packet destination, as expected.


524641-1 : Wildcard NAPTR record after deleting the NAPTR records

Component: Local Traffic Manager

Symptoms:
There is a dns query issue when adding/deleting a NAPTR record through the Zonerunner.

Conditions:
After deleting a specific NAPTR record, the previously added wildcard NAPTR record will fail for wildcard dig queries and the system does not show the correct subdomains.

Impact:
Wildcard NAPTR record call fails after deleting the NAPTR records.

Workaround:
None.

Fix:
Wildcard NAPTR record call now completes successfully after deleting the NAPTR records.


524605-2 : Requests/responses may not be fully delivered to plugin in some circumstances

Component: Local Traffic Manager

Symptoms:
If a plugin disables itself when encountering a request or response it is not interested in, subsequent requests or responses on the same connection may not be fully delivered to the plugin, causing the plugin and/or user application to function incorrectly.

Conditions:
The one known case where this occurs is when the WebSafe module is deployed and user applications being processed on WebSafe connections make use of POST requests.

Impact:
WebSafe connections may not function correctly. The problem is intermittent and depends on both the application and browser behaviors.

Workaround:
None.

Fix:
Plugins now receive the full request/response when additional requests/responses on the same connection after encountering a request/response it is not interested in.


524300-2 : The MOS boot process appears to hang.

Component: TMOS

Symptoms:
When a BIG-IP 2000 series or BIG-IP 4000 series device is booted into MOS (either manually or as a result of a user running the image2disk utility), the MOS boot process appears to hang. In reality, MOS boots successfully, but loses its connection to the BIG-IP system's serial console.

Conditions:
A BIG-IP 2000 series or BIG-IP 4000 series device with a MOS version older than 2.8.9 - 587.0 is booted from MOS.

Impact:
If you booted into MOS manually, you cannot carry out the tasks that you had set out to do. You must reset the device (either physically or via the AOM menu) to recover it. If the system booted into MOS automatically (as a result of a user running the image2disk utility to perform a clean installation), the installation completes successfully and the system reboots correctly at the end of the installation. However, you cannot see and follow the re-imaging process because of this issue. In this case, you can watch the (seemingly hung) serial console until the system reboots by itself.

Workaround:
You can work around this issue by performing a temporary installation of BIG-IP version 12.0.0 to a new boot slot. No further action is required. This temporary installation of BIG-IP version 12.0.0 can be deleted once completed. This temporary installation of version 12.0.0 has the effect of upgrading MOS to a version which resolves this issue.

Fix:
A BIG-IP 2000 series or BIG-IP 4000 series device with a MOS version older than 2.8.9 - 587.0 is booted from MOS now retains its connection to the serial console.


523995-2 : IPv4 link-local addresses can cause TMM crash when used in conjunction with ECMP routes

Component: Local Traffic Manager

Symptoms:
TMM can crash and ECMP routes via IPv4 link-local addresses may not work correctly.

Conditions:
This happens only for specific IP range with dynamic routing and multiple next hops.

Impact:
TMM crash

Workaround:
Avoid using 169.254 prefix.

Fix:
ECMP routes are working correctly and TMM does not crash


523867-3 : 'warning: Failed to find EUDs' message during formatting installation

Component: TMOS

Symptoms:
The following message may appear on the console: warning: Failed to find EUDs warning: Failed to get volume id for EUD

Conditions:
This warning occurs during a formatting installation.

Impact:
No impact. The message was intended to be logged at the 'info' level.

Workaround:
N/A

Fix:
The 'warning: Failed to find EUDs' diagnostic message during installation has been changed from a warning to info


523854-1 : TCP reset with RTSP Too Big error when streaming interleaved data

Component: Service Provider

Symptoms:
RTSP connection containing interleaved streams is aborted mid-stream, causing loss of data. This occurs when there is packet loss and retransmission due to an unrelaible connection. A RST is sent by BigIP with cause "Too big". There is an RTSP profile parameter Maximum Header Size. When the RTSP filter receives a burst of reassembled stream data that exceeds this size, it aborts with that RST cause. When this parameter is raised above the value of parameter Maximum Queued Data, that parameter is exceeded and the RST cause is "Hudfilter abort". When both parameters are raised much higher, an abort is less likely, but can still occur with cause "Out of memory" (which is a false report as the system is not out of memory).

Conditions:
RTSP profile configured. Interleaved stream. Packet retransmissions due to an unreliable connection.

Impact:
RTSP traffic is interrupted or dropped TCP session is reset with a cause of "Too Big" or "Hudfilter abort".

Workaround:
Set both the Maximum Header Size and Maximum Queued Data values to a value greater than 64K. This reduces the likelihood of failure, but is only a partial workaround.

Fix:
RTSP interleaved traffic passes reliably, even over an unreliable connection experiencing packet retransmission.


523471-2 : pkcs11d core when connecting to SafeNet HSM

Component: Local Traffic Manager

Symptoms:
Very occasionally, using the SafeNet hardware security module (HSM) results in a pkcs11d core.

Conditions:
This occurs when the SafeNet HSM is used. Because of the rare and intermittent nature of the issue, other required conditions are not known.

Impact:
pkcs11d cores, and HSM-based SSL traffic fails. This occurs as a result of the SafeNet library. It is not a BIG-IP system-specific issue.

Workaround:
None.

Fix:
The SafeNet library has been updated, and pkcs11d no longer cores intermittently.


522997-3 : Websso cores when it tries to shutdown

Component: Access Policy Manager

Symptoms:
Websso core file is generated when it is in the process of shutting down.

Conditions:
Websso can be shutdown and restarted for many reasons. For example, when provisioning happens or when a mcpd or tmm process restarts.

Impact:
The impact is minimal because Websso cores during shutdown and will be restarted correctly.

Workaround:
No workaround

Fix:
Websso now handles shutdown events gracefully, and no core file is generated.


522871-1 : [TMSH] nested wildcard deletion will delete all the objects (matched or not matched)

Component: TMOS

Symptoms:
Nested wildcard deletion deletes all of the objects (matched or not matched).

Conditions:
Use deletion in a nested TMSH command. For example: tmsh modify gtm server GTM1 virtual-servers delete {f*} This deletes all virtual servers even if none of the servers match. The same issue applies to pool members.

Impact:
All objects are deleted, instead of those targeted for delete.

Workaround:
None.

Fix:
Nested wildcard deletion now deletes matched objects only.


522837-1 : MCPD can core as a result of another component shutting down prematurely

Component: TMOS

Symptoms:
During a small window of opportunity, mcpd can core if it is told to restart. This often occurs when another component has failed.

Conditions:
This issue generally occurs when another component has a problem which then initiates an mcpd restart.

Impact:
An mcpd core file is generated during shutdown, and it may initially appear as if mcpd coring was the cause of the restart.

Workaround:
None.

Fix:
Ensured that connections are not deleted twice when shutting down, so mcpd no longer cores.


522791-2 : HTML rewriting on client might leave 'style' attribute unrewritten.

Component: Access Policy Manager

Symptoms:
In some cases, the 'style' attribute of HTML tag containing CSS styles is not rewritten.

Conditions:
This happens when HTML is added to a page using document.write or assignment to innerHTML.

Impact:
Images added with inline CSS styles are not displayed. Direct requests to the backend are sent from browser.

Workaround:
Use an iRule to rewrite the 'style' attribute before adding HTML to the page.

Fix:
The HTML 'style' attribute is correctly rewritten for any tag.


522332-1 : Configuration upgrade of httpclass which has the 'hosts' attribute done incorrectly

Component: TMOS

Symptoms:
A config with the deprecated 'httpclass' which has the 'hosts' attribute, on an upgrade to later version, gets converted to an LTM policy with the attributes 'http-host host values <value>'.

Conditions:
Needs a config with the 'httpclass' in it, which has the hosts attribute. F5 has replaced the HTTP Class profile with the introduction of the Local Traffic Policies feature in BIG-IP 11.4.0. During an upgrade to BIG-IP 11.4.0, if your configuration contains an HTTP Class profile, the BIG-IP system attempts to migrate the HTTP Class profile to an equivalent local traffic policy. You can find more information in SOL14409: The HTTP Class profile is no longer available in BIG-IP 11.4.0 and later, available here: https://support.f5.com/kb/en-us/solutions/public/14000/400/sol14409.html.

Impact:
The policy tries to match only the 'host' part of the HTTP Host header. The policy should be trying to match 'all' (that is, 'host' and 'port') instead. Note: F5 has replaced the HTTP Class profile with the introduction of the Local Traffic Policies feature in BIG-IP 11.4.0. During an upgrade to BIG-IP 11.4.0, if your configuration contains an HTTP Class profile, the BIG-IP system attempts to migrate the HTTP Class profile to an equivalent local traffic policy.

Workaround:
Manually edit the config after upgrade to convert 'http-host host' to 'http-host all', for example: http-host host <====== values { tempbus.ladpc.net.il:3433 } } to http-host all <====== values { tempbus.ladpc.net.il:3433 } }

Fix:
Fixed the upgrade script to convert using the attribute 'all' instead of 'host'


521336-6 : pkcs11d initialization retry might post misleading error messages and eventually result in a pkcs11d core

Component: Local Traffic Manager

Symptoms:
The retry of pkcs11d initialization might post misleading error messages and eventually result in a pkcs11d core.

Conditions:
When pkcs11d retries to wait for other services such as tmm or mcpd.

Impact:
After the system reboots, the /var/log/ltm shows initialize errors and the /var/log/daemon.log shows pkcs11_initialize messages: -- err pkcs11d[6247]: 01680002:3: Pkcs11 Initialize error (this is misleading; pkcs11d is actually retrying). -- err pkcs11d[6247]: Nethsm: pkcs11_initialize C_GetSlotList error 0x00000000, number of slots 0.

Workaround:
Retry pkcs11d restart when tmm and mcpd are both ready.

Fix:
The retry of pkcs11d initialization no longer posts misleading error messages when pkcs11d retries to wait for other services such as tmm or mcpd.


521144-5 : Network failover packets on the management interface sometimes have an incorrect source-IP

Component: TMOS

Symptoms:
After reboot, network failover packets might be transmitted with an internal source address, on the 127/8 network.

Conditions:
This problem might occur if the members of a device service clustering (DSC)/high availability (HA) device group have management ports on different IP networks, so that a management-route is necessary for them to communicate.

Impact:
If there are intervening firewalls or routers that drop packets with improper/unroutable source addresses, then the members of the device group cannot communicate on this channel.

Workaround:
Remove the management-route from tmsh, and add a static route to the Linux kernel routing table. For example: # tmsh delete sys management-route 10.208.101.0/24 # tmsh save sys config # echo "10.208.101.0/24 via 10.208.102.254 dev eth0" > /etc/sysconfig/network-scripts/route-eth0 # reboot

Fix:
Network failover packets on the management interface now have the correct source-IP when device service clustering (DSC)/high availability (HA) device group have management ports on different IP networks, so that a management-route is necessary for them to communicate.


520732-3 : XML policy import adds default entities if the relevant element list (in policy xml doc) is specified and empty

Component: Application Security Manager

Symptoms:
Default entities (File types, Parameters, URLs, Cookies, Signatures, Redirection Domains and Brute Force Log-In URLs) are added to the policy upon XML policy import.

Conditions:
ASM policy with entities of some type (File types, Parameters, URLs, Cookies, Signatures, Redirection Domains and Brute Force Log-In URLs) deleted (all entities of that type). Export it to XML and then import that XML back - the default entities are added.

Impact:
XML policy import adds default entities if the relevant element list (in policy XML doc) is specified and empty.

Workaround:
The relevant element list (in the policy XML doc), that is specified and empty, should be completely removed (from the policy XML doc).

Fix:
ASM no longer adds default entities if the relevant element list (in the policy XML document) is specified and empty.


520380-6 : save-on-auto-sync can spawn multiple invocations of tmsh, starving system of memory

Component: TMOS

Symptoms:
Unit demonstrates behaviors consistent with out-of-memory condition. 'top' and 'ps' may show multiple tmsh processes waiting to run.

Conditions:
Enable auto-sync and save-on-auto-sync.

Impact:
Low memory condition may result in system instability.

Workaround:
None.

Fix:
Enabled auto-sync and save-on-auto-sync no longer causes out-of-memory condition.


520105-3 : Possible segfault during hardware accelerated compression.

Component: Local Traffic Manager

Symptoms:
Segfault and core-dump of tmm when using gzip, deflate, or zlib hardware accelerated compression compress or decompress operations.

Conditions:
Requests for compression on the hardware accelerator can cause a segfault.

Impact:
Tmm restarts when issue is encountered.

Workaround:
Disable hardware accelerated compression.

Fix:
Cancelled flow contexts involving a compression context no longer segfault when the in-flight operation completes.


520088-2 : Citrix HTML5 Receiver does not properly display initial tour and icons

Component: Access Policy Manager

Symptoms:
When trying to connect with Citrix HTML5 Receiver, the initial tour screen does not display properly.

Conditions:
APM is configured for Citrix replacement mode and Citrix HTML5 Receiver client 1.4-1.6 is used.

Impact:
Issues with GUI user experience. User is presented with an improperly formatted page without icons.

Workaround:
1. Open /config/bigip.conf for edit. 2. Replace 'content-type text/plain' with 'content-type text/css' in HTML5Client(.*).css sections. 3. Replace 'content-type text/plain' with 'content-type text/javascript' in HTML5Client(.*).js sections/ 4. Save the file. 5. From the console, type the following command: tmsh load sys config.

Fix:
Now APM correctly sets content type of CSS and JavaScript files when configuring Citrix HTML5 client bundle.


519257-2 : cspm script isn't injected in text/html chuncked response

Component: Application Visibility and Reporting

Symptoms:
The BIG-IP Client Side Performance Monitoring (CSPM) script does not get injected in chunked response causing the "Page load time" feature to not work properly.

Conditions:
This happens for chunked (large) web pages.

Impact:
The "Page load time" feature does not work properly and page load time stats do not exist for these responses.

Workaround:
None known

Fix:
Page load time is displayed correctly even for chunked responses.


519217-4 : tmm crash: valid proxy

Component: Local Traffic Manager

Symptoms:
tmm might crash in extremely rare circumstances when a virtual server is used during an update. Standard process is for virtual servers to be unavailable until the configuration update is complete; there are extremely rare circumstances when it is possible for a connection to use a virtual server before it is ready.

Conditions:
This requires that traffic is running during a configuration update, including a config sync from an HA peer. There must be a virtual server or configuration that uses a second virtual server while traffic is running: these include vip-on-vip using iRules and WAM prefetch, but might include other internal conditions.

Impact:
Traffic disruption, possible failover to another device if HA is configured. If using keepalive or other means to keep the connection alive, then a long amount of time might pass between the creation of the invalid flow and any impact from the error.

Workaround:
None.

Fix:
If a virtual server is used during an update (that is, before the virtual server is ready), an error message is now posted to tmm log files, and a small amount of memory is used each time this message is logged.


519216-4 : Abnormally high CPU utilization from external SSL/OpenSSL monitors

Component: TMOS

Symptoms:
The BIG-IP system may experience high CPU utilization when SSL/OpenSSL monitors are used to obtain availability status for 30 or more pool members.

Conditions:
External SSL monitors using OpenSSL. This includes but is not limited to EAV, ldap, sip, soap, firepass, snmpdca, real-server, wmi, virtual-location. Builtin monitors are not affected, e.g., https, inband.

Impact:
High CPU utilization reported with potential performance degradation.

Workaround:
To work around this issue, you can use a different type of monitor to obtain pool member availability status. Impact of workaround: Performing the recommended workaround should not have a negative impact on your system.

Fix:
The CPU utilization is reduced when SSL/OpenSSL monitors are used to obtain availability status for 30 or more pool members.


518550-3 : Incorrect value of form action attribute inside 'onsubmit' event handler in some cases

Component: Access Policy Manager

Symptoms:
Incorrect value of 'action' form attribute may be used inside 'onsubmit' event handlers if original 'action' is an absolute path.

Conditions:
HTML form with absolute path in 'action' attribute; 'onsubmit' event handler for this form.

Impact:
Web application may work incorrectly.

Workaround:
There is no general workaround. But if 'action' value can be converted to relative path or to full URL (with host), this can be done using iRule.

Fix:
Now value of form 'action' attribute is correct inside event handlers.


518275-2 : The BIG-IP system may stop the normal processing of SSL traffic and dump a TMM core file

Component: Local Traffic Manager

Symptoms:
During the handshake, an SSL alert is sent. The same alert is then sent repeatedly leading to resource-related issues such as increased memory usage and TMM cores. With db variable log.ssl.level set to Debug, the log might then fill with the alert message.

Conditions:
An SSL alert is sent during the handshake.

Impact:
Resource-depletion leading to TMM core and interruption of service.

Workaround:
None.

Fix:
During the handshake, an SSL alert is sent. In this release, the same alert is sent only once, so there are no resource-related issues such as increased memory usage and TMM cores.


517846-2 : View Client cannot change AD password in Cross Domain mode

Component: Access Policy Manager

Symptoms:
View Client cannot change Active Directory password in Cross Domain mode.

Conditions:
1. Access policy for View Client uses Cross Domain authentication. 2. View Client user trying to log into APM belongs to a different AD domain than the one configured in AD Auth agent (cross-domain auth). 3. User's password is expired.

Impact:
User cannot change expired password, so cannot use VMware View.

Workaround:
None.

Fix:
View Client can now change AD password in Cross Domain mode, as expected.


517465-4 : tmm crash with ssl

Component: Local Traffic Manager

Symptoms:
Under some rare conditions, a problem with SSL might cause TMM to crash.

Conditions:
An SSL alert is sent during the SSL handshake.

Impact:
Service interrupted.

Workaround:
None known

Fix:
A tmm crash related to alerts during a SSL handshake failure has been fixed.


517388-7 : Parsing the DN (for subject or issuer) in a certificate does not take into account all the possible RDNs.

Component: TMOS

Symptoms:
The system recognizes and displays to the user a few relative distinguished names (RDNs): division name, state name, locality name, organization name, country name, and common name.

Conditions:
RDNs other than those in the subject/issuer are not parsed correctly.

Impact:
Parsing the DN (for subject or issuer) might combine fields that result in RDN values that are longer than allowed. This causes issues when trying to store these in Enterprise Manager (EM) database.

Workaround:
None.

Fix:
All relative distinguished names (RDNs) are now parsed as expected. Previously, the system correctly parsed RDNs for division name, state name, locality name, organization name, country name, and common name. Now, the system correctly parses all RDNs.


517282-7 : The DNS monitor may delay marking an object down or never mark it down

Component: Local Traffic Manager

Symptoms:
The DNS monitor may not mark an object down within the monitor timeout period or may never mark the object down.

Conditions:
A DNS monitor with no configured recv string and the monitor receives an ICMP error other than port unreachable.

Impact:
The DNS monitor may not mark an object down within the monitor timeout period or may never mark the object down.

Workaround:
Supply an appropriate recv string to the monitor definition: tmsh modify ltm monitor dns mydns recv 10.1.1.1 Or add another monitor to the object: tmsh modify ltm pool dnspool monitor min 2 of { mydns gateway_icmp }

Fix:
DNS monitor should mark server down when getting ICMP admin prohibited error. This is correct behavior.


517209-7 : tmsh save sys config file /var/tmp or /shared/tmp can make some BIG-IP functionality unusable

Component: TMOS

Symptoms:
The tmsh save sys config file /var/tmp or /shared/tmp or a relative path to these directories (for example, /config/../shared/tmp) saves the scf with the specified real path. However, since the /var/tmp directory is used internally by BIG-IP daemons, some functionality may be rendered unusable till the /var/tmp symlink to /shared/tmp is restored.

Conditions:
Saving the sys config file /var/tmp or /shared/tmp (or a relative patch to one of these directories).

Impact:
Some system functionality may be rendered unusable.

Workaround:
Use the following commands to delete the scf and restore the symlink: -- rm -f /var/tmp. -- ln -s /shared/tmp /var/. -- bigstart restart.

Fix:
The /var/tmp or /shared/tmp are now invalid paths for the tmsh save sys config file command.


517053-2 : bigd detection and logging of load and overload

Component: Local Traffic Manager

Symptoms:
When BIG-IP is configured with a very large number of monitor instances (multiple thousands) probing at relatively fast intervals, BIG-IP may not be able to keep up with its servicing load. This can be indicated by pool members being marked down/up (flapping) that were not actually having connectivity problems.

Conditions:
Heavy monitor instance probe rate (monitor instance probes per second).

Impact:
When overloaded, bigd is unable to probe consistently which may result in odd or unpredictable pool member up/down behavior.

Workaround:
The main way to mitigate overload issues is either to reduce the number of monitor instances, to increase the probe time to probe less often, and/or to switch monitored pool members/nodes to simpler, lower-overhead monitor (i.e. ICMP instead of HTTP, or HTTP instead of HTTPS).

Fix:
This particular fix does not change the problem or mitigation steps. Rather, it helps detect when overloading has occurred. When it has been determined that overloading has occurred, a message will be logged to /var/log/ltm to indicate this. By default, the overload message will be triggered if the main 1/10 second (100 ms) loop takes, on average, more than 150 ms to service. This overload threshold value can be adjusted with the new Bigd.Overload.Latency sys db variable. The variable indicates the number of ms latency at which servicing the 100 ms main loop is considered overload. In addition, main loop latency logging has been added to /var/log/bigdlog. The latency information will be logged every 15 seconds. The main loop latency information will be logged whenever Bigd.Debug is enabled, or if the new sys db variable Bigd.Debug.TimingStats is enabled. The new Bigd.Debug.TimingStats variable allows the main loop latency stats to be emitted even if other debug information, which can be quite verbose, is suppressed. The main loop latency information is such: insts, avg-5m mean-5m stddev5, avg-1m mean-1m stddev1 insts: # of active monitor instances being monitored avg-5m: weighted decaying average loop latency over 5 minutes mean-5m: mean average loop latency over 5 minutes stddev5: standard deviation of loop latency over 5 minutes avg-1m: weighted decaying average loop latency over 1 minute mean-1m: mean average loop latency over 1 minute stddev1: standard deviation of loop latency over 1 minute Once again, these average/mean values are measuring the 100 ms service loop, which under normal circumstances should always complete in close to 100 ms. When the value rises above 100 ms, that means we are not able to service all our monitor instances in a timely fashion.


517020-5 : SNMP requests fail and subsnmpd reports that it has been terminated.

Component: TMOS

Symptoms:
After an unspecified period of time, SNMP requests fail and subsnmpd reports that it has been terminated.

Conditions:
SNMP polls sent to a system start to fail after a few days, until subsnmpd is restarted. When in the failed state, you can determine the status of subsnmpd by running the following command: tmsh show sys services. Here is an example of the status when the system is in this state: subsnmpd run (pid 4649) 26 days, got TERM.

Impact:
Loss of snmp data set to a client. The /var/log/snmpd.log contains numerous messages similar to the following: Received broken packet. Closing session. The /var/log/sflow_agent.log contains numerous messages similar to the following: AgentX session to master agent attempted to be re-opened.

Workaround:
Restart subsnmpd using the following command: bigstart restart subsnmpd.

Fix:
SNMP requests handling has been improved to ensure that requests no longer fail after a number of days.


516816-4 : RSA key with DSA-signed or ECDSA-signed certificate silently fails handshake.

Component: Local Traffic Manager

Symptoms:
RSA key with DSA-signed or ECDSA-signed certificate silently fails handshake.

Conditions:
The key cert pair type matches one of the following combinations: 1. RSA key/DSA-signed cert. 2. RSA key/ECDSA-signed cert.

Impact:
When this kind of key/cert pair is configured in a Client SSL profile that is used by a virtual server, the SSL handshake to the virtual server fails.

Workaround:
Do not use this kind of 'hybrid' key/cert pair in the Client SSL profile. Instead, use the combination such as RSA key/RSA-signed cert, EC key/ECDSA-signed cert, or DSA key/DSA-signed cert.

Fix:
An RSA key with DSA-signed or ECDSA-signed cert no longer fails the SSL handshake. You can now configure those in the Client SSL profile and the SSL handshake completes as expected.


516322-7 : iApp association removed from virtual server

Component: TMOS

Symptoms:
Merging a config via tmsh load sys config merge or iControl Management.ChangeControl.put_config, where the system updates a partition /Common and modifies an LTM persistence profile (source_addr) associated with an iApp disassociates an iApp from a virtual server.

Conditions:
iApp, virtual server, and persistence profile are configured and associated prior to merge.

Impact:
This removes iApp association with the virtual server.

Workaround:
Modify any associated virtual server as well.

Fix:
Modifying a persistence profile while updating partition /Common during a merge config no longer disassociates the iApp from the virtual server.


515759-3 : Configuration objects with more than four vlans in vlan list may cause memory utilization to increase over time

Component: Local Traffic Manager

Symptoms:
tmm memory growth over time.

Conditions:
Conditions leading to this issue include: one or more virtual servers, NATs, SNATs, or LSNs with more than four VLANS in a vlan allow or vlan deny list.

Impact:
tmm memory usage can grow over time eventually causing memory exhaustion.

Workaround:
Mitigation: Minimize the number of VLANs in the VLAN list for virtual servers, NATs, SNATs and LSNs. Minimize the number of configurations changes to Self-IPs, virtual servers, NATs, SNATs and LSNs.

Fix:
Configuration objects with more than four vlans in vlan list no longer causes memory utilization to increase over time.


514313-1 : Logging profile configuration is updated unnecessarily

Component: Application Security Manager

Symptoms:
Logging profile configuration is updated in the ASM data plane unnecessarily, due to changes in pool member state.

Conditions:
Pool member state changes frequently.

Impact:
Unnecessary logging profile configuration updates are sent to ASM data plane.

Workaround:

Fix:
Logging profile configuration is updated in the ASM data plane only when it is modified, and not unnecessarily.


514061-4 : False positive scenario causes SMTP transactions to hang and eventually reset.

Component: Application Security Manager

Symptoms:
Upon specific SMTP traffic, connection hangs and eventually resets.

Conditions:
SMTP profile with 'protocol security' turned on is attached to the virtual server, and the response is processed in bulk.

Impact:
Connection hangs and eventually resets.

Workaround:
None.

Fix:
This release fixes a scenario in which SMTP transactions were hanging and blocked upon specific traffic.


513974-7 : Transaction validation errors on object references

Component: TMOS

Symptoms:
MCP validation error when adding/removing reference and adding/deleting an object in the same transaction.

Conditions:
During device group config sync, iControl transactions, and tmsh operations. For example, delete and create the same virtual server and specify a profile/VLAN, or remove a profile from a virtual server and then delete the profile in the same transaction.

Impact:
Validation error. The system posts an error similar to the following: transaction failed: 01020066:3: The requested virtual server profile (/Common/vs1 /Common/http1) already exists in partition Common. When deleting, the message is: 01020036:3: The requested virtual server profile (/Common/vs1 http1) was not found.

Workaround:
The removal of the object reference must be done in a separate transaction. For example, if you want to delete a profile that is being used, create one transaction removing it from virtual servers, then a second transaction deleting the profile.

Fix:
The system now supports adding/removing a reference and the object in a single transaction.


513659-3 : AAM Policy not all regex characters can be used via the GUI

Component: TMOS

Symptoms:
Cannot specify certain regex syntax when configuring Client IP for 'Matching' or 'Validation' rules in an AAM Policy.

Conditions:
Adding regex characters such as \, [, ], ^, $ to an existing policy. Parentheses appear to be allowed, but do not save the information correctly.

Impact:
Cannot use the GUI to configure the policy with certain regex strings. The system posts the following error message: The field Value has invalid characters.

Workaround:
Use tmsh, and escape special wild-card characters with '\': For example at add 10.[0-9]$: modify wam policy Drafts/test_policy nodes modify { t1 { matching modify { client-ip { values replace-all-with { 10.\[0-9\]$ } } } } }.


513213-5 : FastL4 connection may get RSTs in case of hardware syncookie enabled.

Component: Local Traffic Manager

Symptoms:
Occasionally, ACK is sent to server without SYN, connection get RST.

Conditions:
1) FastL4 virtual server. 2) Hardware syncookie enabled. 3) Might more commonly occur with forwarding virtual servers. 4) Often happens when egress router has ARP timeout.

Impact:
Some connections will be dropped.

Workaround:
Configure a static ARP to all neighbors (routers) to avoid most issues.

Fix:
An issue with hardware syncookies and FastL4 connections has been resolved.


513142-3 : FQDN nodes with a default monitor may cause configuration load failure

Component: Local Traffic Manager

Symptoms:
Attempting to load a configuration containing FQDN nodes, a default-node-monitor and non-Common partitions can fail due to invalid partition reference.

Conditions:
Node in a non-Common partition and a default-node-monitor configured.

Impact:
Configuration fails to load. The system posts an error message similar to the following: 01070726:3: Node /Common/name.of.fqdn.node in partition Common cannot reference monitored object /Common/name.of.fqdn.node /Common/partition1 in partition another_partition.

Workaround:
If possible, use FQDN nodes only in the Common partition.

Fix:
FQDN nodes with a default monitor no longer cause configuration load failure.


512130-4 : Remote role group authentication fails with a space in LDAP attribute group name

Component: TMOS

Symptoms:
Remote role group authentication fails if there is a space in attribute name of remote-role role-info.

Conditions:
This occurs when the auth remote-role role-info attribute name contains a space character.

Impact:
LDAP authentication fails.

Workaround:
Remove space characters from LDAP attribute group name. Another option is to use '\20' in place of spaces in the remote-role's role-info member-of attribute, for example: memberOf=CN=Some Big Group,CN=Users,DC=DOMAIN,DC=COM becomes: memberOf=CN=Some\20Big\20Group,CN=Users,DC=DOMAIN,DC=COM

Fix:
Remote role group authentication now succeeds as expected with a space in LDAP attribute group name.


512119-2 : Improved UDP DNS packet truncation

Component: Local Traffic Manager

Symptoms:
UDP responses from the DNS cache were not truncated properly. This is primarily seen in DNS tools, such as dig or Wireshark that would mark the response as malformed. Regular resolver clients handled the responses correctly noting the tc bit in the response header.

Conditions:
UDP DNS responses larger than the size requested by the client, typically 512 bytes.

Impact:
Packets may be flagged as malformed by DNS packet analyzers. There are no known issues with regular DNS client resolvers.

Workaround:
None

Fix:
The DNS Cache now properly fills in response data and handles truncation as expected.


512069-2 : TMM restart while relicensing the BIG-IP using the base license.

Component: Policy Enforcement Manager

Symptoms:
TMM restart while relicensing the BIG-IP on base license expiration.

Conditions:
- Provisioning the following modules: LTM, AFM, PEM, CGNAT, ASM, FPS, APM, AVR, GTM - Base license should have expired

Impact:
Results in a TMM restart

Workaround:

Fix:
TMM restart has been resolved. Relicensing is not an issue.


511893-5 : Client connection timeout after clicking Log In to Access Policy Manager on a Chassis

Component: Access Policy Manager

Symptoms:
Clients connecting via Edge Client or Network Access to Access Policy Manager running on a chassis will experience a connection timeout after clicking Log In

Conditions:
1. Two or more blades chassis with APM provisioned 2. Create Portal Access/NA. start > logon page > portal resource (portal webtop, resource)> Allow. 3. Create access session using browser.

Impact:
Access session never finishes and browser does not render portal.

Workaround:
None

Fix:
BIG-IP Access Policy Manager running on a chassis will correctly process the client's Log In command.


511527-2 : snmpd segmentation fault at get_bigip_profile_user_stat()

Component: TMOS

Symptoms:
snmpd can core dump due to segmentation fault with the error snmpd[<pid>]: segfault at 0 ip <ip> sp 00000000ff8bec50 error 4 in bigipTrafficMgmt.so

Conditions:
An uncommon race condition.

Impact:
None. snmpd is automatically restarted.

Workaround:

Fix:
A check was added to gracefully handle the race condition and prevent core dump.


511057-5 : Config sync fails after changing monitor in iApp

Component: Local Traffic Manager

Symptoms:
Unable to modify a pool monitor and delete it in the same transaction.

Conditions:
A pool must have the monitor associated with it before the tmsh transaction, and must be the same as the monitor being deleted in the transaction.

Impact:
Unable to submit multiple changes in a single transaction.

Workaround:
Modify the pool monitor and delete it in separate transactions.

Fix:
Monitor modification and deletion can now happen in the same transaction.


510923-2 : TMM crashes on the disabled secondary blade and bigstart restart or reboot is triggered.

Component: Policy Enforcement Manager

Symptoms:
TMM crashes on the disabled secondary blade and bigstart restart or reboot is triggered.

Conditions:
Disabled the secondary blade.

Impact:
TMM crashes and reboot is triggered.

Workaround:
None.

Fix:
TMM no longer crashes after the secondary blade is disabled.


510559-6 : Add logging to indicate that compression engine is stalled.

Component: TMOS

Symptoms:
Hardware compression slowly and progressively fails to handle compression operations. The system posts the following errors in ltm.log: crit tmm3[14130]: 01010025:2: Device error: n3-compress0 Nitrox 3. If the compression engine stalls, there is no logging-trail to indicate there is a problem.

Conditions:
This occurs when the system encounters errors during hardware compression handling and the compression engine stalls.

Impact:
Compression completely stalls, or CPU can be driven up by software-based compression. No indication of what the issue is.

Workaround:
Disable compression, or select 'software only' compression.

Fix:
Previously, if the compression engine stalled, there would be no logging-trail to indicate there was a problem. This release adds logging and stats for detecting a compression engine stall.


510381-3 : bcm56xxd on A108 (B4300 blade) might core when restarting due to bundling config change.

Component: TMOS

Symptoms:
A race condition exists where bcm56xxd might core while restarting due to a bundling configuration change if it is still processing other config messages from MCP

Conditions:
Interface bundling change requiring a restart while still processing configuration messages.

Impact:
Unnecessary core file produced since the daemon is restarting anyway.

Workaround:
None.

Fix:
Fixed possible race condition which resulted in a bcm56xxd core.


510264-1 : TMM core associated with smtps profile.

Component: Local Traffic Manager

Symptoms:
tmm can core when the smtps profile is enabled.

Conditions:
This is an intermittent core seen when the smtps profile is enabled.

Impact:
traffic disruption from TMM core.

Workaround:
n/a

Fix:
tmm will no longer core from using the smtps profile.


509641-3 : Ephemeral pool members may not inherit attributes from FQDN parent

Component: Local Traffic Manager

Symptoms:
Newly resolved pool members do not have the appropriate attributes (priority, connlimit, etc.).

Conditions:
Parent FQDN has non-default attributes and a new ephemeral member is resolved.

Impact:
Ephemeral pool members have unexpected attributes.

Workaround:

Fix:
Ephemeral pool member now correctly inherits attributes from parent node upon resolution.


509284-2 : Improved reliability of a module interfacing with HSM

Component: Local Traffic Manager

Symptoms:
Assuming that tmm has crashed and auto-restarted, traffic may stop for profiles with HSM keys.

Conditions:
This can occur when using HSM keys, and TMM crashes.

Impact:
Encrypted traffic will not be processed, even after daemons restart.

Workaround:
Restart TMM, e.g. with 'bigstart restart tmm pkcs11d'

Fix:
Fixed a race condition that may prevent proper initialization of an inter-process communication between TMM and pkcs11d.


508057-1 : MySQL Vulnerability CVE-2015-0411

Component: TMOS

Symptoms:
CVE-2015-0411 Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier, and 5.6.21 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Server : Security : Encryption.

Conditions:
Running one of the vulnerable versions. For more information, see SOL16355: Multiple MySQL vulnerabilities, available here: https://support.f5.com/kb/en-us/solutions/public/16000/300/sol16355.html.

Impact:
The CVE numbers included in this advisory are reported to allow (through undisclosed mechanisms) a remote unauthorized attacker to perform read and write MySQL access, receive privilege escalation, or cause a denial-of-service (DoS) of the MySQL service and potentially stop critical data plane services. However, the BIG-IP and Enterprise Manager systems have default mitigations in place through local user authentication requirements and tcp_wrappers (BIG-IP 10.x / EM 2.x) and iptables (BIG-IP 11.x / EM 3.x) that downgrade the access vector for these vulnerabilities limited to local and authenticated users. Important: Enabling the Remote Access feature on Enterprise Manager will modify the tcp_wrappers (2.x) and iptables (3.x) rules to allow database access. As a result, the vulnerable access vector for these vulnerabilities is upgraded back to remote and unauthenticated. The Enterprise Manager Remote Access feature is disabled by default. If you have enabled the Remote Access feature, refer to the Disabling the Remote Access feature procedure in the Recommended Actions section.

Workaround:
Disabling the Remote Access feature Impact of recommended action: You will no longer be allowed to remotely access the MySQL statistical database. Log in to the Enterprise Manager Configuration utility. Click Enterprise Management. Navigate to Options : Statistics : Remote Access. Clear the Allow Remote Access check box. Click Save Changes.

Fix:
CVE-2015-0411


507611-4 : On BIG-IP 2000- and 4000-series platforms BGP sessions with TCP MD5 enabled might fail to establish connection to neighbors.

Component: Local Traffic Manager

Symptoms:
BGP sessions with TCP MD5 enabled might fail to establish connection to neighbors.

Conditions:
BGP, TCP-MD5 on BIG-IP 2000- and 4000-series platforms.

Impact:
BGP session is not established.

Workaround:
Disable TCP-MD5 for neighbor.

Fix:
BGP sessions with TCP MD5 enabled now establish connection to neighbors as expected on BIG-IP 2000- and 4000-series platforms.


507410-2 : Possible TMM crash when handling certain types of traffic with SSL persistence enabled

Component: Local Traffic Manager

Symptoms:
When SSL persistence is used on a virtual, if the SSL session contains unexpected traffic the TMM might crash.

Conditions:
SSL persistence is enabled on a virtual server, and the SSL session contains unexpected traffic.

Impact:
TMM crash

Workaround:
Do not use SSL persistence.

Fix:
SSL persistence will not crash regardless of the SSL traffic seen.


507109-4 : inherit-certkeychain attribute of child Client SSL profile can unexpectedly change during upgrade

Component: Local Traffic Manager

Symptoms:
The inherit-certkeychain attribute of a child Client SSL profile can unexpectedly change after upgrade.

Conditions:
This issue occurs when all of the following conditions are met: -- You create a Client SSL profile that does not inherit the certificate, key, and chain certificate settings from the parent profile. -- You upgrade to BIG-IP 11.5.1 (HF6 or later), 11.5.2, 11.5.3, or 11.6.0.

Impact:
An incorrect cert key chain is used in the profile.

Workaround:
Manually fix the Client SSL profile.

Fix:
The certificate, key, and chain certificate settings in a Client SSL profile no longer change after an upgrade.


505089-4 : Spurious ACKs result in SYN cookie rejected stat increment.

Component: Local Traffic Manager

Symptoms:
Sending unsolicited ACK to a virtual server increments the counter 'Total Software Rejected' from tmsh show ltm virtual 'name_of_virtual_server' when syn cookie status is not activated.

Conditions:
This has been observed under the following conditions: 1. The client sends a SYN, the LTM sends an SYN/ACK and then the client sends a bad ACK. 2. A client sends an ACK for a connection that does not exist in the connection table (either it never existed or had been closed).

Impact:
Potentially inaccurate statistics in tmsh show ltm virtual.

Workaround:
None.

Fix:
In this release, the system increments the syncookie reject stat only if a bad ACK could correspond to a syncookie the system issued.


505071-5 : Delete and create of the same object can cause secondary blades' mcpd processes to restart.

Component: TMOS

Symptoms:
A single transaction containing both a delete and a create of the same object can, for certain types of objects, cause the secondary blades' mcpd processes to restart because of validation failure. The validation error appears similar to the following: 01020036:3: The requested object type (object name) was not found.

Conditions:
This has been seen to occur when an APM policy agent logon page is modified, and the error reports that its customization group cannot be found. In BIG-IP v11.6.0 HF6 and BIG-IP v11.5.4 and BIG-IP v11.5.4 HF1, this can also occur when an iApp creates a virtual server.

Impact:
mcpd restarts on every secondary blade, causing most other system services to restart as well. This might result in a temporary loss of traffic on all secondary blades. After mcpd restarts, the new configuration is accepted and the system returns to normal operation.

Workaround:
None.

Fix:
For certain types of objects, an incorrect message was sent to the secondary blades' mcpd processes if an object of that type was deleted and then recreated within a single transaction. This caused mcpd to restart on every secondary blade. The correct message is now sent, even for this type of object.


504545-2 : FQDN: node without service checking reported as 'service checking enabled, no results yet'

Component: Local Traffic Manager

Symptoms:
When an FQDN Node has no Node Default or Node Specific monitor associated, the ephemeral nodes' status is 'Unknown (enabled)- Node address service checking is enabled but result is not available yet.' A standard node configured without a monitor has the correct status: 'Unknown (enabled) - Node address does not have service checking enabled.'

Conditions:
FQDN node created with one or more valid records returned for the FQDN, and no node default or node-specific health monitor configured.

Impact:
Cannot determine actual state of pool member.

Workaround:
None.

Fix:
FQDN node without service checking has the correct status: 'Unknown (enabled) - Node address does not have service checking enabled.'


504508-5 : IPsec tunnel connection from BIG-IP to some Cisco ASA does not stay up when DPD (Dead Peer Detection) is enabled

Component: TMOS

Symptoms:
When establishing IPsec tunnel from the BIG-IP system to some Cisco devices enabled with an older Dead Peer Detection (DPD) implementation, IPsec tunnel does not stay up because of a mismatched Cookie field in the DPD message.

Conditions:
An IPsec tunnel connection from a BIG-IP system to certain Cisco ASA configurations does not stay up when DPD is enabled

Impact:
IPsec tunnel goes down, traffic stops.

Workaround:
Disable Dead Peer Detection for the Ike Peer configuration to the Cisco devices exhibiting this issue.

Fix:
IPsec Tunnel between the BIG-IP system and CISCO devices with older Dead Peer Detection (DPD) are no longer brought down because of mismatched Cookie Field in the DPD messages.


503696-1 : BD enforcer updates may be stuck after BD restart

Component: Application Security Manager

Symptoms:
If BD enforcer restarts during an update, the current configuration update will get stuck and no further updates will be performed.

Conditions:
BD enforcer restarts during an update.

Impact:
The current configuration update will get stuck and no further updates will be performed.

Workaround:
bigstart restart asm

Fix:
BD enforcer updates continue to process correctly even after BD restart.


503600-6 : TMM core logging from TMM while attempting to connect to remote logging server

Component: TMOS

Symptoms:
TMM crash and coredump while logging to remote logging server.

Conditions:
The problem might occur when a log message is created as the result of errors that can occur during log-connection establishment. The crash specifically occurs when an error occurs while attempting to connect to the remote logging server.

Impact:
TMM runs out of stack and dumps core. Stack trace shows recursion in errdefs. The system cannot function under these conditions. This is an issue that might occur anytime logs are generated when managing resources that are also used by the logging system itself.

Workaround:
Two possible workarounds are available: 1) Create a log filter specifically for message-id :1010235: that either discards or directs such messages to local syslogs. 2) If the problem occurs on TMM startup, disable and then re-enable the corresponding log source once the TMM starts up.

Fix:
TMM no longer crashes and coredumps while logging to remote logging server.


503246-4 : TMM crashes when unable to allocate large amount of provisioned memory

Component: TMOS

Symptoms:
TMM panics and core dumps when unable to allocate the full amount of provisioned memory for each TMM instance.

Conditions:
The situation may occur when TMM starts (or restarts) while a process is still holding into large amounts of memory and TMM is unable to allocate the provisioned memory.

Impact:
crash and core dump.

Workaround:
none

Fix:
The fix is a change in the TMM startup process


502841-2 : REST API hangs due to icrd startup issues

Component: TMOS

Symptoms:
The symptoms are that iControl REST requests can go un-responded or come back with bad responses.

Conditions:
icrd starts much before restjavad

Impact:
Unusable REST API.

Workaround:
The workaround is to restart the icrd service after ascertaining that restjavad is running - 'bigstart status restjavad' followed by 'bigstart restart icrd'.

Fix:
Now the icrd service will wait until the restjavad service is completely up and responding.


502480-1 : Mirrored connections on standby device do not get closed when Verified Accept is enabled

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, the BIG-IP may cause mirrored connections on the standby device to persist.

Conditions:
- Mirror enabled on the Virtual server - Verified accept enabled on the TCP profile

Impact:
Resource leak on the standby device which could cause an outage

Workaround:
Do not enable verified accept on mirrored flows.

Fix:
Mirrored connections to the standby device will now be properly closed on the standby.


500786-6 : Heavy memory usage while using fastL4/BIGTCP virtual with HTTP profile

Component: Local Traffic Manager

Symptoms:
When a FastL4/BIGTCP virtual with HTTP profile is used, certain kinds of traffic may cause huge memory growth and result in out-of-memory situation.

Conditions:
If the FastL4 virtual with HTTP profile handles HTTP cloaking traffic, that starts up as HTTP and then switches over to non-HTTP data, memory growth could grow unbounded due to lack of flow control. This may lead to out of memory conditions eventually.

Impact:
Out of memory conditions affecting the availability/stability of the BIG-IP system.

Workaround:
1.) Avoid using FastL4 with HTTP profile, unnecessarily. 2.) If it could not be avoided, use FastL4 + HTTP-Transparent profile combination instead AND set http-transparent profile attribute enforcement.pipeline to "pass-through". This would allow HTTP filter to run in "passthrough" mode. Hence avoid the excessive momery consumption.

Fix:
Use FastL4 + HTTP-Transparent profile combination AND set http-transparent.enforcement.pipeline to "pass-through". This enables HTTP filter to run in "passthrough" mode. Hence avoid the excessive momery consumption.


499430-2 : Standby unit might bridge network ingress packets when bridge_in_standby is disabled

Component: Local Traffic Manager

Symptoms:
On a standby unit with a vlangroup configured with multiple VLAN members and bridge_in_standby attribute set to false, the unit might still bridge network ingress packets across the vlangroup, if those packet happen to match the host monitor traffic flows.

Conditions:
This occurs when the following conditions are met: Configure a vlangroup with multiple VLAN members in HA configuration and set vlangroup's bridge_in_standby attribute to false. Configure monitors to use non-default monitor rules (ICMP, etc.).

Impact:
This results in a traffic bridging loop among active and standby unis. Excessive traffic load might take down monitors on the BIG-IP system.

Workaround:
None.

Fix:
Standby unit no longer bridges network ingress packets when bridge_in_standby is disabled. This is correct behavior.


496679-5 : After renaming /cm device, load fail 'foreign key index (default_device_fk)'.

Component: TMOS

Symptoms:
After renaming a CM device object, subsequent configuration loads may fail because the 'default-device' on traffic-group objects is not automatically updated.

Conditions:
Renaming a device object.

Impact:
Although the configuration can be saved, it fails when being loaded (for example, in response to a ConfigSync operation, during software upgrade, or when running the command: tmsh load sys config).

Workaround:
Modify any traffic-group default-device attributes that refer to the old device name.

Fix:
Renaming a device also renames the associated traffic-group's default device, so configuration load now completes successfully.


495865-2 : iApps/tmsh cannot reconfigure pools that have monitors associated with them.

Component: TMOS

Symptoms:
iApps are unable to reconfigure pools that have monitors associated with them.

Conditions:
Using tmsh or iApps in the GUI to re-configure the pool monitor (for example, changing the monitor from 'http' to 'none').

Impact:
Monitor change does not occur. GUI or tmsh might post an error similar to the following: Monitor rule not found.

Workaround:
None.

Fix:
Users can now remove a monitor from a pool / set it to 'none' through tmsh or a GUI iApp transaction.


495744-1 : Some user defined ASM reports are not loading correctly after upgrade from 11.4 upwards

Component: Application Visibility and Reporting

Symptoms:
Some fields of user defined filters from older versions cannot be loaded in the new version, after an upgrade.

Conditions:
Custom user filter is defined. Most common when Source Client IP field is set.

Impact:
Filters cannot be applied correctly due to values not being recognized.

Workaround:
Before upgrade, the filters should be manually saved, and later on re-created on the new version.

Fix:
A better value upgrade has been implemented, and a warning message is displayed to the user about the situation.


494796 : Unable to create GTM Listener with non-default protocol profile.

Component: Global Traffic Manager

Symptoms:
When attempting to create a GTM Listener with anything besides a default protocol profile causes a duplicate profile error.

Conditions:
Create a GTM Listener with a protocol profile other than udp_gtm_dns or tcp.

Impact:
GTM listener creation does not complete.

Workaround:
Create a GTM Listener using a default protocol profile, and then modify the protocol profile settings.

Fix:
You can now create GTM Listener with non-default protocol profile.


494070-2 : BIG-IP DNS cannot use a loopback address with fallback IP load balancing

Component: Global Traffic Manager

Symptoms:
BIG-IP DNS cannot use a loopback address with fallback IP load balancing.

Conditions:
BIG-IP DNS pool using fallback IP load balancing.

Impact:
Cannot configure a loopback address using fallback IP load balancing.

Workaround:
None.

Fix:
Now, a BIG-IP DNS Pool fallback IP address can be localhost.


492460-3 : Virtual deletion failure possible when using sFlow

Component: TMOS

Symptoms:
This error message might occur intermittently when trying to delete a virtual server: 01070265:3: The Virtual Server (vs_name) cannot be deleted because it is in use by a sflow http data source (ds_name).

Conditions:
sFlow is in use.

Impact:
Virtual may fail to be deleted.

Workaround:
None.

Fix:
This error message used to occur intermittently when trying to delete a virtual and using sFlow: 01070265:3: The Virtual Server (vs_name) cannot be deleted because it is in use by a sflow http data source (ds_name). This no longer occurs.


492122-5 : Now Windows Logon Integration does not recreate temporary user for logon execution each time

Component: Access Policy Manager

Symptoms:
Temporary user 'f5 Pre-Logon User' is created and deleted each time it is used which prevents the performance of domain operations like adding that user to specific domain group or setting properties because the SSID changes every time.

Conditions:
This happens when both of these conditions exist: 1. Windows Logon Integration is used. 2. Enforce access policy execution option is selected.

Impact:
As a result, it is impossible to manage the temporary user 'f5 Pre-Logon User'.

Workaround:

Fix:
Now the 'f5 Pre-Logon User' is created only once, which allows a Domain or System Administrator to manage it, because the SSID does not change. When the user is no longer required (that is, when the logon process is complete), 'f5 Pre-Logon User' is disabled and remains disabled until the next usage.


491727-2 : Upgrade can fail to load config due to tcp profile no longer allowing time-wait-timeout of 4294967295 (indefinite).

Component: TMOS

Symptoms:
Upgrade to v11.6.0 can fail with the following error message: 01070712:3: The value (-1) is outside the acceptable value set [value equal to or less than 600000] for time_wait_timeout in type TCP Profile for item <tcp_profile_name> Unexpected Error: Loading configuration process failed.

Conditions:
A tcp profile exists with tcp_long_timeout equal to 4294967295 (indefinite).

Impact:
Upgrade to v11.6.0 fails and leaves device in INOPERATIVE state.

Workaround:
Change tcp_long_timeout prior to upgrade to a value in the range from 0 to 600000 inclusive OR, if already upgraded, edit bigip.conf to set tcp_long_timeout to a value in the range from 0 to 600000 inclusive and run "tmsh load sys config".

Fix:
BIG-IP configurations now load successfully after an upgrade if the TCP profile's Time Wait value is set to 4294967295


491371-1 : CMI: Manual sync does not allow overwrite of 'newer' ASM config

Component: Application Security Manager

Symptoms:
ASM Sync was designed to only request the ASM portion of the configuration if it recognizes that a peer has a newer configuration. This precludes the ability to 'roll back' changes on a device by pushing from the peer that still has the older configuration.

Conditions:
Devices are set up in a Manual Sync ASM-enabled group.

Impact:
User is unable to 'roll back' changes on a device by pushing from the peer that has an older configuration.

Workaround:
Make a spurious change on the device that has an older config and then push the changes to the peer.

Fix:
An older ASM configuration can now be manually pushed to a peer in a device group.


491352-3 : Added ASM internal parameter to add more XML memory

Component: Application Security Manager

Symptoms:
It is not possible to add more than 1.2 GB of memory to the XML parser.

Conditions:
More than 1.2 GB of XML memory is needed.

Impact:
XML out of memory messages, traffic dropped.

Workaround:

Fix:
We added the internal parameter additional_xml_memory_in_mb that enables an additional amount of XML memory (in MB).


491185-1 : URL Latencies page: pagination limited to 180 pages

Component: Application Visibility and Reporting

Symptoms:
When there is a lot of information in URL Latencies with paging being available for more than 180 pages, no data is being displayed when switching to any of the pages above 180

Conditions:
URLs count exceeds 1800

Impact:
Not all URLs will be visible

Workaround:
Filtering can be used to limit the number of results below 1800.

Fix:
Number of reported URLs is now limited to 1000 (100 pages), consistent with other reporting pages.


491080-5 : Memory leak in access framework

Component: Access Policy Manager

Symptoms:
When multiple concurrent attempts are made to access a resource protected by APM, one of these attempts proceeds to policy execution and the rest get a message stating that session evaluation is in progress. The page that delivers this message has a unique identifier in the URL that causes the caching of this page to be ineffective. Multiple cache entries are created and these entries present themselves as a leak.

Conditions:
Use of APM. Multiple concurrent accesses to a resource protected by a virtual server with an APM profile attached. Note that no prior established sessions must exist for that client for this to happen.

Impact:
A memory leak occurs.

Workaround:
None.

Fix:
The APM page caching now omits the unique identifier in the key. As a result, a single page, or a small fixed number of pages, can serve a multitude of clients without an increase in memory usage.


490999-2 : Subscriber-level AVR statistics display the subscriber-type as "Unknown" for subscribers created using Radius Acct-Start

Component: Application Visibility and Reporting

Symptoms:
Subscriber-level AVR statistics display subscriber-type as "Unknown" instead of "Dynamic" for subscribers created using a RADIUS Accounting-Start message.

Conditions:
Subscriber should be created using a Radius Acct-Start message.

Impact:
Incorrect subscriber-type in subscriber-level AVR statistics.

Workaround:
none

Fix:
Populate the correct subscriber-type in subscriber-level AVR statistics.


490801-2 : mod_ssl: missing support for TLSv1.1 and TLSv1.2

Component: TMOS

Symptoms:
This is due to using older versions of httpd (which includes mod_ssl ...). Newer versions of httpd as of 2.2.15-39 include the necessary support for TLSv1.1 and TLSv1.2.

Conditions:
Any older versions of httpd which are not upgraded to 2.2.15-39 or selectively patched for the mod_ssl component will not be able to provide support for TLSv1.1 and TLSv1.2. Note that in older releases, there is a dependency on openssl 1.0.1 for a backport of the mod_ssl changes to actually support TLSv1.1 and TLSv1.2.

Impact:
No support is provided for TLSv1.1 and TLSv1.2.

Workaround:
Upgrade to one of the following: 12.0.0-hf1 - includes changes to mod_ssl 12.1.0 - includes update to httpd 2.2.15-39

Fix:
Upgrade to httpd 2.2.15-39 (from el6.6) provides the needed changes to mod_ssl to support TLSv1.1 and TLSv1.2.


490537-6 : Persistence Records display in GUI might cause system crash with large number of records

Component: TMOS

Symptoms:
Using the GUI to view Persistence Records statistics in GUI when there are a large number of records might crash the system. (Persistence Records are available for LTM and GTM by navigating to Statistics :: Module Statistics, clicking on Local Traffic, DNS Delivery, or DNS GSLB and then selecting 'Persistence Records' for Statistics Type.)

Conditions:
This occurs when viewing statistics in the GUI for a large number of Persistence Records (approximately 1 million, but the number might be lower depending on network configuration and capacity).

Impact:
The system runs out of memory and fails over.

Workaround:
Use TMSH to see Persistence Records and associated statistics: tmsh show sys conn. For LTM and GTM Delivery: tmsh show ltm persistence persist-records. For GTM GSLB: tmsh show gtm persist destination | level | target-name | key | max-results | target-type.

Fix:
Persistence Records are no longer visible by default in the GUI. You can turn on visibility of Persistence Records using a db variable. When you enable the db variable, the GUI-specific out-of-memory condition might occur if you have a large number of records. In that case, you should use TMSH to see Persistence Records and associated statistics using the command tmsh show ltm persistence persist-records. To set the db variable: -- for LTM Persistence Records, run the command: modify sys db ui.statistics.modulestatistics.localtraffic.persistencerecords value true. -- for DNS Delivery Persistence Records, run the command: modify sys db ui.statistics.modulestatistics.dnsdelivery.persistencerecords value true. -- for DNSGSLB, run the command: modify sys db ui.statistics.modulestatistics.dnsgslb.persistencerecords value true.


489957-9 : RADIUS::avp command fails when AVP contains multiple attribute (VSA).

Component: Service Provider

Symptoms:
The RADIUS::avp command fails when AVP contains multiple attributes (VSA) within an AVP.

Conditions:
One AVP contains multiple attributes (VSA).

Impact:
RADIUS::avp command fails.

Workaround:
None.

Fix:
RADIUS::avp command now completes successfully when AVP contains multiple attribute (VSA).


489816-1 : F5 Enterprise MIB attribute sysTmmStatMemoryTotal returning zero

Component: Performance

Symptoms:
An SNMP query for F5 Enterprise MIB attribue sysTmmStatMemoryTotal and several others were returning zero values after upgrading to v11.6.0 HF6 or higher.

Conditions:
Always

Impact:
These values are incorrect.

Workaround:
Similar queries can be made to equivalent MIB attributes provided in units of kilobytes using SNMP type Gauge. In the case of sysTmmStatMemoryTotal, sysTmmStatMemoryTotalKb can be queried.

Fix:
For the affected MIB attributes in 11.6.0 HF6 and higher, zero values are no longer returned. Units of measurements continue to be in bytes using SNMP attribute type Counter64.


489451-3 : TMM might panic due to OpenSSL failure during handshake generation

Component: Local Traffic Manager

Symptoms:
TMM might panic due to OpenSSL failure during handshake generation.

Conditions:
Low memory. Software-based SSL handshake generation.

Impact:
TMM outage.

Workaround:

Fix:
The system now checks for OpenSSL failures during SSL handshake generation, so TMM no longer panics.


489379-1 : Bot signature is not matched

Component: Advanced Firewall Manager

Symptoms:
Bot signature is not matched although its content appears in request.

Conditions:
Configure several bot signatures and send request that contain the signature. Some signature may not be matched.

Impact:
Signature that should be matched and blocked may reach the application.

Workaround:
This issue has no workaround at this time.

Fix:
All configured signature are now matched.


489329-6 : Memory corruption can occur with SPDY/HTTP2 profile(s)

Component: Local Traffic Manager

Symptoms:
A virtual server using either the SPDY or HTTP2 profiles can experience random memory corruption due to a double free of memory.

Conditions:
SPDY/HTTP2 filter is configured on the virtual.

Impact:
This results in a TMM crash in random components due to memory corruption.

Workaround:
Do not use SPDY2/HTTP2 profiles.

Fix:
A memory corruption in the SPDY/HTTP2 profiles has been fixed.


488921-2 : BIG-IP system sends unnecessary gratuitous ARPs

Component: Local Traffic Manager

Symptoms:
The BIG-IP system sends unnecessary gratuitous ARPs for its virtual IP addresses and self IP addresses.

Conditions:
When the virtual server status transitions from online to offline status or vice versa.

Impact:
The BIG-IP system sends out a large number of unwanted gratuitous ARPs if the virtual server changes its status rapidly. If devices connected to the BIG-IP system have rate limits configured, the devices might start ignoring the ARPs sent by the BIG-IP system, which might cause the devices to miss the critical gratuitous ARPs sent on HA failover. This might affect HA functionality.

Workaround:

Fix:
The system no longer sends unnecessary gratuitous ARPs when pool member state changes cause virtual server status changes.


488811-5 : F5-prelogon user profile folder are not fully cleaned-up

Component: Access Policy Manager

Symptoms:
When a user logs on using Network Logon in Windows, it triggers access policy execution, and the policy creates a temporary user, f5 Pre-Logon User. This causes the operating system to create a profile folder on the computer. After several executions, these folders start to accumulate because they are not removed properly after policy execution is complete. Each time the access policy runs, it creates a user folder of the form f5 Pre-Logon User.<HOSTNAME>.xyz in the C:\Users folder.

Conditions:
A user logs on to the computer using Network Logon in Windows. (Windows Logon Integration)

Impact:
Disk runs out of space and user is confused.

Workaround:
To work around the problem, delete folders manually.


488015-1 : Multiple PHP vulnerabilities

Component: TMOS

Symptoms:
CVE-2014-3668 Buffer overflow in the date_from_ISO8601 function in the mkgmtime implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) via (1) a crafted first argument to the xmlrpc_set_type function or (2) a crafted argument to the xmlrpc_decode function, related to an out-of-bounds read operation. CVE-2014-3669 Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function that triggers calculation of a large length value. CVE-2014-3670 The exif_ifd_make_value function in exif.c in the EXIF extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 operates on floating-point arrays incorrectly, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a crafted JPEG image with TIFF thumbnail data that is improperly handled by the exif_thumbnail function. The vulnerabilities described in this article have been resolved, or do not affect any F5 products. There will be no further updates, unless new information is discovered.

Conditions:
Running one of the vulnerable versions. For more information, see SOL15866: Multiple PHP vulnerabilities CVE-2014-3668, CVE-2014-3669, and CVE-2014-3670, available here: https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15866.html

Impact:
None. No F5 products are affected by this vulnerability.

Workaround:
None needed.

Fix:
Multiple PHP vulnerabilities CVE-2014-3668, CVE-2014-3669, and CVE-2014-3670.


484453-6 : Messages logged when registering with LOP daemon (lopd) or CAN daemon (cand)

Component: TMOS

Symptoms:
When the log filter is configured to filter at the 'Informational' log level, the logs can get filled with 'client /var/run/lopd.chmand.lopuns already registered' messages when registering with either the Lights Out Processor daemon (lopd) or the CAN daemon (cand). These messages appear in the log every two seconds on systems with lopd, or every 20 seconds on systems with cand.

Conditions:
This occurs when using a remote syslog logging filter with the 'Severity' field set to 'Informational'.

Impact:
Logs fill with messages. These messages are related to communication with the Lights Out Processor daemon (lopd) or with the CAN daemon (cand), and are completely benign, so you can safely ignore them.

Workaround:
Change the remote syslog logging level to 'Notice'.

Fix:
Reduced the log level for registering with the LOP (lights out processor) and CAN daemon (cand) to the debug level.


483719-2 : vlan-groups configured with a single member VLAN result in memory leak

Component: Local Traffic Manager

Symptoms:
If a vlan-group contains only a single member VLAN, tmm begins to leak memory as observed in 'tmctl memory_usage_stat'.

Conditions:
Configure a vlan-group with a single member VLAN.

Impact:
Continuous memory leaks might eventuallyresult in traffic disruptions.

Workaround:
Remove vlan-groups containing a single member VLAN or configure at least two member VLANs per vlan-group

Fix:
Single-member vlan-groups no longer leak memory.


482373-3 : Can not delete and re-create a new virtual server that uses the same virtual address in the same transaction

Component: TMOS

Symptoms:
A create followed by a delete of a virtual server in a transaction fails

Conditions:
A virtual server must be deleted in the same transaction as another virtual server being created where both share the same destination address. This applies to operations performed via iControl REST and tmsh.

Impact:
Transaction may fail

Workaround:
Use create and delete in separate transactions

Fix:
Transactions where virtual servers are deleted and re-created with the same virtual IP address will now complete successfully.


482177-4 : Accessing Sharepoint web application portal interferes with IdP initiated SAML SSO

Component: Access Policy Manager

Symptoms:
Accessing SharePoint web application portal with SSO configured for path /* (as part of portal access resource item) first will break IdP intiated Security Assertion Markup Language (SAML) single sign-on (SSO).

Conditions:
Having SharePoint Portal Access resource as well as SAML resource on full webtop. Access SharePoint application by clicking first on SharePoint icon on full webtop and then SAML resource causes SAML SSO to break.

Impact:
End user will see 404 NotFound page.

Workaround:
Disable SSO to Portal Access application SharePoint.

Fix:
Accessing a SAML resource on the webtop after a SharePoint resource no longer causes SSO to break.


481530-1 : Signature reporting details for sensitive data violation

Component: Application Security Manager

Symptoms:
ASM blocks some requests that match signatures of the 'XPath Injection' attack type, but specific details regarding the violations are not visible for the affected requests as the signatures match sensitive parameters.

Conditions:
Request with sensitive data, a signature match inside the sensitive data.

Impact:
You cannot view or learn about violations in the GUI for signatures that match on sensitive parameters.

Workaround:
Suggestions of how to acquire the sig id: 1. Attach a custom remote logger that includes the violation details field and the support id. Note: You can configure only these two. 2. Turn on the ATTACK_SIG logger module for the bd.log and grep for 'Matched SIGID:' messages. 3. Remove the sensitive configuration. Note: This might not work for your environment.

Fix:
Signature names that are matched inside sensitive data are now shown in the violation details in the Configuration utility.


481328-2 : Many 'tmsh save sys config gtm-only partitions all' stack memory issue.

Component: Global Traffic Manager

Symptoms:
Suitably large GTM configurations can take longer to save to the bigip_gtm.conf file than the configured timeout.

Conditions:
This occurs when GSLB automatic configuration save is enabled, many changes are made that require configuration save, and the gtm.global-settings.general.automatic-configuration-save-timeout is less than the length of time it takes to save the configuration to file.

Impact:
Making numerous changes might lead to multiple instances of the save operation running simultaneously. Large memory consumption, potentially leading to a crash.

Workaround:
Set gtm.global-settings.general.automatic-configuration-save-timeout to a larger value or disable automatic configuration saving for GTM / GSLB.

Fix:
Simultaneous GTM configuration saves no longer occur, so memory is not consumed for them.


480246-4 : Message: Data publisher not found or not implemented when processing request

Component: TMOS

Symptoms:
The system posts messages in ltm log similar to the following: err mcpd[7172]: 0107167d:3: Data publisher not found or not implemented when processing request (unknown request), tag (20594).

Conditions:
This occurs on a bladed system from an snmp query against blade_voltage_stat.

Impact:
For bladed systems, the system does not report the blade voltage. For systems that are not bladed system, there is no publisher for this query. This message is cosmetic for non-bladed systems, and you can safely ignore it.

Workaround:
None.

Fix:
The main query processing file was not included during build-time. The file has been added and the stats should now show as expected.


480071-2 : Backslashes in policy rule added/duplicated when modified in GUI.

Component: TMOS

Symptoms:
Policy no longer matches rule after modification via the GUI.

Conditions:
This occurs when the policy rule contains literal backslash.

Impact:
The policy does not match the expected condition.

Workaround:
Use tmsh to make policy changes.

Fix:
Backslashes in policy rule are now correctly escapsed when modified in GUI.


478351-1 : Changing management IP can lead to bd crash

Component: Application Security Manager

Symptoms:
A bd crashes after a management IP change.

Conditions:
Remote logger is configured, high traffic volume and a configuration changed for the management IP.

Impact:
The impact of this issue is a system outage as the bd restarts.

Workaround:
This issue has no workaround at this time.

Fix:
We fixed a crash that could happen when management IP configuration was changed.


477769-2 : TMM crash (panic) in AFM pktclass code (Assertion 'classifier ref non-zero' failed.) when virtual server has SPDY or HTTP Prefetching enabled along with AFM Rules.

Component: Advanced Firewall Manager

Symptoms:
TMM will crash (panic) in AFM pktclass code with following signature: Assertion 'classifier ref non-zero' failed.

Conditions:
For this to happen, following conditions must be met: - AFM is enabled. - Virtual Server has AFM Rules (policy). - Either SPDY profile OR HTTP prefetching enabled. - Then the AFM Rule (policy) on this Virtual Server is modified.

Impact:
TMM will restart causing traffic disruption.

Workaround:
None.

Fix:
TMM crash (panic) is fixed now and TMM no longer panics in scenarios with SPDY or HTTP Prefetching enabled.


476567-5 : fastL4: acceleration state is incorrectly reported on show sys conn

Component: Local Traffic Manager

Symptoms:
The results of the command show sys conn shows both-sides of two connections are accelerated, which means there should be four accelerated flows. But the ePVA accelerated flow count only shows three accelerated flows, which is what is expected with this combination of IP/port addresses.

Conditions:
This occurs when using FastL4 and acceleration.

Impact:
The system reports incorrect status.

Workaround:

Fix:
The system now updates accelerated status after the flow has been successfully inserted into the ePVA, so the correct state is reported.


476564-5 : ePVA FIX: no RST for an unaccelerated flow targeting a network virtual

Component: Local Traffic Manager

Symptoms:
A network virtual server configured with guaranteed acceleration fails to receive a RST for a flow that is not accelerated. They see a RST when targeting a host virtual. This results in the client sending packet retransmissions continuously, since the client has no indication that the connection was closed.

Conditions:
This occurs with guaranteed latency.

Impact:
The system drops flows.

Workaround:

Fix:
The system now sends RST in guaranteed mode for an ePVA flow when the packet is received in software.


476386-2 : DHE-RSA-AES256-SHA256 and DHE-RSA-AES128-SHA256 should only be supported for tls1.2

Component: Local Traffic Manager

Symptoms:
DHE-RSA-AES256-SHA256 and DHE-RSA-AES128-SHA256 are visible for other protocols, but are only supported for TLS1.2.

Conditions:
These should only show up under TLS1.2 but they are visible for other protocols.

Impact:
Selecting these might have unexpected results.

Workaround:
None.

Fix:
Resolved issue to ensure that DHE-RSA-AES256-SHA256 and DHE-RSA-AES128-SHA256 is supported only for TLS1.2.


475701-2 : FastL4 with FIX late-bind enabled may not honor client-timeout

Component: Local Traffic Manager

Symptoms:
When insufficient initial data is received, the FastL4 fix late-bind timeout recovery action is not taken (no RST sent with disconnection and no default pool use with fallback).

Conditions:
FastL4 profile with FIX late-bind enabled and insufficient data is received.

Impact:
The client-timeout feature does not work. Client connections seem to hang, and RST is not sent (when timeout-recovery disconnect) or the connection does not continue with standard FastL4 behavior (when timeout-recovery fallback) if enough initial data does not arrive within the client-timeout.

Workaround:
Setting tcp-handshake-timeout to a value that is greater than client-timeout might allow this to work.

Fix:
FastL4 with FIX late-bind enabled now honors client-timeout.


474252-1 : Applying ASM security policy repeatedly fills disk partition on a chassis

Component: Application Security Manager

Symptoms:
Applying ASM security policy repeatedly on a chassis will cause /var disk partition to fill.

Conditions:
ASM security policy is applied repeatedly on a chassis.

Impact:
/var disk partition is filled.

Workaround:
Delete the contents of /var/ts/var/cluster/send.

Fix:
An ASM security policy can be repeatedly applied on a chassis without filling the disk partition.


473415-1 : ASM Standalone license has to include URL and HTML Rewrite

Component: TMOS

Symptoms:
After an upgrade to 11.6.0, the system now reports 'URI Translation (Not Licensed)', yet the license package has not changed. There was no issue when running 11.4.1 with an ASM Standalone license and using the URL Rewrite functionality with URI Translation (under Local Traffic :: Profiles :: Services :: Rewrite).

Conditions:
This occurs when the following conditions are met: -- Running 11.6.0. -- ASM Standalone license. -- URL Rewrite functionality with URI Translation.

Impact:
An ASM Standalone license generated for 11.6.0 does not include ltm_rewrite_uri. Therefore, regardless of what is configured in a rewrite profile, the profile is inoperative when assigned to a virtual server.

Workaround:
None available.

Fix:
In this release, ltm_rewrite_html and ltm_rewrite_url are enabled when mod_asm is enabled, so the system functions as expected for URL Rewrite functionality with URI Translation operations.


472696-1 : Multiple Mozilla Network Security Services vulnerabilities

Component: TMOS

Symptoms:
CVE-2014-1544 Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger certain improper removal of an NSSCertificate structure from a trust domain.

Conditions:
Running one of the vulnerable versions. For more information, see SOL16716: Multiple Mozilla Network Security Services vulnerabilities, available here: https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16716.html.

Impact:
The vulnerable code exists on the system; however, it is not used in a way that exposes the vulnerability.

Workaround:
To mitigate this vulnerability, you should only permit management access to F5 products over a secure network and restrict command line access for affected systems to the trusted users. For more information, refer to SOL13309: Restricting access to the Configuration utility by source IP address (11.x) and SOL13092: Overview of securing access to the BIG-IP system.

Fix:
Multiple Mozilla Network Security Services vulnerabilities


472532-4 : Cipher dhe-rsa-aes256-sha256 is missing from the SSL cipher list

Component: Local Traffic Manager

Symptoms:
Cipher dhe-rsa-aes256-sha256 is missing from the ssl cipher list.

Conditions:
This issue occurs under all conditions.

Impact:
The impact of this issue is that the user will be unable to connect with the specified cipher.

Workaround:
N/A

Fix:
Cipher id 0x006b (dhe-rsa-aes256-sha256) has been added.


472446-2 : Customization Group Template File Might Cause Mcpd to Restart

Component: Access Policy Manager

Symptoms:
A config sync or tmsh transaction might fail and make mcpd restart if the config sync or tmsh transaction includes a misconfigured object and simultaneously includes a customization group template file.

Conditions:
The config sync or tmsh transaction includes a misconfigured object and includes a customization group template file.

Impact:
The config sync or tmsh transaction fails, and mcpd exits. Note: Avoid configurations that put customization group template file objects through a config sync or tmsh transaction, when that transaction might contain an object configured with an invalid value. This results in a configuration error. Here is one example of the types of messages you might see when this occurs: -- info mcpd[12395]: 01071528:6: Device group '/Common/f5omb' sync inconsistent, Incremental config sync may not be complete on one or more devices in this devicegroup, Sync status may not be consistent until incremental config sync is complete. -- err mcpd[12395]: 01070734:3: Configuration error: Cannot apply template as cache path for (customization template file logon.inc customization group /Common/ap_deptSharePt_act_logon_page_ag) cannot be empty. -- err mcpd[12395]: 01070596:3: An unexpected failure has occurred, - apm/validation/APMCustomizationFileObject.cpp, line 1825, exiting... -- info sod[5467]: 010c0009:6: Lost connection to mcpd - reestablishing. -- err zxfrd[12033]: 0153e0f7:3: Lost connection to mcpd.

Workaround:
None.

Fix:
A configuration error in config sync or tmsh transaction is now handled correctly.


471467 : gtmparse segfaults when loading wideip.conf because of duplicate virtual server names

Component: Global Traffic Manager

Symptoms:
gtmparse segfaults when loading wideip.conf with duplicate virtual server names, or whose names differ only by spaces.

Conditions:
wideip.conf contains duplicate virtual server name definitions, or the virtual server names are unique only because of leading or trailing spaces.

Impact:
gtmparse segfaults during a wideip.conf load, causing GTM configuration load to fail.

Workaround:
Change virtual server definitions so that there are no duplicate named virtual servers. Note that adding only leading or trailing spaces does not result in a unique virtual server name.

Fix:
gtmparse will now throw descriptive errors when encountering duplicate vs names in wideip.conf, for example: ./gtm/wideip.conf:61: "opt_vs_long_def: vs set name vs_1 on vs 10.221.43.28:1545 failed, duplicate name exists" at character '1545' in line: name "vs_1" address 10.221.43.28:1545


471318-1 : AD/LDAP group name matching should be case-insensitive

Component: Access Policy Manager

Symptoms:
AD/LDAP Group Name mapping fails due to the case sensitive matching. It should be case insensitive.

Conditions:
This occurs when using AD/LDAP Group name mapping.

Impact:
Cannot find the intended group.

Workaround:
None.

Fix:
AD/LDAP Group Name mapping now is using case-insensitive comparison. This is correct behavior.


470842-1 : Apache Axis vulnerability CVE-2012-5784

Component: TMOS

Symptoms:
Apache Axis 1.4 and earlier does not verify that the server host name matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate. The Apache axis.jar file included with iControl Assembly 11.2 and earlier is vulnerable to CVE-2012-5784.

Conditions:
Running one of the vulnerable versions. For more information, see SOL14371: Apache Axis vulnerability CVE-2012-5784, available here: https://support.f5.com/kb/en-us/solutions/public/14000/300/sol14371.html.

Impact:
Affected systems may be vulnerable to a man-in-the-middle attack where attackers spoof SSL servers through an arbitrary valid certificate.

Workaround:
If you are using iControl Assembly 11.2 and earlier, the Apache axis.jar file is vulnerable to CVE-2012-5784. To eliminate this vulnerability, upgrade to iControl Assembly 11.3. To do so, download the latest version of the iControl Assembly package at https://devcentral.f5.com/community/group/aft/1172123/asg/2. Note: A separate DevCentral login is required to access this content; you will be redirected to authenticate or register (if necessary).

Fix:
Apache Axis vulnerability CVE-2012-5784


470715-5 : Excessive IP fragmentation on tmm_bp vlan causes ftp data loss with vlan name >= 16 characters long

Component: Local Traffic Manager

Symptoms:
When a vlan name is >= 16 characters including the /Common/ folder name prefix, the internal packet size will exceed the configured MTU size of 1582 on the MPI channel. This causes excessive IP fragmentation on tmm_bp vlan and high cpu usage. In some cases it can also cause packet loss.

Conditions:
Vlan names (16 characters or longer) are being used. This length also counts the name of the partition.

Impact:
This can cause excessive IP fragmentation on tmm_bp vlan and high cpu usage. In some cases it would also cause packet loss.

Workaround:
Use shorter vlan names.

Fix:
A new db variable vlan.backplane.mtu has been added to configure tmm_bp vlan mtu size, and the new default backplane MTU is set to to 1640.

Behavior Change:
A new db variable vlan.backplane.mtu has been added to configure tmm_bp vlan mtu size, and the new default backplane MTU is set to to 1640.


470559 : TMM crash after traffic stress with rapid changes to Traffic capturing profiles

Component: Application Visibility and Reporting

Symptoms:
Rare condition of TMM crash due to traffic stress with rapid changes made to Traffic capturing profiles.

Conditions:
1. Traffic capturing feature is on, under heavy traffic. 2. Modifications are being made to traffic capturing configuration.

Impact:
This can occasionally cause TMM to crash.

Workaround:
Turn off traffic capturing feature, or minimize making changes to the Traffic capturing profile while under heavy load.

Fix:
A rare condition was fixed where TMM crashed due to traffic stress with rapid changes made to Traffic capturing profiles.


469512-3 : TMM aborted by SOD due to heartbeat failure when trying to load huge firewall policies.

Component: Advanced Firewall Manager

Symptoms:
TMM gets terminated by SOD daemon due to heartbeat failure.

Conditions:
This might occur intermittently when trying to load huge firewall policies.

Impact:
This might (intermittently) trigger TMM abort by DOS due to heartbeat failure.

Workaround:
Disable TMM heartbeat.

Fix:
TMM is no longer terminated by SOD due to heartbeat failure (when trying to load huge firewall policies).


469033 : Large big3d memory footprint.

Component: Global Traffic Manager

Symptoms:
The big3d process might take up a large amount of memory.

Conditions:
Using GTM in various configurations.

Impact:
Large big3d memory footprint. This is a configuration- and usage-dependent issue.

Workaround:
None.

Fix:
Reduced big3d memory footprint.


467256-2 : Deleting OPSWAT/Epsec packages from GUI does not delete files from disk causing UCS packages to bloat

Component: Access Policy Manager

Symptoms:
If there were multiple EPSEC packages installed on a BIG-IP system and if a UCS backup is taken subsequently, that UCS backup will contain all the files causing the UCS to become huge. Installing this UCS may fail due to disk space limitations.

Conditions:
For this issue, multiple EPSEC packages have to be installed in the system and the UCS of this system is created.

Impact:
UCS fails to install due to its large size.

Workaround:
One can do the following: 1. Delete the EPSEC package from the GUI. 2. Then go the /config/filestore/files_d/Common_d/epsec_package_d/ Find the extra files for which there is no corresponding entry in /config/bigip.conf. 3. Delete those extraneous files manually using rm.

Fix:
When you delete EPSEC packages using the GUI, APM now correctly deletes the corresponding EPSEC ISO file from the filestore (/config/filestore/files_d/Common_d/epsec_package_d/). Before creating archives, administrators are now required to delete non-active EPSEC packages using the GUI to make sure that non-active EPSEC ISO files are not included in the archives. Although this issue has been resolved for newly downloaded EPSEC ISO files, you might still need to perform some cleanup: 1. You must remove previous leftover EPSEC ISO files as follows: a. Delete the EPSEC package from the GUI: Select System > Software Management > Antivirus Check Updates; select an existing EPSEC package from the list and click Delete. b. Go to /config/filestore/files_d/Common_d/epsec_package_d/ and find files for which there is no corresponding entry in /config/bigip.conf. c. Delete those extraneous files manually using the rm command. 2. You cannot import huge previously created UCS archives. Instead, you should delete non-active EPSEC packages prior to creating a UCS. 3. If you want to include only one (active) EPSEC ISO in a UCS archive, you must first delete non-active EPSEC packages using the GUI.


462598-4 : Failover triggered due to a TMM crash resulting from unavailable APM renderer pool members.

Component: Access Policy Manager

Symptoms:
When the APM Access renderer or renderer pool (used for serving internal pages) goes down for an unknown reason, tmm goes into retry loop and sod kills the tmm.

Conditions:
For the problem to occur, at the very least, APM must be in use. The problem showed up in the past with a mangled iRule in place.

Impact:
This condition causes a crash due to an unresponsive TMM and will trigger a failover.

Workaround:
This has only been observed with an incorrectly formed iRule. So it is likely that fixing an associated iRule to operate as intended will resolve the problem. If this occurs without an associated iRule, there is no workaround.

Fix:
Now when an APM renderer or renderer pool (used for serving internal pages) goes down, APM detects the unavailability and sends a TCP Reset to the client.


462258-8 : AD/LDAP server connection failures might cause apd to stop processing requests when service is restored

Component: Access Policy Manager

Symptoms:
AD/LDAP server connection failures might cause APM apd to stop processing requests when service is restored. These symptoms accompany the problem: - Too many file descriptors open by apd. - 'Too many open files' error messages in the log file. - Running qkview to gather diagnostic data reveals the information similar to the following in 'netstat -pano' from qkview: tcp 270 0 127.0.0.1:10001 10.10.225.85:53212 ESTABLISHED 12191/apd off (0.00/0/0) tcp 269 0 127.0.0.1:10001 10.10.225.4:56305 ESTABLISHED 12191/apd off (0.00/0/0) tcp 272 0 127.0.0.1:10001 10.10.57.10:57508 CLOSE_WAIT 12191/apd off (0.00/0/0) tcp 0 0 127.1.1.1:56230 127.7.0.1:389 ESTABLISHED 12191/apd keepalive (1909.72/0/0) The last line with timer 'keepalive (1909.72/0/0)' indicates that apd has been waiting for a response for too long. Other lines with Recv-Q '272' indicate that apd is not reading incoming requests as expected (specifically, that the internal worker queue is overloaded because all threads are waiting for the one hanging thread to be processed).

Conditions:
This occurs between the connect and search phases of the AD/LDAP server connection operation, most likely when a AAA Server is configured to use pool as a backend. In this case, apd can always connect locally to layered virtual server, but the pool monitor has a server availability check interval, so a lag in the request to an unavailable server might cause apd to hang.

Impact:
Potential connection failures to backend server.

Workaround:

Fix:
Active Directory and LDAP server connection operations time out in 3 minutes, so a thread does not block any other, and service can recover as soon as the connection to the backend is restored.


461084-3 : Kerberos Auth might fail if client request contains Authorization header

Component: Access Policy Manager

Symptoms:
When the BIG-IP system is configured with Kerberos Auth agent and the client sends a request with an Authorization header prior to the "HTTP 401" challenge, authentication fails.

Conditions:
An auth request to the BIG-IP systems contains Authorization header; Kerberos Auth is configured.

Impact:
Authentication can fail and the client might see a login prompt again when the IP address changes.

Workaround:
None

Fix:
Client's Kerberos auth will succeed now.


460946-2 : NetHSM key is displayed as normal in GUI

Component: Local Traffic Manager

Symptoms:
A NetHSM' key type is displayed as 'normal' in the GUI when it should be displayed as 'nethsm'.

Conditions:
When a key is created using NetHSM.

Impact:
The 'Security Type' field of the key's property appears to be 'Normal,' when it should be NetHSM.

Workaround:

Fix:
NetHSM key is displayed as normal in GUI as NetHSM, as expected.


458348-2 : RESOLV:: iRule commands and sFlow don't function correctly when using non-default CMP hashing.

Component: Local Traffic Manager

Symptoms:
Packets originating from the RESOLV:: iRule commands and sFlow are not routed correctly when using non-default CMP hashing on external and internal VLANs.

Conditions:
External and internal VLANs have, respectively, src-ip and dst-ip cmp hashing configured.

Impact:
Packets are dropped.

Workaround:

Fix:
RESOLV:: iRule commands and sFlow now function correctly when using non-default CMP hashing.


455762-1 : DNS cache statistics incorrect

Component: Local Traffic Manager

Symptoms:
DNS Cache statistics might skew high due to shared information between TMMs incrementing the same statistic multiple times.

Conditions:
Any DNS Cache might see this issue.

Impact:
DNS Cache Statistics are listed as higher than they should have been.

Workaround:
This issue has no workaround.

Fix:
DNS Cache Statistics are no longer being incremented multiple times for the same action.


452482-7 : HTTP virtual servers with cookie persistence might reset incoming connections

Component: Local Traffic Manager

Symptoms:
Incoming TCP connection to HTTP virtual server receives RST during 3-way handshake

Conditions:
Incoming connection matches existing cookie persistence record and would be persisted to a pool member whose connection limit has been reached.

Impact:
TCP connection fails.

Workaround:

Fix:
Cookie persistence records are ignored when the connection limit of the persisted pool member has been reached. This results in incoming connections to be offloaded to another pool member (if available).


452443-2 : DNS cache resolver cannot send egress traffic on a VLAN with src-ip or dst-ip cmp hash configured

Component: Local Traffic Manager

Symptoms:
DNS cache resolver or validating resolver does not function properly and fails to resolve DNS requests.

Conditions:
BIG-IP system is using non-default cmp hashes configured on its egress VLANs.

Impact:
It is difficult to both use non-default cmp hashes on system VLANs and use a DNS cache resolver on the same BIG-IP system.

Workaround:
Configure a separate VLAN for the cache resolver's use that uses the default cmp hash. Set the system's default route to direct resolver traffic to this VLAN. This VLAN can be placed in a new route domain, if other features require route domain zero's default route pointing elsewhere.

Fix:
DNS cache resolver or validating resolver now functions properly, successfully resolving DNS requests when using non-default cmp hashes configured on its egress VLANs.


452439-5 : TMM may crash when enabling DOS sweep/flood if a TMM process has multiple threads

Component: Local Traffic Manager

Symptoms:
There is a bug caused by race condition in the library used by the AFM Sweep/flood feature. When the Sweep/flood feature is enabled, if one TMM process has multiple threads, one thread may attempt to access the memory released by another thread at some time. In this situation, TMM may crash due to access an invalid memory segment.

Conditions:
(1) AFM sweep/flood enabled (2) A single TMM process has multiple threads. (3) race condition occurs

Impact:
TMM crash, site at risk

Workaround:
Disable thread or disable sweep/flood

Fix:
TMM will not crash when enabling DOS sweep/flood detection feature regardless of threading.


449453-5 : Loading the default configuration may cause the mcpd process to restart and produce a core file.

Component: TMOS

Symptoms:
Loading the default configuration may cause the mcpd process to restart and produce a core file.

Conditions:
This issue occurs when the following condition is met: After you successfully load a UCS file that was created on a different system, you attempt to restore the system to factory defaults by loading the default configuration. When you load the default configuration, if the mcpd process is unable to decrypt the master-key, or attributes exist that were encrypted with a key other than the current master-key, the mcpd process restarts and produces a core file. These situations may occur if an RMA has occurred and you install a UCS from one device to another device of the same type, if the device unit key becomes corrupted, or if the master key file (/config/bigip/kstore/master) becomes corrupted.

Impact:
The BIG-IP system may temporarily fail to process traffic and fail over if configured as part of a high-availability system.

Workaround:
None.

Fix:
Fixed crashes in mcpd and other daemons when the master-key cannot be decrypted, or when attributes exist that were encrypted with a key other than the current master-key. These situations may occur when a RMA occurs, when moving a UCS from one device to another device of the same type, if the device unit key becomes corrupted, or if the master key file (/config/bigip/kstore/master) becomes corrupted.


446526-7 : TCP virtual server/UDP virtual server without datagram-LB mode enabled running DNS cache and suspending iRules might cause TMM crash.

Component: Local Traffic Manager

Symptoms:
When a TCP virtual server, or a UDP virtual server without datagram-LB mode enabled, runs an iRule which suspends itself, and the traffic that virtual server is handling is destined for the DNS cache, subsequent responses attempting to execute an iRule crash TMM because the first response is suspended. Those subsequent responses should be queued before attempting to execute the iRule.

Conditions:
Configuration contains TCP virtual server, or a UDP virtual server without datagram-LB mode enabled running DNS cache and suspending iRules.

Impact:
TMM restarts.

Workaround:
Enable datagram-LB mode on the UDP profile. There is no workaround in the case of TCP.

Fix:
TMM no longer restarts when configuration contains TCP virtual server, or a UDP virtual server without datagram-LB mode enabled running DNS cache and suspending iRules.


442871-2 : BIG-IP VE instances created using OpenStack interfaces may fail to detect the KVM hypervisor

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) instances created using OpenStack interfaces may fail to detect the Kernel-based Virtual Machine (KVM) hypervisor.

Conditions:
This issue occurs when all of the following conditions are met: -- You are deploying a BIG-IP VE instance on a KVM hypervisor. -- You are using the OpenStack interface tool set to perform the deployment.

Impact:
As a result of this issue, you may encounter one or more of the following symptoms: -- The BIG-IP VE instance fails to start. -- When starting the BIG-IP VE instance, diagnostic messages may indicate that the hypervisor is not recognized.

Workaround:
To work around this issue, you can modify your OpenStack compute nodes to run all instances as KVM. To do so, perform the following procedure: Note: The workaround assumes that your compute nodes use KVM as the default hypervisor. Impact of workaround: Performing the following procedure should not have a negative impact on your system. 1. Log in to the OpenStack compute node as the root user. 2. Using an editor, create a file in the /etc/nova directory named release. 3. Add the following content to the new file: [Nova] vendor = Red Hat product = Bochs package = RHEL 6.3.0 PC 4. Restart all services or reboot the compute note. 5. Redeploy a new BIG-IP VE instance using the OpenStack interface tool set.

Fix:
BIG-IP VE instances created using OpenStack interfaces now detect the KVM hypervisor. Important: If you performed the steps to work around this issue (as described in the known issue for this bug), removing the workaround might require a license change.


441058 : TMM can crash when a large number of SSL objects are created

Component: Local Traffic Manager

Symptoms:
Administrative operations which trigger a full reload of SSL cert, key, or CRL files can cause TMM to abort. TMM will miss its heartbeat, at which time it will be killed by sod daemon via SIGABRT.

Conditions:
Configuration contains a large number of SSL certs, keys and/or CRLs.

Impact:
TMM crash, leading to possible network outage.

Workaround:
Remove any unused SSL objects from configuration.

Fix:
The system now loads the virtual IP addresses and associated SSL Certs/Keys in batches, so that TMM config load no longer exceeds its allowed CPU time.


439559-2 : APM policy sync resulting in failover device group sync may make the failover sync fail

Component: TMOS

Symptoms:
If an APM policy sync puts the new policy on a member of a sync-failover device group then the sync of the sync-failover group may fail.

Conditions:
* At least three devices in trust. * Two devices in a sync-failover device group. * Two devices in a sync-only device group suitable for APM policy sync. * The policy is synchronized from a device that is not in the sync-failover device group.

Impact:
Sync will fail, but full load sync will then succeed.

Workaround:
Using a full load sync (the force option on the GUI sync page) will work.

Fix:
If an APM policy sync puts the new policy on a member of a sync-failover device group then the sync of the sync-failover group used to fail. This now succeeds.


433466-4 : Disabling bundled interfaces affects first member of associated unbundled interfaces

Component: TMOS

Symptoms:
When the bundled interface (e.g., 2.1) is disabled, it might result in link issues observed with the first member of the associated unbundled interfaces (e.g., 1.1).

Conditions:
Disabling bundled interfaces affects first member of associated unbundled interfaces.

Impact:
Traffic unable to pass due to ports 'Down' status.

Workaround:
Do not disable the associated bundled interface (e.g., 2.1) when intending to use the first member of the associated unbundled interfaces (e.g., 1.1). Same for the interface bundle/unbundle relationships for 2.2/1.5, 2.3/1.9, vice-versa, etc.

Fix:
Disabling bundled interfaces no longer affects the first member of associated unbundled interfaces.


424831-6 : State Mirroring does not work for an HA pair that uses only hardwired (serial) failover, without network failover

Component: Local Traffic Manager

Symptoms:
Failovers between devices in a HA pair might result in an unexpected disruption of traffic (for instance, if virtual servers are configured for mirroring). Persistence / session table information would similarly be missing on the newly-active system.

Conditions:
Platform that supports hardwired failover, configured for hardwired failover. (Note: this excludes chassis-based platforms, as well as VCMP guests and VEs) Network failover disabled.

Impact:
- Failovers may result in unexpected disruption of traffic that failed to be mirrored. - Session database (SessionDB things, iRule session table, persistence table, etc) will not be mirrored, as expected, which may result in unknown unexpected traffic failures.

Workaround:
Enable network failover, then restart all TMMs. Note: workaround will temporarily disrupt traffic.

Fix:
State Mirroring now works for HA configurations that use only hardwired (serial) failover, without network failover.


421012-3 : scriptd incorrectly reports that it is running on a secondary blade

Component: TMOS

Symptoms:
scriptd might indicate that it is running on a secondary blade, even when the process is running on a primary blade or an appliance. The error condition generates this log message: 014f000f:7: Becoming secondary cluster member

Conditions:
The conditions under which this occurs are not well understood, but it is a rare occurrence.

Impact:
Perpetual iCall handlers do not run, so scripts running under the control of a daemon do not run.

Workaround:
Issue the command 'bigstart restart scriptd' on an affected blade or device.

Fix:
scriptd no longer incorrectly reports that it is running on a secondary blade when it is not.


418890-2 : OpenSSL bug can prevent RSA keys from rolling forward

Component: Local Traffic Manager

Symptoms:
When trying to upgrade from version 10.x to version 11.x, SSL keys can fail to roll forward. The roll-forward process does not handle what appears to be an OpenSSL bug (tested through OpenSSL 1.0.1c).

Conditions:
This occurs when rolling forward RSA keys from version 10.x to 11.x.

Impact:
Rather than receiving the expected decrypt failure unable to load Private Key with a bad decrypt, approximately 0.3% respond differently, where the return is non-zero and does not contain 'bad decrypt'. In this case, the system considers the key bad even though it is fine.

Workaround:
None.

Fix:
All SSL keys from version 10.x can be loaded correctly using the UCS file.


413708-5 : BIG-IP system may use an ephemeral source port when sending SNMP IPv6 UDP response.

Component: TMOS

Symptoms:
When SNMP IPv6 UDP queries are directed from client to self-ip, response from the BIG-IP system does not preserve source port. An ephemeral source port will be used, instead of the source port 161.

Conditions:
SNMP IPv6 UDP query only.

Impact:
SNMP query fails.

Workaround:

Fix:
A problem of SNMP IPv6 UDP response from the BIG-IP system with an ephemeral source port has been solved.


406001-3 : Host-originated traffic cannot use a nexthop in a different route domain

Component: Local Traffic Manager

Symptoms:
If a route uses a nexthop in a different route domain, traffic originating from the host will not be forwarded to that nexthop.

Conditions:
Multiple route domains, gateway route that matches traffic using a nexthop in a different route domain.

Impact:
Nodes reached by the route cannot be monitored.

Workaround:
none

Fix:
Host-originated traffic can now use a nexthop in a different route domain.


405635-2 : Using the restart cm trust-domain command to recreate certificates required by device trust.

Component: TMOS

Symptoms:
The device trust manages the certificates and keys SSL connections require between devices used for configuration synchronization. You should always have the necessary certificates and keys. If they are not present, device trust fails.

Conditions:
This might occur after manually removing the 'cm' stanzas from the config file, and reloading the configuration.

Impact:
No certificates and keys exist. If there are no certificates and keys, device trust cannot be set up, and the system cannot complete the SSL connections necessary for config synchronization.

Workaround:
To recreate the certs and keys, run the command: restart cm trust-domain.

Fix:
This release contains a new tmsh command 'restart cm trust-domain' to restart device trust in this circumstances.


401893-3 : Allowing tilde in HTTP Profile fields Response Headers Allowed and Encrypt Cookies

Component: TMOS

Symptoms:
You will be unable to use the tilde (~) character in the fields Response Headers Allowed and Encrypt Cookies when using the GUI.

Conditions:
Attempting to use the tilde character in HTTP Profile fields Response Headers Allowed and Encrypt Cookies in HTTP Profiles.

Impact:
The GUI errors out with an error: Bad Characters. Only the following special characters are allowed: period, dash and underscore (.-_). Multiple arguments should be separated by spaces."

Workaround:
Use tmsh to create/update HTTP Profile fields Response Headers Allowed and Encrypt Cookies that need a tilde character.

Fix:
The tilde character can now be used in HTTP Profile fields Response Headers Allowed and Encrypt Cookies.


389328-7 : RSA SecurID node secret is not synced to the standby node

Component: Access Policy Manager

Symptoms:
When RSA SecurID node secret files are created on the active node, the files are not synced to the standby node. As a result, user will not be able to log on after switchover.

Conditions:
RSA node secret files are created on the active node after the first successful authentication.

Impact:
Service will be inaccessible after switchover.

Workaround:
1. Copy node secret files /config/aaa/ace/Common/<rsa_securid_aaa_server>/sdstatus.12 and /config/aaa/ace/Common/<rsa_securid_aaa_server>/securid from the active node to the same directory on the standby node. 2. Wait for at least 30 seconds 3. Execute the command "tmsh save sys config" to commit the changes to disk.

Fix:
The SecurID node secret file monitoring algorithm was updated so that a new node secret file can be detected. Also, aced now authenticates with mcpd so that any node secret file object changes will be accepted by the mcpd.


388274-3 : LTM pool member link in non-Common partition is wrong in Network Map.

Component: TMOS

Symptoms:
Pool member link in the non-Common partition in Network Map is broken.

Conditions:
This occurs for pool members that exist in a partition other than Common.

Impact:
Pool member name contains unusual characters.

Workaround:
None.

Fix:
LTM pool member link in the non-Common partition is now in the correct Network Map.


382157-3 : Stats presented by the MIB sysVlanStatTable does not match sflow vlan stats

Component: TMOS

Symptoms:
Stats presented by the MIB sysVlanStatTable does not match sflow vlan stats.

Conditions:
Running the following command returns data inconsistent with sflow statistics: snmpwalk -v2c -c public localhost F5-BIGIP-SYSTEM-MIB::sysVlanStatTable.

Impact:
Incorrect interpretation of vlan stats. As a result of fixing this issue, F5-BIGIP-SYSTEM-MIB::sysVlanStatTable is obsoleted, IF-MIB::ifXTable should be used instead.

Workaround:
None.

Fix:
The IF-MIB::ifXTable was implemented to use the same stats as sflow. The F5-BIGIP-SYSTEM-MIB::sysVlanStatTable is obsolete.

Behavior Change:
F5-BIGIP-SYSTEM-MIB::sysVlanStatTable is obsoleted, IF-MIB::ifXTable should be used instead.


372473-2 : mcp error 0x1020003 may be logged to /var/log/tmm when TMM crashes

Component: Local Traffic Manager

Symptoms:
A message beginning with 'mcp error: 0x1020003' may be logged to /var/log/tmm when TMM crashes.

Conditions:
TMM crashes.

Impact:
This is an MCP error that is logged erroneously upon TMM shutdown, and does not indicate an issue with MCP.

Workaround:
None.

Fix:
The message is no longer logged when TMM crashes.


365219-2 : Trust upgrade fails when upgrading from version 10.x to version 11.x.

Component: TMOS

Symptoms:
Trust upgrade fails when upgrading from version 10.x to version 11.x. The upgrade fails without apparent error, but there will be one of the two following error messages in /var/log/ltm log: -- com.f5.devmgmt.certmgmt.TrustConfigUpdateForHAPairTask.run(TrustConfigUpdateForHAPairTask.java:425): Trust configuration update for HA Pair has failed: [STACK TRACE: {java.lang.Exception: Config sync password is invalid.}{ at com.f5.devmgmt.certmgmt.TrustConfigUpdateForHAPairTask.run(TrustConfigUpdateForHAPairTask.java:200)}. -- devmgmtd[7983]: 015a0000:3: Trust Config Update: [TrustConfigUpdateForHAPair.cpp:521 ] Skipping already-completed trust.

Conditions:
Upgrading high availability version 10.x configurations that use the factory default admin password.

Impact:
Trust upgrade for version 10.x high availability configuration fails.

Workaround:
Change the default admin password in the 10.x configuration before upgrading to 11.0.0.

Fix:
Upgrades of high availability configurations from version 10.x to version 11.x or later now succeed, even if the 10.x system was still using the factory default admin password. It is recommended that you change the default admin password before deployment.


341928-4 : CMP enabled virtual servers which target CMP disabled virtual servers can crash TMM.

Component: Local Traffic Manager

Symptoms:
TMM daemon crashes with accompanying log message: Assertion 'cmp dest set on incorrect listener type' failed.

Conditions:
A CMP enabled virtual targets (e.g. via 'virtual' iRule command) a CMP disabled virtual.

Impact:
Failover or network outage.

Workaround:
Avoid use of CMP disabled virtual servers.

Fix:
A CMP redirected looped virtual (i.e., VIP targeting VIP on different cluster node) no longer crashes TMM.


291469-2 : SNMP query fails to return ARP entries when the ARP table exceeds 2,048 entries.

Component: TMOS

Symptoms:
The SNMP query fails to return ARP entries when the ARP table exceeds 2,048 entries.

Conditions:
The following error message is reported in the /var/log/messages file: snmpd[1748]: Error allocating more space for arpcache. Cache will continue to be limited to 2048 entries.

Impact:
The ARP entries up to the boundary are returned. Any ARP entries after the boundary is reached are not returned.

Workaround:
None.

Fix:
Memory validation now allows arpcache to expand, so The SNMP query no longer fails to return ARP entries when the ARP table exceeds 2,048 entries.


223884 : Module not licensed message appears when APM is provisioned and APML is licensed.

Component: TMOS

Symptoms:
Module not licensed message appears when APM is provisioned and APML is licensed.

Conditions:
APM is provisioned and APML is licensed.

Impact:
It appears as if APML isn't licensed when it is.

Workaround:
Ignore the message.

Fix:
Module not licensed message will not appear when APM is provisioned and APML is licensed.




Cumulative fixes from BIG-IP v11.6.0 Hotfix 6 that are included in this release

Note: F5 has recently changed the bug numbering scheme in our bug tracking database. Now all bugs have a single version assigned to them and so bugs can now have sub bugs denoted by a '-' and then the sub bug number, i.e. 404716-4 with 404716 being the parent bug. The release notes for previous rollups will also reflect this change so some bugs may now contain a sub bug prefix.

TMOS Fixes

ID Number Severity Description
473033-5 1-Blocking Datastor Now Uses Syslog-ng
507312-1 1-Blocking icrd segmentation fault
544980-3 1-Blocking Small /var when deploying from OVF for BETTER and BEST
520466-2 1-Blocking Ability to edit iCall scripts is removed from resource administrator role
527630-1 1-Blocking CVE-2015-1788 : OpenSSL Vulnerability
477218-5 1-Blocking Simultaneous stats query and pool configuration change results in process exit on secondary.
506034-3 1-Blocking NTP vulnerabilities (CVE-2014-9297,CVE-2014-9298)
535806-2 1-Blocking Not enough free disk space for live install of BIG-IP 12.0.0 from 11.5.3 VE
473105 2-Critical FastL4 connections reset with pva-acceleration set to guaranteed
523434 2-Critical mcpd on secondary blades will restart with an error message about a sflow_http_virtual_data_source object
534630-5 2-Critical Upgrade BIND to address CVE 2015-5477
507602-1 2-Critical Data packet over IPsec tunnel might be looping between cores after rekey if IPsec lifebyte is enabled
470813-1 2-Critical Memory corruption in f5::rest::CRestServer::g_portToServerMap
540846-5 2-Critical Parsing malformed keys may cause BIND to exit due to a failed assertion in buffer.c
420107-2 2-Critical TMM could crash when modifying HTML profile configuration
471860-3 2-Critical Disabling interface keeps DISABLED state even after enabling
540849-5 2-Critical An incorrect boundary check can trigger a REQUIRE assertion failure in openpgpkey_61.c
513454-3 2-Critical An snmpwalk with a large configuration can take too long
506199-4 2-Critical VCMP guests on VDAG platforms can experience excessive tmm redirects after multiple guest provisioning cycles
513382-1 2-Critical Resolution of multiple OpenSSL vulnerabilities
468473-2 2-Critical Monitors with domain username do not save/load correctly
509503-4 2-Critical tmsh load sys config merge file 'filename' takes signficant time for firewall rulelist configuration
479460-5 2-Critical SessionDb may be trapped in wrong HA state during initialization
429018-2 2-Critical tmipsecd cores when deleting a non-existing traffic selector
493791-2 2-Critical iApps do not support FQDN nodes
529509-5 2-Critical CVE 2015-4620 BIND vulnerability
516618-5 2-Critical CVE-2013-7424
364978-1 2-Critical Active/standby system configured with unit 2 failover objects
497078-1 2-Critical Modifying an existing ipsec policy configuration object might cause tmm to crash
438674-5 2-Critical When log filters include tamd, tamd process may leak descriptors
504496-3 2-Critical AAA Local User Database may sync across failover groups
510979-1 2-Critical Password-less SSH access after tmsh load of UCS may require password after install.
529510-2 2-Critical Multiple Session ha state changes may cause TMM to core
464870-7 2-Critical Datastor cores and restarts.
513916-5 3-Major String iStat rollup not consistent with multiple blades
524326-4 3-Major Can delete last ip address on a gtm server but cannot load a config with a gtm server with no ips
514726-4 3-Major Server-side DSR tunnel flow never expires
497564-2 3-Major Improve High Speed Bridge diagnostic logging on transmit/receive failures
518039-1 3-Major BIG-IQ iApp statistics corrected for partition use cases
507853-1 3-Major MCP may crash while performing a very large chunked query and CPU is highly loaded
520640-2 3-Major The iControl Management.Zone.get_zone() method can return zone options in a format inconsistent for use with the Management.Zone.set_zone_option() method.
493246-2 3-Major SNMP error: Unknown Object Identifier (Index out of range:0 ) for sysCpuSensorSlot
473348-6 3-Major hbInterval value not set to 300 sec after upgrad.
491716-2 3-Major snmp_similint_test_15370.py failed because of bug fix 483508
518283 3-Major Cookie rewrite mangles 'Set-Cookie' headers
470756-6 3-Major snmpd cores or crashes with no logging when restarted by sod
509504-5 3-Major Excessive time to save/list a firewall rule-list configuration
442871-1 3-Major BIG-IP VE instances created using OpenStack interfaces may fail to detect the KVM hypervisor
523125 3-Major Disabling/enabling blades in cluster can result in inconsistent failover state
441297-3 3-Major LACP trunk remains down after restarting mcpd on 2000/4000 series platforms
509782-3 3-Major TSO packets can be dropped with low MTU
416388-1 3-Major vCMPD will not reattach to guest
534251-1 3-Major Live update with moving config breaks password-less ssh access
509037-1 3-Major BIG-IP systems allows creating wild-card IPIP tunnels with the same local-address and tunnel-type
458104-3 3-Major LTM UCS load merge trunk config issue
359774-6 3-Major Pools in HA groups other than Common
517580-3 3-Major OPT-0015 on 10000-series appliance may cause bcm56xxd restarts
483104-3 3-Major vCMP guests report platform type as 'unknown'
493213-1 3-Major RBA eam and websso daemons segfaulting while provisioning
489084-1 3-Major Validation error in MCPD for FQDN nodes
506041-2 3-Major Folders belonging to a device group can show up on devices not in the group
468837-5 3-Major SNAT translation traffic group inheritance does not sync across devices
524753-1 3-Major IPsec interface is not forwarding TCP flow to the host when the destination is tunnel self-ip
523922-4 3-Major Session entries may timeout prematurely on some TMMs
383784-5 3-Major Remote Auth user names containing blank space cannot login through TMSH.
481648-8 3-Major mib-2 ipAddrTable interface index does not correlate to ifTable
491556-7 3-Major tmsh show sys connection output is corrected
513294-8 3-Major LBH firmware v3.07 update for BIG-IP 5000-/7000-series appliances
519510-3 3-Major Throughput drop and rxbadsum stat increase in tagged VLAN with LRO/GRO on BIG-IP VE running on ESX platforms with particular network hardware
524490-4 3-Major Excessive output for tmsh show running-config
499260-3 3-Major Deleting trust-domain fails when standby IP is in ha-order
533458-4 3-Major Generate core file on HSB lockup
528310 3-Major Upgrade failure when CertKeyChain exists in non-Common partition
528881 3-Major NAT names with spaces in them do not upgrade properly
527021-1 3-Major BIG-IQ iApp statistics corrected for empty pool use cases
498992-6 3-Major Troubleshooting enhancement: improve logging details for AWS failover failure.
484706-2 3-Major Incremental sync of iApp changes may fail
410398-3 3-Major sys db tmrouted.rhifailoverdelay does not seem to work
504494-2 3-Major Upgrading to 11.5.0 and later might associate a disabled HA group to traffic groups.
516669-1 3-Major Rarely occurring SOD core causes failover.
533257-2 3-Major tmsh config file merge may fail when AFM security log profile is present in merged file
527537 3-Major CGNAT experiences increased CPU utilization with a high concurrent connection load and persistence enabled
473088-4 3-Major Virtual server with RequestAdapt/ResponseAdapt profiles along with a OneConnect profile
495526-1 3-Major IPsec tunnel interface causes TMM core at times
510159-1 3-Major Outgoing MAP tunnel statistics not updated
517178-2 3-Major BIG-IP as SAML Service Provider cannot process some messages from simplesamlphp under certain conditions
515667-4 3-Major Unique truncated SNMP OIDs.
510119-4 3-Major HSB performance can be suboptimal when transmitting TSO packets.
464252-2 3-Major Possible tmm crash when modifying html pages with HTML profile.
355661-3 3-Major sod logs error 010c003b:3: bind fails on recv_sock_fd, Cannot assign requested address
501437-3 3-Major rsync daemon does not stop listening after configsync-ip set to none
455264-3 3-Major Error messages are not clear when adding member to device trust fails
480679-1 3-Major The big3d daemon does not receive config updates from mcpd
500234-4 3-Major TMM may core during failover due to invalid memory access in IPsec components
530773 3-Major per-request policy logs frequently in apm logs
527145-4 3-Major On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.
524791-3 3-Major non_blocking_send/receive do not correctly handle EINTR situation for poll() == 0
519068-3 3-Major device trust setup can require restart of devmgmtd
505045-1 3-Major MAP implementation not working with EA bits length set to 0.
544888-5 3-Major Idle timeout changes to five seconds when using PVA full acceleration.
526419-1 3-Major Deleting an iApp service may fail
224903-5 3-Major CounterBaseGauge64 MIB values will not work with Network Management Systems
529640 3-Major Improvements in building Cloud images
362267-3 3-Major Configuring network failover on a VIPRION cluster using the blade management addresses results in 'Cannot assign requested address' errors
514724-1 3-Major crypto-failsafe fail condition not cleared when crypto device restored
507575-1 3-Major An incorrectly formated NAPTR creation via iControl can cause an error.
497304-1 3-Major Unable to delete reconfigured HTTP iApp when auto-sync is enabled
519372 3-Major vCMP guest memory growth due to large number of /var/run/tmstats-rsync.* files.
502238-3 3-Major Connectivity and traffic interruption issues caused by a stuck HSB transmit ring
464024-4 3-Major File descriptor leak when running some TMSH commands through scriptd
527094-1 3-Major iControl REST: the records collection in tm/ltm/data-group/internal/ may show wrong partition and subPath metadata.
522282-1 3-Major iApp templates are visible with only vCMP provisioned.
405752-1 3-Major Monitors sourced from specific source ports can fail
443298-2 4-Minor FW Release: Incorporate Victoria2 LOP firmware v1.20
473163-2 4-Minor RAID disk failure and alert.conf log message mismatch results in no trap
465317-1 4-Minor Failure notice from "/usr/bin/set-rsync-mgmt-fw close" seen on each boot
492163-3 4-Minor Applying a monitor to pool and pool member may cause an issue.
515345-1 4-Minor NTP Vulnerability
524185 4-Minor Unable to run lvreduce
464043-3 4-Minor Integration of Firmware for the 2000 Series Blades
475647-2 4-Minor VIPRION Host PIC firmware version 7.02 update
523863-2 4-Minor istats help not clear for negative increment
356658-2 5-Cosmetic Message logged when remote authenticated users do not have local account login


Local Traffic Manager Fixes

ID Number Severity Description
522784-2 1-Blocking After restart, system remains in the INOPERATIVE state
420341-6 1-Blocking Connection Rate Limit Mode when limit is exceeded by one client also throttles others
505222-2 2-Critical DTLS drops egress packets when traffic is large
530963-4 2-Critical BIG-IP TLS doesn't correctly verify Finished.verify_data on non-Cavium platforms
474601-5 2-Critical FTP connections are being offloaded to ePVA
503343-7 2-Critical TMM crashes when cloned packet incorrectly marked for TSO
497299-5 2-Critical Thales install fails if the BIG-IP system is also configured as the RFS
514108-1 2-Critical TSO packet initialization failure due to out-of-memory condition.
431283-7 2-Critical iRule binary scan may core TMM when the offset is large
552937-1 2-Critical HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the next pipelined request to fail.
533388-1 2-Critical tmm crash with assert "resume on different script"
536984 2-Critical Ensure min_path_mtu is functioning as designed.
426328-8 2-Critical Updating iRule procs while in use can cause a core
492352-3 2-Critical Mismatch ckcName between GUI and TMSH can cause upgrade failure
499422-1 2-Critical An optimistic ACK sent by a server in response to a BIG-IP FIN/ACK packet result in a FIN/ACK storm.
402412-8 2-Critical FastL4 tcp handshake timeout is not honored, connection lives for idle timeout.
523079-2 2-Critical Merged may crash when file descriptors exhausted
528432-2 2-Critical Control plane CPU usage reported too high
502443-4 2-Critical After enabling a blade/HA member, pool members are marked down because monitoring starts too soon.
510837-2 2-Critical Server initiated renegotiation fails with dhe_dss/ecdhe_ecdsa and ecdh_ecdsa ciphers. bigip sends bad client key exchange.
505331-1 2-Critical SASP Monitor may core
538255 2-Critical SSL handshakes on 4200/2200 can cause TMM cores.
539344-1 2-Critical SPDY child flow aborted while stalled leaves freed SPDY stream in SPDY stalled list
527477-4 2-Critical Slot 2 is inactive after reboot
450814-10 2-Critical Early HTTP response might cause rare 'server drained' assertion
531576-1 2-Critical tmm memory leak in traffic handling
506304-2 2-Critical UDP connections may stall if initialization fails
481677-2 2-Critical A possible TMM crash in some circumstances.
481162-2 2-Critical vs-index is set differently on each blade in a chassis
478257-7 3-Major Unnecessary re-transmission of packets on ICMP notifications even when MTU is not changed
496758-5 3-Major Monitor Parameters saved to config in a certain order may not construct parameters correctly
521522-3 3-Major Traceroute through BIG-IP may display destination IP address at BIG-IP hop
517556-3 3-Major DNSSEC unsigned referral response is improperly formatted
497742-3 3-Major Some TCP re-transmits on translucent vlangroup skip bit-flip on source MAC address
447043-3 3-Major Cannot have 2 distinct 'contains' conditions on the same LTM policy operand
479674-1 3-Major bigd crash on improper monitor configuration (timeout less than the interval) for Tcl monitors.
495557-1 3-Major Ephemeral node health status may report as 'unknown' rather than the expected 'offline'
226892-13 3-Major Packet filter enabled, default action discard/reject and IP fragment drop
503384-1 3-Major SMTP monitor fails on multi line greeting banner in SMTP server
352925-2 3-Major Updating a suspended iRule and TMM process restart
476097-1 3-Major TCP Server MSS option is ignored in verified accept mode
510638-1 3-Major [DNS] Config change in dns cache resolver does not take effect until tmm restart
503979-1 3-Major High CPU usage when DNS cache resolver sends a large number of DNS queries to the backend name server.
474356-1 3-Major Client SSL on partition other than /Common does not load if no key/cert/inherit-certkeychain
422107-8 3-Major Responses from DNS transparent cache will no longer contain RRSIG for queries without DO bit set
515322-1 3-Major Limit the number of extra callbacks scheduled from inside the cache resolver
460627-3 3-Major SASP monitor starts a new connection to the Group Workload Manager (GWM) server when a connection to it already exists
495836-2 3-Major SSL verification error occurs when using server side certificate.
512148-1 3-Major Self IP address cannot be deleted when its VLAN is associated with static route
514246-3 3-Major connflow_precise_check_begin does not check for NULL
515817-2 3-Major TMM may not reset connection when receiving an ICMP error
551612 3-Major BIGIP SSL does not support sending multiple certificate verification requests to cavium at the same time in 11.6.0.
348000-1 3-Major HTTP response status 408 request timeout results in error being logged.
490429-2 3-Major The dynamic routes for the default route might be flushed during operations on non-default route domains.
522147-2 3-Major 'tmsh load sys config' fails after key conversion to FIPS using web GUI
501516-5 3-Major If a very large number of monitors is configured, bigd can run out of file descriptors when it is restarted.
375887-4 3-Major Cluster member disable or reboot can leak a few cross blade trunk packets
515072-4 3-Major Virtual servers with priority groups reset incoming connections when a non-zero connection limit is increased
512383-3 3-Major Hardware flow stats are not consistently cleared during fastl4 flow teardown.
525557 3-Major FQDN ephemeral nodes not repopulated after deleted and re-created
504105-4 3-Major RRDAG enabled UDP ports may be used as source ports for locally originated traffic
465052-6 3-Major Some HTTP::cookie iRule commands can cause TMM to core if required arguments are missing
521408-3 3-Major Incorrect configuration in BigTCP Virtual servers can lead to TMM core
530829 3-Major UDP traffic sent to the host may leak memory under certain conditions.
485472-3 3-Major iRule virtual command allows for protocol mismatch, resulting in crash
488600-2 3-Major iRule compilation fails
465607-7 3-Major TMM cores with TMM log error 'Assertion "flow in use" failed.' when isuing FastHTTP.
478439-6 3-Major Unnecessary re-transmission of packets on higher ICMP PMTU.
510720-1 3-Major iRule table command resumption can clear the header buffer before the HTTP command completes.
490713-3 3-Major FTP port might occasionally be reused faster than expected
510921-1 3-Major Database monitors do not support IPv6 nodes
465590-9 3-Major Mirrored persistence information is not retained while flows are active
521774-3 3-Major Traceroute and ICMP errors may be blocked by AFM policy
516598-1 3-Major Multiple TCP keepalive timers for same Fast L4 flow
506282-1 3-Major GTM DNSSEC keys generation is not sychronized upon key creation
512062-2 3-Major A db variable to disable verification of SCTP checksum when ingress packet checksum is zero
530431 3-Major FQDN nodes: ephemeral nodes not being created for resolved FQDN hosts
488581 3-Major 'SSL::disable clientside' inside HTTP_REQUEST causes tmm core if crypto is in progress
520540-1 3-Major HTTP Basic authentication may cause the TMM to crash if the header is too large
507529-1 3-Major Active crash with assert: tmm failed assertion, non-zero ha_unit required for mirrored flow
521538-2 3-Major Keep-alive transmissions do not resume after failover of flows on an L4 virtual, when the sequence number is known
447874-5 3-Major TCP zero window suspends data transfer
504306-2 3-Major https monitors might fail to re-use SSL sessions.
462714-2 3-Major Source address persistence record times out even while traffic is flowing on FastL4 profile virtual server
478617-6 3-Major Don't include maximum TCP options length in calculating MSS on ICMP PMTU.
504899-2 3-Major Duplicated snat-translation addresses are possible (a named and an anonymous (created by snatpool) one)
374339-4 3-Major HTTP::respond/redirect might crash TMM under low-memory conditions
342013-6 3-Major TCP filter doesn't send keepalives in FIN_WAIT_2
422087-5 3-Major Low memory condition caused by Ram Cache may result in TMM core
517790-1 3-Major When non-HTTP traffic causes the server-side to receive unexpected data, the connection will be dropped
516320-2 3-Major TMM may have a CPU spike if match cross persist is used.
524666-3 3-Major DNS licensed rate limits might be unintentionally activated.
518020-11 3-Major Improved handling of certain HTTP types.
471059-4 3-Major Malformed cookies can break persistence
487696-3 3-Major Number of CPU allocated for ASM guests
505059-1 3-Major Some special characters are not properly handled for username and password fields in TCL monitors
364994-7 3-Major Disabling OneConnect must be done on Client and Server sides
454692-4 4-Minor Assigning 'after' object to a variable causes memory leaks
442647-5 5-Cosmetic IP::stats iRule command reports incorrect information past 2**31 bits


Global Traffic Manager Fixes

ID Number Severity Description
515797-1 2-Critical Using qos_score command in RULE_INIT event causes TMM crash
513464-1 2-Critical Some autodiscovered virtuals may be removed from pools.
471819-2 2-Critical The big3d agent restarts periodically when upgrading the agent on a v11.4.0 or prior system and Common Criteria mode is enabled.
517083-1 3-Major Some autodiscovered virtuals may be removed from pools.
516680-2 3-Major ZoneRunner might fail when loading valid zone files.
465951-2 3-Major If net self description size =65K, gtmd restarts continuously
516685-2 3-Major ZoneRunner might fail to load valid zone files.
515033 3-Major [ZRD] A memory leak in zrd
496775-3 3-Major [GTM] [big3d] Unable to receive mark LTM virtual server up if there is another VS with same ltm_name for bigip monitor
479142-1 3-Major Deleting a virtual server does not delete the resource record (RR) in ZoneRunner Daemon (ZRD)
515030-1 3-Major [ZRD] A memory leak in Zrd
353556-4 4-Minor big3d https monitor is unable to correctly monitor the web server when SSL protocol is changed
479084-1 4-Minor ZoneRunner can fail to respond to commands after a VE resume.


Application Security Manager Fixes

ID Number Severity Description
524004-1 2-Critical Adding multiple signatures concurrently via REST
513822-1 2-Critical ASM REST: Expected Content Value Is Not Set When Setting The responseActionType For A Response Page
511196-1 2-Critical UMU memory is not released when remote logger can't reach its detination
524428-1 2-Critical Adding multiple signature sets concurrently via REST
520280-1 2-Critical Perl Core After Apply Policy Action
532030-3 3-Major ASM REST: Custom Signature Set Created via REST is Different Than When Created From GUI
519053-1 3-Major Request is forwarded truncated to the server after answering challenge on a big request
526856-1 3-Major "Use of uninitialized value" warning appears on UCS installation due to ASM signature inconsistency
516522-1 3-Major After upgrade from any pre-11.4.x to 11.4.x (or later) the configured redirect URL location is empty
520585-2 3-Major Changing Security Policy Application Language Is Not Validated or Propagated Properly
486829-1 3-Major HTTP Protocol Compliance options should not be modified during import/upgrade
523201-2 3-Major Expired files are not cleaned up after receiving an ASM Manual Synchronization
531539-1 3-Major A brute force attack is not detected in NTLM under some conditions
523260-1 3-Major Apply Policy finishes with coapi_query failure displayed
527861 3-Major When Many entities are displayed on the "Illegal Meta Character in Value" manual traffic learning screen, the Configuration utility becomes unresponsive.
467930-1 3-Major Searching ASM Request Log for requests with specific violations
518201-1 3-Major ASM policy creation fails with "ASMConfig exception ... Policy ... already exists" after upgrade
523261-1 3-Major ASM REST: MCP Persistence is not triggered via REST actions
514117-1 4-Minor Store source port higher than 32767 in Request Log record


Application Visibility and Reporting Fixes

ID Number Severity Description
518663-1 3-Major Client waits seconds before page finishes load
519022-2 3-Major Upgrade process fails to convert ASM predefined scheduled-reports
499315-1 3-Major Added "Collect full URL" functionality.
531526-2 3-Major Missing entry in SQL table leads to misleading ASM reports
485251-1 3-Major AVR core witch include tmstat backtrace
525708-1 3-Major AVR reports of last year are missing the last month data
472117-2 3-Major Analytics scheduled report: "predefinedReportName" and "multiLeveledReport" are mutually exclusive
479334-5 3-Major monpd/ltm log errors after Hotfix is applied
530356-2 3-Major Some AVR tables that hold ASM statistics are not being backed up in upgrade process.


Access Policy Manager Fixes

ID Number Severity Description
482266-3 1-Blocking Network Access can't be established for Windows 10
488736-5 1-Blocking Fixed problem with iNotes 9 Instant Messaging
439880-2 1-Blocking NTLM authentication does not work due to incorrect NetBIOS name
482241-1 1-Blocking Windows 10 cannot be properly detected
492149-3 1-Blocking Inline JavaScript with HTML entities may be handled incorrectly
405769-3 1-Blocking APM Logout page is not protected against CSRF attack.
532340-1 2-Critical When FormBased SSO or SAML SSO are configured, tmm may restart at startup
514220-1 2-Critical New iOS-based VPN client may fail to create IPv6 VPN tunnels
525562-1 2-Critical Debug TMM Crashes During Initialization
509490-2 2-Critical [IE10]: attachEvent does not work
518260-1 2-Critical Missing NTLMSSP_TARGET_INFO flag on NTLMSSP_CHALLENGE message
517988-2 2-Critical TMM may crash if access profile is updated while connections are active
526754-2 2-Critical F5unistaller.exe crashes during uninstall
520145-3 2-Critical [Policy Sync] OutOfMemoryError exception when syncing big and complex APM policy
520298-2 2-Critical Java applet does not work
519864-3 2-Critical Memory leak on L7 Dynamic ACL
506223-2 2-Critical A URI in request to cab-archive in iNotes is rewritten incorrectly
507681-5 2-Critical Window.postMessage() does not send objects in IE11
493993-6 2-Critical TMM crashes on the standby when starting up in HA config and Active processing traffic in APM module
523313-1 2-Critical aced daemon might crash on exit
492287-1 2-Critical Support Android RDP client 8.1.3 with APM remote desktop gateway
480272-6 2-Critical During OAM SDK initialization, ObConfig initialization returns wrong accessgate ID
527799-9 2-Critical OpenSSL library in APM clients updated to resolve multiple vulnerabilities
531483-2 3-Major Copy profile might end up with error
500938-3 3-Major Network Access can be interrupted if second NIC is disconnected
540778-3 3-Major Multiple SIGSEGV with core and failover with no logged indicator
475403-2 3-Major Tunnel reconnect with v2.02 does not occur
492305-1 3-Major Recurring file checker doesn't interrupt session if client machine has missing file
471117-4 3-Major iframe with JavaScript in 'src' attribute not handled correctly in IE11
533566-1 3-Major Support for View HTML5 client v3.5 shipped with VCS 6.2
526578-1 3-Major Network Access client proxy settings are not applied on German Windows
532761 3-Major APM fails to handle compressed ICA file in integration mode
452010-3 3-Major RADIUS Authentication fails when username or password contain non-ASCII characters
531883-2 3-Major Windows 10 App Store VPN Client must be detected by BIG-IP APM
462514-1 3-Major Support for XMLHttpRequest is extended
494637-2 3-Major localdbmgr process in constant restart/core loop
531529-1 3-Major Support for StoreFront proxy
525429-4 3-Major DTLS renegotiation sequence number compatibility
526514-1 3-Major Open redirect via SSO_ORIG_URI parameter in multi-domain SSO
518981-2 3-Major RADIUS accounting STOP message may not include long class attributes
523431-2 3-Major Windows Cache and Session Control cannot support a period in the access profile name
494565-4 3-Major CSS patcher crashes when a quoted value consists of spaces only
483286-3 3-Major APM MySQL database full as log_session_details table keeps growing
501494-1 3-Major if window.onload is assigned null, then null should be retrieved
526084-3 3-Major Windows 10 platform detection for BIG-IP EDGE Client
521506-2 3-Major Network Access doesn't restore loopback route on multi-homed machine
525384-2 3-Major Networks Access PAC file now can be located on SMB share
513969-3 3-Major UAC prompt is shown for machine cert check for non-limited users, even if machine cert check service is running
513098-1 3-Major localdb_mysql_restore.sh failed with exit code
483501-1 3-Major Access policy v2 memory leak during object deletion in tmm.
531541-1 3-Major Support Citrix Receiver 4.3 for Windows in PNAgent mode
509677-1 3-Major Edge-client crashes after switching to network with Captive Portal auth
532096-2 3-Major Machine Certificate Checker is not backward compatible with 11.4.1 (and below) when MatchFQDN rule is used
519966-2 3-Major APM "Session Variables" report shows user passwords in plain text
521773-2 3-Major Memory leak in Portal Access
482269-8 3-Major APM support for Windows 10 out-of-the-box detection
516839-3 3-Major Add client type detection for Microsoft Edge browser
526492-2 3-Major DNS resolution fails for Static and Optimized Tunnels on Windows 10
520205-3 3-Major Rewrite plugin could crash on malformed ActionScript 3 block in Flash file
530800-1 3-Major Messages can't be sent from OWA2010 via Portal Access if form-based SSOv2 is in use.
474779-1 3-Major EAM process fails to register channel threads (MPI channel) with TMM, and subsequent system call fails.
492701-3 3-Major Resolved LSOs are overwritten by source device in new Policy Sync with new LSO
512245-7 3-Major Machine certificate agent on OS X 10.8 and OS X 10.9 uses local host name instead of hostname
483792-5 3-Major when iSession control channel is disabled, don't assign app tunnel, MSRDP, opt tunnel resources
473488-6 3-Major In AD Query agent, resolving of nested groups may cause apd to spin
426209-2 3-Major exporting to a CSV file may fail and the Admin UI is inaccessible
522878-1 3-Major Hide the cleartext Session ID (MRHSessionCookie) visible as part of URL query param to prevent unauthorized access.
520390-1 3-Major Reuse existing option is ignored for smtp servers
488105-3 3-Major TMM may generate core during certain config change.
340406-10 3-Major Localization of BIG-IP Edge Client™ for Macintosh
534755-1 3-Major Deleting APM virtual server produces ERR_NOT_FOUND error
512345-2 3-Major Dynamic user record removed from memcache but remains in MySQL
523327-2 3-Major In very rare cases Machine Certificate service may fail to find private key
528727-1 3-Major In some cases HTML body.onload event handler is not executed via portal access.
446860-4 3-Major APM Exchange Proxy does not honor tmm.access.maxrequestbodysize DB variable and is subject to ID 405348
523305-1 3-Major Authentication fails with StoreFront protocol
526617-1 3-Major TMM crash when logging a matched ACL entry with IP protocol set to 255
515943-2 3-Major "Session variables" report may show empty if session variable value contains non-English characters
520705-5 3-Major Edge client contains multiple duplicate entries in server list
423282-8 3-Major BIG-IP JavaScript includes can be improperly injected in case of conditional commment presence
473255-3 3-Major Javascript sibmit() method could be rewritten incorrectly inside of 'with' statement.
517441-5 3-Major apd may crash when RADIUS accounting message is greater than 2K
524909-2 3-Major Windows info agent could not be passed from Windows 10
490830-4 3-Major Protected Workspace is not supported on Windows 10
442698-10 3-Major APD Active Directory module memory leak in exception
472256-3 3-Major tmsh and tmctl report unusually high counter values
468137-6 3-Major Network Access logs missing session ID
466745-3 3-Major Cannot set the value of a session variable with a leading hyphen.
523222-6 3-Major Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending.
521835-2 3-Major [Policy Sync] Connectivity profile with a customized logo fails
539013-6 3-Major DNS resolution does not work on a Windows 10 desktop with multiple NICs after VPN connection has been established in some cases
482251-3 3-Major Portal Access. Location.href(url) support is added
431467-1 3-Major Mac OS X support for nslookup and dig utilities to use VPN DNS
528726-3 3-Major AD/LDAP cache size reduced
475735-4 3-Major Failed to load config after removing peer from sync-only group
500450-1 3-Major ASM and APM on same virtual server caused Set-Cookie header modification done by ASM not honored by APM websso.
513283-1 3-Major Mac Edge Client doesnt send client data if access policy expired
481663-5 3-Major Disable isession control channel on demand.
478751-6 3-Major OAM10g form based AuthN is not working for a single/multiple domain.
510709-1 3-Major Websso start URI match fails if there are more than 2 start URI's in SSO configuration.
513545-1 3-Major '-decode' option produce incorrect value when it decodes a single value
457760-5 3-Major EAM not redirecting stdout/stderr from standard libraries to /var/log/apm
537000-2 3-Major Installation of Edge Client can cause Windows 10 crash in some cases
520118-2 3-Major Duplicate server entries in Server List.
529392-2 3-Major Win10 and IE11 is not determined in case of DIRECT rule of proxy autoconfig script
513953-1 3-Major RADIUS Auth/Acct might fail if server response size is more than 2K
511854-4 3-Major Rewriting URLs at client side does not rewrite multi-line URLs
513706-2 3-Major Incorrect metric restoration on Network Access on disconnect (Windows)
402793-12 3-Major APM Network Accces tunnel slows down and loses data in secure renegotiation on Linux and Mac clients
530697-2 3-Major Windows Phone 10 platform detection
509722-1 3-Major BWC traffic blocked
519198-3 3-Major [Policy Sync] UI General Exception Error when sync a policy in non-default partition as non-default admin user
408851-7 3-Major Some Java applications do not work through BIG-IP server
532522-3 3-Major CVE-2015-1793
528768-1 3-Major Relaxing validation against "_" character for ActiveDirectory server FQDN for NTLM authentication
531910-1 3-Major apmd, apd, localmgr random crash
518432 3-Major [Mac][Linux][NA] TLS tunnel freezes on Mac and Linux in case of SSL renegotiation
537614-1 3-Major Machine certificate checker fails to use Machine cert check service if Windows has certain display languages
517564-1 3-Major APM cannot get groups from an LDAP server, when LDAP server is configured to use non-default port
528675-2 3-Major BIG-IP EDGE Client can indefinitely stay "disconnecting..." state when captive portal session expired
482699-4 3-Major VPE displaying "Uncaught TypeError"
461189-5 3-Major Generated assertion contains HEX-encoded attributes
472062-3 3-Major Unmangled requests when form.submit with arguments is called in the page
523390-2 3-Major Minor memory leak on IdP when SLO is configured on bound SP connectors.
458450-2 3-Major Memory allocation metadata corruption when debugging log is enabled on ECA
504031-1 3-Major document.write()/document.writeln() redefinition does not work
481987-6 3-Major Allow NTLM feature to be enabled with APM Limited license
518573 3-Major The -decode option should be added to expressions in AD and LDAP group mapping.
519415-3 3-Major apm network access tunnel ephemeral listeners ignore irules (related-rules from main virtual )
495336-1 3-Major Logon page is not displayed correctly when "force password change" is on for local users
520642-3 3-Major Rewrite plugin should check length of Flash files and tags
516462-2 3-Major Gateways for excluded address space routes are not adjusted correctly during roaming between networks on Windows machines
526677-1 3-Major VMware Horizon HTML5 View access client can not connection when using View Connection Server running version 6.1.1
526275-1 3-Major VMware View RSA/RADIUS two factor authentication fails
514912-3 3-Major Portal Access scripts had not been inserted into HTML page in some cases
483020-1 3-Major [SWG] Policy execution hang when using iRule event in VPE
480761-1 3-Major Fixed issue causing TunnelServer to crash during reconnect
478492-7 3-Major Incorrect handling of HTML entities in attribute values
533723-4 4-Minor [Portal Access] Client side HTML rewriter should not rewrite content within "textarea" tag.
507321-3 4-Minor JavaScript error if user-defined object contains NULL values in 'origin' and/or 'data' fields
486661-3 4-Minor Network Access should provide client IP address on reconnect log records
478261-2 4-Minor WinInet handle leak in Edge Client on Windows
510459-1 4-Minor In some cases Access does not redirect client requests
517872-1 4-Minor Include proxy hostname in logs in case of name resolution failure
513201-6 4-Minor Edge client is missing localization of some English text in Japanese locale
478658-6 4-Minor Window.postMessage() does not send objects
473685-1 4-Minor Websso truncates cookie domain value
523158-2 4-Minor In vpe if the LDAP server returns "cn=" (lower case) dn/group match fails
524756 4-Minor APM Log is filled with errors about failing to add/delete session entry
497627-3 4-Minor Tmm cores while using APM network Access and no leasepool is created on bigip.
482145-3 4-Minor Text in buttons not centered correctly for higher DPI settings


WebAccelerator Fixes

ID Number Severity Description
522231-3 3-Major TMM may crash when a client resets a connection
521455-2 3-Major Images transcoded to WebP format delivered to Edge browser


Wan Optimization Manager Fixes

ID Number Severity Description
480910 3-Major A TCP profile with 'Rate Pace" or "Tail Loss Probe" enabled fails to successfully establish a connection.
497389-1 3-Major Extraneous dedup_admin core
442884-1 3-Major TMM assert "spdy pcb initialized" in spdy_process()
485182-2 3-Major wom_verify_config does not recognize iSession profile in /Common sub-partition


Service Provider Fixes

ID Number Severity Description
516057-3 2-Critical Assertion 'valid proxy' can occur after a configuration change with active IVS flows.
503652-4 2-Critical Some SIP UDP connections are lost immediately after enabling a blade on the Active HA unit.
521556-1 2-Critical Assertion "valid pcb" in TCP4 with ICAP adaptation
480311-1 3-Major ADAPT should be able to work with OneConnect
478920 4-Minor SIP::discard is not invoked for all request messages
489957-5 4-Minor RADIUS::avp command fails when AVP contains multiple attribute (VSA).


Advanced Firewall Manager Fixes

ID Number Severity Description
506286-1 2-Critical TMSH reset of DOS stats
524748-1 2-Critical PCCD optimization for IP address range
534886-1 3-Major AFM Security checks were not being done for DNS over TCP
531761-1 3-Major Web navigation flow may be reset when main page responds with non-HTML content
509600-1 3-Major Global rule association to converted policy is lost on one device in HA configuration.
509934-1 3-Major Blob activation fails due to counter revision
525522 3-Major Redirect loop when Proactive Bot Defense is enabled and deployment has multiple domains
510224-2 3-Major All descriptions for address-list members are flushed after the address-list was updated
532022-1 3-Major tmm can crash when the reply pkt to a service flow request is a DoS pkt
481706-2 3-Major AFM DoS Sweep Vector could log attack detected msgs from a non-attacking src IP
530865-2 3-Major AFM Logging regression for Global/Route Domain Rules incorrectly using virtual server logging profile (if it exists)
526774 3-Major Search in FW policy disconnects GUI users
523465-2 3-Major Log an error message when firewall rule serialization fails due to maximum blob limit being hit.
515112-1 3-Major Delayed ehash initialization causes crash when memory is fragmented.
526277-1 3-Major AFM attack may never end on AVR dos overview page in a chassis based BIGIP
509919-2 3-Major Customer may experience incorrect counter update for SelfIP traffic on cluster
521763-1 3-Major Attack stopped and start messages should not have source/dst ip addresses in log messages
491165-1 4-Minor Legal IP addresses sometimes logged in Attack Started/Stopped message.
533808-1 4-Minor Unable to create new rule for virtual server if order is set to "before"/"after"
528499 4-Minor AFM address lists are not sorted while trying to create a new rule.
510226-2 4-Minor All descriptions for ports-list's members are flushed after the port-list was updated
533336-2 4-Minor Display 'description' for port list members
495432-2 5-Cosmetic Add new log messages for AFM rule blob load/activation in datapath.


Policy Enforcement Manager Fixes

ID Number Severity Description
524780-1 1-Blocking TMM crash when quering the session information
525175-1 1-Blocking Fix a crash issue when querying SSP with multi-ip.
533929 1-Blocking PEM::subscriber info irule command can cause tmm core
522933-1 1-Blocking diam_app_process_async_lookup may cause TMM crash
491771-2 2-Critical Using catch to supress 'invalid command' errors resulting from invalid use of [] around a parking command in a proc can cause TMM to panic
527016-1 2-Critical CLASSIFICATION_DETECTED irule event results in tmm core
534018-1 2-Critical Memory leak while running some of PEM::session and PEM::subscriber commands.
519506-1 2-Critical Flows dropped with initiate data from sever on virtual servers with HTTP
533203 2-Critical TMM may core on resuming iRule if the underlying flow has been deleted.
534490 2-Critical Fixed TMM crash when IRULE configuration is modified.
528715-1 2-Critical rare tmm crash when ipother irule parks
524374-1 2-Critical TMM may crash if PEM report format script with iRule are executed on top of existing parked iRule
533734-1 2-Critical DHCPv6 packets arriving via tunnel are not forwarded to backend server on VIPRION
523296-1 2-Critical TMM may core when using iRule custom actions in PEM policies
528787-1 3-Major PEM: RAR after session being deleted from Radius/TMSH when connection down will return RAA with success code.
541592-1 3-Major PEM : Diameter virtual reconfiguration might stop CCR-I/U/T going out for subscriber sessions
521655-2 3-Major Session hangs when trying to switch state to provisioned
499778-1 3-Major A static subscriber's session is not deleted if master-IP is deleted from the subscriber's list of IPs
522141-1 3-Major Tmm cores while changing properties of PEM policies and rules.
529414-1 3-Major PEM: After Diameter Fatal-Grace time expiry, Some subscriber sessions might be deleted very soon
504627-1 3-Major Valid sessions won't be deleted any more due to session inactivity.
524198-1 3-Major PEM: Invalid HSL log generated when when session with static subscriber deleted.
522579-1 3-Major TMM memory leak when RAR messages received from PCRF to delete for a non-existing sessions in PEM
527725-1 3-Major BigIP crash caused by PSC::ip_address iRule is fixed
526368-1 3-Major The number of IPv4 addresses per Gx session exceeds the limit of 1
525860-2 3-Major PEM: Duplicate sessions formed with same IP
527289-1 3-Major TMM crashes with core when PSC::ip_address iRule is used to list IPs
521683-1 3-Major PEM: Session is not replaced by third and subsequent RADIUS start messages containing specific multiple IPs
524409-1 3-Major Fix TMSH show and reset-stats commands for multi-ip sessions defect.
471926-1 3-Major Static subscriber sessions lost after bigstart restart
528247-1 3-Major PEM: New Requested units empty for when used units matches granted service units
522934 3-Major Provide and option to encode subscription ID in CCR-U/CCR-T messages over Gx/Gy
527292-1 3-Major BigIP crash caused by PSC::user_name iRule is fixed
525633-1 3-Major Configurable behavior if PCRF returns unknown session ID in middle of session.
534323-1 3-Major Session will be replaced rather than re-created when we update a new IP addr along with the existing IP addr.
528238-1 3-Major Quota Policy Added multiple times will lead to reset of Subscriber flows
526786-1 3-Major Session lookup fails
537034 3-Major PEM: CPU spike seen when irule is used to update non existent sessions
527076-1 3-Major TMM crashes with core when PSC::policy iRule is used to set more than 32 policies
533513-1 3-Major Data plane Listener summary does not show LSN translation correctly
525416-1 3-Major List of IPs in "tmsh show pem sessiondb subscriber-id " may be reversed.
522140-1 3-Major Multiple IP is not added through iRule after setting the state of a session to provision by iRule
526295-3 3-Major BigIP crashes in debug mode when using PEM irule to create session with calling-station-id and called-station-id
539677-1 4-Minor The file /etc/wr_urldbd/bcsdk.cfg needs to be included in the .ucs file


Carrier-Grade NAT Fixes

ID Number Severity Description
533562-1 2-Critical Memory leak in CGNAT can result in crash
490893-4 2-Critical Determinstic NAT State information incomplete for HSL log format
515646-1 2-Critical TMM core when multiple PPTP calls from the same client
509108-1 2-Critical CGNAT PBA may log port-block allocation and port-block release log messages for a port-block which is already allocated to a different subscriber
494743-1 2-Critical Deterministic NAT translation cannot reverse-map after blade failure on p8
494122-2 2-Critical Deterministic NAT state information from HSL is not useable on p8
480119-2 3-Major Vague error - Error ERR_BOUNDS connflow ... processing pullup of control message.
500424-2 3-Major dnatutil exits when reverse mapping one of the snippet results in "No tmms on the blade" error
505097-1 3-Major lsn-pool backup-member not propagated to route table after tmrouted restart
504021-1 3-Major lsn-pool member routes not properly propagated to routing table when lsn-pool routing-advertisement is enabled
486762-1 3-Major lsn-pool connection limits may be invalid when mirroring is enabled
455020-1 3-Major RTSP profile idle timeout is not applied if it is longer than the TCP profile timeout


Manufacturing Fixes

ID Number Severity Description


Fraud Protection Services Fixes

ID Number Severity Description
520090-1 2-Critical FPS plugin
526124 2-Critical Parameter matching inconsistency
531994-1 2-Critical Case-sensitivity on upgrade
532002 3-Major False-Positive Phishing alert in Safari on iPad
527476 3-Major Some FPS alerts logged without User GUID
529573 3-Major CSS attribute name
503461-1 3-Major Intermittent Javascript failure on Safari on Mac
530867-1 3-Major New Dyre Signature added to Generic Malware Detection
524032-1 3-Major Control sending alerts during the source integrity learning process
513860-1 3-Major Incomplete support for special characters in input field names
525283-1 3-Major Add obfuscator tuning tools
527075 3-Major Update domain availability default settings
529587 4-Minor Errornous JS injections
527085 4-Minor User-agent in alerts


Global Traffic Manager (DNS) Fixes

ID Number Severity Description
514236-1 3-Major [GUI][GTM] GUI does not prefix partition to device-name for BIG-IP DNS Server IP addresses


Centralized Management Fixes

ID Number Severity Description
525595 1-Blocking Fix memory leak of inbound sockets in restjavad
509273 2-Critical hostagentd consumes memory over time
521272 3-Major Fixed memory leak in restjavad's Authentication Token worker
533307 3-Major Increasing memory usage due to continual creation of authentication tokens


iApplications Fixes

ID Number Severity Description
495525-1 4-Minor iApps fail when using FQDN nodes in pools


Cumulative fix details for BIG-IP v11.6.0 Hotfix 6 that are included in this release

552937-1 : HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the next pipelined request to fail.

Component: Local Traffic Manager

Symptoms:
An iRule that calls HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the TMM to core on the next pipelined request.

Conditions:
HTTP::respond or HTTP::redirect used in a non-HTTP iRule event. A pipelined request follows the request that triggers the iRule response.

Impact:
TMM core.

Workaround:
Add the close header to the HTTP::response, and the connection will be automatically closed.

Fix:
The TMM will no longer core due to not being able to handle the next pipelined request after a HTTP::respond or HTTP::redirect is used in a non-HTTP iRule event.


551612 : BIGIP SSL does not support sending multiple certificate verification requests to cavium at the same time in 11.6.0.

Component: Local Traffic Manager

Symptoms:
In 11.6.0, when SSL sends multiple certificate verification requests to cavium at the same time, the handshake is disconnected with "bad certificate".

Conditions:
SSL sends multiple certificate verification request.

Impact:
SSL does not support this case and the SSL handshake is disconnected with "bad certificate".

Workaround:

Fix:
Fix certificate signature verification problem. In 11.6.0, SSL can only send one certificate signature verification to crypto at one time, so checking hs->crypto value. If it is FALSE, no pending request, then SSL sends the request. Otherwise, wait for the pending request finish.


544980-3 : Small /var when deploying from OVF for BETTER and BEST

Component: TMOS

Symptoms:
The size of /var volume is 500MB instead of 3GB for BETTER and BEST offerings.

Conditions:
BIGIP VE BETTER and BEST vm_bundle images.

Impact:
Not enough space in /var.

Workaround:
/var can be resized to 3GB. From tmsh, run: modify /sys disk directory /var new-size 3145728 then reboot.

Fix:
Fixed the build process to generate BETTER and BEST images with /var of 3GB.


544888-5 : Idle timeout changes to five seconds when using PVA full acceleration.

Component: TMOS

Symptoms:
When FastL4 performs hardware acceleration during the TCP handshake, the FastL4 handshake timeout is not updated to match the profile timeout value after the connection is established.

Conditions:
Accelerated, established TCP flows with no traffic for more than five seconds.

Impact:
TCP flows in the established state are dropped if they have more than five seconds of inactivity.

Workaround:
Disable embedded Packet Velocity Acceleration (ePVA) acceleration.

Fix:
Once the TCP connection reaches established state, the idle timeout is now set to the value found in the associated profile. By default the profile timeout value is 300 seconds.


541592-1 : PEM : Diameter virtual reconfiguration might stop CCR-I/U/T going out for subscriber sessions

Component: Policy Enforcement Manager

Symptoms:
Radius Start, Stop does not trigger any diameter traffic except DWR/DWA.

Conditions:
Diameter virtual reconfiguration and possibly any virtual configuration change might trigger this behavior.

Impact:
Subscriber sessions created by radius are not provisioned by the PCRF. Sessions that are deleted are also not reported to PCRF or Usage reports are also not reported.

Workaround:
Restarting TMM is the only work around for now.

Fix:
Issue has been fixed now. Even if diameter configuration is changed there should be no impact on CCR-I/U/T being stopped.


540849-5 : An incorrect boundary check can trigger a REQUIRE assertion failure in openpgpkey_61.c

Component: TMOS

Symptoms:
An incorrect boundary check in openpgpkey_61.c can cause named to terminate due to a REQUIRE assertion failure

Conditions:
BIND Versions affected: 9.9.7 -> 9.9.7-P2, 9.10.2 -> 9.10.2-P3

Impact:
A server which encounters this error will terminate due to a REQUIRE assertion failure, resulting in denial of service to clients

Workaround:
N/A

Fix:
Upgrade BIND to latest: 9.9.7-P3


540846-5 : Parsing malformed keys may cause BIND to exit due to a failed assertion in buffer.c

Component: TMOS

Symptoms:
Parsing a malformed DNSSEC key can cause a validating resolver to exit due to a failed assertion in buffer.c

Conditions:
BIND Versions affected: 9.9.0->9.9.7-P2, 9.10.0->9.10.2-P3

Impact:
It is possible for a remote attacker to deliberately trigger this condition, for example by using a query which requires a response from a zone containing a deliberately malformed key

Workaround:
N/A

Fix:
Upgrade BIND to latest: 9.9.7-P3


540778-3 : Multiple SIGSEGV with core and failover with no logged indicator

Component: Access Policy Manager

Symptoms:
A multimodule HA pair under high load experiences 3 failover events.

Conditions:
Configure HA pair for GBB multimodule testing (AFM, ASM, APM, GTM, LTM) and apply high concurrent load.

Impact:
Instability in HA. The current HA config under test has not had a unit remain active for more than ~12 hours.

Workaround:
None.

Fix:
Fix to free memory with same length as used for alloc using umem_alloc.


539677-1 : The file /etc/wr_urldbd/bcsdk.cfg needs to be included in the .ucs file

Component: Policy Enforcement Manager

Symptoms:
/etc/wr_urldbd/bcsdk.cfg is not included in the .ucs file when saving the configuration.

Conditions:
using tmsh to save sys ucs <file_name>. The /etc/wr_urldbd/bcsdk.cfg is not saved in the file

Impact:
URLcat webroot configuration is not included in the ucs

Workaround:
no workaround

Fix:
After the fix, now tmsh save ucs command will save the /etc/wr_urldbd/bcsdk.cfg in the .ucs file


539344-1 : SPDY child flow aborted while stalled leaves freed SPDY stream in SPDY stalled list

Component: Local Traffic Manager

Symptoms:
If a SPDY child flow is aborted while stalled, the SPDY stream cleanup does not remove the stream from the SPDY PCB's stalled list, thus leaving the freed stream in the list.

Conditions:
SPDY child flow is aborted while stalled

Impact:
Aborted flow is not removed from the SPDY PCB's stalled list

Workaround:
N/A

Fix:
Do not keep a reference to a freed stream


539013-6 : DNS resolution does not work on a Windows 10 desktop with multiple NICs after VPN connection has been established in some cases

Component: Access Policy Manager

Symptoms:
DNS resolution stops working on a Windows 10 desktop when the VPN connection is established.

Conditions:
This occurs when the client system meets all of the following conditions: - Running BIG-IP software version Hotfix-BIGIP-11.5.3.1.0.167-HF1. - Running Windows 10. - Has multiple NICs and one of them is in the disconnected state, with a statically assigned IPv4 configuration.

Impact:
User cannot access resources by DNS name.

Workaround:
Disable disconnected NICs that have a statically assigned IPv4 configuration.

Fix:
After VPN connection has been established, DNS resolution works, in the case of a Windows 10 desktop with multiple NICs and one of them is in a disconnected state and has a statically assigned IPv4 configuration.


538255 : SSL handshakes on 4200/2200 can cause TMM cores.

Component: Local Traffic Manager

Symptoms:
When processing SSL handshakes in the crypto acceleration hardware, a 4200/2200 can experience a TMM core.

Conditions:
This can occur when processing SSL handshakes in the crypto acceleration hardware.

Impact:
TMM cores.

Workaround:
This issue has no workaround at this time.

Fix:
The crypto acceleration hardware driver for the 2200/4200 has been fixed to avoid memory corruption.


537614-1 : Machine certificate checker fails to use Machine cert check service if Windows has certain display languages

Component: Access Policy Manager

Symptoms:
Machine certificate checker agent fails to use machine certificate checker service for Windows if it has certain display language, for example Polish. In failed case logs contain: 2015-08-04,18:37:59:042, 924,756,, 1, , 330, CCertCheckCtrl::CheckPrivateKey, EXCEPTION caught: CCertCheckCtrl::CheckPrivateKey - EXCEPTION 2015-08-04,18:38:00:618, 924,756,, 1, \RPCConnector.cpp, 85, UCredMgrService::RpcConnect, EXCEPTION - Failed to set binding handle's authentication, authorization and security QOS info (RPC_STATUS: 1332) 2015-08-04,18:38:00:618, 924,756,, 1, \RPCConnector.cpp, 88, RPCConnector::Connect, EXCEPTION caught: UCredMgrService::RpcConnect - EXCEPTION 2015-08-04,18:38:00:618, 924,756,, 1, \MCClient.h, 86, MCClient::Verify, Failed to perform PRC-call:error=1702

Conditions:
Windows with non-english display language Machine certificate checker is supposed to use Machine Certificate Checker service

Impact:
Machine certificate checker cannot be passed using Machine cert service.

Workaround:
Switch display language to English.

Fix:
Machine certificate checker service works now with a display language other than English.


537034 : PEM: CPU spike seen when irule is used to update non existent sessions

Component: Policy Enforcement Manager

Symptoms:
CPU spikes seen and remains high which will lead to TMM core eventually.

Conditions:
Irule is used to update session with policies for a session which are non existent.

Impact:
CPU Spike, TMM going down will cause service down time.

Workaround:
Make sure Irule are not used to update session for which session not existent.

Fix:
Issue is fixed now. No more CPU spike seen even if irule exists to update non existent sessions.


537000-2 : Installation of Edge Client can cause Windows 10 crash in some cases

Component: Access Policy Manager

Symptoms:
connecting to an APM box which has support for Windows 10 can cause the OS to crash. After reboot the next attempt will be successful

Conditions:
- Windows 10 - APM box supporting Windows 10 - user installed F5 VPN driver from an APM box, not supporting Windows 10

Impact:
User can lose some data

Workaround:
Before connecting old VPN driver instances must be manually removed using Device Manager

Fix:
Installation of Edge Client on Windows 10 does not cause system crash anymore


536984 : Ensure min_path_mtu is functioning as designed.

Component: Local Traffic Manager

Symptoms:
A route metrics mtu value lower than min_path mtu could be set

Conditions:
A mtu lower than min_path_mtu.

Impact:
The expected db variable min_path_mtu was not be correctly followed with unexpected results in certain conditions.

Workaround:

Fix:
Resolved error to ensure min_path_mtu is enforced as lowest mtu value as designed.


535806-2 : Not enough free disk space for live install of BIG-IP 12.0.0 from 11.5.3 VE

Component: TMOS

Symptoms:
Not enough free disk space for live install of 12.0.0.

Conditions:
Initial install of BIG-IP VE GOOD 11.5.3. Upgrade to 12.0.0

Impact:
Unable to install 12.0.0 on 2nd slot.

Workaround:
Grow the virtual disk before installing 12.0.0.

Fix:
Increase the size of virtual disk of 11.5.3


534886-1 : AFM Security checks were not being done for DNS over TCP

Component: Advanced Firewall Manager

Symptoms:
We had disabled DNS Query Filtering and DNS DoS checks for DNS over TCP.

Conditions:
DNS over TCP and either DNS DoS configured or DNS Query filtering configured.

Impact:
Query Filtering and DNS DoS feature was not present for DNS over TCP.

Workaround:
Use DNS over UDP.

Fix:
We have now enabled DNS Query filtering and DNS DoS checks regardless of the L4 protocol.


534755-1 : Deleting APM virtual server produces ERR_NOT_FOUND error

Component: Access Policy Manager

Symptoms:
When a APM virtual server is deleted on the active, the following error message will be seen in the APM log on the standby. "Failed to delete profile stats namespaces"

Conditions:
This issue happens when a APM virtual is deleted on the active and the change is subsequently synced to the standby

Impact:
There is no functional impact.

Workaround:

Fix:
Access Filter now ignores the ERR_NOT_FOUND error when deleting the profile stats namespace.


534630-5 : Upgrade BIND to address CVE 2015-5477

Component: TMOS

Symptoms:
See SOL https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16909.html for complete information. BIND will issue a REQUIRE assert and exit under certain conditions. It will automatically be restarted by bigstart.

Conditions:
A deliberately constructed packet can exploit an error in the handling of queries for TKEY records, permitting denial of service.

Impact:
DNS resolutions that are answered by the on box BIND server may be interrupted.

Workaround:
Please see F5 Solution SOL16909.

Fix:
BIND was upgraded, which addresses this vulnerability. F5 is less vulnerable than the industry rating due to system design.


534490 : Fixed TMM crash when IRULE configuration is modified.

Component: Policy Enforcement Manager

Symptoms:
IRULE configuration modification may result in TMM crash.

Conditions:
When IRULE configuration is modified.

Impact:
TMM may crash

Workaround:
N/A

Fix:
Fixed TMM crash when IRULE configuration is modified.


534323-1 : Session will be replaced rather than re-created when we update a new IP addr along with the existing IP addr.

Component: Policy Enforcement Manager

Symptoms:
Session will be deleted and re-created when we update a new IP addr along with the original IP addr in the session.

Conditions:
It happens when we try to update a new IP addr with the existing IP addr for an existing session.

Impact:
Session replaced when updating a new IP along with the existing IP address.

Workaround:

Fix:
Session will be replaced rather than re-created when we update a new IP addr along with the existing IP addr.


534251-1 : Live update with moving config breaks password-less ssh access

Component: TMOS

Symptoms:
Authorized_keys file changed with link to /var/ssh/admin/authorized_keys but file in /var/ssh/... not created.

Conditions:
Use clean tmos-bugs-staging based VM. Do Live install. Do change boot location via GUI with 'Install Configuration' = 'Yes'

Impact:
breaks password-less ssh access

Workaround:
If save and load sys ucs before live install then file will be created in /var/.. and successfully moved to new volume.


534018-1 : Memory leak while running some of PEM::session and PEM::subscriber commands.

Component: Policy Enforcement Manager

Symptoms:
When running an irule that has PEM::session info commands, it was observed that the memory consumption by the PEM module kept going up till and the system eventually ran out of memory.

Conditions:
Create an irule that has PEM::session info commands that run asynchronously and attach it to one of the virtuals in use.

Impact:
System runs out of memory.

Workaround:

Fix:
The memory leak while executing the commands - <PEM::session info /PEM::subscriber info/PEM::session config policy/PEM::subscriber config policy> has been fixed. The leak only occurs when these commands run asynchronously.


533929 : PEM::subscriber info irule command can cause tmm core

Component: Policy Enforcement Manager

Symptoms:
Running an irule script that contains the PEM::subscriber info command can result in a tmm core. If the command runs synchronously, the core will not be observed.

Conditions:
The core occurs only if the PEM::subscriber info command runs asynchronously.

Impact:
Tmm always cores when this irule command is executed.

Workaround:

Fix:
PEM::subscriber info commands no longer cause tmm to core.


533808-1 : Unable to create new rule for virtual server if order is set to "before"/"after"

Component: Advanced Firewall Manager

Symptoms:
Not able to create a new rule for virtual server when the order is set to "before"/"after".

Conditions:
Happens only when the order is set to "before"/"after"

Impact:
Unable to create a new rule from the virtual server page

Workaround:


533734-1 : DHCPv6 packets arriving via tunnel are not forwarded to backend server on VIPRION

Component: Policy Enforcement Manager

Symptoms:
Packet traces show DHCPv6 packets arriving via IP6 IP4 tunnel, are forwarded to the VIP but the packet is not forwarded to the backend server on VIPRION.

Conditions:
DHCPv6 packets arriving via IPv6 Ipv4 tunnel interface on a multi-blade VIPRION system.

Impact:
The DHCP packet is not forwarded to the backend server

Workaround:
Use single blade system

Fix:
The fix is to process DHCP packet at local blade if it comes from tunnel interface instead of dropping them.


533723-4 : [Portal Access] Client side HTML rewriter should not rewrite content within "textarea" tag.

Component: Access Policy Manager

Symptoms:
The client-side HTML rewriter rewrites content within the "textarea" tag.

Conditions:
Web-application dynamically creates HTML content on the client side that contains the textarea tag.

Impact:
Web-application misfunction is possible.

Workaround:
There is no workaround at this time

Fix:
Content rewriting is suppressed on the client side for the textarea tag.


533566-1 : Support for View HTML5 client v3.5 shipped with VCS 6.2

Component: Access Policy Manager

Symptoms:
The upcoming release of VMware Horizon View Connection Server 6.2 introduces a few changes to the View HTML5 client. This fix catches up with those changes to provide seamless support at APM side.

Conditions:
BIG-IP APM configured as PCoIP proxy and set up against VMware VCS 6.2 with HTML5 client installed.

Impact:
Launching View HTML5 client from APM webtop may not work properly.

Workaround:

Fix:
Support for View HTML5 client v3.5 shipped with VCS 6.2


533562-1 : Memory leak in CGNAT can result in crash

Component: Carrier-Grade NAT

Symptoms:
tmm leaks "cmp" memory, resulting in crash. "tmctl memory_usage_stat" will show very high "cmp" memory utilization.

Conditions:
Configure "hairpin mode" or "inbound connection handling" set to "automatic".

Impact:
BIG-IP will run out of memory and crash

Workaround:
Avoid "hairpin mode" or "inbound connection handling" set to "automatic".

Fix:
Memory leak has been fixed.


533513-1 : Data plane Listener summary does not show LSN translation correctly

Component: Policy Enforcement Manager

Symptoms:
When configuring a new data plane virtual server group, and CGNAT is licensed, you have the ability to select an address translation value of LSN, and then select an LSN pool. This is accepted and configured correctly, but when viewing the data plane group after this point, the address translation type shows as "{{renderSnatValue(listenerVs}}", and should show as "LSN"

Conditions:
Create a CGNAT LSN pool. Create a new PEM data plane listener, set the address translation to LSN, select the pool, save, then view the resulting group summary .

Impact:
Data plane Listener summary does not show LSN translation correctly

Workaround:
none

Fix:
Correct the UI so that it handles the LSN address translation type correctly.


533458-4 : Generate core file on HSB lockup

Component: TMOS

Symptoms:
When an HSB lockup occurs, limited data is available for root cause analysis.

Conditions:
An HSB lockup.

Impact:
Generate core file on an HSB lockup.

Workaround:
none


533388-1 : tmm crash with assert "resume on different script"

Component: Local Traffic Manager

Symptoms:
In a rare race condition involving stalled server-side TCP connections on which a RST is received and a asynchronously executing client-side iRule for event CLIENT_CLOSED the tmm can crash with assert "resume on different script".

Conditions:
The conditions under which this assert/crash is triggered are hard to reproduce.

Impact:
tmm crashes and restarts. Traffic while stop flowing while tmm is restarting.

Workaround:
Avoid asynchronously executing CLIENT_CLOSED iRules (e.g. those that use 'after' or 'table' or 'session' commands - this is not an exhaustive list).

Fix:
tmm no longer crashes with assert "resume on different script"


533336-2 : Display 'description' for port list members

Component: Advanced Firewall Manager

Symptoms:
Descriptions for port list's members are not displayed in GUI

Conditions:
Create a port list with 'description' set for its members (using tmsh). When the portlist list page is accessed from GUI, the description set for the members (on tmsh) is not displayed.

Impact:
Users will not be able to see the description

Workaround:
Use tmsh to view the description for portlist members on tmsh

Fix:
Descriptions for port list members are now displayed in the GUI.


533307 : Increasing memory usage due to continual creation of authentication tokens

Component: Centralized Management

Symptoms:
The AuthTokenWorker creates new indexed state objects. Some are unable to be deleted because they are shared between instances. Generations of tokens build up, however the generational scavenger only runs when disk space is tight. Restjavad can run out of memory before the scavenger ever gets to run.

Conditions:
Tokens shared between instances

Impact:
Generations of tokens build up

Workaround:
N/A

Fix:
Add another trigger to the generational scavenger such that it also triggers when memory is tight as well as when disk space is tight.


533257-2 : tmsh config file merge may fail when AFM security log profile is present in merged file

Component: TMOS

Symptoms:
During a config file merge into an existing config may fail with "unknown-property" message.

Conditions:
The customers who have default configuration parameters may be affected.

Impact:
All releases and modules are affected.

Workaround:
The offending parameter may be deleted from the merge file, however this may result in the value for the deleted parameter not set correctly in the existing config.

Fix:
Fixed a problem with tmsh config file merge failing when AFM security log profile is present in merged file.


533203 : TMM may core on resuming iRule if the underlying flow has been deleted.

Component: Policy Enforcement Manager

Symptoms:
TMM may core

Conditions:
A flow is deleted (RST from the other end is one way) while an iRule operating on that flow is parked. On resumption, the iRule accesses freed memory.

Impact:
Datapath resets

Workaround:
Do not use iRules that may cause parking.

Fix:
Don't forward any messages if the connflow is aborted while the irule is parked. Also set the pem pcb to NULL after being freed


532761 : APM fails to handle compressed ICA file in integration mode

Component: Access Policy Manager

Symptoms:
Citrix application or desktop cannot be started in integration mode with Citrix StoreFront 3.0

Conditions:
APM is configured for StoreFront 3.0 proxy and HTTP compression is enabled on the StoreFront server.

Impact:
Citrix application or desktop cannot be started.

Workaround:

Fix:
Now APM supports Citrix StoreFront 3.0 in integration mode with HTTP compression enabled on the StoreFront server.


532522-3 : CVE-2015-1793

Component: Access Policy Manager

Symptoms:
Resolved vulnerabilities in OpenSSL. CVE-2015-1793

Conditions:
CVE-2015-1793

Impact:
CVE-2015-1793

Workaround:

Fix:
OpenSSL library in APM clients updated to resolve vulnerabilities in OpenSSL. CVE-2015-1793


532340-1 : When FormBased SSO or SAML SSO are configured, tmm may restart at startup

Component: Access Policy Manager

Symptoms:
Under unlikely circumstances, tmm threads may run into synchronization issue at startup initialization, causing BIG-IP Failover

Conditions:
- SAML SSO or Form Based SSO are configured. - TMM is in process of starting (during reboot or for any other reason).

Impact:
Impact is BIG-IP will failover at start time. If tmm has successfully started - no further impact will be observed.

Workaround:
Remove Form Based SSO, and SAML objects from configuration.

Fix:
A thread synchronization issue that caused tmm startup issues has been fixed.


532096-2 : Machine Certificate Checker is not backward compatible with 11.4.1 (and below) when MatchFQDN rule is used

Component: Access Policy Manager

Symptoms:
Machine Certificate Checker (client side) is not backward compatible with BIG-IP 11.4.1 and earlier when MatchFQDN rule is used

Conditions:
Machine Certificate checker agent uses MatchFQDN rule in Access Policy of BIG-IP version 11.4.1 and earlier. New BIG-IP Edge Client (version greater than 11.4.1) is used against old BIG-IP.

Impact:
Machine Certificate checker agent may fail. Policy goes wrong way.

Workaround:

Fix:
Fixed issue causing Machine Certificate checker agent backward incompatibility.


532030-3 : ASM REST: Custom Signature Set Created via REST is Different Than When Created From GUI

Component: Application Security Manager

Symptoms:
When importing a policy that utilizes a custom signature set, ASM checks whether that signature set is already exists on the system. If it does not exist, then it creates a new set. When a set is created via REST it does not correctly set an internal field that does get set via creation by the GUI or XML import. This causes unexpected behavior and extra signatures being created when a REST client, such as BIG-IQ, attempts to co-ordinate changes across devices utilizing import via XML and REST calls.

Conditions:
A Custom filter-based signature set is created by the GUI and then attached to a security policy. The security is exported in XML format. On a different device an identical signature set is created via REST. The security policy is then imported on that device.

Impact:
Extraneous signature sets are created, and false differences appear with regards to which signature sets are attached to which policies across multiple devices.

Workaround:
As a workaround, custom filter-based signature sets should be created only via REST or only via GUI across multiple devices.

Fix:
Custom filter-based signature sets created using REST or the Configuration utility now have the same internal settings and match for XML security policy export/import.


532022-1 : tmm can crash when the reply pkt to a service flow request is a DoS pkt

Component: Advanced Firewall Manager

Symptoms:
tmm can crash

Conditions:
If a service flow (or any flow which does not have a listener) sends a request out and we get back a packet which needs to be counted towards a network DoS vector, it can cause the tmm to crash.

Impact:
tmm might crash

Workaround:
Don't configure AFM DoS vectors.

Fix:
A crash bug in DoS protection has been fixed.


532002 : False-Positive Phishing alert in Safari on iPad

Component: Fraud Protection Services

Symptoms:
Very intermittent issue of false positive phishing alerts seen in alerts dashboard, all coming from ipads.

Conditions:
ipad accesses page with Websafe phishing protection.

Impact:
False positive phishing alert.

Workaround:
None

Fix:
Obfuscator updated to work around a bug in Apple's Safari javascript engine.


531994-1 : Case-sensitivity on upgrade

Component: Fraud Protection Services

Symptoms:
Case-sensitive setting of the default profile is saved in bigip.conf

Conditions:
Save button was pressed in GUI before upgrade.

Impact:
Upgrade failure.

Workaround:
Remove case-sensitive from bigip.conf manually.

Fix:
We fixed in GUI a Save issue that caused upgrade failure of the default profile.


531910-1 : apmd, apd, localmgr random crash

Component: Access Policy Manager

Symptoms:
APMD, APD, and localmgr crash upon invalid mcpd request with certain DB variables.

Conditions:
This problem rarely happens: mcpd sends null db variables conncrtl.

Impact:
APMD, APD, and localmgr will crash.

Workaround:
There is no workaround.

Fix:
The problem was fixed by variable protection in related modules.


531883-2 : Windows 10 App Store VPN Client must be detected by BIG-IP APM

Component: Access Policy Manager

Symptoms:
Windows 10 App Store VPN Client is not detected by BIG-IP APM out of the box via client type agent

Conditions:
Windows 10 App Store VPN Client, BIG-IP APM , client type agent

Impact:
Windows 10 App Store VPN Client is not detected by BIG-IP APM out of the box

Workaround:

Fix:
Windows 10 App Store VPN Client is now detected by BIG-IP APM out of the box via client type agent


531761-1 : Web navigation flow may be reset when main page responds with non-HTML content

Component: Advanced Firewall Manager

Symptoms:
In some web applications, the navigation flow may break (connection reset) if a main URL (login page, for example) is responding with a content that is not an HTML one, or if the response is dynamic, and occasionally not an HTML one.

Conditions:
Proactive Bot Defense is enabled on a DOS profile that is attached to a Virtual Server, and one of the main URLs of the web application (login page, home page, etc.) occasionally responds with a non-HTML content, blank content, or redirect response with no body.

Impact:
Users may experience a connection reset while navigating through the website, usually after several minutes.

Workaround:

Fix:
Connection resets are no longer experienced on normal web navigation of a site that is protected by the Proactive Bot Defense mechanism, and and one of the main pages of the web application occasionally responds with a non-HTML content.


531576-1 : tmm memory leak in traffic handling

Component: Local Traffic Manager

Symptoms:
In certain scenarios TMM may suffer from a memory leak while handling certain types of TCP traffic.

Conditions:
Undisclosed conditions for packet processing.

Impact:
TMM will leak memory.

Workaround:

Fix:
TMM no longer leaks memory while processing certain types of TCP traffic.


531541-1 : Support Citrix Receiver 4.3 for Windows in PNAgent mode

Component: Access Policy Manager

Symptoms:
Citrix Receiver for Windows 4.3 fails to authenticate in PNAgent mode in both integration and replacement configurations.

Conditions:
APM is configured for Citrix integration or replacement and Citrix Receiver for Windows 4.3 is used in PNAgent mode.

Impact:
Citrix Receiver for Windows 4.3 fails to authenticate.

Workaround:
Use Citrix Receiver for Windows 4.1 or 4.2. Launch applications from Web.

Fix:
Now APM supports Citrix Receiver 4.3 for Windows in PNAgent mode.


531539-1 : A brute force attack is not detected in NTLM under some conditions

Component: Application Security Manager

Symptoms:
A NTLM configured login page. The username arrives in UTF-16 (as curl sends it) or in another encoding that can't be converted. The login fails.

Conditions:
The NTLM login is not recognized as failed login.

Impact:
The brute force mitigation will not work in this case.

Workaround:

Fix:
We fixed an issue regarding login pages with the NTLM authentication type.


531529-1 : Support for StoreFront proxy

Component: Access Policy Manager

Symptoms:
Citrix Receivers fail to auth when APM is configured in the integration mode against Citrix StoreFront 3.0 in ICA patching mode

Conditions:
APM configured in the integration mode

Impact:
Storefront responds with "error-bad-request" error on ExplicitForms request from APM

Workaround:
N/A

Fix:
Support Citrix StoreFront 3.0 in ICA patching proxy mode


531526-2 : Missing entry in SQL table leads to misleading ASM reports

Component: Application Visibility and Reporting

Symptoms:
Some reports of ASM violations were generated with missing activity.

Conditions:
When there are many entities to report and some are getting aggregated, then the aggregated activity was not reported.

Impact:
Misleading reports of ASM activity.

Workaround:
The workaround is to manually insert the missing entry to mysql. The exact values that need to be inserted vary from one customer to another and require mysql dump to be created and the PD team to inspect it, in order to decide which values should be inserted. It is better that customers upgrade to a fixed version rather than trying to work around it.

Fix:
Aggregated activity is now reported even when there are many entities to report and some are aggregated.


531483-2 : Copy profile might end up with error

Component: Access Policy Manager

Symptoms:
Copy profile might end up with error about two items are sharing the same agent

Conditions:
Very rare - long policy names, similar name parts

Impact:
Minor - customer would need to choose different name for new policy

Workaround:

Fix:
Issue resolved


530963-4 : BIG-IP TLS doesn't correctly verify Finished.verify_data on non-Cavium platforms

Component: Local Traffic Manager

Symptoms:
The BIG-IP does not verify every byte in the Finished message of an TLS handshake but does properly validate the MAC of the Finished message.

Conditions:
* The BIG-IP platform contains a Cavium SSL accelerator card but the affected TLS connection is not accelerated by the Cavium SSL accelerator card. The following list some examples when a TLS connection is not accelerated by the Cavium card: * The ciphers used by the TLS connection are not fully accelerated in the Cavium card. For more information about ciphers that are fully hardware accelerated, refer to SOL13213: SSL ciphers that are fully hardware accelerated on BIG-IP platforms (11.x) * The BIG-IP platform does not contain a Cavium SSL accelerator card. The following list the BIG-IP platforms that do not contain a Cavium SSL accelerator card: * BIG-IP 2000 platforms * BIG-IP 4000 platforms * BIG-IP Virtual Edition

Impact:
F5 believes the reported behavior does not have security implications at this time.

Workaround:


530867-1 : New Dyre Signature added to Generic Malware Detection

Component: Fraud Protection Services

Symptoms:
Some variants of Dyre were not detected.

Conditions:
Some variants of Dyre were not detected.

Impact:
Some variants of Dyre were not detected.

Workaround:
Receive updated bait signatures from F5 Websafe representative.

Fix:
New Dyre Signature added.


530865-2 : AFM Logging regression for Global/Route Domain Rules incorrectly using virtual server logging profile (if it exists)

Component: Advanced Firewall Manager

Symptoms:
Due to a related change in AFM ACL handling, global and route domain rule's were being logged (incorrectly) by the virtual server's AFM log profile (if it exists). This is incorrect since the behavior has always been that Global and Route Domain AFM rule logging is controlled by global-network log profile only.

Conditions:
Global or Route Domain AFM ACL rule matches and logging is enabled. Also, the matched virtual server has a logging profile attached to it.

Impact:
This causes a regression (and inadvertent change in behavior) for Global and Route Domain AFM rule logging.

Workaround:
None

Fix:
With the fix, global and route domain AFM rule logging is controlled by global-network log profile (as has been the case since inception).


530829 : UDP traffic sent to the host may leak memory under certain conditions.

Component: Local Traffic Manager

Symptoms:
Possible memory leak with UDP traffic.

Conditions:
When UDP traffic is sent to the host.

Impact:
If memory leak becomes large enough over time, there could be a reboot.

Workaround:
Block UDP traffic to the host.

Fix:
Memory no longer leaks when UDP traffic is sent to the host.


530800-1 : Messages can't be sent from OWA2010 via Portal Access if form-based SSOv2 is in use.

Component: Access Policy Manager

Symptoms:
OWA displays error message when trying to send new email. POST request size is more than 300Kb and POST data contains large "SCRIPT id=F5_helperDataStringsId" tag. Due to this issue request data becomes large enough to be affected by Bug502269 in SSOv2. Therefore if SSOv2 is enabled in this Access Policy, request content will be corrupted and OWA server will respond with '400 Bad Request' code instead of sending email.

Conditions:

Impact:
Users can't send messages in some versions of OWA.

Workaround:

Fix:
Fixed an issue where extra data was added to some OWA2010 requests making it impossible to send messages in configuration with Form-based SSOv2


530773 : per-request policy logs frequently in apm logs

Component: TMOS

Symptoms:
Many logs from per-request policy execution framework are seen in APM logs

Conditions:
SWG is licensed and provisioned and response analytics agent is part of per-request policy.

Impact:
Many logs in APM and excessive logging might impact the performance too.

Workaround:
Remove /Common/All-Images from Response analytics agent in per-request policy.

Fix:
Correctly fixed the issue for excluded contents in response analytics agent, so these logs are not written frequently to APM logs.


530697-2 : Windows Phone 10 platform detection

Component: Access Policy Manager

Symptoms:
Windows Phone 10 platform is not currently detected

Conditions:
Windows Phone 10 platform , BIG-IP APM system

Impact:
Windows Phone 10 platform is not detected correctly by BIG-IP

Workaround:

Fix:
Windows Phone 10 platform is detected correctly now.


530431 : FQDN nodes: ephemeral nodes not being created for resolved FQDN hosts

Component: Local Traffic Manager

Symptoms:
After upgrading to HF5 the ephemeral fqdn node lists are no longer auto-populating.

Conditions:
Use the fqdn nodes feature. Have correctly configured dns name-servers

Impact:
The fqdn nodes feature is unusable and possible upgrades must be rolled back.

Workaround:
This issue has no workaround at this time.

Fix:
FQDN node lists now correctly auto-populate.


530356-2 : Some AVR tables that hold ASM statistics are not being backed up in upgrade process.

Component: Application Visibility and Reporting

Symptoms:
Some AVR tables that hold ASM statistics are not being backed up in the upgrade process when upgrading to a new version with ASM data present in AVR stat tables.

Conditions:
Upgrading to new version.

Impact:
Some ASM data is lost after upgrade.

Workaround:

Fix:
We now correctly back up AVR tables that hold ASM statistics that were previously not backed up when upgrading to a new version.


529640 : Improvements in building Cloud images

Component: TMOS

Symptoms:
Improvements in building Cloud images.

Conditions:
Building Cloud images.

Impact:
Internal

Workaround:
N/A

Fix:
Improvements in building Cloud images.


529587 : Errornous JS injections

Component: Fraud Protection Services

Symptoms:
JS was injected into pages with any "Content-Type" and it broke functionality of some pages.

Conditions:
Page "Content-Type" is not "text/html".

Impact:
Page functionality may be broken.

Workaround:

Fix:
The FPS plugin now injects JavaScript only in responses where the value of the header "Content-Type" starts from "text/html".


529573 : CSS attribute name

Component: Fraud Protection Services

Symptoms:
CSS attribute name was configured in the profile, but not passed to JavaScript where the hard-coded default value was used.

Conditions:
Default value of CSS attribute name is changed in the profile.

Impact:
False positive CSS alerts.

Workaround:
Do not change default value of CSS attribute name.


529510-2 : Multiple Session ha state changes may cause TMM to core

Component: TMOS

Symptoms:
The cause of the crash is due to multiple session ha state changes in session_ha_peer_status in a very short period of time. On the active unit when the peer comes back up the session ha state changes to SESSION_HA_RESEND_NEEDED. This state change requires a call to session_ha_marker_reset to prevent the session sweeper from queueing the session ha marker when it is already in the session ha marker queue. Queueing the marker when it’s already queued results in corruption of the queue which is caught by the QUEUEDEBUG_TAILQ_INSERT_TAIL macro.

Conditions:
Multiple session HA state changes

Impact:
TMM cores

Workaround:
N/A

Fix:
Remove session ha maker when peer comes back up.


529509-5 : CVE 2015-4620 BIND vulnerability

Component: TMOS

Symptoms:
A flaw was found in the way BIND performed DNSSEC validation.

Conditions:
Red Hat Product Security has rated this update as having Important security impact. Due to F5 architecture and design this has restricted impact and can only impacts GTM and only in a non-default configuration.

Impact:
An attacker able to make BIND (functioning as a DNS resolver with DNSSEC validation enabled) resolve a name in an attacker-controlled domain could cause named to exit unexpectedly with an assertion failure. (CVE-2015-4620)

Workaround:

Fix:
Upgrade to the latest version.


529414-1 : PEM: After Diameter Fatal-Grace time expiry, Some subscriber sessions might be deleted very soon

Component: Policy Enforcement Manager

Symptoms:
Some subscriber sessions getting deleted as soon they are created even if there is no trigger to delete these sessions

Conditions:
Fatal-grace time too low and PCRF connection going down for a long period of time and then coming up later.

Impact:
Subscribers traffic is not policed as the corresponding sessions are deleted as soon as they are created.

Workaround:
Make sure Fatal-grace timer is disabled.

Fix:
Issue is fixed now. Fatal Grace time expiry will not cause sessions to be deleted as soon as they are created.


529392-2 : Win10 and IE11 is not determined in case of DIRECT rule of proxy autoconfig script

Component: Access Policy Manager

Symptoms:
Windows 10 and Internet Explorer 11 is not determined in case of DIRECT rule is used to connect to BIG-IP in proxy autoconfig script configured locally.

Conditions:
Local proxy autoconfig scrip, DIRECT rule for BIG-IP virtual server, Internet Explorer 11.

Impact:
Internet Explorer 11 is not detected properly.

Workaround:

Fix:
Internet Explorer 11 on Microsoft Windows 10 is detected correctly now if local proxy autoconfig script is configured with DIRECT rule for BIG-IP.


528881 : NAT names with spaces in them do not upgrade properly

Component: TMOS

Symptoms:
When upgrading to an affected version, if a NAT has a name with spaces in it, the upgraded configuration does not load.

Conditions:
The BIG-IP system must be configured with NATs that have spaces in their names.

Impact:
The configuration does not load on the upgraded system.

Workaround:
Remove spaces in NAT names before upgrading. Specifically: the initial letter must be a letter, underscore ( _ ), or forward slash ( / ), and subsequent characters may be letters, numbers, periods ( . ), hyphens ( - ), underscores ( _ ), or forward slashes ( / ).


528787-1 : PEM: RAR after session being deleted from Radius/TMSH when connection down will return RAA with success code.

Component: Policy Enforcement Manager

Symptoms:
PEM responds with RAA with DIAMETER_SUCCESS code even though session has been deleted.

Conditions:
If a session delete is initiated through tmsh or RADIUS when connection is down, the session delete does not seem to be complete. When the connection comes up and RAR is sent immediately with an empty policy,

Impact:
PCRF might be misled as it thinks session exists.

Workaround:
Make sure PCRF sends RAR with at least 1 policy and the PEM will responds with RAA with unable to comply

Fix:
Issue has been fixed now. PEM will send RAA with UNABLE_TO_COMPLY code if session is marked for deleted.


528768-1 : Relaxing validation against "_" character for ActiveDirectory server FQDN for NTLM authentication

Component: Access Policy Manager

Symptoms:
The BIG-IP system applies standard fully qualified domain name (FQDN) validation for Active Directory server FQDN. Unfortunately, Microsoft allows non-standard FQDN as well. (https://technet.microsoft.com/en-us/library/cc959336.aspx) At Non RFC strictness level, Active Directory allows additional "_" characters to be used everywhere in the DNS name. AD server that has "_" in its DNS name cannot be used for domain join operation for creating machine account or for authentication AD server for NTLM authentication. Both Multibyte and Any Character strictness level predictably can cause problem to our internal code; we do not support them.

Conditions:
AD server DNS name contains "_".

Impact:
Cannot be used for domain join for machine account creation or for target authentication server for NTLM authentication.

Workaround:
To work around the problem, you can rename the Active Directory server.

Fix:
Now an Active Directory server DNS name that contains an underscore (_) can be used for a machine account and NTLM authentication.


528727-1 : In some cases HTML body.onload event handler is not executed via portal access.

Component: Access Policy Manager

Symptoms:
Internet Explorer 7 (and any newer version in compatibility mode) ignores inline body.onload event handler if it is already assigned in previously executed script. This may prevent execution of user-defined body.onload event handler in some cases if the page is accessed using Portal Access.

Conditions:
The problem occurs under these conditions: Internet Explorer version 7 or newer in compatibility mode, and HTML page with inline body.onload event handler _and_ <script> or <meta> tags before <body> tag.

Impact:
Web application may work incorrectly.

Workaround:
It is possible to change the HTML page in an iRule converting inline body.onload event handler into an explicit JavaScript function assigned to the body.onload event using the attachEvent() call.

Fix:
Now HTML inline body.onload event handler is executed correctly in all cases if the page is accessed through Portal Access.


528726-3 : AD/LDAP cache size reduced

Component: Access Policy Manager

Symptoms:
When AD or LDAP Query module built a group cache, that cache contained an unnecessary attribute that was never used.

Conditions:
AD/LDAP Query module is configured with option that requires building of a local group cache.

Impact:
apd process size grows significantly after group cache is built. If several different caches are maintained at the same time, the process size can hit the 4 GB limit.

Workaround:

Fix:
Removed an unnecessary attribute from cache. As a result, the group cache size and APD process size have been reduced.


528715-1 : rare tmm crash when ipother irule parks

Component: Policy Enforcement Manager

Symptoms:
TMM System may crash under rare condition for traffic that goes through IPOther virtual with an iRule script that parks the data flow. This occurs rarely, and it will only happen if a data flow that goes through IPOther VIP is aborted when an iRule is parked on the same flow. When the iRUle resumes, the IPOther VIP forward the original packet and tmm may crash when PEM uses the freed data of the flow that is already freed.

Conditions:
With PEM licensed/enalbed, associate an iRule script with iRule command that will park (e.g., the table command) against the IPOther virtual. At last, the data traffic that goes through PEM IPOther virtual get aborted.

Impact:
The customer may be impacted by the service interruption due to tmm restart.

Workaround:
A possible workaround is not to use iRule command that will park in the iRule script that is attached to IPOther virtual. For example, there are information that could be retrieved by PEM::session command instead of using table command. If iRule command that will cause parking must be used, then this fix along with the fix of bug 484278.

Fix:
The crash has been fixed and the should no longer be observed.


528675-2 : BIG-IP EDGE Client can indefinitely stay "disconnecting..." state when captive portal session expired

Component: Access Policy Manager

Symptoms:
Edge Client can stuck in "disconnecting..." state if connected through with captive portal session and captive portal session expired. This happens when BIG-IP EDGE client keep HTTP connection to captive portal probe URL alive.

Conditions:
BIG-IP EDGE Client for Windows connecting to BIG-IP APM on network with active captive portal. Captive portal session expired before user terminate active Network Access connection.

Impact:
When user run into this condition BIG-IP EDGE client for Windows cannot connect to BIG-IP APM server without restart.

Workaround:
User can exit and restart BIG-IP EDGE client.

Fix:
Captive portal detection request modified to properly close HTTP connection.


528499 : AFM address lists are not sorted while trying to create a new rule.

Component: Advanced Firewall Manager

Symptoms:
AFM address lists are not sorted while trying to create a new rule.

Conditions:
Seen only in the rule creation page.

Impact:
AFM address lists are not sorted in the rule creation page.

Workaround:
none

Fix:
AFM address lists are now sorted in the rule creation page.


528432-2 : Control plane CPU usage reported too high

Component: Local Traffic Manager

Symptoms:
The system CPU usage is reported as the higher of the data plane averaqe and the control plane average. In certain cases, the control plane average was being calculated at about double.

Conditions:
When the data plane CPU usage was lower than the control plane CPU usage. This can occur when there is little client traffic flowing through the BIG-IP but the control plane is busy, say installing software.

Impact:
Typically, since client traffic drives data plane CPU usage, control plane CPU usage is less than data plane CPU usage at normal client loads.

Workaround:
This can safely be ignored at low data plane usage and will not be evident when data plane usage increases.

Fix:
The calculation of the control plane CPU usage no longer includes other CPUs.


528310 : Upgrade failure when CertKeyChain exists in non-Common partition

Component: TMOS

Symptoms:
Pre-11.6.0 configuration may fail to load on a BIG-IP system running version 11.6.0 (or greater).

Conditions:
Configuration contains a SSL profile with an explicit Certificate Key Chain in a non-Common partition.

Impact:
This issue leads to a configuration load failure.

Workaround:
This issue has no workaround at this time.

Fix:
Certificate Key Chain will inherit its partition from the parent SSL profile on creation.


528247-1 : PEM: New Requested units empty for when used units matches granted service units

Component: Policy Enforcement Manager

Symptoms:
Requested Service Units field in CCR-U message in Gy will be empty for certain rating group requests in MSCC AVP

Conditions:
If used Service units matches exactly with granted service units. (Extremely rare!)

Impact:
RSU being empty might trigger OCS allocating incorrect granted service unit for the rating group

Workaround:
Work around is to ignore Requested service Unit AVP if zero by the OCS or just use used service units AVP since RSU is empty.

Fix:
This issue is fixed now. RSU will be not be empty even if used service units matches Granted service units AVP.


528238-1 : Quota Policy Added multiple times will lead to reset of Subscriber flows

Component: Policy Enforcement Manager

Symptoms:
Subscriber flows getting reset when session is provisioned to do Gy quota management.

Conditions:
If a same policy with quota management action is added multiple times to the session through RAR (or CCA-u) then after 32 installs, any flow for the session is reset.

Impact:
Flows getting reset means subscribers having issue with using service.

Workaround:
PCRF should make sure that for the session same policy is not being added to multiple times.

Fix:
Issue has been fixed now. Even is same Policy is added multiple Times for the subscriber, flows are not reset.


527861 : When Many entities are displayed on the "Illegal Meta Character in Value" manual traffic learning screen, the Configuration utility becomes unresponsive.

Component: Application Security Manager

Symptoms:
When around 500 entities are displayed on the "Illegal Meta Character in Value" manual traffic learning screen, the Configuration utility becomes unresponsive.

Conditions:
When around 500 entities are displayed on the "Illegal Meta Character in Value" manual traffic learning screen.

Impact:
The Configuration utility becomes unresponsive.

Workaround:
None.

Fix:
We limited the number of entities displayed on the "Illegal Meta Character in Value" manual traffic learning screen to a realistic limit in order to prevent the Configuration utility from becoming unresponsive.


527799-9 : OpenSSL library in APM clients updated to resolve multiple vulnerabilities

Component: Access Policy Manager

Symptoms:
Multiple vulnerabilities in OpenSSL library: CVE-2015-4000, CVE-2015-1792, CVE-2015-1791, CVE-2015-1790, CVE-2015-1789, CVE-2015-1788, CVE-2014-8176.

Conditions:
Widows, Linux or Mac OS OX networkaccess connection to BIG-IP APM

Impact:
CVE-2015-4000, CVE-2015-1792, CVE-2015-1791, CVE-2015-1790, CVE-2015-1789, CVE-2015-1788, CVE-2014-8176.

Workaround:
n/a

Fix:
OpenSSL library in APM clients updated to resolve multiple vulnerabilities in OpenSSL. CVE-2015-4000,CVE-2015-1792,CVE-2015-1791,CVE-2015-1790,CVE-2015-1789,CVE-2015-1788,CVE-2014-8176


527725-1 : BigIP crash caused by PSC::ip_address iRule is fixed

Component: Policy Enforcement Manager

Symptoms:
When using PSC::ip_address iRule to get the ip list for DHCP-based subscriber discovery and RADIUS Authentication message, BigIP crashed and restarted.

Conditions:
Using PSC::ip_address iRule to get ip address list in DHCP-based subscriber discovery and RADIUS Authentication messages

Impact:
Causing bigip tmm to restart

Workaround:


527630-1 : CVE-2015-1788 : OpenSSL Vulnerability

Component: TMOS

Symptoms:
https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16938.html

Conditions:
See F5 Solution for complete information. https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16938.html

Impact:
A potential denial-of-service (DoS) by way of a session that uses an Elliptic Curve algorithm against a server that supports client authentication.

Workaround:


527537 : CGNAT experiences increased CPU utilization with a high concurrent connection load and persistence enabled

Component: TMOS

Symptoms:
Elevated CPU with CGNAT when carrying the same load between 11.5 and 11.6

Conditions:
CGNAT lsn-pools high number of concurrent connections persistence = address-port and/or inbound enabled

Impact:
Elevated CPU = reduced capacity

Workaround:

Fix:
Change the sessionDB sweeper to reduce the amount of work it does managing large bins.


527477-4 : Slot 2 is inactive after reboot

Component: Local Traffic Manager

Symptoms:
After reboot slot 2 is not listed as active in the management panel

Conditions:
Reboot chasis

Impact:
Slot 2 is not active

Workaround:
N/A

Fix:
Moved Startup dependencies in order to resolve.


527476 : Some FPS alerts logged without User GUID

Component: Fraud Protection Services

Symptoms:
FPS alerts were sometimes sent without session identifiers, resulting in them becoming anonymous, as no user name could be associated with them.

Conditions:
When malicious words alert is sent before the user logs in, the alert details are not updated with the username after login.

Impact:
Malicious words alerts in alert dashboard may be shown without the username.

Workaround:
None

Fix:
GUID is now sent on all javascript and Plugin alerts.


527292-1 : BigIP crash caused by PSC::user_name iRule is fixed

Component: Policy Enforcement Manager

Symptoms:
When using PSC::user_name iRule to get user name for DHCP-based subscriber discovery and RADIUS Authentication messages, BigIP crashed and restarted. And the log is also showing garbage information.

Conditions:
Using PSC::user_name iRule to get user name in DHCP-based subscriber discovery and RADIUS Authentication messages

Impact:
Causing bigip tmm to restart

Workaround:

Fix:
After the fix, no more crash when using PSC::user_name iRule


527289-1 : TMM crashes with core when PSC::ip_address iRule is used to list IPs

Component: Policy Enforcement Manager

Symptoms:
TMM crashes with core when trying to readPSC::ip_address list

Conditions:
iRule is used to list IPs after setting it with the same iRule

Impact:
TMM crashe

Workaround:
N/A

Fix:
Fix crash caused by PSC::ip_address PSC::user_name iRules


527145-4 : On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.

Component: TMOS

Symptoms:
Occasionally SOD core dumps on shutdown during memory cleanup.

Conditions:
System shutdown. Cannot reproduce the issue reliably, so conditions for the crash are unknown.

Impact:
Minimal additional impact on services because a shutdown was already in process.

Workaround:
None.

Fix:
Daemon no longer cores on shutdown due to internal processing error.


527094-1 : iControl REST: the records collection in tm/ltm/data-group/internal/ may show wrong partition and subPath metadata.

Component: TMOS

Symptoms:
GET on tm/ltm/data-group/internal/dg-name might show the following record entries - ... "records": [ ... { "name": "triple", "partition": "single", "subPath": "double", "data": "three" }, ... ] } In actuality, the identifiers of the record are not pathed, and hence the 'partition' and 'subPath' properties do not make any sense.

Conditions:
Performing a GET operation on a device group, for example: GET tm/ltm/data-group/internal/dg-name.

Impact:
Misinformation in the API output. This is a cosmetic issue only. Ignore the 'partition' and 'subPath' properties.

Workaround:
None.

Fix:
iControl REST: the records collection in tm/ltm/data-group/internal/ now shows the correct partition and subPath metadata.


527085 : User-agent in alerts

Component: Fraud Protection Services

Symptoms:
Alerts have no user agent information.

Conditions:

Impact:
Easier debugging

Workaround:

Fix:
User-agent header is now sent in alerts generated by FPS plugin.


527076-1 : TMM crashes with core when PSC::policy iRule is used to set more than 32 policies

Component: Policy Enforcement Manager

Symptoms:
iRules used to set 32 or more polices

Conditions:
iRule containing 32 or more polices

Impact:
TMM crashes with core

Workaround:
N/A

Fix:
Check added to validate number of policies contained in iRule.


527075 : Update domain availability default settings

Component: Fraud Protection Services

Symptoms:
The Domain Availability feature default settings were not the latest from the research team. Sometimes resulted in an ERR_INSECURE_RESPONSE error in the browser's debugging console.

Conditions:
Some varieties of Citadel were not detected.

Impact:
Some varieties of Citadel were not detected.

Workaround:
Receive updated settings from F5 Websafe representative.

Fix:
New defaults were imported.


527021-1 : BIG-IQ iApp statistics corrected for empty pool use cases

Component: TMOS

Symptoms:
BIG-IQ statistics gathering fails for HTTP iApps. The stats are collected periodically by an iCall script. A bug in the script causes a failure when the pool member count = 0.

Conditions:
The virtual has an empty pool (a common use case in SDN).

Impact:
Causes out-of-memory errors in scriptd.

Workaround:

Fix:
BIG-IP iApps now correctly provide statistics to BIG-IQ in empty-pool use cases.


527016-1 : CLASSIFICATION_DETECTED irule event results in tmm core

Component: Policy Enforcement Manager

Symptoms:
If an irule script which uses the CLASSIFICATION_DETECTED is used, then it may result in a tmm core.

Conditions:
Configure an ltm irule with CLASSIFICATION_DETECTED event, and the body of the script contains atleast one irule command that runs asynchronously.

Impact:
If the irule is configured as mentioned above, a tmm core will be observed always.

Workaround:

Fix:
Using the CLASSIFICATION_DETECTED irule event does not cause tmm to core.


526856-1 : "Use of uninitialized value" warning appears on UCS installation due to ASM signature inconsistency

Component: Application Security Manager

Symptoms:
"Use of uninitialized value" appears as a warning rarely upon UCS installation due to ASM signature inconsistency.

Conditions:
UCS file is installed with internal ASM signature inconsistency.

Impact:
"Use of uninitialized value" warning appears in output.

Workaround:

Fix:
"Use of uninitialized value" warning no longer appears upon UCS install.


526786-1 : Session lookup fails

Component: Policy Enforcement Manager

Symptoms:
1. Existing session S1 is created with IP1 and IP2 2. Session get replaced by S2 with IP1 and IP2 address. Delete being called for S1. 3. IP1 will be master so IP2 will be forwarded to remote TMM to set mapping. 4. Remote TMM will lookup for existing mapping for IP2, find session S2. Tries to lookup for Session S2. 5. Before lookup is complete, S2 gets deleted 6.Now callback for S2 lookup will be a failure

Conditions:
Remote TMM will lookup for existing mapping for IP2, find session S2. Tries to lookup for Session S2.

Impact:
Callback fails

Workaround:
N/A

Fix:
Fix IP mapping set when session being replaced gets deleted


526774 : Search in FW policy disconnects GUI users

Component: Advanced Firewall Manager

Symptoms:
GUI disconnects due to a timeout when doing search on the active rules page with a large number of context objects.

Conditions:
wildcard search in active rules page with lots of objects causes GUI to hang

Impact:
Makes the BOX unusable

Workaround:
The query to search for matches was optimized to omit context objects that did not have any rules.

Fix:
The query to search for matches was optimized to omit context objects that did not have any rules.


526754-2 : F5unistaller.exe crashes during uninstall

Component: Access Policy Manager

Symptoms:
f5unistaller.exe crashes, dmp points to a double free in SGetRegistryAsString function

Conditions:
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\*\DisplayName contains 0 length data

Impact:
f5unistaller crashes

Workaround:
Using the crash dump created. PD can determine the value of * from there if data is placed into the DisplayName key - it will no longer trigger this defect


526677-1 : VMware Horizon HTML5 View access client can not connection when using View Connection Server running version 6.1.1

Component: Access Policy Manager

Symptoms:
When an APM & Horizon v6.1.1 deployment is configured to use an APM Full Webtop, the HTML5 client will not correctly launch. A new tab will open and the user will see a HTTP 405 error on that page.

Conditions:
View Connection Server backend is running version 6.1.1.

Impact:
HTML5 Client access will stop working.

Workaround:

Fix:
Starting with the 6.1.1 release of View Connection Server, the communication protocol used by the View HTML5 client has changed. This change breaks BIG-IP APM's HTML5 View client implementation. As such, APM users cannot use this client to access their View Desktop. This fix implements the new View communication protocol to support launch the View HTML5 client from an APM Full Webtop.


526617-1 : TMM crash when logging a matched ACL entry with IP protocol set to 255

Component: Access Policy Manager

Symptoms:
When TMM finds a matching ACL entry while enforcing the ACL, and that ACL entry is configured to produce a log entry as well, and the IP protocol for that packet is 255, then TMM crashes.

Conditions:
1. Log is enabled for that ACL entry. 2. IP protocol is set to 255

Impact:
TMM crash

Workaround:
Disable ACL logging

Fix:
TMM no longer crashes when logging a matching ACL entry for IP datagram with protocol set to 255.


526578-1 : Network Access client proxy settings are not applied on German Windows

Component: Access Policy Manager

Symptoms:
Network Access client proxy settings are not applied on German Windows with Internet Explorer 10 under obscure conditions. If APM address is not in the Trusted Sites List, then this issue has good reproducibility. Windows shows empty fields in proxy settings UI of Internet Explorer.

Conditions:
Client machine has Windows with German localization. Client machine has Internet Explorer 10. APM is not in trusted sites list or other obscure conditions.

Impact:
Network Access works in unexpected way: client ignores proxy settings.

Workaround:
Run IE under administrator Update to IE11

Fix:
Now proxy settings are correctly applied on client machine with German localization and Internet Explorer 10. However, Windows still shows empty fields in proxy settings GUI of Internet Explorer.


526514-1 : Open redirect via SSO_ORIG_URI parameter in multi-domain SSO

Component: Access Policy Manager

Symptoms:
The URL which is used to redirect the user from primary auth service to the slave host in multi-domain SSO is base64 encoded

Conditions:
GET request which contains SSO_ORIG_URI and TOKEN can be intercepted

Impact:
Token can be intercepted which could result in a hijacked URL getting created that BIG-IP would accept and redirect to.

Workaround:
N/A

Fix:
Validate the host in SSO_ORIG_URI in multidomain SSO usecase to prevent random unnecessary redirects and attacks


526492-2 : DNS resolution fails for Static and Optimized Tunnels on Windows 10

Component: Access Policy Manager

Symptoms:
When Static and Optimized Tunnels are used on Windows 10 desktop, accessing a backend server by hostname will fail.

Conditions:
1. Windows 10 desktop 2. Static or Optimized Tunnels are used

Impact:
No access to backend servers using hostnames.

Workaround:
none

Fix:
DNS resolution is successful for static and optimized tunnels on Microsoft Windows 10.


526419-1 : Deleting an iApp service may fail

Component: TMOS

Symptoms:
Deleting an iApp service may fail with an error message like this: 01070712:3: Can't load node: 839 type: 4

Conditions:
Unknown.

Impact:
You can't delete an iApp.

Workaround:
Save the configuration. Edit the relevant configuration file to remove the iApp service. Reload the configuration.

Fix:
Deleting an iApp service formerly could fail with an error message like this: 01070712:3: Can't load node: 839 type: 4 This is no longer possible.


526368-1 : The number of IPv4 addresses per Gx session exceeds the limit of 1

Component: Policy Enforcement Manager

Symptoms:
TMM may crash when it detects the number of IPv4 addresses per Gx session exceeds the limit of 1.

Conditions:
Number of IPv4 addresses per Gx session exceeds the limit of 1

Impact:
TMM crash

Workaround:
N/A

Fix:
Reprovision session only if PPE session ID set


526295-3 : BigIP crashes in debug mode when using PEM irule to create session with calling-station-id and called-station-id

Component: Policy Enforcement Manager

Symptoms:
When using PEM irule to create session with calling-station-id and called-station-id, BigIP will crash in debug mode

Conditions:
1. PEM is provisioned. 2. Bigip is running in debug mode 3. PEM iRule is used to create session with calling-station-id and called-station-id

Impact:
Causing the bigip to crash

Workaround:
Creating PEM session with irules that do not have calling-station-id and called-station-id. And add the two attributes using separately using PEM info iRule

Fix:
With the fix, the problematic irule is now working as expected and does not cause any crash.


526277-1 : AFM attack may never end on AVR dos overview page in a chassis based BIGIP

Component: Advanced Firewall Manager

Symptoms:
In a BIGIP chassis, it is possible that the AFM "attack started" event and "attack stopped" event happen on two different slots of the chassis. In that case avrd is not able to detect and report "attack stopped" event and the user would continue to see "attack ongoing" in the DoS Overview Page.

Conditions:
This will only happen in a BIGIP chassis based system with multiple slots, and if the AFM DoS "attack started" and "attack stopped" events are given to different slots.

Impact:
User will get confused when he see that the AFM DoS Overview Page still shows the attack as ongoing when it has actually stopped.

Workaround:
No workaround

Fix:
With this change the bug has been fixed and now the AFM DoS Overview Page will always know when a attack has stopped.


526275-1 : VMware View RSA/RADIUS two factor authentication fails

Component: Access Policy Manager

Symptoms:
VMware View client fails to authenticate with APM configured for RSA/RADIUS two factor authentication.

Conditions:
APM is configured for VMWare View proxy with RSA or RADIUS two factor authentication and VMware View client is used.

Impact:
User sees a confusing error message.

Workaround:
Click "OK" on an error message "The username or password is not correct. Please try again.". Enter valid AD credentials and login again.

Fix:
Now APM correctly handles VMware View RSA/RADIUS two factor authentication.


526124 : Parameter matching inconsistency

Component: Fraud Protection Services

Symptoms:
Sometimes valid parameters from request are not matched to configured protected parameters. May work correctly in one browser while failing to work in another.

Conditions:
Request is bigger than one xfrag and parameter name is divided between two xfrags.

Impact:
Configured parameter won't be matched.

Workaround:
Remove unimportant cookies or add dummy cookies in order to shift parameter name inside the request. May resolve the issue. Differ between browsers.


526084-3 : Windows 10 platform detection for BIG-IP EDGE Client

Component: Access Policy Manager

Symptoms:
The session.client.platform variable contains "Win8.1" for BIG-IP Edge Client on Windows 10.

Conditions:
n/a

Impact:
n/a

Workaround:
n/a

Fix:
BIG-IP APM was enhanced to report session.client.platform session variable for BIG-IP Edge Client on Windows 10.


525860-2 : PEM: Duplicate sessions formed with same IP

Component: Policy Enforcement Manager

Symptoms:
For a single IP address we see 2 sessions in the system when we do pem_sessiondump --list.

Conditions:
Create a static subscriber configuration without the IP address and send radius start to create session with 2 IP address. Delete the master IP (first one) and send radius start with same IP.

Impact:
Duplicate sessions creates confusion as to which session is the active one used for an IP.

Workaround:
Make sure radius stop is received for both the IP addresses before sending a new one.

Fix:
Issues has been fixed now. No more duplicate sessions for the same IP address.


525708-1 : AVR reports of last year are missing the last month data

Component: Application Visibility and Reporting

Symptoms:
Reports are missing the latest data collected for them. Each report-type is missing a different portion of the data which is relatively to the report-type. This issue becomes very noticeable when creating a long-term reports. For example, a 'last-year' report might omit the last month data, 'last-month' report might omit the last week data, etc'

Conditions:
Every report that is done on a long history time range.

Impact:
The presented data can be confusing and misleading.

Workaround:

Fix:
A new data aggregation mechanism was inserted, so that all reports will be included with all activity up to the last hour. There is an option to make it available even for last 5 minutes, although that might lead to too much CPU and disk load every 5 minutes. There is also an option to turn off this new aggregation mechanism, in case a customer is not interested in accurate long-history reports, and the aggregation task that takes place once in an hour is too heavy for his machine.


525633-1 : Configurable behavior if PCRF returns unknown session ID in middle of session.

Component: Policy Enforcement Manager

Symptoms:
Currently if PEM sends CCR-U and PCRF responds with CCA-U (PCRF lost session) , PEM ignores and sends CCR-U. PCRF session is lost, that impliess reboot or failover and it responds to session update requests with unknown session id.

Conditions:
PCRF lost session (reboot/failover) and responds to session update requests with unknown session id.

Impact:
Session being present for a long period of time with PCRF not acknowledging.

Workaround:
It is desirable to delete the session on PEM end (configurable) and also recreate the same session (configurable) so that PCRF can get the context back up. Sys db variables tmm.pem.diameter.application.trigger.delete.onPeer.failure should be set to TRUE if PEM should delete the session based when PCRF complains session ID unknown. tmm.pem.session.ppe.recreate.afterPeerFailure Should be set to true if PEM should recreate the session.


525595 : Fix memory leak of inbound sockets in restjavad

Component: Centralized Management

Symptoms:
restjavad will get out of memory due to inactive sockets piling up in memory. The symptom will be "Out of memory" messages in the /var/logrestjavad.0.log , and any new rest calls will fail. The YURL that fails is random

Conditions:
Occurs after a few hours

Impact:
restjavad becomes inoperative

Workaround:
restjavad must be restarted: bigstart restart restjavad that could be put in a cron script.


525562-1 : Debug TMM Crashes During Initialization

Component: Access Policy Manager

Symptoms:
Debug version of TMM (tmm.debug) generates core file and fails to start up.

Conditions:
This issue happens when running debug version of TMM on a multi-blade chassis/vCMP.

Impact:
The BIG-IP system cannot be functional without TMM being up and running

Workaround:
Revert to use default version of TMM (tmm.default)

Fix:
Removed unnecessary debug assert statements from TMM.


525557 : FQDN ephemeral nodes not repopulated after deleted and re-created

Component: Local Traffic Manager

Symptoms:
Under certain circumstances, ephemeral nodes that are force deleted may not repopulate as expected.

Conditions:
Sync group, multiple FQDNs resolving to same IP address.

Impact:
Ephemeral nodes may not repopulate as expected.

Workaround:


525522 : Redirect loop when Proactive Bot Defense is enabled and deployment has multiple domains

Component: Advanced Firewall Manager

Symptoms:
A redirect loop may happen for some users, when the Proactive Bot Defense feature is enabled, and the deployment consists of multiple domains.

Conditions:
Proactive Bot Defense is enabled on a DOS profile that is assigned to a Virtual Server, and the deployment consists of multiple domains.

Impact:
Some users may occasionally be blocked from accessing certain URLs of a website due a redirect loop that could happen. In most cases, a page-refresh attempted by the user will load the page properly.

Workaround:
Applying the following iRule will workaround the problem: when HTTP_REQUEST { if { [HTTP::cookie exists "TSPD_101_R0"] } { if { [HTTP::cookie exists "TSPD_101"] } { HTTP::cookie remove "TSPD_101" } } }

Fix:
Occasional redirect loops caused by the Proactive Bot Defense mechanism no longer occur when multiple domains are deployed.


525429-4 : DTLS renegotiation sequence number compatibility

Component: Access Policy Manager

Symptoms:
OpenSSL library modified to keep it compatible with RFC 6347 complaint DTLS server renegotiation sequence number implementation.

Conditions:
The old OpenSSL library is not compatible with RFC6347, the new OpenSSL library is modified to be compatible with RFC6347. The current APM client is compatible with old OpenSSL code, not the new OpenSSL code.

Impact:
The current APM client is not compatible with new OpenSSL libary.

Workaround:

Fix:
Modify OpenSSL library in APM client to let it compatible with both old and new OpenSSL library.


525416-1 : List of IPs in "tmsh show pem sessiondb subscriber-id " may be reversed.

Component: Policy Enforcement Manager

Symptoms:
IPs show up in an order that is not expected.

Conditions:
Occurs always

Impact:
Nothing functional.

Workaround:
None

Fix:
Added code to display the IP addresses in the order they were added to the session.


525384-2 : Networks Access PAC file now can be located on SMB share

Component: Access Policy Manager

Symptoms:
Network Access web components or Edge Client fail to download PAC file if it is located on SMB share as file:////pac.file.hoster.local/config.pac.

Conditions:
Network Access with Client Proxy Settings Enabled, PAC file path is set to somewhere on SMB share.

Impact:
Impossible to configure Network Access with PAC file located on SMB share.

Workaround:
Put PAC file to HTTP server, configure Network Access accordingly.

Fix:
Now Network Access components can obtain PAC file from SMB share.


525283-1 : Add obfuscator tuning tools

Component: Fraud Protection Services

Symptoms:
Difficult for F5 consultants to debug Websafe module.

Conditions:
When support for Websafe is requested by customers.

Impact:
Difficult for F5 consultants to debug Websafe module.

Workaround:
None

Fix:
Tools have been added to help consultants fine-tune the FPS obfuscator for better performance.


525175-1 : Fix a crash issue when querying SSP with multi-ip.

Component: Policy Enforcement Manager

Symptoms:
TMM crash when querying SSP with multi-ip configured.

Conditions:
TMM crash when querying SSP with multi-ip configured.

Impact:
TMM crash

Workaround:
N/A

Fix:
Fix TMM crash when querying SSP with multi-ip configured.


524909-2 : Windows info agent could not be passed from Windows 10

Component: Access Policy Manager

Symptoms:
APM endpoint check action "Windows Info agent" was not able to detect Windows 10 clients.

Conditions:
n/a

Impact:
n/a

Workaround:
n/a

Fix:
Now BIG-IP APM support Windows Info action on Windows 10 clients.


524791-3 : non_blocking_send/receive do not correctly handle EINTR situation for poll() == 0

Component: TMOS

Symptoms:
Interrupted poll() function in RemoteMcpConn.cpp functions non_blocking_receive and send is not properly handled.

Conditions:
Run a script processing async transactions in parallel with a script running basic REST calls.

Impact:
Either icrd_child will lock up or various calls will fail with 'operation canceled' response messages.

Workaround:
none


524780-1 : TMM crash when quering the session information

Component: Policy Enforcement Manager

Symptoms:
TMM crash when quering the session information using "tmsh show pem sessiondb subscriber-id "

Conditions:
Using tmsh show pem sessiondb subscriber-id to query session information

Impact:
TMM may crash

Workaround:
N/A

Fix:
Restore the display order of the multiple IP based on the order they are added


524756 : APM Log is filled with errors about failing to add/delete session entry

Component: Access Policy Manager

Symptoms:
APM log is filled with the following error when the issue occurs: May 21 16:34:16 bigip4013mgmt err tmm2[20158]: 01490558:3: 00000000: Access stats encountered error: Failed to add/delete session entry (ERR_NOT_FOUND)

Conditions:
If a session times out before it completes policy evaluation, APM will still attempt to delete its marker from the established session namespace and, hence, results in ERR_NOT_FOUND error

Impact:
There is no functional impact. However, APM log may become useless if the volume of the error is big.

Workaround:

Fix:
Access Filter now skips session marker deletion if the timed-out session is not in established state.


524753-1 : IPsec interface is not forwarding TCP flow to the host when the destination is tunnel self-ip

Component: TMOS

Symptoms:
IPsec tunnel interface presents IPsec service via the regular network interface. Inherently, the self-IP address should allow external hosts to connect to the BigIP via TCP/UDP to this IP address. However, the connection is hairpinned back to the IPsec tunnel interface.

Conditions:
Create IPsec tunnel interface and assigned a self-IP with "allow-service all" so that the self-IP may accept external connections. At the other end of the IPsec tunnel, try TCP connection using "telnet", observe the "telnet" command fail.

Impact:
BigIP cannot accomplish certain services provided on the BigIP host, such as BGP over TCP.

Workaround:
A iRule can be created to forward the external connection on the IPsec tunnel self-IP to the host IP 127.0.0.1. Example, ltm virtual http_host { destination 10.99.0.11:80 ip-forward ip-protocol tcp mask 255.255.255.255 profiles { fastl4_stateless { } } rules { local_node } source 0.0.0.0/0 translate-address disabled translate-port disabled } ltm rule local_node { when CLIENT_ACCEPTED { node 127.0.0.1 80 } } 10.99.0.11 is the self-IP of the IPsec tunnel interface.

Fix:
BigIP can properly handle TCP/UDP connections to the BigIP over IPsec interface using its tunnel self-IP.


524748-1 : PCCD optimization for IP address range

Component: Advanced Firewall Manager

Symptoms:
Pccd blob size grow too big with large scale policy configuration. Which cause slow compilation and serialization.

Conditions:
large scale policy configuration.

Impact:
Slow compilation/serialization and large pccd blob.

Workaround:
N/A

Fix:
With PCCD ip address range optimization, PCCD will reduce it's compilation/serialization time and blob size.


524666-3 : DNS licensed rate limits might be unintentionally activated.

Component: Local Traffic Manager

Symptoms:
DNS licensed rate limits might be unintentionally activated.

Conditions:
This might occur with a license in which DNS services is unlimited, but BIG-IP DNS (formerly GTM) is limited.

Impact:
DNS licensed rate limits might be unintentionally activated. Rate counters will activate, even though rates are unlimited, which unnecessarily uses CPU cycles. Also, features that indirectly look at rate flags such as hardware DNS, might deactivate improperly even though rates are unlimited.

Workaround:
None.

Fix:
DNS licensed rate limits are now handled as expected.


524490-4 : Excessive output for tmsh show running-config

Component: TMOS

Symptoms:
The tmsh show running-config displays many default configuration items. Although the output does display the user-configuration items as expected, it is not expected to include default configuration items in the output.

Conditions:
tmsh show sys running-config.

Impact:
The presence of excessive default configuration items makes the tmsh show running-config output parsing difficult.

Workaround:
None.

Fix:
tmsh show sys running-config shows minimal default configuration.


524428-1 : Adding multiple signature sets concurrently via REST

Component: Application Security Manager

Symptoms:
Adding multiple ASM signature sets concurrently in REST actions causes deadlock.

Conditions:
Multiple ASM signature sets are added concurrently using REST.

Impact:
Some signature set REST add actions will fail due to deadlock.

Workaround:
Wait until signature set add action has completed in REST before issuing the next add.

Fix:
Multiple signature sets can be added concurrently using REST.


524409-1 : Fix TMSH show and reset-stats commands for multi-ip sessions defect.

Component: Policy Enforcement Manager

Symptoms:
TMSH show and reset-stats commands doesn't work properly for multi-ip sessions.

Conditions:
Sessions are multi-ip sessions with at least on ipv6 addr.

Impact:
reset-stats does not clear individual IP stats

Workaround:
N/A

Fix:
Fix TMSH pem sessiondb show and reset-stats commands with all-properties option. The pem_session_mult_ip_data_stats struct doesn't include the ipv6 prefix length information.


524374-1 : TMM may crash if PEM report format script with iRule are executed on top of existing parked iRule

Component: Policy Enforcement Manager

Symptoms:
TMM may crash under race condition, that if there is PEM flow reporting with format script that contains iRules accessing info from/to different TMMs gets executed when there is already an iRule executed and access different iRules on top of a connection/flow, and the connection/flow is reset. The fix will not execute the format script if it sees an irule is already parked for that flow. As a result, no log message will be sent in this case. In the versions before the fix, the user may have seen a log with stale info, or might see duplicate logs. After the fix, no log will be sent out in the situation described above.

Conditions:
1. PEM flow reporting is enabled with format script that contains iRules access info from/to different TMMs 2. an iRule script that will access info from/to different TMM (that is, it will be parked on the connection/flow) is being executed and parked on the connection/flow 3. the connect/flow is reset 4. the PEM flow reporting with format script in #1 gets executed.

Impact:
TMM may crash which can introduce service interruption

Workaround:
A patch will be needed for such tmm crash under race condition, when PEM flow reporting with format script are required along with iRules.

Fix:
The issue is fixed by making sure that PEM flow reporting with format script will not be executed if it detects another iRule script is already parked on the flow. However, given this is quite rare race condition, the PEM flow reporting with format script will be triggered again when reporting condition (volume or time based) is met and there is no concurrent iRule scripted parked.


524326-4 : Can delete last ip address on a gtm server but cannot load a config with a gtm server with no ips

Component: TMOS

Symptoms:
Current configuration validation will allow a user to delete the last (only remaining) IP address on a GTM server. However, since a GTM server cannot be created/loaded without at least one IP address, the configuration will fail to load.

Conditions:
User has deleted the last IP address on a GTM server.

Impact:
Configuration load will fail. If the GTMs are in a sync group, this will also break sync because the config change cannot be loaded by any GTM.

Workaround:
User must either delete the server from the config if it has no more valid IPs, or must add at least one IP to the server's IP address list.

Fix:
Extended MCPD validation to ensure any deleted GTM link/GTM server addresses do not leave parent objects without addresses.


524198-1 : PEM: Invalid HSL log generated when when session with static subscriber deleted.

Component: Policy Enforcement Manager

Symptoms:
Invalid HSL logs generated when static subscriber session is deleted

Conditions:
HSL logging configured in the subscriber policy and static subscriber session is deleted.

Impact:
Invalid HSL log lines will create discrepancy.

Workaround:
Manually filter out these lines from HSL logs.

Fix:
Issues has been fixed now. NO more extra lines in HSL logs.


524185 : Unable to run lvreduce

Component: TMOS

Symptoms:
Unable to run lvreduce due to missing program 'blockdev'

Conditions:
Attempting to reallocate disk resources when upgrading a vCMP

Impact:
Unable to shrink the vmdisks app volume

Workaround:
N/A

Fix:
Move blockdev back to util-linux.rpm from util-linux-extras.rpm


524032-1 : Control sending alerts during the source integrity learning process

Component: Fraud Protection Services

Symptoms:
False positive alerts might be sent while source integrity learning process.

Conditions:
Learn mode is configured for a tag, and URL's content is dynamic.

Impact:
Source integrity low severity alerts will be sent on every mismatch, before a mature valued has learned.

Workaround:

Fix:
The sending of low score alerts during the source integrity learning process is now controlled by a DB variable.


524004-1 : Adding multiple signatures concurrently via REST

Component: Application Security Manager

Symptoms:
Adding multiple ASM signatures concurrently in REST actions causes deadlock.

Conditions:
Multiple ASM signatures are added concurrently using REST.

Impact:
Some signature REST add actions will fail due to deadlock.

Workaround:
Wait until signature add action has completed in REST before issuing the next add.

Fix:
Multiple signatures can be added concurrently using REST.


523922-4 : Session entries may timeout prematurely on some TMMs

Component: TMOS

Symptoms:
In certain scenarios, session entries may not be refreshed when the TMM that owns the entry is used to process the connection.

Conditions:
When the TMM owning the session entry is a different one to the TMM handling the connection and the entry is retrieved, for example via irule, "session lookup uie"; the timeout will be extended. When the TMM owning the entry and the one handling the connection is the same, then the entry may not have its timeout changed and lead to premature removal.

Impact:
Different TMMs may behave differently and cause confusion when using the session table.

Workaround:
None

Fix:
Session table entries now consistently get their timeout values touched in all scenarios.


523863-2 : istats help not clear for negative increment

Component: TMOS

Symptoms:
The help for the istats command line tool was not clear on how to specify a negative increment for a gauge iStat.

Conditions:
Try to increment a gauge iStat by a negative amount using the istats command line tool.

Impact:
Bash shell would print a cryptic error and the help did not clarify how to make it work

Workaround:
Research bash shell options for the cryptic error.

Fix:
The help for the istats command line was augmented to clearly state that the double-dash option should be specified before the negative number.


523465-2 : Log an error message when firewall rule serialization fails due to maximum blob limit being hit.

Component: Advanced Firewall Manager

Symptoms:
Prior to fix, if AFM rule serialization fails due to OOM condition in pktclass-daemon, it's not identifiable if the failure is due to Out of Memory condition or the Max Blob limit being reached. Both the errors were logged as OOM in /var/log/ltm

Conditions:
AFM rule serialization fails due to max blob limit

Impact:
Hard to isolate the problem that serialization failed due to max blob limit

Workaround:
None

Fix:
With the fix, AFM rule serialization failure due to max blob limit is logged appropriately in /var/log/ltm making it easier to identify the cause of the failure.


523434 : mcpd on secondary blades will restart with an error message about a sflow_http_virtual_data_source object

Component: TMOS

Symptoms:
mcpd on secondary blades may restart and log an error of the following form: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (sflow_http_virtual_data_source) object ID (44). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_http_virtual_data_source status:13)... failed validation with error 17237812.

Conditions:
The exact conditions under which this occurs are not well understood. The immediately triggering event is a change in the cluster's primary blade.

Impact:
All services on an affected blade restart.

Workaround:
None.

Fix:
mcpd on secondary blades may restart and log an sflow_http_virtual_data_source error after a change in the cluster's primary blade.


523431-2 : Windows Cache and Session Control cannot support a period in the access profile name

Component: Access Policy Manager

Symptoms:
An access profile name containing a period will not work when using Windows Cache and Session Control. For example '/Common/test.profile' will not work. When evaluating the access policy, an end-user will be redirected to an error page.

Conditions:
Applies to any APM with Windows Cache and Session Control.

Impact:
Access Profile names cannot include a dot. Invalid name: '/Common/profile.name' Valid name: '/Common/profile_name'

Workaround:

Fix:
One of the PHP files for cache control has a regex that looks for invalid access profile names. This regex had previously flagged any profile name with a period to be invalid. The regex has been updated to allow periods.


523390-2 : Minor memory leak on IdP when SLO is configured on bound SP connectors.

Component: Access Policy Manager

Symptoms:
Several bytes of memory are leaked when SAML SSO is executed on BIG-IP system, configured as an Identity Provider (IdP), when the Service Provider (SP) connector has single logout (SLO) configured.

Conditions:
BIG-IP is used as Identity Provider, and SLO is configured for bound SP Connector.

Impact:
Several bytes of memory are leaked.

Workaround:
To work around the problem, disable SLO on SP connectors.

Fix:
Fixed memory leaks in SAML Identity Provider (IdP) when when SLO is configured in a Service Provider (SP) connector.


523327-2 : In very rare cases Machine Certificate service may fail to find private key

Component: Access Policy Manager

Symptoms:
Non-elevated client component is able to find certificate but not the key, while machine cert service/F5 Elevation Helper fails to find certificate. f5certhelper.txt (helper) or logterminal.txt (in windows\temp folder for service) contains: 1, , 0, , EXCEPTION - CCertInfo::FindCertificateInStore: CertFindCertificateInStore failed with error code: 80092004

Conditions:
IE/Edge Client is not running under Admin user. Special certificate is used.

Impact:
User fails to pass access policy.

Workaround:
Run IE/BIG-IP Edge Client under administrator.

Fix:
Now both service and elevation helper can find those specific certificates.


523313-1 : aced daemon might crash on exit

Component: Access Policy Manager

Symptoms:
When the aced process is going to exit (daemon shutdown/restart), it might generate a core file intermittently.

Conditions:
aced daemon shuts down

Impact:
NA

Workaround:

Fix:
The aced process no longer intermittently generates a core file.


523305-1 : Authentication fails with StoreFront protocol

Component: Access Policy Manager

Symptoms:
Wyse fails to authenticate through APM

Conditions:
Wyse fails to auth through APM when it configured for SF proxy protocol

Impact:
Authentication fails

Workaround:
N/A

Fix:
Support StoreFront Protocol for Wyse client


523296-1 : TMM may core when using iRule custom actions in PEM policies

Component: Policy Enforcement Manager

Symptoms:
TMM shall core

Conditions:
When using custom iRule actions in a PEM policy, triggering a use of the action or modifying the action will cause the TMM to reset.

Impact:
Datapath resets.

Workaround:
Avoid using custom iRule actions in PEM policies.

Fix:
Freeing of memory for storing the custom action was done to a different pool than whence it was allocated; used the correct free routine.


523261-1 : ASM REST: MCP Persistence is not triggered via REST actions

Component: Application Security Manager

Symptoms:
Some REST calls that affect Security policies should be persistent to bigip config files after their completion (create, delete, association to virtual servers, and changing language encoding), but are not.

Conditions:
REST API is being used to manage Security Policies.

Impact:
If the device is restarted configuration may be lost.

Workaround:
Any other action that will persist configuration (like an ASM config change through the GUI, or any LTM configuration change).

Fix:
Configuration is now correctly persisted when required after ASM REST actions.


523260-1 : Apply Policy finishes with coapi_query failure displayed

Component: Application Security Manager

Symptoms:
GUI actions to apply policy appear to fail with an error message regarding coapi_query.

Conditions:
Unknown.

Impact:
The policy is correctly applied locally, the error message occurs after the commit. This error, however, prevents correct behavior for device group synchronization of the change.

Workaround:
Use REST API to apply the policy: POST https://<MGMT_IP>/mgmt/tm/asm/tasks/apply-policy { "policy": { "fullPath": "/Common/<POLICY_NAME>" } }

Fix:
We fixed an error that intermittently caused the Apply Policy action to fail.


523222-6 : Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending.

Component: Access Policy Manager

Symptoms:
Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending. If an access policy has Redirect ending, the Citrix HTML5 client will fail to start with HTTP 400 error.

Conditions:
Citrix Storefront configured in integration mode through APM.

Impact:
HTML5 client not usable for this sort of integration

Workaround:

Fix:
Fixed Citrix HTML5 handling code so that it works fine with the Redirect endings in access policies.


523201-2 : Expired files are not cleaned up after receiving an ASM Manual Synchronization

Component: Application Security Manager

Symptoms:
If a device only receives full ASM sync files from its peers, it never performs cleanup of files that are no longer needed.

Conditions:
An ASM manual synchronization device group is being used.

Impact:
May eventually lead to disk space exhaustion.

Workaround:
None.

Fix:
Files are now correctly cleaned up after loading a new configuration.


523158-2 : In vpe if the LDAP server returns "cn=" (lower case) dn/group match fails

Component: Access Policy Manager

Symptoms:
In rare case when dn is returned with cn= in lower case VPE is failing to match groupnames

Conditions:
Server that returns cn in low case

Impact:
Group mapping doesn't work

Workaround:
No workaround.

Fix:
Fixed to support CN in both upper & lower cases.


523125 : Disabling/enabling blades in cluster can result in inconsistent failover state

Component: TMOS

Symptoms:
Not all blades in the cluster agree about the high availability (HA) status.

Conditions:
Disabling and enabling blades in a chassis that is configured to use HA Groups can sometimes result in a blade staying in standby even though the other blades in the chassis have gone active.

Impact:
When the blades disagree about active/standby state, traffic might be disrupted.

Workaround:
None.

Fix:
Disabling/enabling blades in cluster no longer results in inconsistent failover state.


523079-2 : Merged may crash when file descriptors exhausted

Component: Local Traffic Manager

Symptoms:
The merged daemon crashes.

Conditions:
The limit on file descriptors is exceeded.

Impact:
Merged crashes leaving a core file. The collection of system stats and merging of blade stats will not work until merged restarts.

Workaround:
Monitor the system file descriptor use and avoid exceeding the limit.

Fix:
Fixed a crash bug in Merged.


522934 : Provide and option to encode subscription ID in CCR-U/CCR-T messages over Gx/Gy

Component: Policy Enforcement Manager

Symptoms:
Some PCRF's require subscription ID in all CCR messages over Gx/Gy for easier session management.

Conditions:

Impact:
Some PCRF's will not work properly with PEM if subscription ID is not specified in CCR-u and CCR-T messages.

Workaround:
Set sys db varaible Tmm.diameter.application.encode.subscriber.id.in.all.ccr to True to see Subscription ID in CCR-u and CCR-T messages as well. By default it is set to True.


522933-1 : diam_app_process_async_lookup may cause TMM crash

Component: Policy Enforcement Manager

Symptoms:
TMM may crash

Conditions:
TMM may crash with diam_app_process_async_lookup when the traffic is triggered to the virtual which has gx profile

Impact:
TMM crash

Workaround:
N/A

Fix:
Fix double free for serdes message


522878-1 : Hide the cleartext Session ID (MRHSessionCookie) visible as part of URL query param to prevent unauthorized access.

Component: Access Policy Manager

Symptoms:
Customer does not want to clearly expose the MRHSession cookie value in the URL because they found that they could bypass the authentication by putting the F5SSO_SID value into the MRHSession cookie from another laptop and gain access to the same virtual server.

Conditions:
Set up multidomain SSO, use httpwatch or tcpdump to capture the traffic and look at the F5SSO_SID in the URL. Set this value into the cookie from another location, and gain access to the virtual.

Impact:
Unauthorized access allows security breach.

Workaround:
iRule Workaround: when HTTP_RESPONSE_RELEASE { if { [HTTP::is_redirect] } { log local0. "Redirect detected with Location header: [HTTP::header Location]" set loc [HTTP::header Location] if { $loc contains "F5SSO_SID" } { # Using F5SSO_SID hashed value inside Location header set F5_sid [string range $loc [expr {[string last "F5SSO_SID" $loc] + 10}] [string length $loc]] log local0. "F5_sid: $F5_sid" set shasid [URI::encode [b64encode [sha512 $F5_sid]]] # we create one subtable to access the hash from the sessionid table add -subtable "sha" $shasid $F5_sid indefinite indefinite log local0. "adding sessionID $F5_sid to ssha subtable with value $shasid" set newloc [string map [list $F5_sid $shasid] $loc] log local0. "Location after obfuscation: $newloc" HTTP::header replace Location $newloc unset loc unset newloc } } } when HTTP_REQUEST { log local0. "received [HTTP::method] [HTTP::host] [HTTP::uri]" if { [HTTP::uri] contains "F5Networks-SSO-Resp" } { # Switch F5SSO_SID value back from hash to real value log local0. "[HTTP::uri] contains F5Networks-SSO-Resp" set newuri2 [HTTP::uri] set F5_hash_b64 [string range $newuri2 [expr {[string first "F5SSO_SID=" $newuri2] + [string length "F5SSO_SID="]} ] [string length $newuri2] ] log local0. "F5SSO_SID value in base64 is: $F5_hash_b64" set lookup_sid [table lookup -subtable "sha" $F5_hash_b64] log local0. "lookup_sid is: $lookup_sid" set newuri2 [string map [list $F5_hash_b64 $lookup_sid] [HTTP::uri]] HTTP::uri $newuri2 log local0. "URI with SID: $newuri2" unset newuri2 unset lookup_sid unset F5_hash_b64 } # route traffic to internal APM VS accordingly if { [HTTP::host] == "www.primaryauth.com" } { use virtual VS_internal_primaryauth } elseif { [HTTP::host] == "www.site.com" } { use virtual VS_internal_site1 } }

Fix:
Following changes were made to avoid vulnerability attack of F5SSO_SID: 1.) While re-directing, Append a 8 byte generated random token in place of F5SSO-ID and store the value of SID in session-DB with the token as key. 2.) When the response comes with the token, lookup in session-DB to identify the SID value and delete the token to prevent future use of token by any illegitimate user attack.


522784-2 : After restart, system remains in the INOPERATIVE state

Component: Local Traffic Manager

Symptoms:
After restarting, it is normal for the system to remain in some state other than "Green/Active" for a few minutes while the system daemons complete their initialization. During this time the following advanced shell command may produce one or more lines of output: # bigstart status | grep waiting However, if this condition persists for more than five minutes after access to the root shell via the management interface is available, then you may be experiencing this defect.

Conditions:
BIG-IP versions 11.5.x, 11.6.x or 12.0.x that have received the fix for bug 502443 but *not* 522784, may experience this issue. There are no officially supported BIG-IP releases that have this condition.

Impact:
As long as the system remains in the INOPERATIVE state, neither LTM nor ASM will function.

Workaround:
In order to work around this problem, de-provision ASM.

Fix:
Resolves a deadlock at startup, when LTM and ASM are provisioned, that may occur as a result of the fix for 502443.


522579-1 : TMM memory leak when RAR messages received from PCRF to delete for a non-existing sessions in PEM

Component: Policy Enforcement Manager

Symptoms:
TMM memory leak. Memory consumption of TMM increases constantly and never reduces.

Conditions:
RAR messages with session-release cause received from PCRF for sessions where PEM does not have.

Impact:
Memory leak and eventually TMM will have to be restarted.

Workaround:
Make sure RAR messages are not sent for sessions which are non-existent in PEM

Fix:
This issues has been fixed now. No more memory leaks when RAR messages with session-release AVP set for non-existent sessions in PEM


522282-1 : iApp templates are visible with only vCMP provisioned.

Component: TMOS

Symptoms:
iApp templates are visible with only vCMP provisioned. Depending on the iApp template, other modules must also be provisioned, for example, LTM, GTM, and so on, must be provisioned for certain iApp. Although template authors can templates even with only vCMP provisioned, the application does not work without the required modules provisioned.

Conditions:
This occurs when vCMP is provisioned as Dedicated and an author makes changes in an iApp with the assumption that the functionality is available because the iApp is visible.

Impact:
iApps are visible that are inappropriate for the provisioning. The system posts an error message if the user attempts to create an app from that template.

Workaround:
Provision the modules needed for the iApp to work.

Fix:
Hide a DNS and iApps menu when VCMP is provisioned


522231-3 : TMM may crash when a client resets a connection

Component: WebAccelerator

Symptoms:
When a client resets a connection while AAM is preparing to serve a response from cache TMM may crash causing failover and restart of AAM. A profile on a virtual from another BIG-IP module (other than AAM and LTM) may contribute to the issue.

Conditions:
1) AAM must be provisioned. 2) A response to the requested URL must be cached and fresh. 3) Client resets a connection immediately after the request is done and the response has not started to serve.

Impact:
TMM crashes when the issue occurs causing failover for a high availability group or service disruption on a standalone device or temporary load increase if the device is a member of a cluster (AAM farm, for example).

Workaround:
Install the fix.

Fix:
Fix removes the condition when AAM starts to serve the response to the already aborting connection.


522147-2 : 'tmsh load sys config' fails after key conversion to FIPS using web GUI

Component: Local Traffic Manager

Symptoms:
Web GUI does not save config after key conversion to FIPS

Conditions:
On a Cavium-FIPS BIG-IP, create a normal key and then covert to FIPS using web GUI

Impact:
'tmsh load sys config' fails

Workaround:
Two possible workarounds: 1) Run 'tmsh save sys config' after the key conversion to FIPS using web GUI 2) Convert normal key to FIPS using tmsh instead of web GUI

Fix:
Web GUI is now fixed to properly save config after key conversion to FIPS


522141-1 : Tmm cores while changing properties of PEM policies and rules.

Component: Policy Enforcement Manager

Symptoms:
If a policy with session reporting is configured on the bigip, and the policy is changed to remove this action, then a tmm core is observed rarely.

Conditions:
This core only occurs when session reporting is configured, and while traffic is being processed, this policy is modified to remove the session reporting action.

Impact:
This core occurs rarely, and hence would not have a significant impact.

Workaround:

Fix:
Deleting a session reporting action will not cause a tmm core.


522140-1 : Multiple IP is not added through iRule after setting the state of a session to provision by iRule

Component: Policy Enforcement Manager

Symptoms:
Provisioning an iRule may not add multiple IP's when state is set to provisioned

Conditions:
iRule with multiple IP's may not get added when provisioned

Impact:
IP's not present in the session

Workaround:
N/A

Fix:
Release the call back ctx connflow after setting session state asynchronously.


521835-2 : [Policy Sync] Connectivity profile with a customized logo fails

Component: Access Policy Manager

Symptoms:
Policy sync failed with a customized logo in connectivity profile.

Conditions:
Configure a customized logo on the connectivity profile. Associate the profile with the access profile through a virtual server. Start a policy sync.

Impact:
Policy Sync fails.

Workaround:
Keep the default logo for connectivity profile. After syncing to target, customize directly on the devices.

Fix:
A user can include a customized logo in a connectivity profile and sync it.


521774-3 : Traceroute and ICMP errors may be blocked by AFM policy

Component: Local Traffic Manager

Symptoms:
ICMP error packets for existing connections can be blocked by AFM policy. Diagnostics that use ICMP error messages, such as traceroute, may fail to display information beyond the AFM device.

Conditions:
The AFM policy has a rule to drop or reject that can match the IP header of ICMP messages going from a router IP address back to the client or server IP address that sent the original packet.

Impact:
Network diagnostics such as traceroute through an AFM device will not display information from routers between the AFM device and the destination IP address.

Workaround:
If possible and allowed, create an AFM rule matching the affected ICMP packets with an action of accept-decisively.


521773-2 : Memory leak in Portal Access

Component: Access Policy Manager

Symptoms:
Memory consumption of "rewrite.*" processes is growing constantly. On manually taken core file, result of following command is large (more than 100000). zcat <core-file.gz> | strings -n 15 | grep "^/f5-w-" | wc -l

Conditions:
Memory leaks in cases when POST request content could be modified by Portal Access (for example, xml).

Impact:
Rewrite processes may use all available memory on the box and then cause 'Out of memory' condition and failover.

Workaround:
This issue has no workaround at this time.

Fix:
Fixed a memory leak of request urls in rewrite plug-in.


521763-1 : Attack stopped and start messages should not have source/dst ip addresses in log messages

Component: Advanced Firewall Manager

Symptoms:
We don't want attack and stop messages to have srcip/dstip in DoS logging but in the code we were printing that.

Conditions:
dstip/srcip were getting logged when the attack was started/stopped in DoS AFM code.

Impact:
Attack start and stop log messages in DoS will not have srcip and destip.

Workaround:
None

Fix:
Attack stopped and start messages are logged as NULL


521683-1 : PEM: Session is not replaced by third and subsequent RADIUS start messages containing specific multiple IPs

Component: Policy Enforcement Manager

Symptoms:
PEM session is not replaced with a new one when for the subscriber

Conditions:
When the same radius start message is sent 3 times and more.

Impact:
Session not being replaced will still be applying old policy for the session.

Workaround:
Make sure radius stop is being for the subscriber before a new radius start is sent.

Fix:
Issue has been fixed now. Session should be replaced when any number of radius start messages are received associated to the subscriber,


521655-2 : Session hangs when trying to switch state to provisioned

Component: Policy Enforcement Manager

Symptoms:
iRule sessions may hang when switching state

Conditions:
Applying iRule to a client data virtual may cause state to hang

Impact:
Session state will hang

Workaround:
N/A

Fix:
Release the call back ctx connflow after setting session state asynchronously


521556-1 : Assertion "valid pcb" in TCP4 with ICAP adaptation

Component: Service Provider

Symptoms:
TMM crashes with assertion "valid pcb" in tcp4.c

Conditions:
Virtual server with request-adapt or response-adapt profile. Congested client or TCP small window (flow-control is active). Multiple HTTP requests in a single client connection. More likely with iRules that park.

Impact:
Intermittent crash under load.

Workaround:

Fix:
Assertion "valid pcb" does not occur.


521538-2 : Keep-alive transmissions do not resume after failover of flows on an L4 virtual, when the sequence number is known

Component: Local Traffic Manager

Symptoms:
After failover of an L4 flow that is using keep-alive, the keep-alive transmissions do not resume after traffic has flowed through the BIG-IP system.

Conditions:
Using HA mirroring of L4 connections, with keep-alive enabled on the profile for TCP. After a failover, there was traffic before the flow timed out, then the traffic becomes idle. If there is no traffic after failover, the correct sequence numbers are unknown, then this is expected behavior: the flow times out due to inactivity. If there is traffic after failover, the correct TCP sequence numbers are known; if there is traffic after failover, and then the flow becomes idle, keep-alive transmissions should resume.

Impact:
Flows after failover with TCP keep-alive age out and expire even if traffic is available to set the sequence numbers. Depending on the configuration options, subsequent packets may reset or transparently create a new flow (if TCP loose initiation is enabled).

Workaround:
None.

Fix:
Keep-alive transmissions now resume after failover of flows on an L4 virtual, when the sequence number is known


521522-3 : Traceroute through BIG-IP may display destination IP address at BIG-IP hop

Component: Local Traffic Manager

Symptoms:
When performing traceroute through a BIG-IP device, the traceroute utility may display the destination IP in place of the hop where BIG-IP is located, instead of a Self IP address of the BIG-IP device at that hop.

Conditions:
No return route for the client IP address exists on the BIG-IP device.

Impact:
There is no impact to the performance of traffic through the BIG-IP device. The impact occurs only when reading and interpreting the results of a traceroute utility.

Workaround:
If possible and allowed, add route entry for the traceroute client subnet.

Fix:
Traceroute through BIG-IP now displays a Self IP address of the BIG-IP device at that hop. This is correct behavior.


521506-2 : Network Access doesn't restore loopback route on multi-homed machine

Component: Access Policy Manager

Symptoms:
Network Access on Windows doesn't restore loopback route for one adapter on multi-homed (Ethernet + Wi-Fi) machine.

Conditions:
This issue happens if: 1. Network Access was established via Ethernet 2. Ethernet cable was unplugged 3. Network Access reconnects using Wi-Fi 4. Ethernet cable is plugged in back

Impact:
Minor routing issues may occur if one special loopback is removed. To restore this route affected adapter should be disabled and enabled.

Workaround:

Fix:
Fixed issues causing improper routing table management.


521455-2 : Images transcoded to WebP format delivered to Edge browser

Component: WebAccelerator

Symptoms:
The Microsoft Edge browser does not support, and cannot render WebP format images. The AAM image optimization framework improperly classifies the Edge browser as being capable of supporting WebP and delivers WebP-transcoded images to such clients.

Conditions:
The AAM system's image optimization as well as the "optimize for client" setting must both be enabled, and the associated acceleration policy and application associated with one or more virtual servers.

Impact:
Some images will fail to render on the Edge browser.

Workaround:
Disable the "optimize for client" attribute in the applicable policies' acceleration assembly settings.

Fix:
Transcoded WebP images are no longer served to the Edge browser. By default, transcoded JPEG-XR is also no longer served to the Edge browser, but the db variable ccdb.allow.edge.jpegxr may be used to override this.


521408-3 : Incorrect configuration in BigTCP Virtual servers can lead to TMM core

Component: Local Traffic Manager

Symptoms:
An incorrect configuration on an irule associated to a BigTCP virtual server can lead to TMM to core.

Conditions:
The following circumstances are needed: - BigTCP Virtual server - FastL4 profile with syncookies enabled. - Invalid iRule that will fail to execute, on LB_FAILED - Syncookie currently activated in that moment.

Impact:
TMM will core leading to unwanted outage of varying impact.

Workaround:
Correct or remove the irule event and coring will no longer occur.

Fix:
TMM now correctly handles the specific scenario to no longer core.


521272 : Fixed memory leak in restjavad's Authentication Token worker

Component: Centralized Management

Symptoms:
There is a memory leak that causes the Authentication Token worker to run Out of Memory after approximately 27,000 token requests, when running with 96 MB image on a BIG-IP system. Any service might receive the OutOfMemory exception, so the external symptoms might vary (e.g., Socket failure, Bad Gateway, and others). To identify this issue, check for Out Of Memory exceptions in /var/log/restjavad.0.log.

Conditions:
This usually occurs when scripting against the rest interface. On a vCMP guest, guestagentd generates an authentication token every 90 seconds so that hostagentd on the vCMP hypervisor can make periodic REST calls to the guest. This info is used to populate the 'tmsh show vcmp health' stats.

Impact:
It takes a long time to log in 27,000 times, when logons come in through the GUI.

Workaround:
Restart restjavad after 10,000 tokens. To stop auth token generation on vCMP guests, on the hypervisor run the commands: -- tmsh modify vcmp guest all capabilities add { stats isolated-mode }. -- bigstart restart hostagentd

Fix:
Fixes a memory leak in Authentication Token mechanism in restjavad.


520705-5 : Edge client contains multiple duplicate entries in server list

Component: Access Policy Manager

Symptoms:
Edge client contains multiple duplicate entries in the server list.

Conditions:
Edge client with duplicate entries in connectivity profile.

Impact:
Edge client shows duplicate entries.

Workaround:
Do not create duplicate entries in connectivity profile

Fix:
BIG-IP Edge Client for Mac doesn't show duplicate entries in the servers list.


520642-3 : Rewrite plugin should check length of Flash files and tags

Component: Access Policy Manager

Symptoms:
Portal Access Flash patcher could crash or apply incorrect modifications on some malformed Flash files.

Conditions:
This occurs when a Flash file is truncated or contains incorrect length value in file or tag headers.

Impact:
It may cause a crash and restart of Portal Access services.

Workaround:

Fix:
Rewrite plugin now correctly processes Adobe Flash files with invalid length in file or tag header.


520640-2 : The iControl Management.Zone.get_zone() method can return zone options in a format inconsistent for use with the Management.Zone.set_zone_option() method.

Component: TMOS

Symptoms:
Using the string returned in the options_seq field by the iControl Management.Zone.get_zone method in the Management.Zone.set_zone_option method can result in an 'Invalid zone option syntax...' error.

Conditions:
Use of the string returned by the iControl Management.Zone.get_zone method in the Management.Zone.set_zone_option() method.

Impact:
Strings returned in the options_seq field by the iControl Management.Zone.get_zone method cannot be used in the Management.Zone.set_zone_option() method unless they are reformatted consistent with the format expected by the Management.Zone.set_zone_option() method.

Workaround:
Use the GUI to set the zone options. Alternatively, modify the strings returned in the options_seq field by the iControl Management.Zone.get_zone method to a format consistent with those expected by the Management.Zone.set_zone_option() method. For example, modify options_seq to have each option as a single string (rather than the masters string, which is returned as 3 separate options strings).

Fix:
The iControl Management.Zone.get_zone_v2() method returns a value in the options_seq field in a format that is consistent with the format expected by the Management.Zone.set_zone_option() method.


520585-2 : Changing Security Policy Application Language Is Not Validated or Propagated Properly

Component: Application Security Manager

Symptoms:
After changing the Application Language for a Security Policy and pushing the changes over a manual sync device group, the CMI device group's status immediately returns to "Changes Pending". Additionally calls through the REST interface erroneously allowed a client to change the language for a policy where it was already set.

Conditions:
A Security Policy was set to "Auto-Detect" the Application Language, and then set to a specific encoding. Or an application language is already set and is changed through the REST API. Issue is seen most prominently in CMI when ASM sync is enabled on a Manual Sync Failover Group

Impact:
1) The change to encoding is not seen if looking at the result in tmsh. 2) In a manual sync group, after the change has been pushed to its peers, the change is correctly written to the MCP configuration when it is loaded. This appears as a new pending change from the peer device, and the device group appears out of sync again.

Workaround:
Push another sync from the peer to the original device.

Fix:
Changes to Language encoding are now validated and propagated correctly.


520540-1 : HTTP Basic authentication may cause the TMM to crash if the header is too large

Component: Local Traffic Manager

Symptoms:
Accessing the information within a HTTP Authorization header via the HTTP::username, HTTP::password (or other method), may cause the TMM to crash if the header is too large.

Conditions:
An overlarge Authorization HTTP header, together with an iRule that accesses it via the HTTP::username or HTTP::password commands, or via the sflow feature.

Impact:
The TMM will crash

Workaround:
One possible work-around is to manually truncate the size of the HTTP Authorization header by an iRule.

Fix:
Overlarge HTTP Authorization headers will no longer cause the TMM to crash if they are inspected via the HTTP::username, HTTP::password iRule commands, or via the sflow feature.


520466-2 : Ability to edit iCall scripts is removed from resource administrator role

Component: TMOS

Symptoms:
A user account with resource administrator role assignment is able to modify user accounts using iCall scripts.

Conditions:
Resource administrators attempting to modify iCall scripts will be denied access. Such users will still be able to create iCall handlers that reference existing scripts.

Impact:
Resource administrators are no longer able to modify iCall script objects.

Workaround:
To manage iCall scripts the user account must be assigned the administrator role.

Fix:
We have removed access to modify iCall scripts for the Resource Administrator role. iCall handlers can still be created that refer to scripts created by an administrator.


520390-1 : Reuse existing option is ignored for smtp servers

Component: Access Policy Manager

Symptoms:
If policy is imported with reuse existing objects option and there is appropriate SMTP server, the newly imported policy would create and use a new one instead reusing the existing one.

Conditions:
Always

Impact:
Minor - easy to fix after import

Workaround:
Open assignment and reuse existing SMTP server, then delete old one.

Fix:
Reuse existing option works properly for SMTP servers.


520298-2 : Java applet does not work

Component: Access Policy Manager

Symptoms:
Web applications may work incorrectly through Portal Access if they use Java applets.

Conditions:
Website uses Java applet that is loaded with deprecated <applet> HTML tag.

Impact:
Websites can't use Java applets.

Workaround:

Fix:
Java applets now work correctly through Portal Access.


520280-1 : Perl Core After Apply Policy Action

Component: Application Security Manager

Symptoms:
Apply policy causes a perl core Further apply policy do not work

Conditions:
ASM provisioned. LTM provisioned. An ASM policy exists that is referenced by an LTM (L7) policy which is not assigned to any LTM virtual server.

Impact:
Apply policy causes a perl core and ASM config event dispatcher crash. ASM config event dispatcher then is not restarted and remains down. Further apply policy do not work.

Workaround:
Make sure that if an ASM policy exists that is referenced by an LTM (L7) policy then such LTM (L7) policy is assigned to some LTM virtual server. one can create a dummy LTM virtual server for that purpose.

Fix:
Perl no longer cores and crashes ASM config event dispatcher in the case of an apply policy to an ASM policy that is referenced by an LTM (L7) policy which is not assigned to any LTM virtual server.


520205-3 : Rewrite plugin could crash on malformed ActionScript 3 block in Flash file

Component: Access Policy Manager

Symptoms:
The rewrite plugin crashes. The following log message is in the log: ../fm_patchers/abc/abcScanner.cpp:70: void abc::abcScanner::has(size_t): Assertion `GetRemaining() >= (ssize_t)l' failed.

Conditions:
Input file is truncated or contains invalid bytecode instructions at the end of doabc/doabcdefine tag.

Impact:
Portal Access services restart.

Workaround:

Fix:
Rewrite plugin no longer crashes on truncated or malformed Adobe Flash files with incorrect ActionScript 3 method body blocks.


520145-3 : [Policy Sync] OutOfMemoryError exception when syncing big and complex APM policy

Component: Access Policy Manager

Symptoms:
Policy sync fails with out-of-memory error on target device with big and complex policy.

Conditions:
Profile of big size, for example, excessive use of ACL resource.

Impact:
Policy Sync fails.

Workaround:

Fix:
APM allows a user to sync a large and complex policy.


520118-2 : Duplicate server entries in Server List.

Component: Access Policy Manager

Symptoms:
There are multiple entries in the server list, possibly with different connection strings.

Conditions:
Client ends up with duplicate entries in the server list if it connects to different virtual servers that have the same aliases in the connectivity profile.

Impact:
Duplicate server entries in Server List.

Workaround:
Avoid duplicate aliases across connectivity profiles on servers that client connects to.

Fix:
Single entry in the server list.


520090-1 : FPS plugin

Component: Fraud Protection Services

Symptoms:
Flows are closed as expired rather than gracefully.

Conditions:
BIG-IP is passing about 400 RPS and bottlenecks.

Impact:
response timeouts

Workaround:

Fix:
The BIG-IP now closes TCP connection after requests for FPS JavaScript.


519966-2 : APM "Session Variables" report shows user passwords in plain text

Component: Access Policy Manager

Symptoms:
APM Session Variables report shows user passwords in plain text.

Conditions:
Has password session variable.

Impact:
It is not safe to show users' password in plain text.

Workaround:

Fix:
APM Session Variables report masks user passwords, displaying ************ instead.


519864-3 : Memory leak on L7 Dynamic ACL

Component: Access Policy Manager

Symptoms:
There is a memory leak on Dynamic ACL with regard for HTTP related configuration such as HTTP host name, and HTTP URI path in ACL entry. The leaks occurs for every session as these entries are generated per session bases.

Conditions:
Use L7 Dynamic ACL

Impact:
The memory usage is slowly increasing, and cause unstability in the overall system.

Workaround:
Use static ACL whenever possible.

Fix:
L7 Dynamic ACL is no longer leaking memory.


519510-3 : Throughput drop and rxbadsum stat increase in tagged VLAN with LRO/GRO on BIG-IP VE running on ESX platforms with particular network hardware

Component: TMOS

Symptoms:
TCP throughput might be severely impacted for traffic traversing a tagged VLAN and BCM57800/BCM57810 NIC on BIG-IP VEs. The 'rxbadsum' counts increase as received LRO'd traffic is ignored by TMM.

Conditions:
1. Traffic traverses a tagged VLAN. 2. This issue might be related to systems using Broadcom BCM57800 or BCM57810 NICs. However in general, the required condition is reception of packets with VLAN header are received in uNIC driver.

Impact:
Potential throughput drop during a high volume of data transfer.

Workaround:
You can use either of the following workarounds: 1. Avoid using tagged VLANs. 2. Run the following commands on the ESX hypervisor to disable LRO/GRO system-wide, followed by a reboot. -- esxcli system settings advanced set -o /Net/Vmxnet2HwLRO -i 0. -- esxcli system settings advanced set -o /Net/Vmxnet3HwLRO -i 0. -- esxcli system settings advanced set -o /Net/Vmxnet2SwLRO -i 0. -- esxcli system settings advanced set -o /Net/Vmxnet3SwLRO -i 0. -- esxcli system settings advanced set -o /Net/VmxnetSwLROSL -i 0.

Fix:
Change in L4 packet header offset, resulting from VLAN header insertion, is being accounted for to verify checksum.


519506-1 : Flows dropped with initiate data from sever on virtual servers with HTTP

Component: Policy Enforcement Manager

Symptoms:
Accepted Events held when HTTP is present on the hudchain

Conditions:
HTTP present on on hudchain

Impact:
Data flows dropped

Workaround:
N/A

Fix:
Enable checking of HTTP state and pass Accepted events


519415-3 : apm network access tunnel ephemeral listeners ignore irules (related-rules from main virtual )

Component: Access Policy Manager

Symptoms:
If a customer wants to change timeout values for server-side initiated flows inside Network Access tunnels, ephemeral listeners ignore irules. There seems to be a workaround for this through tmsh (not ui) by attaching iRules (related-rules) to main virtual that gets run on ephemeral listeners. (These ephemeral listeners are created by Network Access tunnels for lease-pool IPs.) The command for this is (for example): tmsh modify ltm virtual vs_dtls related-rules { idle_time } The problem here was APM Network Access used to ignore the related-rules on main virtual and the rules weren't triggered.

Conditions:
APM Network access use case.

Impact:
Related rules on main virtual are not applied to ephmeral listeners; (these ephemeral listeners are created by Network Access tunnels for lease-pool IPs).

Workaround:
none.

Fix:
iRules get executed on Ephemeral listeners.


519372 : vCMP guest memory growth due to large number of /var/run/tmstats-rsync.* files.

Component: TMOS

Symptoms:
Extremely large and increasing number of files present, of the form /var/run/tmstats-rsync.*. This is a memory-backed directory, and these files are never automatically moved or deleted, hence the vCMP guest may eventually experience swap and out of memory conditions.

Conditions:
vCMP guests upload statistics to the VCMP host periodically. In a small percentage of vCMP guests which have large configurations, these statistics take up an unusually high amount of space. This is not an error, but it exceeds the 6 MB limit that the host accepts. The host's refusal to accept the file triggers behavior in the guest that logs the condition to /var/run/tmstats-rsync.*. If the file size never decreases, this happens repeatedly and indefinitely.

Impact:
In swap and low memory conditions, the vCMP guest suffers performance problems and instability.

Workaround:
To work around this issue, you can disable guest health statistic collection on the vCMP host. To do so, perform one of the following procedures: Disabling statistic collection for the tmsh show vcmp health command. Impact of workaround: This procedure affects values returned by the tmsh show vcmp health stats command. 1. Log in to the command line of the vCMP host. If the device is a VIPRION, ensure you are logged in to the primary blade. 2. To disable statistic collection, type the following command: tmsh modify vcmp guest all capabilities add { stats-isolated-mode }.

Fix:
The /var/run/tmstats-rsync.* files are no longer generated. Instead, statistics are kept in the vCMP guest to track failures to send stats to the host. You can see these by running the following command in the guest: tmctl -d blade vcmpd/rsync_stat. If the guest is a multi-slot guest on a VIPRION platform, this command shows separate stats for each slot it's run on.


519198-3 : [Policy Sync] UI General Exception Error when sync a policy in non-default partition as non-default admin user

Component: Access Policy Manager

Symptoms:
Failed to sync a policy in non-Common partition as a non-default admin user.

Conditions:
Log in as different admin user than the default "admin". Sync a policy that was created in a non-Common partition..

Impact:
Policy Sync fails

Workaround:
Log in as default "admin" user.

Fix:
APM allows a user to log in as any admin user to sync policy in any partition.


519068-3 : device trust setup can require restart of devmgmtd

Component: TMOS

Symptoms:
Depending on the order of operations, the device trust might enter a state in which the device trust connections between devices are continuously reset and messaging about self-signed certificates.

Conditions:
This occurs when devices are being added to and deleted from the device trust.

Impact:
This prevents devices from being able to communicate with each other. The device trust goes to Disconnected and cannot synchronize.

Workaround:
A restart of the devmgmtd daemon clears any stale cached information that it has. However, the administrator may still need to reset the device trust (remove devices from the trust and re-add them).

Fix:
The system now correctly resets device trust when devices are being added to and deleted from the device trust.


519053-1 : Request is forwarded truncated to the server after answering challenge on a big request

Component: Application Security Manager

Symptoms:
Large requests (over 5K) arrive truncated to the server when web scraping bot detection is enabled, or a brute force/session opening attack is ongoing with client-side mitigation.

Conditions:
The request size is between 5k-10k. Web scraping bot detection is turned on, or a brute force/session opening attack is ongoing with client-side mitigation.

Impact:
The client side challenge mechanism causes a truncation of the request forwarded to the server. Only the first 5k of the request arrives to the server.

Workaround:
Change the internal parameter size max_raw_request_len to 10000.

Fix:
The system’s client-side challenge mechanism no longer truncates large requests (those over 5K) forwarded to the server.


519022-2 : Upgrade process fails to convert ASM predefined scheduled-reports

Component: Application Visibility and Reporting

Symptoms:
Upgrade from versions prior to 11.5 fail, if the scheduled report is using the predefined settings named: "Top alerted and blocked policies".

Conditions:
There is a scheduled report that is using the predefined settings named: "Top alerted and blocked policies".

Impact:
Upgrade process fails.

Workaround:

Fix:
A scheduled report using the predefined settings named: "Top alerted and blocked policies" no longer causes upgrades from versions prior to 11.5 to fail. The upgrade process now rename the predefined report-type to the correct one and thus the upgrade process does not fail anymore.


518981-2 : RADIUS accounting STOP message may not include long class attributes

Component: Access Policy Manager

Symptoms:
The class attribute should be sent back to RADIUS server unmodified. However, if the RADIUS server is configured to send lots of long class attributes, the BIG-IP system might drop them when sending accounting stop message.

Conditions:
The BIG-IP system is configured with an Access Policy that contains RADIUS Acct agent. The RADIUS server is configured to send class attributes with total size of greater than 512bytes.

Impact:
RADIUS Accounting server doesn't receive STOP message when user session is over.

Workaround:

Fix:
Previously, the BIG-IP system would not send an accounting stop message if class attributes were more than 512 bytes total size. Now, BIG-IP system sends the accounting stop message, but does not include class attributes.


518663-1 : Client waits seconds before page finishes load

Component: Application Visibility and Reporting

Symptoms:
If page-load-time is enabled in the AVR profile, and the response is small enough to not be chunked, AVR will "promise" to the client a CSPM injection in the response by adding to the Content-length header. If the response contains no <html> tag, AVR will "change its mind" and won't inject the JavaScript, causing the client to wait for the missing bytes until timeout.

Conditions:
Page-load-time is enabled in the AVR profile,

Impact:
Client waits many seconds until timeout.

Workaround:

Fix:
If page-load-time is enabled in the AVR profile, and the response is small enough to not be chunked, AVR will "promise" to the client a CSPM injection in the response by adding to the Content-length header. If no <html> tag is found in the response, the system now injects empty spaces to fill in the missing bytes in order to prevent the client from timing out.


518573 : The -decode option should be added to expressions in AD and LDAP group mapping.

Component: Access Policy Manager

Symptoms:
-decoded option is needed.

Conditions:
upgrade to 11.6.0

Impact:
in 11.6.0, if you create a rule to match an AD group in an "AD group resource assign" it will create something like this in the bigip.conf: expression "expr { [mcget -decode {session.ad.last.attr.memberOf}] contains \"CN=TEST,\" }" Prior to 11.6.0 the generated config was: expression "expr { [mcget {session.ad.last.attr.memberOf}] contains \"CN=TEST,\" }" The upgrade script does not take care of adding the "-decode" option which result in no groups being displayed in the VPE after an upgrade to 11.6.0

Workaround:
No workaround

Fix:
issue resolved, the -decode and lower string comparison added to expressions in AD and LDAP Group Mapping during upgrade.


518432 : [Mac][Linux][NA] TLS tunnel freezes on Mac and Linux in case of SSL renegotiation

Component: Access Policy Manager

Symptoms:
TLS tunnel freezes on Mac and Linux in case of SSL renegotiation.

Conditions:
TLS tunnel on Mac and Linux and SSL renegotiation happens

Impact:
Tunnel freezes and user cannot pass data traffic.

Workaround:
Restart session with BIG-IP

Fix:
Tunnel no longer freezes on SSL renegotiation on MAC and Linux.


518283 : Cookie rewrite mangles 'Set-Cookie' headers

Component: TMOS

Symptoms:
'Set-Cookie' headers are syntactically invalid.

Conditions:
Rewrite profile and 'Set-Cookie' header has 'Expires' attribute before 'Path' attribute.

Impact:
'Set-Cookie' headers in the client side become syntactically invalid (two 'Path' values that can be contradictory, plus a broken 'Expires' string).

Workaround:
Put the 'Path' attribute before 'Expires' attribute.

Fix:
The 'Expires' attribute is now properly parsed.


518260-1 : Missing NTLMSSP_TARGET_INFO flag on NTLMSSP_CHALLENGE message

Component: Access Policy Manager

Symptoms:
NTLMSSP_TARGET_INFO flag is set on NTLMSSP_CHALLENGE message that is generated by ECA, although Target Info attribute itself is included. Certain NTLM clients may ignore the target info attribute due to this issue, and fall back to use NTLM v1 authentication. With ActiveDirectory default configuration this is not an issue. However, if the customer had specifically required NTLMv2 in their policy, then the authentication never succeeded due to mismatch of the protocol.

Conditions:
Customer has specifically required NTLMv2 and denied NTLMv1 in their ActiveDirectory policy.

Impact:
Users cannot authenticate.

Workaround:

Fix:
NTLM client that depends on NTLMSSP_TARGET_INFO flag can complete NTLM authentication using NTLMv2 protocol.


518201-1 : ASM policy creation fails with "ASMConfig exception ... Policy ... already exists" after upgrade

Component: Application Security Manager

Symptoms:
policy creation should fail like this: ------------------ # tmsh create asm policy /Common/blabla active encoding utf-8 Unexpected Error: ASMConfig exception: [101] Policy 'Security Policy /Common/blabla' already exists in this policy. ------------------ Same if created by any other means (GUI, etc...)

Conditions:
ASM provisioned Upgrade to 11.6.X

Impact:
ASM policies cant be created

Workaround:
Please apply the following workaround, as root user, from CLI of the affected BIGIP. Please execute the exact commands (spaces are significant!!!) - copy and paste into the CLI: --------------------------------------- # mount -o remount,rw /usr # cp /usr/share/ts/config/default_rows_config.yaml /usr/share/ts/config/default_rows_config.yaml.orig # perl -pi -e 's/PL_SESSION_AWARENESS_VIOLATIONS_DEFAULTS\n/PL_SESSION_AWARENESS_VIOLATIONS_DEFAULTS\n insert_ignore: 1\n/m' /usr/share/ts/config/default_rows_config.yaml # mount -o remount,ro /usr --------------------------------------- Validate the workaround by diffing the updated file (.yaml) against the original file (.yaml.orig): --------------------------------------- # diff /usr/share/ts/config/default_rows_config.yaml /usr/share/ts/config/default_rows_config.yaml.orig 45d44 < insert_ignore: 1 --------------------------------------- Make sure that the diff is exactly "< insert_ignore: 1" (spaces are significant!!!).

Fix:
We've fixed ASM policy creation so that it does not fail after upgrade


518039-1 : BIG-IQ iApp statistics corrected for partition use cases

Component: TMOS

Symptoms:
When the f5.http iApp is deployed in a partition, the icall script fails to get stats because it assumes the application is in /Common.

Conditions:
iApps are running in an administrative partition.

Impact:
BIG-IQ customers fail to get statistics from iApps running on BIG-IP.

Workaround:

Fix:
Certain iApps deployed by BIG-IQ now provide statistics.


518020-11 : Improved handling of certain HTTP types.

Component: Local Traffic Manager

Symptoms:
Improperly formatted HTTP connection through BIG-IP may cause the connection to hang and eventually timeout.

Conditions:
If the HTTP version token in the request is improperly crafted, BIG-IP ends up treating the request as HTTP 0.9. Hence any data after the first CRLF is held back by BIG-IP due to pipeline handling, and is not passed to the backend server. If the backend server is Apache or IIS, this improperly crafted HTTP request line causes the request to be treated as 1.1, and both the servers wait for the Host header and CRLFs. Since no data is forthcoming, the connection hangs and the backend servers timeout the connection a few seconds later. F5 Networks would like to acknowledge Eitan Caspi, Security Researcher of Liacom Systems, Israel for bringing this to our attention.

Impact:
This has the potential to exhaust the number of connections at the backend.

Workaround:
Mitigations: 1) iRule that can drop the connections after a specified amount of idle time. 2) iRule to validate the request line in an iRule and fix it. 3) Tuning of profile timeouts 4) ASM prevents this issue.

Fix:
This release has improved handling of certain HTTP types, so that an HTTP request with a version token that is not properly crafted is no longer treated as HTTP 0.9. This has the effect of all of the request data being forwarded to the backend.


517988-2 : TMM may crash if access profile is updated while connections are active

Component: Access Policy Manager

Symptoms:
The BIG-IP system has a virtual server with an access profile. There is live traffic using that virtual. If the access profile is updated, enforcement of certain behaviors on the live traffic may end up accessing stale profile data, and result in a crash.

Conditions:
If an access profile is attached to a virtual server, and the profile is updated while the virtual has active connections.

Impact:
TMM may crash. Connections may be interrupted. Access sessions are lost.

Workaround:
(These are untested...) Without HA, (1) disable virtuals using access profile, (2) delete any active connections on the virtuals, (3) update access profile, and, (4) enable virtuals. With HA, (1) update access profile on standby, (2) failover to the standby, and (3) sync the configuration.

Fix:
Upon access profile update, cleanup of the previous profile data is deferred until there are no active connections referencing it.


517872-1 : Include proxy hostname in logs in case of name resolution failure

Component: Access Policy Manager

Symptoms:
It's hard to troubleshoot cases when proxy name resolution failure happens.

Conditions:
Troubleshooting is required in proxy name resolution area.

Impact:
Network Engineer has problems with identifying root cause.

Workaround:

Fix:
Now proxy hostname is printed to logfile when resolution fails.


517790-1 : When non-HTTP traffic causes the server-side to receive unexpected data, the connection will be dropped

Component: Local Traffic Manager

Symptoms:
Non-HTTP traffic can have the server-side send data outside the usual request-response pairing. (Either before a request, or extra data after a response is complete.) If so, HTTP will reject the connection as the server state is now unknown. However, if HTTP is acting as a Transparent proxy, switching to pass-through mode and disabling HTTP may be a better course of action.

Conditions:
Non-HTTP data sent to the server-side not belonging to a response.

Impact:
Banner protocols, where the a server will respond before seeing any data will not pass through the Transparent HTTP proxy. Non-HTTP protocols that start with a pseudo-HTTP response, followed by extra data will reject the connection when the extra data is seen.

Workaround:
It may be possible to use HTTP::disable to disable the HTTP filter when some signature of the non-HTTP protocol is seen.

Fix:
The passthrough-pipeline option now allows unexpected server-side ingress to switch the Transparent HTTP proxy into pass-through mode.


517580-3 : OPT-0015 on 10000-series appliance may cause bcm56xxd restarts

Component: TMOS

Symptoms:
Changing configuration (enable/disable/auto-negotiation) on copper SFPs on 10000-series appliance might cause an internal bus to hang. Symptoms are bcm56xxd process restarts, and the interfaces may show as unknown.

Conditions:
Only copper SFPs OPT-0015 on 10000-series appliances exhibit this problem.

Impact:
The bcm56xxd process restarts, and the interfaces may show as unknown.

Workaround:
To work around this issue, follow these steps: 1) Force the system offline. 2) Reboot the system. 3) Release the system's offline status.

Fix:
The bcm56xxd daemon detects a bus problem and resets the bus to recover communications with SFP transceivers.


517564-1 : APM cannot get groups from an LDAP server, when LDAP server is configured to use non-default port

Component: Access Policy Manager

Symptoms:
Starting from BIG-IP APM 11.6.0, there is a new feature called LDAP Group Resource Assign agent. The agent relies on a group list that is retrieved at AAA > LDAP Server > Groups configuration page. AAA LDAP Server fails to update the group list when the backend LDAP server is configured to use a port other than 389 (the default port).

Conditions:
Backend LDAP server is configured to use a non-default port (a port other than 389). LDAP Group Resource Assign agent is added to an Access Policy.

Impact:
It is impossible to update group list from LDAP server. LDAP Group Resource Assign agent does not provide a list of LDAP groups for easy configuration.

Workaround:

Fix:
LDAP groups can now be retrieved from an LDAP server that uses a non-default port (a port other than 389).


517556-3 : DNSSEC unsigned referral response is improperly formatted

Component: Local Traffic Manager

Symptoms:
When DNSSEC signs an unsigned referral response, the contained NSEC3 resource record has an empty type bitmap. Type bitmap should contain an NS type.

Conditions:
DNSSEC processing an unsigned referral response from DNS server.

Impact:
DNSSEC referral response is not RFC compliant.

Workaround:
None.

Fix:
NS type added to NSEC3 type bitmap, so that DNSSEC unsigned referral response is properly formatted.


517441-5 : apd may crash when RADIUS accounting message is greater than 2K

Component: Access Policy Manager

Symptoms:
If the RADIUS Acct agent is configured for an access policy, and there are a lot of attributes with total size greater than 2K, apd may crash.

Conditions:
RADIUS Acct agent is configured and an AP with numerous attributes in RADIUS Acct request

Impact:
service becomes unavailable while restarting apd process

Workaround:

Fix:
The maximum size of RADIUS packet is now set to 4K (RFC2865). If the total size of attributes is greater than 4K, the packet will be truncated to 4K.


517178-2 : BIG-IP as SAML Service Provider cannot process some messages from simplesamlphp under certain conditions

Component: TMOS

Symptoms:
When BIG-IP is used as Service Provider with Simplesamlphp as Identity Provider, processing of signed artifact response messages from IdP may fail with following error: "Digest of SignedInfo mismatch".

Conditions:
- BIG-IP is configured as SP. - Artifact binding is used for SSO. - Artifact response message from IdP is signed.

Impact:
User SSO may not work.

Workaround:
Use POST binding instead of Artifact.

Fix:
Fixed exclusive (exc-c14n) canonicalization in the XML so it would produce result with missing namespaces.


517083-1 : Some autodiscovered virtuals may be removed from pools.

Component: Global Traffic Manager

Symptoms:
As part of a larger effort to refine Virtual Server Auto Discovery and monitoring, several changes were made to improve cross version interoperability and Virtual Server matching. As part of these fixes, an error was introduced which caused some virtual servers to be deleted and rediscovered. This removed them from the Pool they were assigned to, which can cause load balancing errors.

Conditions:
This can occur with Virtual Servers that were originally specified on a pre-folder aware version of BIGIP, such as 10.2.x. When they are discovered by a folder aware version, they may be deleted from the GTM config and re-added with "/Common/" prepended to the name.

Impact:
Some virtual servers will be removed from Pools. The virtual server will be deleted and recreated, but not added back to the pool. This will result in incorrect load balancing decisions.

Workaround:
Changing the GTM config to add the virtual servers back to the pool will resolve the issue.

Fix:
The discovery and monitoring of virtual servers has been made more robust to deal with cases of multiple GTM VSes pointing at the same LTM virtual, as well as naming/folderization issues.


516839-3 : Add client type detection for Microsoft Edge browser

Component: Access Policy Manager

Symptoms:
Microsoft Edge browser cannot be detected by Client Type action item agent in access policy.

Conditions:
Microsoft Edge browser, Client Type action item agent in access policy on BIG-IP APM.

Impact:
Microsoft Edge browser is not detected by Client Type action item and the webtop might not display properly or might display resources that are not supported.

Workaround:

Fix:
Improvement: Microsoft Edge browser is now detected properly and only supported resources are shown on the webtop now. All components that require ActiveX are not supported.


516685-2 : ZoneRunner might fail to load valid zone files.

Component: Global Traffic Manager

Symptoms:
ZoneRunner might fail to load valid zone files which contain two or more consecutive lines which are $TTL directives, blank lines, comment-only lines, or some combination of the above.

Conditions:
DNS : Zones : Zonerunner : Zone List: Create. Select 'Load from File' in Records Creation Method.

Impact:
The user cannot load a zone file via the GUI.

Workaround:
Workaround 1: Remove consecutive blank lines, and comment-only lines from the zone file before uploading it to the GUI. Specify the domain in the line following any $ directive lines before uploading the zone file to the GUI. Workaround 2: 1. Freeze zones, stop zrd. 2. Copy zone file from donor GTM to new GTM. 3. Check and adjust chown of zone file. 4. Start zrd, thaw zones. 5. Restart named.

Fix:
ZoneRunner now successfully loads zone files that contain $TTL directives, blank lines, comment-only lines, or some combination of the above.


516680-2 : ZoneRunner might fail when loading valid zone files.

Component: Global Traffic Manager

Symptoms:
ZoneRunner might fail to load valid zone files which contain two or more consecutive lines which are $TTL directives, blank lines, comment-only lines, or some combination of the above.

Conditions:
DNS : Zones : Zonerunner : Zone List: Create. Select 'Load from File' in Records Creation Method.

Impact:
The user cannot load a zone file via the GUI.

Workaround:
Workaround 1: Remove consecutive blank lines, and comment-only lines from the zone file before uploading it to the GUI. Specify the domain in the line following any $ directive lines before uploading the zone file to the GUI. Workaround 2: 1. Freeze zones, stop zrd. 2. Copy zone file from donor GTM to new GTM. 3. Check and adjust chown of zone file. 4. Start zrd, thaw zones. 5. Restart named.

Fix:
ZoneRunner will no longer crash when parsing zone files containing $TTL directives, blank lines, comment-only lines, or some combination of the above.


516669-1 : Rarely occurring SOD core causes failover.

Component: TMOS

Symptoms:
Spontaneous failover occurs rarely due to a SOD core dump.

Conditions:
Cannot reproduce the issue reliably, so conditions for the crash are unknown.

Impact:
When SOD cores, all traffic groups fail over to another device. Non-mirrored flows will be interrupted.

Workaround:
None.

Fix:
Errors in handling memory have been fixed to prevent allocation failure.


516618-5 : CVE-2013-7424

Component: TMOS

Symptoms:
CVE-2013-7424 : An invalid free flaw was found in glibc's getaddrinfo() function when used with the AI_IDN flag.

Conditions:
Using getaddrinfo() with the AI_IDN flag can result in a bogus call to free() which glibc detects and possibly crashes the calling program.

Impact:
This is a low impact vulnerability since the BIGIP usage is limited to utilities that require local shell access.

Workaround:

Fix:
Updated glibc with upstream fix for this issue.


516598-1 : Multiple TCP keepalive timers for same Fast L4 flow

Component: Local Traffic Manager

Symptoms:
Multiple TCP keepalive timers for same Fast L4 flow.

Conditions:
Fast L4 profile with TCP Keepalive option enabled.

Impact:
TMM core.

Workaround:
Disable TCP Keepalive option from the Fast L4 profile.

Fix:
Prevent starting multiple TCP keepalive timer for the same fastL4 flow


516522-1 : After upgrade from any pre-11.4.x to 11.4.x (or later) the configured redirect URL location is empty

Component: Application Security Manager

Symptoms:
After upgrade from any pre-11.4.x to 11.4.x (or later) the configured redirect URL location is empty.

Conditions:
1) asm provisioned and redirect URL configured on any pre-11.4.x. 2) upgrade to 11.4.x (or later)

Impact:
After upgrade from any pre-11.4.x to 11.4.x (or later) the configured redirect URL location is empty.

Workaround:
N/A

Fix:
The configured redirect URL location is now preserved after upgrade from any pre-11.4.x to 11.4.x (or later).


516462-2 : Gateways for excluded address space routes are not adjusted correctly during roaming between networks on Windows machines

Component: Access Policy Manager

Symptoms:
Gateways for excluded address space routes are not adjusted correctly during roaming between networks on Windows machines.

Conditions:
Client Windows machine roams between different networks (Wi-Fi or Ethernet) when the BIG-IP system has configured split-tunneling.

Impact:
Excluded address space routes are not applied.

Workaround:

Fix:
Fixed reason causing this issue; now excluded address routes are applied correctly even if a client machine roams between different networks.


516320-2 : TMM may have a CPU spike if match cross persist is used.

Component: Local Traffic Manager

Symptoms:
TMM may have a CPU spike. A few(very few) connections may fail.

Conditions:
1) Match cross persist is used. 2) Long idle time out makes the symptom worse. 3) Persist HA makes the symptom worse.

Impact:
TMM may have a CPU spike. A few(very few) connections may fail.

Workaround:
Avoid using match across persist.

Fix:
Match across persistence no longer causes CPU spike.


516057-3 : Assertion 'valid proxy' can occur after a configuration change with active IVS flows.

Component: Service Provider

Symptoms:
When a configuration update or sync takes place while there are active connections on an affected internal virtual server (IVS), and a new connection is initiated during the update, the TMM can assert 'valid proxy' and crash. If there were are no preexisting active connections, the assertion does not occur, but connections initiated during the configuration update might be in a bad state and cause unpredictable effects.

Conditions:
1. Active flows exist on an internal virtual server (IVS). Necessary to trigger the assertion. 2. A configuration update or sync affecting that IVS is in progress. 3. A new connection is initiated to that IVS during the update.

Impact:
This is intermittent and rarely encountered. When all preexisting connection flows on this IVS tear down, a 'valid proxy' assertion can trigger and cause a TMM crash and restart, resulting in lost connections across the BIG-IP system or blade. New IVS connection flows initiated during the configuration update might be in a bad state and exhibit unpredictable effects, even if there is no crash.

Workaround:
Try to avoid configuration changes affecting any IVS while connections are active. This is intermittent so most likely will not manifest, even with active connections.

Fix:
When a configuration update or sync takes place while there are active connections on an affected internal virtual server (IVS), new connections fail and log an error message indicating that the IVS is not ready for connections. If the connections are to an ICAP server, the BIG-IP system performs the service-down-action configured in the request-adapt or response-adapt profile of the virtual server that attempted to initiate the connection. There are no assertions or unpredictable effects. Any new connections that failed for this reason may be retried after the configuration update is complete.


515943-2 : "Session variables" report may show empty if session variable value contains non-English characters

Component: Access Policy Manager

Symptoms:
"Session variables" report may show empty if session variable value contains non-English characters

Conditions:
For active session only.

Impact:
User cannot see the Session Variable information for active session.

Workaround:
Use English characters for network configuration, such as host name, user name...

Fix:
"Session variables" report shows correct information for any language characters.


515817-2 : TMM may not reset connection when receiving an ICMP error

Component: Local Traffic Manager

Symptoms:
Connection is not reset after receiving an ICMP error

Conditions:
TMM receives an ICMP error after sending a TCP/SYN on a FastL4 virtual

Impact:
Delayed shutdown of connection

Workaround:

Fix:
TMM will now reset FastL4 connections when receiving an ICMP error in response to TCP/SYN.


515797-1 : Using qos_score command in RULE_INIT event causes TMM crash

Component: Global Traffic Manager

Symptoms:
TMM crashes when the iRule with qos_score command in RULE_INIT event is added to a wide IP.

Conditions:
Configured iRule with qos_score command in RULE_INIT event that is added to a wide IP.

Impact:
TMM crashes.

Workaround:
Mitigation: Do not use qos_score command in RULE_INIT event.

Fix:
qos_score command is disallowed in RULE_INIT event.


515667-4 : Unique truncated SNMP OIDs.

Component: TMOS

Symptoms:
When a BIG-IP generates SNMP OID-required truncation in order to stay within the OID max length limit of 128, the truncated OID is not always consistent or unique.

Conditions:
An SNMP table has a unique index (key) consisting of one or more table attributes of various types. String type index attributes with values lengths approaching or exceeding 128 characters expose this truncation issue.

Impact:
SNMP get, get-next, and set commands might fail or even operate on incorrect data when the target OID is not consistent or unique.

Workaround:
The long string values triggering this issue are typically identified as user-supplied names that were introduced as part of BIG-IP configuration. Often these names can be reconfigured to a shorter length.

Fix:
Truncated OIDs are now appended with a unique check-sum value that remains unchanged from one query to the next.


515646-1 : TMM core when multiple PPTP calls from the same client

Component: Carrier-Grade NAT

Symptoms:
TMM can core when there are multiple PPTP calls arrive from the same client.

Conditions:
PPTP ALG VS with CGNAT.

Impact:
TMM crash.

Workaround:

Fix:
TMM no longer core when multiple PPTP calls arrives from the same client.


515345-1 : NTP Vulnerability

Component: TMOS

Symptoms:
BIG-IP is NOT VULNERABLE with DEFAULT configuration. BIG-IP versions can become VULNERABLE with a NON DEFAULT configuration. A customer would be exposed to this vulnerability in a situation where manual configuration of the system was done inline with the requirements in the advisory.

Conditions:
All NTP4 releases starting with ntp-4.2.5p99 up to but not including ntp-4.2.8p2 where the installation uses symmetric keys to authenticate remote associations

Impact:
An attacker may be able to inject network packets without knowledge of the symmetric key

Workaround:
N/A

Fix:
Apply patches form ntp.org's 4.2.8p2


515322-1 : Limit the number of extra callbacks scheduled from inside the cache resolver

Component: Local Traffic Manager

Symptoms:
Cache configuration is removed

Conditions:
When a cache configuration is "removed" there are conditions where a refcount is not properly managed that would lead to memory being deleted before the last user is done with it.

Impact:
TMM core

Workaround:
N/A

Fix:
Schedule the special cache release hudevent for all cache completion callbacks


515112-1 : Delayed ehash initialization causes crash when memory is fragmented.

Component: Advanced Firewall Manager

Symptoms:
When first using a new feature (fpm, firewall) under memory fragmentation conditions, if the feature uses an ehash table, TMM may crash.

Conditions:
Severe memory fragmentation, where contiguous allocations are not satisfied, combined with initial use of a new feature.

Impact:
TMM crashes.

Workaround:
Utilize all features shortly after TMM comes up, so all initial allocations are performed.

Fix:
Certain allocations are no longer delayed. Delayed allocations which fail retry with smaller sizes, possibly reducing performance.


515072-4 : Virtual servers with priority groups reset incoming connections when a non-zero connection limit is increased

Component: Local Traffic Manager

Symptoms:
When a virtual server has priority groups and connection limit configured, if the connection limit is reached and is increased while the member is limited, then subsequent connections will be reset rather than allowed.

Conditions:
Using priority groups and a non-zero connection limit, with one of the following load balancing methods: least-connections-member, least-sessions, ratio-member, ratio-least-connections-member, ratio-session. The issue occurs when the connection limit is adjusted higher when the connection limit is reached on the high-priority pool.

Impact:
New connections are reset without being able to send traffic.

Workaround:
If it is feasible to adjust the priorities, adjust the connection limit to its initial value, and adjust the priority groups so that the traffic currently on the limited pool drains out. When the pool has no connections, increase the limit to restore the correct priorities.

Fix:
Make pool member eligible for load balancing if its not connection limited after modifying its connection limit.


515033 : [ZRD] A memory leak in zrd

Component: Global Traffic Manager

Symptoms:
Memory leaks for zrd when performing wide IP alias updating.

Conditions:
When an add, modification, or deletion of a GTM Wide IP Alias is made through the GUI or tmsh, there is a small memory leak in zrd. Although this memory leak is small for any one change, it could be noticeable after hundreds or thousands of changes when viewing memory consumption through 'top' or other tools.

Impact:
Memory leak after multiple wide IP alias create/update operations.

Workaround:
If the zrd memory usage is negatively impacting system performance, you can restart zrd and clear out the memory usage by running the command: bigstart restart zrd.

Fix:
Memory no longer leaks for zrd when performing wide IP alias updating.


515030-1 : [ZRD] A memory leak in Zrd

Component: Global Traffic Manager

Symptoms:
Memory leaks for zrd when performing multiple wide IP alias updating.

Conditions:
When an add, modification, or deletion of a GTM Wide IP Alias is made through the GUI or tmsh there is a small memory leak in zrd. This memory leak is not significant for any one change, but it might become noticeable after hundreds or thousands of changes when viewing memory consumption through 'top' or other tools.

Impact:
Memory leak after multiple wide IP alias updates.

Workaround:
Although there is no workaround, you can mitigate potential system performance impacts by restarting zrd, which clears out the memory usage. To do so, run the command: bigstart restart zrd.

Fix:
Memory no longer leaks in zrd when performing multiple wide IP alias updating.


514912-3 : Portal Access scripts had not been inserted into HTML page in some cases

Component: Access Policy Manager

Symptoms:
If HTML page contains forms with absolute action paths, Portal Access scripts must be inserted into this page. But if there are no other reasons to include them, these scripts were not included.

Conditions:
HTML page which consists of the form with absolute action path, for instance: <form action='/cgi-bin/a.gci"> </form>

Impact:
The form can not be submitted because browser fires JavaScript error.

Workaround:
It is possible to use iRule to insert Portal Access scripts into rewritten HTML page.

Fix:
Now Portal Access scripts are inserted into HTML page if it contains forms with absolute action path.


514726-4 : Server-side DSR tunnel flow never expires

Component: TMOS

Symptoms:
TMM cores and memory exhaustion using Direct Server Return (DSR). DSR establishes a one-way tunnel between the BIG-IP system and the back-end servers using the clients' IP addresses as the tunnel local-address on the BIG-IP system. These flows never expire.

Conditions:
BIG-IP virtual servers using DSR tunnels to send client traffic to the server.

Impact:
Server-side DSR tunnel flow never expires. Because the DSR tunnels use client's IP address as the tunnel local-address and the server's IP address as the tunnel remote-address, a single DSR setup might introduce as many tunnels as the clients' requests. When these tunnels do not expire, the BIG-IP system memory resource might be used up eventually, causing TMM cores.

Workaround:
None.

Fix:
Individual DSR tunnels are removed after the corresponding client's user flows expire.


514724-1 : crypto-failsafe fail condition not cleared when crypto device restored

Component: TMOS

Symptoms:
If a crypto device fails, the crypto-failsafe fail condition will not be cleared when the crypto device is restored.

Conditions:
This issue affects systems with failed crypto devices that are restored.

Impact:
In an HA pair, the failing unit will fail over, but it will always stay down.

Workaround:
To restore the crypto-failsafe HA fail status, restart tmm by issuing a 'bigstart restart tmm'. Note that on a VIPRION system, this command must be run on the appropriate blade.

Fix:
Allowed the crypto device to be restored and not keep the crypto-failsafe HA status in the fail state.


514246-3 : connflow_precise_check_begin does not check for NULL

Component: Local Traffic Manager

Symptoms:
Currently connflow_precise_check_begin does not check for NULL for its parameters while hudproxy has plenty of places where it calls connflow_precise_check_begin with NULL.

Conditions:
Connection Rate Limit is configured

Impact:
This leads to NULL pointer dereference and subsequent tmm crash

Workaround:
N/A

Fix:
Fix NULL pointer dereference in connflow_precise_check_begin


514236-1 : [GUI][GTM] GUI does not prefix partition to device-name for BIG-IP DNS Server IP addresses

Component: Global Traffic Manager (DNS)

Symptoms:
IP addresses associated with a BIG-IP DNS server object may not be viewable from the Configuration utility.

Conditions:
This issue occurs when all of the following conditions are met: -- You use the Configuration utility to create a BIG-IP DNS server object with one or more IP addresses. -- You then use the Configuration utility to add one or more IP addresses to a BIG-IP DNS server object. -- You use the Traffic Management Shell (tmsh) to add one or more additional IP addresses to the BIG-IP GTM server object. -- From the Configuration utility, you navigate to DNS :: GSLB :: Servers :: [BIG-IP DNS Server Name] and then view the BIG-IP DNS server object IP addresses in the Address List box.

Impact:
Only the BIG-IP GTM server object IP addresses that are added from the tmsh utility display in the Configuration utility. After tmsh modifies the BIG-IP DNS server by adding another IP address, the GUI fails to show those IP addresses previously added using the GUI.

Workaround:
Use tmsh to create and modify IP addresses on BIG-IP DNS servers. Or use only the Configuration utility or only the tmsh utility to create and modify BIG-IP GTM server object IP addresses.

Fix:
GUI now adds the partition prefix to device-name for BIG-IP DNS Server IP addresses, so IP addresses associated with a BIG-IP DNS server object are now viewable from the Configuration utility.


514220-1 : New iOS-based VPN client may fail to create IPv6 VPN tunnels

Component: Access Policy Manager

Symptoms:
Newer iOS-based VPN client does not provide MAC address during IPCP negotiation. This prevents the IPv6 VPN tunnel from getting established.

Conditions:
It affects only iOS-based IPv6 VPN connection requests.

Impact:
This impacts only IPv6 VPN tunnel requests from iOS-based devices.

Workaround:
None.

Fix:
Newer iOS-based VPN clients can successfully create IPv6 VPN tunnels.


514117-1 : Store source port higher than 32767 in Request Log record

Component: Application Security Manager

Symptoms:
Any Request Log record for request with source port higher than 32767 will have source port equal to 32767.

Conditions:
Request Log record get wrong source port when source port value of request higher than 32767.

Impact:
Request Log record has wrong source port if source port value higher than 32767.

Workaround:
There is no workaroud

Fix:
The Request log record now gets the correct source port even when the source port value of the request is higher than 32767.


514108-1 : TSO packet initialization failure due to out-of-memory condition.

Component: Local Traffic Manager

Symptoms:
TCP Segmentation Offload (TSO) packet initialization failure due to out-of-memory condition with the message: packet is locked by a driver.

Conditions:
Requires a specific packet layout and memory allocation to fail in a specific place at a specific time.

Impact:
TMM posts the assert message: packet is locked by a driver.

Workaround:
None.

Fix:
TCP Segmentation Offload (TSO) packet is now cleared correctly with no packet-locked message.


513969-3 : UAC prompt is shown for machine cert check for non-limited users, even if machine cert check service is running

Component: Access Policy Manager

Symptoms:
UAC prompt is shown for machine cert check for non-limited users, even if Machine Cert Check service is running on client Windows machine.

Conditions:
Current user is non-limited. Machine Cert Check service is running. User tries to pass Access Policy.

Impact:
Non-limited user has to press 'ok' in UAC window.

Workaround:

Fix:
Now Machine Certificate Check service is used for certificate verification even for non-limited users.


513953-1 : RADIUS Auth/Acct might fail if server response size is more than 2K

Component: Access Policy Manager

Symptoms:
RADIUS authentication or accounting fails when a response from the backend server is bigger than 2048 bytes

Conditions:
Response from backend server is bigger than 2048 bytes

Impact:
RADIUS Auth/Acct agent failed.

Workaround:

Fix:
Now RADIUS Auth and RADIUS Acct agents can successfully parse packets of sizes up to 4K, which is the maximum allowed RADIUS packet size. At the moment the BIG-IP system does not support RADIUS packet fragmentation.


513916-5 : String iStat rollup not consistent with multiple blades

Component: TMOS

Symptoms:
An iStat of type string does not merge consistently in a multi-bladed chassis, so the value read on different blades at the same time may differ.

Conditions:
The iStat must be of type string, and the chassis must have multiple blades.

Impact:
The value of the iStat after the merge differs on different blades.

Workaround:
Use clsh to write the string iStat value to all blades together.

Fix:
The rollup of strings is based on a timestamp of the last update, but this value was not preserved through the first level of merge so the second level done on each blade was arbitrary. Now, the value is preserved, so the iStat value for multiple blades is correct.


513860-1 : Incomplete support for special characters in input field names

Component: Fraud Protection Services

Symptoms:
When HTML input fields with special character in their names were configured for data integrity, false positive alerts were sent

Conditions:
HTML fields with special characters in their names.

Impact:
False positive automatic transactions (data integirty) alerts.

Workaround:
Do not configure data integrity checks on fields with special characters in the name.

Fix:
Encoding was fixed and now special characters are supported.


513822-1 : ASM REST: Expected Content Value Is Not Set When Setting The responseActionType For A Response Page

Component: Application Security Manager

Symptoms:
When setting the responseActionType, such as "default" or "soap-fault", to a value that has an expected related unmodifiable responseContent value, the expected responseContent is not set. As a result an empty response page is returned when ASM blocks a request.

Conditions:
Via ASM REST a client changes the responseActionType from "custom" to "default" or "soap-fault".

Impact:
An empty response page is returned when ASM blocks a request.

Workaround:
The alternate response body can be set explicitly via REST

Fix:
Expected responseContent is now set when changing responseActionType to a static content type like "default" or "soap-fault" using ASM REST.


513706-2 : Incorrect metric restoration on Network Access on disconnect (Windows)

Component: Access Policy Manager

Symptoms:
The metric after Network Access disconnect differs from metric before Network Access for default route.

Conditions:
Using Network Access on Windows systems.

Impact:
A multi-home environment might experience routing issues after disconnecting Network Access, for example, by default traffic might go through Wi-Fi instead of wired networks.

Workaround:
Disable and enable the network adapter.

Fix:
Fixed an issue causing incorrect metric restoration on Network Access on disconnect.


513545-1 : '-decode' option produce incorrect value when it decodes a single value

Component: Access Policy Manager

Symptoms:
When a session variable set by AD/LDAP module is HEX-encoded, it is possible to decode it with the -decode option for the mcget command. The option works correctly when the session variable contains multiple values (such as | 0xABCD | 0xDCBA |), but it does not work properly with a single encoded value (such as0xABCD).

Conditions:
The problem occurs under these conditions: the -decode option is specified when retrieving a HEX-encoded variable, and the session variable contains only one value/

Impact:
As a result, the access policy does not follow the expected branch rule.

Workaround:
While decoding a single value, the mcget command produces a result like EncodedValueDecodedValue. For example, for encoded string 0x616161, the result of the operation will be 616161aaa. It is possible to write a Tcl expression in the Variable Assign agent that truncates the left half of the string and leaves aaa, the decoded value only.

Fix:
The -decode option works as expected for single-value and multi-value session variables.


513464-1 : Some autodiscovered virtuals may be removed from pools.

Component: Global Traffic Manager

Symptoms:
As part of a larger effort to refine Virtual Server Auto Discovery and monitoring, several changes were made to improve cross version interoperability and Virtual Server matching. As part of these fixes, an error was introduced which caused some virtual servers to be deleted and rediscovered. This removed them from the Pool they were assigned to, which can cause load balancing errors.

Conditions:
This can occur with Virtual Servers that were originally specified on a pre-folder aware version of BIGIP, such as 10.2.x. When they are discovered by a folder aware version, they may be deleted from the GTM config and re-added with "/Common/" prepended to the name.

Impact:
Some virtual servers will be removed from Pools. The virtual server will be deleted and recreated, but not added back to the pool. This will result in incorrect load balancing decisions.

Workaround:
Changing the GTM config to add the virtual servers back to the pool will resolve the issue.

Fix:
The discovery and monitoring of virtual servers has been made more robust to deal with cases of multiple GTM VSes pointing at the same LTM virtual, as well as naming/folderization issues.


513454-3 : An snmpwalk with a large configuration can take too long

Component: TMOS

Symptoms:
The snmpwalk will fail and the mcpd daemon could be restarted.

Conditions:
The configuration must be large so that the number of configured items related to the snmpwalk are in the tens of thousands.

Impact:
Failure to read SNMP data, mcpd restart and temporary loss of service.

Workaround:
Spread the configuration among more BIG-IPs or avoid running snmpwalks.

Fix:
Cache internal query data to optimize statistical queries.


513382-1 : Resolution of multiple OpenSSL vulnerabilities

Component: TMOS

Symptoms:
Resolved multiple vulnerabilities in OpenSSL. CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, CVE-2015-0293, CVE-2015-0209, CVE-2015-0288

Conditions:
None.

Impact:
Update of OpenSSL to resolve multiple vulnerabilities.

Workaround:

Fix:
Resolved multiple vulnerabilities in OpenSSL. CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, CVE-2015-0293, CVE-2015-0209, CVE-2015-0288


513294-8 : LBH firmware v3.07 update for BIG-IP 5000-/7000-series appliances

Component: TMOS

Symptoms:
The following issues may be observed on BIG-IP 5000-/7000-series appliances: 1. When a system shuts down due to a over temperature condition, the name of the sensor that triggered the shutdown does not display. 2. Unable to configure AOM IP address using the DHCP Menu Option, with the system responding with the message: Error: Failed to configure AOM management port. 3. TMOS may log a critical alarm for the 0.9 volt sensor even though the voltage is in the nominal range.

Conditions:
BIG-IP 5000-/7000-series appliances with LBH firmware versions prior to v3.07 may experience each of the above issues under the following corresponding conditions: 1. Over temperature, thermal shutdown. 2. When trying to configure an IP address for AOM using the N - Configure AOM network option. 3. When the host is powered off using the AOM menu, the LBH will detect an under voltage condition for all non-standby voltage rails.

Impact:
The impacts of these issues are: 1. The user cannot determine which sensor triggered the thermal shutdown. 2. Unable to configure the AOM address using DHCP. 3. There will be a single ltm log message indicating this critical alarm, however the voltage reported in the log message will be in the nominal range.

Workaround:
Corresponding workarounds include: 1. None. 2. None. 3. Do not power cycle the host with the AOM menu. This error does not occur with an AC power cycle.

Fix:
LBH firmware v3.07 update for BIG-IP 5000-/7000-series appliances now works as expected.


513283-1 : Mac Edge Client doesnt send client data if access policy expired

Component: Access Policy Manager

Symptoms:
If an access policy expires (for example, if a user took too long to enter password ) then BIG-IP Edge Client displays a new page with link "Start a New session". Clicking this link causes Edge Client for Mac to be detected as browser by BIG-IP APM.

Conditions:
Edge Client fpr <ac, access policy expires.

Impact:
Edge Client is detected as browser.

Workaround:
Click disconnect button and Connect buttons on Edge Client.

Fix:
APM no longer detects BIG-IP Edge Client for Mac as a browser when a user clicks "Start a New session" on access policy expired page.


513201-6 : Edge client is missing localization of some English text in Japanese locale

Component: Access Policy Manager

Symptoms:
Edge Client is missing localization of some English text in Japanese locale.

Conditions:
Edge Client in Japanese locale

Impact:
Edge Client shows some text in english

Workaround:

Fix:
BIG-IP Edge Client is correctly localized for Japanese locale.


513098-1 : localdb_mysql_restore.sh failed with exit code

Component: Access Policy Manager

Symptoms:
In certain scenarios, deleting a dynamic user entry from memory does not clear the entry from the underlying table.

Conditions:
This might occur when a dynamic user record is marked for deletion but has not yet been removed when the dynamic user representing that record is re-authenticated.

Impact:
Over time, the table grows in size due to stale records.

Workaround:

Fix:
Orphaned dynamic user records are now correctly deleted.


512383-3 : Hardware flow stats are not consistently cleared during fastl4 flow teardown.

Component: Local Traffic Manager

Symptoms:
The PVA stat curr_pva_assist_conn is not being updated properly for certain Fast L4 flows.

Conditions:
1) Fast L4 virtual server. 2) PVA-acceleration enabled. This occurs when the connection flow is not created because UDP traffic arrives at an undefined port on the virtual server. The curr_pva_assist_conn value is incremented though there are no active PVA flows. This can also occur when LTM get ICMP unreachable messages from the serverside.

Impact:
Stats counts for Fast L4 virtual server, curr_pva_assist_conn value and 'Current SYN Cache', show invalid counts. If the hardware SYN cookie protection is on, the SYN cookie protection may be activated when it is not supposed to.

Workaround:
None.

Fix:
Stats counts for Fast L4 virtual server, curr_pva_assist_conn value and 'Current SYN Cache', now show the correct counts.


512345-2 : Dynamic user record removed from memcache but remains in MySQL

Component: Access Policy Manager

Symptoms:
When the system fetches a dynamic user record from MySQL and places the record into memcache, the record might remain there in an unmodified state for ten days.

Conditions:
This occurs when a dynamic user record is removed from memcache but remains in MySQL, due to an intermittent race condition between apmd/memcache and localdbmgr.

Impact:
Dynamic user, if locked out, remains in memcache for ten days. During this interval, the dynamic user record is unusable.

Workaround:
The Admin can remove the user by deleting the associated memcache record.

Fix:
Now APM handles the condition in which a dynamic user record is removed from memcache but remains in MySQL due to an intermittent race condition between apmd/memcache and localdbmgr.


512245-7 : Machine certificate agent on OS X 10.8 and OS X 10.9 uses local host name instead of hostname

Component: Access Policy Manager

Symptoms:
Machine certificate agent checker on client might extract wrong certificate based on LocalHostName if it is not same as hostname. Machine certificate agent checker might fail.

Conditions:
BIG-IP APM with machine certificate agent.

Impact:
Machine certificate check might fail

Workaround:

Fix:
Machine Cert Auth agent passes on OS X 10.8 and OS X 10.9.


512148-1 : Self IP address cannot be deleted when its VLAN is associated with static route

Component: Local Traffic Manager

Symptoms:
A self IP address cannot be deleted when its VLAN is associated with a static route

Conditions:
The self IP address' VLAN is associated with a static route.

Impact:
Self IP address cannot be deleted.

Workaround:
Temporarily remove the static route entries, delete the self IP, and then add the static route entries again.

Fix:
A self IP now can be deleted even when its VLAN is associated with a static route, as long as at least one self IP exists on that VLAN. If the static route is IPv4, then an IPv6 self IP does not meet the requirement, and vice versa.


512062-2 : A db variable to disable verification of SCTP checksum when ingress packet checksum is zero

Component: Local Traffic Manager

Symptoms:
SCTP INIT multi-homing message will be dropped by BIGIP with checksum "0x00000000".

Conditions:
SCTP packet's verification tag is 0x00000000 and checksum also is 0x00000000.

Impact:
The SCTP packets with verification tag is 0x00000000 and checksum is 0x00000000 will be dropped.

Workaround:
N/A

Fix:
Add a db variable to disable verification of SCTP checksum when ingress packet's checksum is zero. The current default behavior is not changed if this db variable is not enabled.


511854-4 : Rewriting URLs at client side does not rewrite multi-line URLs

Component: Access Policy Manager

Symptoms:
Exception posted when rewriting multi-line URLs on the client side.

Conditions:
Using multi-line URLs in client-side JavaScript code.

Impact:
Web-application logic might not work as expected. The system might post a message similar to the following: Unable to get property '2' of undefined or null reference.

Workaround:
None.

Fix:
This release fixes client-side URL rewriting for multi-line URLs.


511196-1 : UMU memory is not released when remote logger can't reach its detination

Component: Application Security Manager

Symptoms:
UMU memory is printed in the bd.log as being held although there is no traffic in the system.

Conditions:
Remote logger has an unreachable detination

Impact:
Some memory is wasted and is not released for a long time

Workaround:
Fix the remote logger configuration, or the network issue

Fix:
We fixed UMU memory slow releases that occurred when the remote logger's destination was unreachable.


510979-1 : Password-less SSH access after tmsh load of UCS may require password after install.

Component: TMOS

Symptoms:
Should an account such as admin have password-less SSH access, after loading the UCS config or doing a live install and moving the config, their SSH access no longer works without a password.

Conditions:
User has .ssh/authorized_keys file owned with uid=0.

Impact:
tmsh load sys ucs config replaces the uid ownership of /home/user_name/.ssh/authorized_keys incorrectly, which prevents SSH access without passwords.

Workaround:
Create a directory in /var/ssh for each user, move .ssh/authorized_keys there, and then link to the moved file in the ~/.ssh directory. In that case, UCS load affects the link, but not the linked file, so password-less SSH access is maintained.

Fix:
Password-less SSH access is now maintained after tmsh load (or install and move config) of UCS.


510921-1 : Database monitors do not support IPv6 nodes

Component: Local Traffic Manager

Symptoms:
Unable to monitor IPv6 nodes.

Conditions:
Pool configured with a DB monitor (MySQL, MSSQL, Oracle or Postgres) and IPv6 nodes.

Impact:
IPv6 nodes are reported down and do not receive traffic.

Workaround:

Fix:
Database monitors now support monitoring IPv6 nodes.


510837-2 : Server initiated renegotiation fails with dhe_dss/ecdhe_ecdsa and ecdh_ecdsa ciphers. bigip sends bad client key exchange.

Component: Local Traffic Manager

Symptoms:
BIG-IP SSL when serves as a SSL client and the ciphers used are ECDHE_ECDSA or DHE_DSS, it will send a bad client key exchange to SSL server in server initiated renegotiation.

Conditions:
BIG-IP acts as a SSL client and the ciphers used are ECDHE_ECDSA or DHE_DSS in server initiated renegotiation.

Impact:
SSL handshake failed. The SSL server may reset the SSL connection with an error: digest check failed, or ssl handshake failed.

Workaround:
Do not use ciphers ECDHE_ECDSA or DHE_DSS.

Fix:
BIG-IP SSL now works well with ciphers ECDHE_ECDSA or DHE_DSS in server initiated renegotiation where BIG-IP acts as a client.


510720-1 : iRule table command resumption can clear the header buffer before the HTTP command completes.

Component: Local Traffic Manager

Symptoms:
iRule table command resumption can clear the header buffer before the HTTP command completes.

Conditions:
An HTTP request was attempted with an iRule table command that resumed after parking.

Impact:
Results in a SIGABRT. The header names might intermittently output incorrectly, and report empty names and/or parts of the request line.

Workaround:
None.

Fix:
iRule resumption after halting now works correctly.


510709-1 : Websso start URI match fails if there are more than 2 start URI's in SSO configuration.

Component: Access Policy Manager

Symptoms:
If more than 2 start URIs are configured, start URI parsing does not work correctly. This results in no start URI match and websso failure.

Conditions:
SSO error happens only if there are more than 2 start URIs configured in the SSO configuration.

Impact:
SSO V1(websso) fails for configured start URI due to start URI mismatch.

Workaround:
No workaround

Fix:
Websso config start URI parsing was wrong when there are multiple lines in start URI configuration. Websso start URI parsing is fixed.


510638-1 : [DNS] Config change in dns cache resolver does not take effect until tmm restart

Component: Local Traffic Manager

Symptoms:
Config change in DNS cache resolver does not take effect until tmm restart.

Conditions:
Make changes to LTM DNS cache resolver.

Impact:
Changes made to DNS cache resolver are not in effect until tmm restarts. For example, changes to the DNS cache resolver's parameters Max. Concurrent Queries and Allowed Query Time do not load into the system until tmm restarts.

Workaround:
Restart tmm after making changes, or create a new DNS cache profile.

Fix:
Config change in DNS cache resolver now take effect immediately and no longer require tmm restart.


510459-1 : In some cases Access does not redirect client requests

Component: Access Policy Manager

Symptoms:
A client may receive the following error message upon request: "The requested file could not be found on the server. Please contact system administrator."

Conditions:
Client requests received by Access running on BIG-IP versions 11.4.0 to 11.6.0 may encounter this issue.

Impact:
Client request is not fulfilled and error message received.

Workaround:
None

Fix:
Resolved issue in which clients receive a file not found message from Access due to out of date White List entry in OPSWAT.


510226-2 : All descriptions for ports-list's members are flushed after the port-list was updated

Component: Advanced Firewall Manager

Symptoms:
'Description' for port-list entries created from tmsh gets deleted when the corresponding port-list object is updated from GUI.

Conditions:
When a user updates an port-list object with member's description set, it gets deleted.

Impact:
User will lose the description value set for its members.

Workaround:
Not update the port list entry from GUI when its members have a 'description', or use tmsh to update port list

Fix:
Descriptions created for port list members from tmsh no longer get deleted when a user updates the port list object.


510224-2 : All descriptions for address-list members are flushed after the address-list was updated

Component: Advanced Firewall Manager

Symptoms:
'Description' for address-list entries created from tmsh gets deleted when the corresponding address-list object is updated from GUI.

Conditions:
When a user updates an address-list object with member's description set, it gets deleted.

Impact:
User will lose the description value set for its members.

Workaround:
Not update the address list entry from GUI when its members have a 'description.'

Fix:
Descriptions created for address list members from tmsh no longer get deleted when a user updates the address list object.


510159-1 : Outgoing MAP tunnel statistics not updated

Component: TMOS

Symptoms:
Outgoing statistics for MAP tunnels are not being shown in the 'tmsh show net tunnels command.

Conditions:
When sending bidirectional traffic over a MAP tunnel between a client and server across a DUT.

Impact:
Only incoming traffic is shown in the 'tmsh show net tunnels' command output. This is a cosmetic error, and does not indicate incorrect functionality.

Workaround:

Fix:
Outgoing statistics for MAP tunnels are now included in the 'tmsh show net tunnels command.


510119-4 : HSB performance can be suboptimal when transmitting TSO packets.

Component: TMOS

Symptoms:
For heavily fragmented TSO packets, it is possible to populate a high percentage of the HSB's transmit ring.

Conditions:
This can happen when transmitting large fragmented TSO packets.

Impact:
Suboptimal behavior might be seen when transmitting large fragmented TSO packets. There is a rare chance it can lead to a full or stuck transmit ring.

Workaround:
Disable TSO.


509934-1 : Blob activation fails due to counter revision

Component: Advanced Firewall Manager

Symptoms:
Activation of Blob failed after config from ucs files (saved config has policy with atleast 1 rule) and running config has a policy (with same name) without any rules

Conditions:
Running config has a policy (say policy name = X) with no rules and associated to a context. Saved config (UCS) has a different policy (but same name X) with at least 1 rule. When loading UCS (saved config), blob activation fails due to TMM not being able to revise counters for the new container.

Impact:
Activation fails

Workaround:
N/A

Fix:
Correct counter tracking


509919-2 : Customer may experience incorrect counter update for SelfIP traffic on cluster

Component: Advanced Firewall Manager

Symptoms:
SelfIP traffic is always handled on the primary blade on a cluster and if it's disaggregated to non-primary blade, it gets internally forwarded to the primary blade. Due to this, AFM was double classifying this traffic (only on cluster) causing incorrect AFM ACL/IPI counts.

Conditions:
SelfIP traffic is disaggregated to non-primary blade on a cluster and AFM is enabled

Impact:
Incorrect AFM ACL/IPI rule counters due to internal forwarding of SelfIP traffic on a cluster from non-primary to primary blade causing AFM to match/classify these packets twice.

Workaround:
None

Fix:
With the fix, self IP traffic on a cluster is counted correctly for AFM ACL/IPI matches.


509782-3 : TSO packets can be dropped with low MTU

Component: TMOS

Symptoms:
If an interface is configured with a low MTU, it is possible for the system to drop TSO packets. This can be observed looking at the tx_drop_tso_bigpkt stat in the tmm/hsb_internal_fsc table.

Conditions:
The interface is configured with a low MTU, usually 750 or lower. If TMM then attempts to use TSO for a packet, there is a chance this packet will be dropped.

Impact:
Large TSO packets are dropped.

Workaround:
Increase the MTU or disable TSO. If TSO is not disabled, three related fixes are needed to fully address the issue: -- ID 466260, covered in SOL15953: TMM may produce a core file with the 'Assertion we always have room in tx ring! failed' error message. -- ID 502238, covered in SOL16736: The BIG-IP system may lose connectivity and fail to process all traffic through TMM if the HSB is overloaded. -- ID 509782, covered in SOL16780: The BIG-IP system may drop TSO packets. The Solutions are available here: -- https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15953.html -- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16736.html -- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16780.html

Fix:
Three related fixes are needed to fully address the issue: -- ID 466260, covered in SOL15953: TMM may produce a core file with the 'Assertion we always have room in tx ring! failed' error message. -- ID 502238, covered in SOL16736: The BIG-IP system may lose connectivity and fail to process all traffic through TMM if the HSB is overloaded. -- ID 509782, covered in SOL16780: The BIG-IP system may drop TSO packets. The Solutions are available here: -- https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15953.html -- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16736.html -- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16780.html


509722-1 : BWC traffic blocked

Component: Access Policy Manager

Symptoms:
BWC traffic blocked when configured using percentages and the configuration is modified.

Conditions:
Modifying configurations of BWC categories using percentages.

Impact:
BWC traffic is blocked.

Workaround:
The workaround is to not configure with percentages but configure with bandwidth.

Fix:
The problem with modifying BWC configured percentages has been corrected.


509677-1 : Edge-client crashes after switching to network with Captive Portal auth

Component: Access Policy Manager

Symptoms:
When switching to a network with Captive Portal authentication, the Edge-client becomes unresponsive.

Conditions:
- Captive Portal uses https logon page - Network switching done by unplugging network cable from NIC or disconnecting from wireless network (not disabling network interface).

Impact:
Edge-client crashes

Workaround:
N/A

Fix:
Corrected invalid pointer by update pointer name.


509600-1 : Global rule association to converted policy is lost on one device in HA configuration.

Component: Advanced Firewall Manager

Symptoms:
Global policy appears to no longer be enabled after a period of time.

Conditions:
Using global rules on HA configuration.

Impact:
Global rule associations to converted policies are lost on one device.

Workaround:
Manually add back rules.

Fix:
Global rule associations to converted policies remain on both devices.


509504-5 : Excessive time to save/list a firewall rule-list configuration

Component: TMOS

Symptoms:
A configuration containing a large number of firewall rule-list::rules might take an excessively long time to save. Similarly, excessive times are seen for listing the firewall configuration.

Conditions:
Large number of AFM rules.

Impact:
A long time to save or list the configuration. While this issue was noticed for a firewall rule-list::rules configuration, the same issue might occur for deeply nested configurations.

Workaround:

Fix:
The save and list times for the numerous firewall rules/deeply nested configurations [example: firewall rule-list::rules] is significantly reduced.


509503-4 : tmsh load sys config merge file 'filename' takes signficant time for firewall rulelist configuration

Component: TMOS

Symptoms:
For certain configurations with deeply nested structures in it ex: some of the firewall rule rule-list configuration, requires excessive time for the tmsh load config file merge operation.

Conditions:
Configurations containing deeply nested structures.

Impact:
The time for the merge is significantly more than the time needed for load operation.

Workaround:
For customers who are affected of long load times during merging a configuration file into existing one, they can instead append the config file to the respective bigip_base.conf or bigip.conf file manually.

Fix:
The tmsh load sys config merge operation performance was optimized. With this optimization the time for merge operation is slightly greater than the load operation.


509490-2 : [IE10]: attachEvent does not work

Component: Access Policy Manager

Symptoms:
Websites are broken in Internet Explorer if they use postMessage to send objects. There could be errors in the JavaScript console.

Conditions:
Web application in Internet Explorer 8, 9 or 10 that uses window.postMessage() and recieves message with handler added through window.attachEvent() working through Portal Access.

Impact:
Web-Application cannot use Window.postMessage() to send data with Portal Access in Internet Explorer.

Workaround:
No

Fix:
The 'onmessage' handler added with window.attachEvent() now correctly recieves data sent through window.postMessage().


509273 : hostagentd consumes memory over time

Component: Centralized Management

Symptoms:
The hostagentd process on a vCMP host might consume more memory over time.

Conditions:
BIG-IP appliance or VIPRION blade/cluster with vCMP guests.

Impact:
Rarely, the vCMP host might run out of memory.

Workaround:
To work around this issue, you can disable guest health statistic collection on the vCMP host. To do so, perform one of the following procedures: Option 1: Disabling statistic collection for the tmsh show vcmp health command. Impact of workaround: This procedure affects values returned by the tmsh show vcmp health stats command. 1. Log in to the command line of the vCMP host appliance or primary blade of the cluster. 2. To disable statistic collection, type the following command: tmsh modify vcmp guest all capabilities add { stats-isolated-mode }. 3. To restart the hostagentd process, type the following command: a. On a BIG-IP appliance: bigstart restart hostagentd. b. On a blade in a VIPRION cluster: clsh bigstart restart hostagentd. Option 2: Disabling the hostagentd process Impact of workaround: This procedure affects health statistic collection, as well as the ability for guests to install from a host-provided ISO. 1. Log in to the command line of the vCMP host appliance or primary blade of the cluster. 2. To disable the hostagentd process, type the following command: a. On a BIG-IP appliance: bigstart stop hostagentd. b. On a blade in a VIPRION cluster: clsh bigstart stop hostagentd. 3. To exclude the hostagentd process from starting up after rebooting the system, type the following command: a. On a BIG-IP appliance: bigstart disable hostagentd. b. On a blade in a VIPRION cluster: clsh bigstart disable hostagentd.

Fix:
Fixed a rare vCMP host memory growth issue.


509108-1 : CGNAT PBA may log port-block allocation and port-block release log messages for a port-block which is already allocated to a different subscriber

Component: Carrier-Grade NAT

Symptoms:
CGNAT PBA may log port-block allocation(LSN_PB_ALLOCATED) and immediately followed by a port-block release(LSN_PB_RELEASE) log message for a port-block which is already allocated to a different subscriber.

Conditions:
This can happen if subscriber traffic is received when blade is being added/removed or when blade is failing or while HA failover is in progress

Impact:
Causes ambiguity in reverse mapping subscriber connections

Workaround:

Fix:
CGNAT PBA does not log port-block allocation and port-block release log messages for a port-block which is already allocated to a different subscriber during a blade add/remove/fail/HA failover


509037-1 : BIG-IP systems allows creating wild-card IPIP tunnels with the same local-address and tunnel-type

Component: TMOS

Symptoms:
MCPD accepts the wild-card IPIP tunnels with the same local-address and tunnel type (ip4ip6, ipip, ip6ip4, ip6ip6) without validation, although the configuration is eventually discarded in TMM.

Conditions:
Creating wild-card tunnels with the same local-address and IPIP tunnel-type.

Impact:
This incorrect configuration is allowed on the BIG-IP system without error.

Workaround:
Specify wild-card tunnel using different local-address and tunnel-type.

Fix:
Wild-card tunnel setup trials are now detected by BIG-IP system validation during creation time. The system disallows creation of wild-card tunnels with the same local-address and tunnel-type.


507853-1 : MCP may crash while performing a very large chunked query and CPU is highly loaded

Component: TMOS

Symptoms:
MCP crashes while performing a chunked query (such as 'tmsh show sys connection) that returns a large result if a connection to a TMM is severed (due to a zero-window timeout).

Conditions:
CPU is highly loaded.

Impact:
Failover (in a device cluster) or temporary outage (in a standalone system). A core file is generated that has a stack trace that includes a message similar to the following: error reading variable: Cannot access memory at address 0x1.

Workaround:
None.

Fix:
Ensured that MCP no longer crashes when performing a large chunked query and a connection to a TMM is severed.


507681-5 : Window.postMessage() does not send objects in IE11

Component: Access Policy Manager

Symptoms:
Websites are broken if they use postMessage to send objects in Internet Explorer 11. There could or could not be error in JavaScript console based on web application.

Conditions:
Web-Application that uses Window.postMessage() with Portal Access working in Internet Explorer 11.

Impact:
Web-Application can't use Window.postMessage() to send non-string data with Portal Access in Internet Explorer 11.

Workaround:
No

Fix:
Window.postMessage() now works in Internet Explorer 11.


507602-1 : Data packet over IPsec tunnel might be looping between cores after rekey if IPsec lifebyte is enabled

Component: TMOS

Symptoms:
IPsec lifebyte might cause inconsistent Security Association state among different cores. This might cause a memory leak and in some case data packets going through the IPsec tunnel can be looping between cores.

Conditions:
IPsec lifebyte is enabled in IPsec Policy configuration object on BIG-IP system or 3rd party IPsec device.

Impact:
Possible data packets looping and memory leak.

Workaround:
Disable lifebyte on IPsec devices on both end of the IPsec tunnel.

Fix:
IPsec lifebyte functions properly and leaves no inconsistent state on the BIG-IP device after rekey.


507575-1 : An incorrectly formated NAPTR creation via iControl can cause an error.

Component: TMOS

Symptoms:
NAPTR records are somewhat complicated and if an incorrect set of string arguments are passed to iControl, the string parsing can fail and generate unhelpful error messages.

Conditions:
Specifically, it is valid to have empty strings as some of the fields of a NAPTR record. However, these empty strings must be quoted as empty strings. An example of a valid empty string parameter foo.example.com. 19799 IN NAPTR 100 7 "u" "good" "" bar.example.com. Not quoting the empty parameter (after "good") confuses the parser into thinking that not enough parameters were passed. This causes a segfault and the error.

Impact:
Potential failure of iControl parsing.

Workaround:
Use quotes around empty strings such as: foo.example.com. 19799 IN NAPTR 100 7 "u" "good" "" bar.example.com.

Fix:
The string parser has been made tolerant of missing parameters for these records and will now report an error.


507529-1 : Active crash with assert: tmm failed assertion, non-zero ha_unit required for mirrored flow

Component: Local Traffic Manager

Symptoms:
A blade on the active system crashes in a configuration containing a performance layer 4 virtual server with connection mirroring enabled.

Conditions:
The chassis is configured for network mirroring within cluster. There is more than one blade installed in the system or vcmp guest. A virtual server has connection mirroring enabled and is associated with a virtual address that is not assigned a traffic-group (traffic-group is none).

Impact:
When the crash occurs, the blade posts the following assert: 'tmm failed assertion, non-zero ha_unit required for mirrored flow' and crashes.

Workaround:
Ensure that mirrored virtual servers are utilizing virtual addresses that are associated with a traffic group.


507321-3 : JavaScript error if user-defined object contains NULL values in 'origin' and/or 'data' fields

Component: Access Policy Manager

Symptoms:
If JavaScript application uses user-defined object which contains 'origin', 'source' and 'data' fields with NULL values, any attempt to get these values fires an error.

Conditions:
User-defined JavaScript object with 'origin', 'source' and 'data' fields and with NULL value in any of these fields, for example: var a = { origin: null , data:null , source:null }; Any attempt to read these values leads to JavaScript error in Portal Access scripts.

Impact:
Web application does not work correctly.

Workaround:

Fix:
Now user-defined JavaScript objects with 'origin', 'source' and 'data' fields may contain any values in these fields.


507312-1 : icrd segmentation fault

Component: TMOS

Symptoms:
icrd segmentation fault generates a core

Conditions:
Multiple signals to the same Quit signal handler

Impact:
Core generated

Workaround:
N/A

Fix:
Simplify std::map to an array to avoid problems with signal races.


506304-2 : UDP connections may stall if initialization fails

Component: Local Traffic Manager

Symptoms:
UDP connections that never expire. tmm logs containing 'hud queue full' errors.

Conditions:
UDP connections fail to initialize if the tmm's hud message queue is full. If these connections are flagged to not expire then they will linger forever.

Impact:
Stalled connections. Increased memory usage.

Workaround:

Fix:
UDP connections no longer stall if initialization fails.


506286-1 : TMSH reset of DOS stats

Component: Advanced Firewall Manager

Symptoms:
DOS stat reset via TMSH results in TMM restarts and cores.

Conditions:
Reset DOS stats via TMSH command

Impact:
TMM restarts and core files

Workaround:
N?A

Fix:
Corrected reset command to prevent core and restarts


506282-1 : GTM DNSSEC keys generation is not sychronized upon key creation

Component: Local Traffic Manager

Symptoms:
DNSSEC key generation is not synchronized upon key creation.

Conditions:
This occurs when creating LTM DNSSEC keys on one unit of a sync group.

Impact:
The keys are synced, but the key generation information is not.

Workaround:
Modify another parameter on the GTM system after DNSSEC key generation to trigger the sync operation.

Fix:
DNSSEC key generation is now synchronized upon key creation.


506223-2 : A URI in request to cab-archive in iNotes is rewritten incorrectly

Component: Access Policy Manager

Symptoms:
There are direct (not rewritten) requests in web application traffic (iNotes 8.5, 9)

Conditions:
Web application runs through Portal Access

Impact:
Installation of iNotes plug-ins is impossible. Some resources may be not loaded.

Workaround:

Fix:
Portal Access rewrites URIs correctly.


506199-4 : VCMP guests on VDAG platforms can experience excessive tmm redirects after multiple guest provisioning cycles

Component: TMOS

Symptoms:
When multiple VCMP guests are configured on a VDAG platform, It is possible through cycles of provisioning and deprovisioning the guests to cause switch rules that play a role in disaggregation to be programmed in an order that causes packets to reach the wrong TMM in a guest, thus causing lower dataplane performance.

Conditions:
On a configuration with at least two VCMP guests that share at least one blade on a VDAG-based platform, change the vCMP state to provisioned, then to configured, then to provisioned, and so on.

Impact:
The potential for decreased dataplane performance. In addition to potentially lower performance, the guest's tmm flow redirect statistics increment quickly in conjunction with traffic. To determine these stats, run a command similar to the following: config # tmctl -d blade tmm/flow_redir_stats. This presents results similar to the following: pg pu redirect_pg redirect_pu packets -- -- ----------- ----------- ------- 0 0 0 1 636991 Also, VDAG statistics on the host might show an imbalance in destination port hits for those assigned to a single guest. To determine these stats, run a command similar to the following: config # tmctl -d blade switch/vdag_dest_hits -w 200. This presents results similar to the following: slot dst_mod dst_port dst_trunk hits red_hits ---- ------- -------- --------- ------ -------- 1 1 0 0 0 0 1 7 0 0 0 0 1 13 0 0 0 0 1 19 0 0 0 0 1 0 0 0 0 0 1 1 5 0 509100 0 1 1 6 0 0 0

Workaround:
During a window in which a brief traffic interruption is acceptable, restart bcm56xxd on each effected blade in the host. On the host, run a command similar to the following: clsh bigstart restart bcm56xxd

Fix:
The system now ensures that VDAG entries get ordered correctly to avoid cases where VCMP guests on VDAG platforms might experience excessive TMM redirects after multiple guest provisioning cycles


506041-2 : Folders belonging to a device group can show up on devices not in the group

Component: TMOS

Symptoms:
All folders and partitions always get synced regardless of whether they are in the device group. If a user wants to utilize the same folder/partition scheme across multiple devices, this can lead to conflicts. In particular it can clobber the default route domain on a partition or rewrite the device group of a folder.

Conditions:
This only occurs during a full sync. This can occur if two different device groups use the same folder or partition names. For example, if there are two separate failover-sync groups in the same trust and they both sync a different set of objects in /MyHAFolder. This can also occur if a device has a local folder or partition with the same name as one in a device group.

Impact:
If a conflicted partition uses different default route domains, they will be overridden and may result in a sync error. Conflicted folders will inherit the configuration of the source of the config sync. This can override the device group, traffic group, and iApp reference of the folder.

Workaround:
Use unique partition and folder names across all devices in the trust group.

Fix:
Only folders and partitions in the device group will get synced. However, since multiple device groups can still share the same partition, there is still a chance that the route domain on the partition could get overridden if the two device groups use different route domains.


506034-3 : NTP vulnerabilities (CVE-2014-9297,CVE-2014-9298)

Component: TMOS

Symptoms:
CVE-2014-9297 CVE-2014-9298

Conditions:
CVE-2014-9297 CVE-2014-9298

Impact:
CVE-2014-9297 Summary: The vallen packet value is not validated in several code paths in ntp_crypto.c which can lead to information leakage or a possible crash of ntpd. CVE-2014-9298 Summary: While available kernels will prevent 127.0.0.1 addresses from "appearing" on non-localhost IPv4 interfaces, some kernels do not offer the same protection for ::1 source

Workaround:
Disable Autokey Authentication by removing, or commenting out, all configuration directives beginning with the crypto keyword in your ntp.conf file.

Fix:
Applied patches for CVE-2014-9297 and CVE-2014-9298


505331-1 : SASP Monitor may core

Component: Local Traffic Manager

Symptoms:
The SASP monitor unexpectedly terminates with a core dump.

Conditions:
More than one Group Workload Manager (GWM) server, and all servers are down at the same time.

Impact:
When the monitor cores, a pool member gets marked down, which might lead to an outage.

Workaround:
None.

Fix:
SASP monitor no longer cores when multiple Group Workload Manager (GWM) servers are down.


505222-2 : DTLS drops egress packets when traffic is large

Component: Local Traffic Manager

Symptoms:
DTLS drops egress packets when traffic is large

Conditions:
DTLS has egress queue with maximum elements 127(default). When traffic is large enough, the queue reaches the maximum limit and some packets are dropped.

Impact:
DTLS drops egress packets.

Workaround:
We can change the maximum elements from 127 to some bigger value by DB variable.

Fix:
In current implementation, DTLS sends CN requests one by one. DTLS sends one request, waits for the response and then sends another one. The fix is sending multiple requests currently to CN.


505097-1 : lsn-pool backup-member not propagated to route table after tmrouted restart

Component: Carrier-Grade NAT

Symptoms:
The lsn-pool backup-member prefix is not in the route table after tmrouted restart, when lsn-pool route-advertisement is enabled.

Conditions:
An lsn-pool with route-advertisement enabled, and backup-members, backup-member prefix not properly propagated to the route-domain routing table after tmrouted restart.

Impact:
No routes for lsn-pool backup-member prefix.

Workaround:
Remove and re-add lsn-pool backup members.

Fix:
The lsn-pool backup-member prefix is now present in the route table after tmrouted restart, when lsn-pool route-advertisement is enabled.


505059-1 : Some special characters are not properly handled for username and password fields in TCL monitors

Component: Local Traffic Manager

Symptoms:
Pool members are taken down

Conditions:
special characters like ", \ in the username or password fields in FTP, IMAP, POP3

Impact:
Pool members are taken down

Workaround:
Remove the special characters from the password and username.

Fix:
Handle special characters properly for username and password fields


505045-1 : MAP implementation not working with EA bits length set to 0.

Component: TMOS

Symptoms:
MAP implementation not working with EA bits length set to 0.

Conditions:
MAP-E tunnel profile is configured with (ea-bits-length == 0) and (ip4-prefix-length greater than 0). - Case when (ea-bits-length == 0) and (ip4-prefix-length is greater than 0). - Case when (ip6-prefix-length plus ea-bits-length, which is the MAP domain prefix-length) is greater than 48 bits. In this case, the Interface ID in the IPv6 destination address will be overwritten.

Impact:
MAP-E tunnel does not work.

Workaround:
None.

Fix:
MAP implementation is now working with EA bits length set to 0.


504899-2 : Duplicated snat-translation addresses are possible (a named and an anonymous (created by snatpool) one)

Component: Local Traffic Manager

Symptoms:
It is possible to have duplicated snat-translation addresses if one is explicitly created (named one) and the other is implicitly created when adding anonymous addresses to a snatpool.

Conditions:
No special conditions required other than to perform the configuration changes.

Impact:
As duplicated snat-translation addresses may exist, any change to an address entry which is assigned to an snatpool may not be affecting the right entry, this is: we have the following snat-addresses: snat_address_01 address 1.2.3.1 1.2.3.1(anonymous) address 1.2.3.1 And the following snatpool: snat_pool { 1.2.3.1 1.2.3.2 } If there is a change in snat_address_01 (which address is part of snat_pool (1.2.3.1)), then the actual snat_pool member (anonymous 1.2.3.1) will not be updated with the new setting and there will be no effect.

Workaround:


504627-1 : Valid sessions won't be deleted any more due to session inactivity.

Component: Policy Enforcement Manager

Symptoms:
Valid sessions may be deleted after 2 mins without session activity (traffic).

Conditions:
Sessions are created through RADIUS but stay with no traffic over 2 mins.

Impact:
Valid sessions fail due to lack of activity and the user must re-authenticate.

Workaround:

Fix:
Alive or Valid sessions won't be deleted before the timeout any more due to a lack of traffic.


504496-3 : AAA Local User Database may sync across failover groups

Component: TMOS

Symptoms:
APM units that are not in the same BIG-IP Sync-Failover group are sharing local user entries. The system may possibly also experience higher management CPU load as a result of frequently syncing the local user database.

Conditions:
There is at least one sync-failover group in the Device Management :: Device Groups list, and there are devices listed in Device Management :: Devices list that are not members of that sync-failover group (either standalone or members of another device group), and those devices are provisioned with APM.

Impact:
Unwanted sharing of local user database between sync-failover groups and/or standalone devices. The system may also experience higher management CPU load as a result of frequently syncing the local user database. Under severe conditions where the database is synced multiple times per minute continually for hours or days, the rapid syncing of the database may result in unexpected failover.

Workaround:

Fix:
AAA Local User Database now syncs correctly.


504494-2 : Upgrading to 11.5.0 and later might associate a disabled HA group to traffic groups.

Component: TMOS

Symptoms:
If the BIG-IP system has a disabled HA Group and is upgraded to 11.5.x or later, the disabled group might be associated with traffic groups on upgrade.

Conditions:
Pre-upgrade there is exists a HA Group that is disabled. Upgrade to 11.5.x or later from 10.2.x or 11.x (pre-11.5.0)

Impact:
If the BIG-IP system is rebooted after the upgrade, it's possible that the switch will fail over because the HA group score is used even though the HA group is disabled.

Workaround:
After the upgrade, check all traffic groups and ensure that none of them are configured to use a disabled HA Group.

Fix:
Upgrading to 11.5.0 and later no longer associates a disabled HA group to traffic groups. This is correct behavior.


504306-2 : https monitors might fail to re-use SSL sessions.

Component: Local Traffic Manager

Symptoms:
SSL handshakes for https monitors might fail to correctly re-use SSL session IDs.

Conditions:
A configuration that utilizes https monitors to servers that implement an SSL session cache. More servers utilizing the same https monitor make the problem more likely to occur. For the monitor flapping or false negative symptom in 11.5.0 or higher, a monitor must be configured for a combination of TLS 1.0 and TLS 1.2 servers.

Impact:
The bigd process might consume more CPU than necessary because it might always be performing complete SSL handshakes with monitored servers. BIG-IP version 11.5.0 or higher in environments with both TLS 1.0 and TLS 1.2 servers that perform SSL session caching may experience monitor flapping or servers that are marked down unexpectedly.

Workaround:
None.

Fix:
https monitors now properly perform SSL session re-use.


504105-4 : RRDAG enabled UDP ports may be used as source ports for locally originated traffic

Component: Local Traffic Manager

Symptoms:
RRDAG enabled UDP ports may be used as the source port on locally originated connections.

Conditions:
RRDAG is enabled

Impact:
Connections may be forwarded between tmms resulting in a performance impact

Workaround:

Fix:
RRDAG enabled ports can no longer be selected as a source port for locally originated connections.


504031-1 : document.write()/document.writeln() redefinition does not work

Component: Access Policy Manager

Symptoms:
document.write()/document.writeln() redefinition does not work. Initial function is used instead.

Conditions:
When web application JavaScript tries to redefine document.write() and/or document.writeln().

Impact:
Web application layout an/or logic can be broken.

Workaround:

Fix:
Web application JavaScript can successfully redefine document.write and document.writeln.


504021-1 : lsn-pool member routes not properly propagated to routing table when lsn-pool routing-advertisement is enabled

Component: Carrier-Grade NAT

Symptoms:
lsn-pool with route-advertisement enabled does not have routes properly propagated to the routing-table.

Conditions:
when route-domain routing protocol is enabled after lsn-pool route-advertisement is enabled and lsn-pool member added.

Impact:
route entries for lsn-pool members with route-advertisement enabled.

Workaround:
Either 1) restart tmrouted after enable routing-protocol for the desired route-domain. 2) toggle routing-advertisement on lsn-pool after enable routing-protocol for the desired route-domain.

Fix:
route-domain with routing-protocol enabled will have routes for lsn-pool members, regardless of ordering in which routing-protocol or route-advertisement is enabled.


503979-1 : High CPU usage when DNS cache resolver sends a large number of DNS queries to the backend name server.

Component: Local Traffic Manager

Symptoms:
When DNS cache resolver is resolving a DNS query, it might send queries to the backend name server iteratively. If the name server is responding slowly and the cache resolver is sending queries to name servers at a high rate, the CPU usage of the BIG-IP system might be vary high.

Conditions:
(1) Configure the cache resolver to have a large value (, for example, 40 KB) for both max-concurrent-queries and max-concurrent-udp. (2) The cache resolver sends queries to the name servers at a high rate. (3) The backend name server is responding slowly to the cache resolver.

Impact:
The CPU usage might be extremely high. Site might be unstable.

Workaround:
Configure the cache resolver to have a default value for both max-concurrent-queries and max-concurrent-udp.

Fix:
The CPU usage does not increase unexpectedly when the cache resolver sends a large number of DNS queries to slow backend name servers.


503652-4 : Some SIP UDP connections are lost immediately after enabling a blade on the Active HA unit.

Component: Service Provider

Symptoms:
When a blade is enabled on a cluster while it is actively processing SIP UDP traffic, some packets might be lost.

Conditions:
This occurs in an Active HA cluster containing VIPRION B2100 blades with the udp.hash value set to 'ipport' and client-side round robin TMM disaggregation enabled.

Impact:
Some SIP UDP traffic packets might be lost.

Workaround:
Do not enable a blade in a cluster while the blade is processing SIP UDP traffic.

Fix:
Some SIP UDP connections are now retained after enabling a blade on the Active HA unit.


503461-1 : Intermittent Javascript failure on Safari on Mac

Component: Fraud Protection Services

Symptoms:
On first page load, JavaScript encryption occasionally fails due to a bug in Safari's Javascript interpreter.

Conditions:
Open protected page in Safari

Impact:
Protection fails

Workaround:
Install 11.6.0 hotfix 4 or later

Fix:
FPS client-side code has been adapted to suit Safari on iOS and OSX.


503384-1 : SMTP monitor fails on multi line greeting banner in SMTP server

Component: Local Traffic Manager

Symptoms:
SMTP monitor fails

Conditions:
This issue occurs when a multi line greeting banner is configured in SMTP server.

Impact:
SMTP monitor fails.

Workaround:
To work around this issue, configure a single line greeting banner in SMTP server.

Fix:
SMTP monitor succeeds with multi line greeting banner in SMTP server.


503343-7 : TMM crashes when cloned packet incorrectly marked for TSO

Component: Local Traffic Manager

Symptoms:
TMM cores

Conditions:
1. Clone pool configured 2. Clone MTU > Client or Server MTU 3. tm.tcpsegmentationoffload db var in "disable" state 4. TSO enabled in client or server side interface 5. TSO disabled in clone interface

Impact:
Traffic disruption

Workaround:
Remove the configured clone pool

Fix:
Prevent TMM crash due to cloned packet incorrectly marked for TSO.


502443-4 : After enabling a blade/HA member, pool members are marked down because monitoring starts too soon.

Component: Local Traffic Manager

Symptoms:
The external monitoring daemon (bigd) sends monitoring traffic before tmm is ready to receive those responses. The response traffic is routed to a tmm on another blade/HA member. This tmm responds to the server with an ICMP "Unreachable" message. Meanwhile, the originating tmm on the new blade/HA member marks the pool member "down" because it never received the server's response.

Conditions:
Start with at least 1 blade enabled in a chassis or one HA member configured, and pass traffic constantly through a virtual server with a monitor-enabled pool attached. Then, enable a new blade in the cluster or a new HA member.

Impact:
Some packets are lost for several seconds. It can be longer depending on the total number of pool member.

Workaround:
Before adding a new blade to a chassis or a member to the HA configuration that is actively processing traffic, temporarily remove the monitor(s) from the pool. Once the new blade/HA member is up, manually add the monitor(s) back to the pool.

Fix:
When a VIPRION blade or BIG-IP HA member comes on-line, the bigd process on the blade/HA member no longer starts health monitors prematurely, which could have caused some monitored objects to be marked down incorrectly.


502238-3 : Connectivity and traffic interruption issues caused by a stuck HSB transmit ring

Component: TMOS

Symptoms:
Customers can experience sudden and permanent traffic interruption, impacting all traffic through TMM.

Conditions:
With TCP Segmentation Offload (TSO) enabled, it is possible to fill up the High-Speed Bridge (HSB) transmit ring, resulting in a stuck transmit ring. The exact conditions under which this occurs is unknown, but it requires sudden transmission of a number of large packets that require TSO in order to result in a full transmit ring.

Impact:
The HSB's transmit ring becomes stuck. This requires a TMM restart in order to clear.

Workaround:
Disable TSO. This can be done using the following steps: 1. tmsh modify sys db tm.tcpsegmentationoffload value disable 2. bigstart restart tmm. If TSO is not disabled, three related fixes are needed to fully address the issue: -- ID 466260, covered in SOL15953: TMM may produce a core file with the 'Assertion we always have room in tx ring! failed' error message. -- ID 502238, covered in SOL16736: The BIG-IP system may lose connectivity and fail to process all traffic through TMM if the HSB is overloaded. -- ID 509782, covered in SOL16780: The BIG-IP system may drop TSO packets. The Solutions are available here: -- https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15953.html -- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16736.html -- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16780.html

Fix:
Three related fixes are needed to fully address the issue: -- ID 466260, covered in SOL15953: TMM may produce a core file with the 'Assertion we always have room in tx ring! failed' error message. -- ID 502238, covered in SOL16736: The BIG-IP system may lose connectivity and fail to process all traffic through TMM if the HSB is overloaded. -- ID 509782, covered in SOL16780: The BIG-IP system may drop TSO packets. The Solutions are available here: -- https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15953.html -- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16736.html -- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16780.html


501516-5 : If a very large number of monitors is configured, bigd can run out of file descriptors when it is restarted.

Component: Local Traffic Manager

Symptoms:
When using a very large number of monitors, bigd may run out of file descriptors when it is restarted.

Conditions:
A system with a large number of monitors configured.

Impact:
bigd cores and gets into a restart loop; monitors no longer work properly. The ltm log might contain error messages similar to the following: socket error: Too many open files.

Workaround:
Reduce the number of monitors on the system.

Fix:
bigd no longer runs out of file descriptors during restart when using a very large number of monitors.


501494-1 : if window.onload is assigned null, then null should be retrieved

Component: Access Policy Manager

Symptoms:
After window.onload=null, non null value is returned from window.onload.

Conditions:
Web application that assigns null to window.onload and expects to obtain null in window.onload then.

Impact:
Web application logic can be broken.

Workaround:

Fix:
After window.unload=null, null is returned by getting value of window.onload;


501437-3 : rsync daemon does not stop listening after configsync-ip set to none

Component: TMOS

Symptoms:
If a device is not in a CMI configuration, but has configsync-ip set on its self device object, and this configsync-ip is set to none, an rsync daemon continues to listen on the old configsync-ip.

Conditions:
This occurs when the following conditions are met: -- Device is not in a CMI configuration. -- Self device has a configsync-ip set.

Impact:
The rsync server may continue to listen even after it is expected that it will not listen.

Workaround:

Fix:
The rsync daemon is now shut down properly when the configsync-ip is set to none, and no longer listens on configsync-ip.


500938-3 : Network Access can be interrupted if second NIC is disconnected

Component: Access Policy Manager

Symptoms:
Networks Access connection breaks if second NIC disconnects. Both NICs should be connected to same network. This happens for a specific Network Access configuration.

Conditions:
Network Access configuration: * Full tunnel with "Prohibit routing table changes during Network Access connection" set to true. * Split tunneling with "Prohibit routing table changes during Network Access connection" set to true, Address space is 0.0.0.0/0. Client with 2 NICs both connected to the same network.

Impact:
NA is interrupted.

Workaround:


500450-1 : ASM and APM on same virtual server caused Set-Cookie header modification done by ASM not honored by APM websso.

Component: Access Policy Manager

Symptoms:
With APM and ASM configured on the same virtual server, cookie validation on ASM could modify the Set-Cookie header sent by the application server or inject another Set-Cookie header. APM websso module does not honor the Set-Cookie modification, nor the injection. ASM subsequently causes the connection to reset.

Conditions:
With APM and ASM configured on the same virtual server, if cookie validation on ASM modifies the Set-Cookie header sent by the application server or injects another Set-Cookie header, then APM websso module does not honor this.

Impact:
Connection reset on the above condition.

Workaround:
Use layered virtual servers with an iRule virtual command to send traffic from the ASM virtual server to an APM virtual server with ARP disabled instead of having everything on one virtual server.

Fix:
The APM websso module is modified to handle an ASM use case. Now the websso reparses the HTTP 401 response header from the server at the client side in addition to the current parsing at server-side processing. With this fix any Set-Cookie modification or addition by ASM is sent to server in the response to 401 header.


500424-2 : dnatutil exits when reverse mapping one of the snippet results in "No tmms on the blade" error

Component: Carrier-Grade NAT

Symptoms:
DNATutil exits with the error "dnatutil: No tmms on the blade."

Conditions:
A DNAT state log entry that is interpreted as invalid

Impact:
DNATUtil will not be able to parse the whole log file for reverse mappings

Workaround:
remove the DNAT state chunk that produces the error.

Fix:
DNATUtil will continue on even if it encounters an error. It will report the error but not exit.


500234-4 : TMM may core during failover due to invalid memory access in IPsec components

Component: TMOS

Symptoms:
TMM cores when transitioning from standby to active.

Conditions:
This might occur when the following conditions are met: -- An IPsec tunnel is enabled. -- The BIG-IP system is a member of an HA pair. -- The BIG-IP system transitions from standby to active.

Impact:
TMM core leading to outage.

Workaround:

Fix:
Fixed a race condition that might have caused IPsec components to access previously freed memory.


499778-1 : A static subscriber's session is not deleted if master-IP is deleted from the subscriber's list of IPs

Component: Policy Enforcement Manager

Symptoms:
A stale session is left behind.

Conditions:
1. Create a session by sending radius start messages to static subscriber that learns IP addresses dynamically. 2. remove master IP from static subscriber list. 3. delete static subscriber. 4. Use pem_sessiondump --list to see that the session is not deleted.

Impact:
No functional issue.

Workaround:

Fix:
Reprovison session if IP removed/added in SSP case too. This will fix session delete if Master IP being removed


499422-1 : An optimistic ACK sent by a server in response to a BIG-IP FIN/ACK packet result in a FIN/ACK storm.

Component: Local Traffic Manager

Symptoms:
An optimistic ACK sent by a server in response to a BIG-IP FIN/ACK packet result in a FIN/ACK storm.

Conditions:
When an ACK with an "invalid" sequence number is received, the resulting calculations involving the incoming seqno and rcv_nxt causes an outgoing ACK to be generated which will repeat if the server behavior repeats.

Impact:
Many connections delayed and CPU usage is very high, peak usage is around 90%. Traffic suffer a severe deterioration.

Workaround:

Fix:
This problem is now corrected by ensuring that when outgoing ACK is being generated that the FIN is stripped if it is not a retransmission of the FIN.


499315-1 : Added "Collect full URL" functionality.

Component: Application Visibility and Reporting

Symptoms:
Added functionality to collect the full URL (with host name) to AVR statistics.

Conditions:
In tmsh, run the command: modify sys db avr.includeserverinuri value disable Run traffic with the URL http://172.29.33.87/debug The URL that will be written to the lookup table is: "/debug" In tmsh, run the command: modify sys db avr.includeserverinuri value enable Run traffic with the URL http://172.29.33.87/debug The URL that will be written to the lookup table is: "172.29.33.87/debug"

Impact:
Now possible to collect full URLs

Workaround:

Fix:
Added functionality to collect the full URL (with host name) to AVR statistics.


499260-3 : Deleting trust-domain fails when standby IP is in ha-order

Component: TMOS

Symptoms:
Deleting trust-domain fails when the ha-order traffic group contains a standby unit's IP address.

Conditions:
This occurs when there is a non-local device that is used by the HA order in one of the traffic groups.

Impact:
Unable to delete trust domain. The tmsh command 'delete cm trust-domain all' intermittently hangs. Pressing Ctrl + C shows: Unexpected Error: Could not reset trust-domain (error from devmgmtd): Error reading from server...' In the /var/log/ltm the system posts the message: 'err devmgmtd[7887]: 015a0000:3: -unknown- failed on -unknown-.devicegroup: 01071761:3: Cannot delete device (bigipsystem.example.com) from device group (/Common/sync-failover-1) because it is used by HA order on traffic group (/Common/traffic-group-2)'.

Workaround:
Retrying sometimes succeeds. Removing the ha-order traffic group also allows the operation to succeed.

Fix:
Deletion of a device trust domain now completes successfully when the BIG-IP system is a member of a device trust domain configured with a traffic group high-availability order that references a device other than the local system.


498992-6 : Troubleshooting enhancement: improve logging details for AWS failover failure.

Component: TMOS

Symptoms:
Logging information on BIG-IP VE for Failover on AWS was inadequate and did not provide the reason for failures in Failover.

Conditions:
Traffic-group failover sometimes failed without providing specific reason for the failure.

Impact:
Because of the lack of proper logging messages that could pin-point the mis-configuration or connectivity issues on AWS, it was difficult for customers to figure out what is causing the Failover to fail.

Workaround:
Adding more logging information in failover script resolves this issue and provides enough information to the customer to detect problems in failover.

Fix:
Added more logging details for AWS failover failure to assist in detecting problems in failover.


497742-3 : Some TCP re-transmits on translucent vlangroup skip bit-flip on source MAC address

Component: Local Traffic Manager

Symptoms:
Some packets re-transmitted as part of a full-proxy, non-SNAT'd TCP virtual server on a translucent-mode vlangroup do not correctly have the translucent-mode bit-flip applied.

Conditions:
This occurs with a translucent vlangroup and full virtual server with no SNAT.

Impact:
Egressing traffic with the source-MAC of another host can potentially lead to traffic loops.

Workaround:
Enable SNAT on the virtual server.

Fix:
All TCP re-transmits have the proper source MAC address.


497627-3 : Tmm cores while using APM network Access and no leasepool is created on bigip.

Component: Access Policy Manager

Symptoms:
TMM cores in Network Access scenario when no leasepool is created on the BIG-IP system and IP address assignment is done through the Variable Assign agent (mcget {session.ldap.last.attr.vpnClientIp}).

Conditions:

Impact:
TMM process cores.

Workaround:
To work around the problem, create a leasepool on the BIG-IP system; it does not need to be attached to an access policy.

Fix:
TMM does not core now.


497564-2 : Improve High Speed Bridge diagnostic logging on transmit/receive failures

Component: TMOS

Symptoms:
When an HSB transmitter or receive failure occurs, no information is provided on the state of the HSB transmit/receive rings prior to the failure.

Conditions:
The HSB experiences a transmitter or receive failure.

Impact:
The unit is rebooted.

Workaround:


497389-1 : Extraneous dedup_admin core

Component: Wan Optimization Manager

Symptoms:
There have been some extraneous dedup_admin cores generated during system shutdown.

Conditions:
Race condition during shutdown of vcmp with 2 blades.

Impact:
Extraneous dedup_admin core generated.

Workaround:
None

Fix:
Missing virtual destructor was added.


497304-1 : Unable to delete reconfigured HTTP iApp when auto-sync is enabled

Component: TMOS

Symptoms:
When deleting an HTTP iApp, the system posts errors similar to this in the LTM log, along with similar sync errors in the GUI: -- err mcpd[6629]: 01070265:3: The HTTP Profile (/Common/http-test-farm1.app/http-test-farm1_http) cannot be deleted because it is in use by a sflow http data source (16). -- err mcpd[6629]: 01071488:3: Remote transaction for device group /Common/HA_Group to commit id 895 6070871290648001573 /Common/cr-ltm-bb2.ns.uwaterloo.ca 0 failed with error 01070265:3: The HTTP Profile (/Common/http-test-farm1.app/http-test-farm1_http) cannot be deleted because it is in use by a sflow http data source (16).

Conditions:
Auto-sync must be enabled. HTTP iApp must have been reconfigured prior to deleting the iApp.

Impact:
Sync failure. Cannot delete the iApp manually after the error occurs.

Workaround:
Do not use auto-sync. If the sync failure has already occurred, refer to SOL13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/kb/en-us/solutions/public/13000/000/sol13030.html) for information on how to restore configuration sync.

Fix:
Ensure the sFlow data source is removed from an HTTP profile when it is deleted.


497299-5 : Thales install fails if the BIG-IP system is also configured as the RFS

Component: Local Traffic Manager

Symptoms:
Thales install fails.

Conditions:
This occurs when the BIG-IP system is also configured as the RFS.

Impact:
Cannot use Thales HSM with the BIG-IP system.

Workaround:
In the following procedure, when running nethsm-thales-rfs-install.sh, the script returns the IP address used by the RFS server. Use that IP address when running the 'rfs-setup' command. When prompted with: Did you successfully run the above 'rfs-setup' command on the RFS server? (Yes/No), perform the following steps: 1. Open a new SSH connection to the BIG-IP system. 2. Run the following command: /opt/nfast/bin/rfs-setup --force -g --write-noauth x.x.x.x. 3. Return to nethsm-thales-install.sh SSH screen and answer 'Yes'. The script should now exit with a success message.

Fix:
Thales install script now runs successfully when the BIG-IP system is also configured as the RFS.


497078-1 : Modifying an existing ipsec policy configuration object might cause tmm to crash

Component: TMOS

Symptoms:
Modifying an existing ipsec policy configuration object might cause tmm to crash

Conditions:
Modifying an existing ipsec policy configuration object that's not associated with any traffic selector that's assigned to an ikev2 ike peer configuration object.

Impact:
tmm crash

Workaround:
Delete and re-create the ipsec policy mcp object

Fix:
tmm will not crash when user modify an existing ipsec policy configuration object


496775-3 : [GTM] [big3d] Unable to receive mark LTM virtual server up if there is another VS with same ltm_name for bigip monitor

Component: Global Traffic Manager

Symptoms:
[GTM] [big3d] Unable to mark LTM virtual server up if there is another virtual server with same ltm_name for bigip monitor.

Conditions:
LTM (running BIG-IP software older than v11.2.X) with a virtual server: /Common/http_vip with destination /Common/192.168.10.34:80. GTM (running BIG-IP software newer than v11.5.0) with this LTM as a BIG-IP Server. Two virtual servers on LTM: One with the original LTM virtual server address, and the other with the translated address: 1. name ltm_http_vip :: destination 192.168.10.34:80 :: monitor /Common/bigip. 2. name ltm_http_trans_vip :: destination 10.10.10.34:80 :: translation-address 192.168.10.34:80 :: monitor /Common/bigip.

Impact:
Both virtual servers are marked up for a brief interval. After a few minutes, one of them is marked down.

Workaround:
You can use either of the following workarounds: -- Use a monitor other than bigip. -- Replace /shared/bin/big3d on the LTM system with a copy of a version v11.2.1 big3d.

Fix:
The bigip health monitor no longer incorrectly marks down virtual servers with a duplicate ltm-name when there are BIG-IP GTM systems with differing software versions monitoring BIG-IP LTM virtual servers using the bigip monitor.


496758-5 : Monitor Parameters saved to config in a certain order may not construct parameters correctly

Component: Local Traffic Manager

Symptoms:
When configuring both a monitor and a child monitor, if the two monitors are saved in reverse order, the default monitor parameters will not be created. For example: ltm monitor tcp /Common/child { defaults-from /Common/parent destination *.990 interval 5 ip-dscp 0 time-until-up 0 timeout 16 } ltm monitor tcp /Common/parent { defaults-from /Common/tcp destination *:* interval 5 ip-dscp 0 time-until-up 0 timeout 16 } Some of the default parameters for the above configuration will not be created upon loading config.

Conditions:
This occurs when there are at least two monitors, and the child custom monitor appears before the parent monitor. Must have a parent that derives from a root monitor, and a child that derives from the parent monitor.

Impact:
Possible undefined behavior in bigd, and failing iControl calls. On performing a 'tmsh load sys config verify' the system posts an error message similar to the following: 01070740:3: Performance monitor /Common/http-a may not have the manual resume feature. Unexpected Error: Validating configuration process failed.

Workaround:
A possible workaround involves switching the order of the monitors in the config file. This can either be accomplished manually, or by naming things in alphabetical order, such that the parent precedes the child: ltm monitor tcp /Common/aaa_parent { defaults-from /Common/tcp destination *:* interval 5 ip-dscp 0 time-until-up 0 timeout 16 } ltm monitor tcp /Common/bbb_child { defaults-from /Common/aaa_parent destination *.990 interval 5 ip-dscp 0 time-until-up 0 timeout 16 }

Fix:
The system now handles a configuration in which a child custom monitor precedes the parent's, so that monitor parameters are constructed properly.


495836-2 : SSL verification error occurs when using server side certificate.

Component: Local Traffic Manager

Symptoms:
SSL is stuck at signature check for server side certificates and hence can't complete the SSL handshake.

Conditions:
The issue can be seen when it meets the following conditions: 1. The backend server is Microsoft IIS or Netty. 2. serverSSL profile requires server side certificate authentication.

Impact:
SSL handshake fails. The handshake hangs until the timeout.

Workaround:
To work around this issue, you can configure the back-end Netty based SSL servers to use a Certificate Authority (CA) signed certificate. Otherwise, do not use use 'peer-cert-mode require'.

Fix:
SSL verification error no longer occurs when using server side certificate.


495557-1 : Ephemeral node health status may report as 'unknown' rather than the expected 'offline'

Component: Local Traffic Manager

Symptoms:
Ephemeral node health status may report as 'unknown' rather than the expected 'offline'.

Conditions:
Change the monitor rule on the node several times.

Impact:
Node may be in unknown status when it should be offline.

Workaround:
Reset bigd.

Fix:
Ephemeral node health status now reports 'offline' rather than 'unknown' in cases in which the monitor is offline.


495526-1 : IPsec tunnel interface causes TMM core at times

Component: TMOS

Symptoms:
Before traffic passes through an IPsec tunnel interface, if users choose to modify the tunnel interface attributes, such as MTU value, TMM cores.

Conditions:
When IPsec tunnel interface has its configuration is modified.

Impact:
Site unavailable.

Workaround:
Avoid modifying IPsec tunnel interface. Configure IPsec tunnel interface in one shot, using either create or delete.

Fix:
TMM no longer cores if users choose to modify the tunnel interface attributes, such as MTU value.


495525-1 : iApps fail when using FQDN nodes in pools

Component: iApplications

Symptoms:
Use of FQDN nodes causes errors in almost all f5-supported iapps.

Conditions:
1. create an FQDN node named "foo" that refers to the fqdn "www.foo.com" 2. create an iapp instance using the attached ephemeral_example template 3. enter "foo" when prompted by the iapp for a node name 4. click "finished" and observe the pool in the component view 5. click "reconfigure" 6. click "finished".

Impact:
iApp will throw an error: "0107189b:3: Cannot delete ephemeral object: /Common/foo-173.194.33.144."

Workaround:
none

Fix:
The iApp mark-and-sweep framework should be modified to ignore ephemeral pool members when modifying iApp-managed pools.


495432-2 : Add new log messages for AFM rule blob load/activation in datapath.

Component: Advanced Firewall Manager

Symptoms:
Prior to fix, as AFM rule blob is compiled/serialized by pktclass-daemon and TMM is notified to activate it in datapath, there is no visibility to identify if the activation failed or succeeded.

Conditions:
AFM rule serialization message is processed by TMM

Impact:
End user lacks any visibility if the AFM rule serialized blob is successfully being used in the data path.

Workaround:
None

Fix:
With the fix, now we log message (in /var/log/ltm) as AFM rule serialized blob is activated in data path.


495336-1 : Logon page is not displayed correctly when "force password change" is on for local users

Component: Access Policy Manager

Symptoms:
When more than one logon page is configured in the Access policy and the localdb user has "force password change" enabled, the user is required to change password after successful first login. However, the system prompts the user to "Change Password" again instead of displaying the second logon page.

Conditions:
The issue is caused by not clearing certain session variable after the successful password change.

Impact:
HIGH

Workaround:
The current workaround is to add 'Variable Assign' agent in the LocalDB Auth Successful branch with custom variable, for example: session.logon.page.challenge = expr { 0 }

Fix:
The code has been fixed to reset the relevant session variable after the successful password change.


494743-1 : Deterministic NAT translation cannot reverse-map after blade failure on p8

Component: Carrier-Grade NAT

Symptoms:
TMM translation after blade failure or startup does not agree with dnatutil reverse map results for client address.

Conditions:
On p8 platform, when a blade fails, translation made by TMM can not be reverse map by dnatutil. This can also occur on startup.

Impact:
p8 platform with multiple blades with LSN deterministic NAT

Workaround:
Change LSN Pool members for LSN deterministic NAT pools, which will trigger a deterministic NAT data rebuild.

Fix:
TMM translations after blade failure or startup can be properly reverse-mapped by dnatutil.


494637-2 : localdbmgr process in constant restart/core loop

Component: Access Policy Manager

Symptoms:
The localdbmgr process keeps crashing repeatedly.

Conditions:
The issue is caused by corruption in the contents stored in the memcache. Although the conditions under which the memory corruption occurs are not reproducible, this is a rarely occurring issue.

Impact:
The localdbmgr process crashes repeatedly.

Workaround:
None.

Fix:
The localdbmgr process has been updated in order to gracefully handle corruption in the memcache contents.


494565-4 : CSS patcher crashes when a quoted value consists of spaces only

Component: Access Policy Manager

Symptoms:
CSS content that contains some spaces between quotes leads to rewrite crash. Example: ... background: url(' ') // some spaces between quotes ...

Conditions:
Conditions leading to this problem include any case when CSS content contains a quoted value which consists of spaces only.

Impact:
The impact of this issue causes a rewrite crash which leads to a possible web application malfunction.

Workaround:
To work around this issue, create a particular iRule that removes mentioned spaces between quotes.


494122-2 : Deterministic NAT state information from HSL is not useable on p8

Component: Carrier-Grade NAT

Symptoms:
Deterministic NAT HSL state information is not useable by dnatutil, resulting in "Unparseable line" error.

Conditions:
Deterministic NAT and HSL logging for LSN pool on a p8 platform

Impact:
using the HSL logged state information for dnatutil

Workaround:
Use LTM logged deterministic NAT state information.

Fix:
dnatutil can use HSL logged state information for deterministic NAT on p8


493993-6 : TMM crashes on the standby when starting up in HA config and Active processing traffic in APM module

Component: Access Policy Manager

Symptoms:
On a standby unit, TMM dumps core files when it is starting up and continues to do so when the active unit is handling traffic in the APM module.

Conditions:
The issue happens on APM systems when high availability is configured and the following conditions are met: 1. The active device is busy processing traffic. 2. Some sessions on the active device are terminated. 3. The TMM in standby device is starting up.

Impact:
TMM on the standby device crashes with SEGV, which causes existing sessions not stored on the standby device and users have to re-login should failover occur.

Workaround:

Fix:
In APM HA environments, the system now prevents global status from being updated before the initialization is completed on a standby device. TMM on the standby no longer dumps core files on startup.


493791-2 : iApps do not support FQDN nodes

Component: TMOS

Symptoms:
All iApps fail when FQDN nodes are included as pool members in an iApp-generated pool.

Conditions:
- Create an pool with nodes devined by FQDN - Attempt to Reconfigure, or even just open, make no change, and click update button, on an iApp

Impact:
GUI shows errror 'script did not successfully complete: (field not present: "address"...'

Workaround:
Create the pool outside of the iApp and attach it with the "use existing pool" option, which is a feature of all recent F5 iapps.


493246-2 : SNMP error: Unknown Object Identifier (Index out of range:0 ) for sysCpuSensorSlot

Component: TMOS

Symptoms:
An SNMP query for sysCpuSensorSlot 0 returns 'Unknown Object Identifier (Index out of range:0 ) for sysCpuSensorSlot'.

Conditions:
SNMP query for sysCpuSensorSlot 0.

Impact:
SNMP MIB variable sysCpuSensorSlot 0 is not available.

Workaround:
Use the command 'tmctl cpu_info_stat' on the BIG-IP system to retrieve the sysCpuSensorSlot value.

Fix:
The software that generates the F5 BIG-IP MIBs has been updated to allow a slot 0 return value.


493213-1 : RBA eam and websso daemons segfaulting while provisioning

Component: TMOS

Symptoms:
Crash while provisioning

Conditions:
This sometimes seem to happen with only APM being provisioned and not being tested for APM functionality.

Impact:
RBA eam and websso daemons are segfaulting

Workaround:
none


492701-3 : Resolved LSOs are overwritten by source device in new Policy Sync with new LSO

Component: Access Policy Manager

Symptoms:
Previously resolved Location-Specific Object (LSO) on target devices are overwritten by values on source device in a new Policy Sync operation with new LSO to resolve.

Conditions:
Perform a Policy Sync on a profile with LSO, make changes to the LSO on resolution. Perform another Policy Sync on the same profile with new LSO that requires resolution

Impact:
Previously customized values for LSO on target device are lost.

Workaround:
Config the value back on target device after the new sync.

Fix:
Customized LSO values on target device from previous Policy Sync will be retained after a new Policy Sync with new LSO.


492352-3 : Mismatch ckcName between GUI and TMSH can cause upgrade failure

Component: Local Traffic Manager

Symptoms:
Make the ckcName of clientssl_certkeychain same as TMSH. Case 1: clientssl_certkeychain includes key/cert TMSH uses <key-name> as ckcName GUI uses <key-name>.key as ckcName Case 2: clientssl_certkeychain includes key/cert/chain TMSH uses <key-name>_<chain-name> as ckcName GUI uses <key-name>.key as ckcName The fix is making GUI same as TMSH.

Conditions:
Use GUI to create one SSL profile, then upgrade it.

Impact:
The upgrade failure since the mismatch ckcName between GUI and TMSH.

Workaround:

Fix:
Make ckcName same for both GUI and TMSH


492305-1 : Recurring file checker doesn't interrupt session if client machine has missing file

Component: Access Policy Manager

Symptoms:
If file required for recurring file checker agent is deleted on client machine when session already established - session would not be interrupted.

Conditions:
File checker agent is used. Recurring check is enabled for it.

Impact:
Session is not interrupted when it should be.

Workaround:

Fix:
Now session is interrupted when file required for recurring file check is missing.


492287-1 : Support Android RDP client 8.1.3 with APM remote desktop gateway

Component: Access Policy Manager

Symptoms:
Support Android RDP client 8.1.3 with APM remote desktop gateway

Conditions:

Impact:
User's cannot run up-to-date official Android RDP client against APM as RDG.

Workaround:

Fix:
Support Android RDP client 8.1.3 with APM remote desktop gateway


492163-3 : Applying a monitor to pool and pool member may cause an issue.

Component: TMOS

Symptoms:
Typically, when applying a monitor to pool and a monitor to pool member, there are no issues. In a scenario where the pool monitor is incompatible with the pool member, it can cause validation issue.

Conditions:
A scenario where the pool monitor is incompatible with the pool member, it can cause validation issue. For example, a pool with an http monitor and a wildcard pool member (even if pool member had its own monitor).

Impact:
Failed transaction or configuration load.

Workaround:
Remove the pool monitor, load, then add pool monitor back.

Fix:
Instances in which the pool monitor is incompatible with the pool member are now validated correctly.


492149-3 : Inline JavaScript with HTML entities may be handled incorrectly

Component: Access Policy Manager

Symptoms:
If JavaScript code is included into an HTML page and contains HTML entities inside, it may be processed incorrectly by Portal Access.

Conditions:
HTML page which contains inline JavaScript code with HTML entities inside.

Impact:
Web application does not work as expected.

Workaround:
Use an iRule for each individual case to correct this behavior.

Fix:
Now JavaScript code with HTML entities inside is processed correctly.


491771-2 : Using catch to supress 'invalid command' errors resulting from invalid use of [] around a parking command in a proc can cause TMM to panic

Component: Policy Enforcement Manager

Symptoms:
If inside a proc, a parking command (like table, session, open, send, RESOLVE::lookup) is incorrectly placed within square brackets (meaning the result is to be evaluated as a command by the superior "catch" block) and the error is suppressed by the catch block, TMM will core with a SIGFPE panic and this message: panic: TclExecuteByteCode execution failure: end stack top < start stack top Example (THIS CODE MAY CAUSE TMM TO CRASH if this procedure is called): proc id491771 { # WILL CAUSE TMM TO CRASH catch { [table lookup "key"] } } The correct usage of "catch" is without the brackets: proc id491771 { catch { table lookup "key" } }

Conditions:
1) A parking command like "table" 2) The very next operation generates an error 3) Both commands are inside a "catch" block 4) And this catch block exists within a proc

Impact:
TMM cores with a SIGFPE and this panic string: panic: TclExecuteByteCode execution failure: end stack top < start stack top

Workaround:
Any command which completes without parking after the parking command but before the error will prevent the issue. For instance set A "a" Another solution is to move "catch" statement outside of proc into body of script. Alternately remove the square brackets that indicate that the result of the command should be evaluated in this specific case. The use of brackets in this way is likely a mistake in coding of the iRule.


491716-2 : snmp_similint_test_15370.py failed because of bug fix 483508

Component: TMOS

Symptoms:
Bug fix 483508 introduced an attribute translation of a ulong value limited by a range to MIB type Gauge rather than Integer. MIB attributes with ranges must always be type Integer and this mismatch was correctly detected by the snmp_similint_test.

Conditions:
SNMP queries to some F5 enterprise OIDs.

Impact:
The attribute type mismatch may cause some MIB browsers to report errors because of a failure to strictly adhere to the SNMP standard.

Workaround:

Fix:
All F5 enterprise MIB attribute which include a limited value range have been changed to type Integer.


491556-7 : tmsh show sys connection output is corrected

Component: TMOS

Symptoms:
tmsh show sys connection output is corrupted for certain user roles.

Conditions:
This occurs for users with user roles that do not have access to all partitions.

Impact:
The output from tmsh show sys connection is corrupted. After issuing this command, the output of subsequent tmsh commands might not be correct or complete.

Workaround:
Quit out of tmsh. Restart the shell. Do not use the show sys connection command for users that do not have access to all partitions. Use the GUI instead to get this information.

Fix:
tmsh show sys connection output is correct for users that do not have access to all partitions.


491165-1 : Legal IP addresses sometimes logged in Attack Started/Stopped message.

Component: Advanced Firewall Manager

Symptoms:
Sometimes legal IP addresses are logged as attack started/stopped messages.

Conditions:
AFM licensed and provisioned and Sweep & Flood Vector enabled.

Impact:
Logging.

Workaround:
N/A

Fix:
IP addresses are not logged any more for START/STOP messages. Only sampled messages will have packet details.


490893-4 : Determinstic NAT State information incomplete for HSL log format

Component: Carrier-Grade NAT

Symptoms:
Deterministic NAT state information incomplete for HSL log format, could possibly result in incorrect reverse and forward map for dnatutil when using with HSL logged state information.

Conditions:
Found to affect A112 with HTSPLIT enabled, when using dnatutil with HSL logged deterministic NAT state for reverse map.

Impact:
Reverse and forward map could be incorrect when use with HSL logged deterministic NAT state information.

Workaround:
Use LTM logged deterministic NAT state information for reverse or forward map.

Fix:
HSL logged deterministic NAT state information can be use to correctly forward and reverse map.


490830-4 : Protected Workspace is not supported on Windows 10

Component: Access Policy Manager

Symptoms:
APM does not support Protected Workspace on Windows 10

Conditions:
Protected Workspace action configured on BIG-IP APM server. Users connecting to BIG-IP APM using Windows 10 client.

Impact:
Users cannot use Protected Workspace feature on Windows 10.

Workaround:
n/a

Fix:
Protected Workspace disabled on Windows 10 client.


490713-3 : FTP port might occasionally be reused faster than expected

Component: Local Traffic Manager

Symptoms:
FTP port is randomly selected and occasionally might be reused quickly.

Conditions:
FTP active mode. Source Port is set to change.

Impact:
FTP port might occasionally be reused faster than expected.

Workaround:

Fix:
FTP port selection uses a round robin method to avoid quick-reuse as much as possible.


490429-2 : The dynamic routes for the default route might be flushed during operations on non-default route domains.

Component: Local Traffic Manager

Symptoms:
The dynamic routes for the default route might be flushed during operations on non-default route domains. For example when non-default route domain is deleted TMM, the operation also removes routes in the default route domain.

Conditions:
This happens on configuration changes and failover.

Impact:
Routing in default route domain might be impacted until tmrouted is restarted.

Workaround:
Avoid deleting non-default route domains. Issuing a bigstart restart tmrouted returns the system to a consistent state.

Fix:
The dynamic routes for the default route are no longer flushed during operations on non-default route domains.


489957-5 : RADIUS::avp command fails when AVP contains multiple attribute (VSA).

Component: Service Provider

Symptoms:
The RADIUS::avp command fails when AVP contains multiple attributes (VSA) within an AVP.

Conditions:
One AVP contains multiple attributes (VSA).

Impact:
RADIUS::avp command fails.

Workaround:
None.

Fix:
RADIUS::avp command now completes successfully when AVP contains multiple attribute (VSA).


489084-1 : Validation error in MCPD for FQDN nodes

Component: TMOS

Symptoms:
Validation does not enforce unique FQDN nodes across folders.

Conditions:
Create two nodes with the same FQDN in two different folders.

Impact:
This issue can cause undefined behavior

Workaround:
Ensure FQDN nodes, like regular IP nodes, to be unique across folders.

Fix:
Ensure FQDN nodes, like regular IP nodes, to be unique across folders.


488736-5 : Fixed problem with iNotes 9 Instant Messaging

Component: Access Policy Manager

Symptoms:
iNotes 9 IM (Sametime) is not working. There are errors in JS Console.

Conditions:
User is connected to iNotes 9 through Portal Access.

Impact:
Sametime in iNotes 9 is not accessible.

Workaround:
No

Fix:
iNotes 9 Sametime (instant messaging) is working now.


488600-2 : iRule compilation fails

Component: Local Traffic Manager

Symptoms:
Previously created iRules may fail on upgrade

Conditions:
Upgrade to 11.6.x versions may cause iRule compilation failures

Impact:
iRule may not work after upgrade

Workaround:
N/A

Fix:
Fix tickle parse if there is a whitespace before the new line.


488581 : 'SSL::disable clientside' inside HTTP_REQUEST causes tmm core if crypto is in progress

Component: Local Traffic Manager

Symptoms:
'SSL::disable clientside' inside HTTP_REQUEST might cause tmm core with a SIGSEGV if crypto is in progress when the iRule makes the request.

Conditions:
This occurs in iRules that contain 'SSL::disable clientside' inside HTTP_REQUEST and crypto is in progress when HTTP_REQUEST occurs.

Impact:
TMM dumps a core file and the system fails over.

Workaround:
Do not put 'SSL::disable clientside' inside HTTP_REQUEST.


488105-3 : TMM may generate core during certain config change.

Component: Access Policy Manager

Symptoms:
While the sandbox file is being used by data-plane, if the admin changes configuration to delete this sandbox file, the TMM may generate core due to accessing freed up memory.

Conditions:
While data-plane is handling requests for the sandbox files, if admin deletes it from the control plane.

Impact:
TMM may core, which may cause APM service to become unavailable for some time.

Workaround:

Fix:
Access whitelist entries are refcount-ed to prevent freeing of the memory while it is still being used.


487696-3 : Number of CPU allocated for ASM guests

Component: Local Traffic Manager

Symptoms:
The TMM plugin manager does not expect/support an ASM guest configuration of 10 cores, thus its calculations as to the number of devices required and numbering does not match the existing number of threads/devices.

Conditions:
This occurs when there are 10 CPUs allocated for ASM guests.

Impact:
System does not start up or has intermittent failures if running.

Workaround:
Reduce the number of cores to 8 or increase the number to 12.

Fix:
This release disables channel splitting/division when number of TMMs is not a supported number, so ASM guests work correctly.


486829-1 : HTTP Protocol Compliance options should not be modified during import/upgrade

Component: Application Security Manager

Symptoms:
HTTP Protocol Compliance options are enabled upon version upgrade or security policy import from a prior version.

Conditions:
This issue occurs when configuration was upgraded to 11.6.0, or security policy was imported from prior version to 11.6.0.

Impact:
HTTP Protocol Compliance options are enabled.

Workaround:
Set HTTP Protocol Compliance options to desired values after import/upgrade.

Fix:
HTTP Protocol Compliance options are correctly preserved after a security policy import or a version upgrade.


486762-1 : lsn-pool connection limits may be invalid when mirroring is enabled

Component: Carrier-Grade NAT

Symptoms:
A client may not be able to create as many connections as allowed because mirroring may cause a connection to be counted more than once against the connection limit.

Conditions:
An lsn-pool with connection limits enabled, assigned to a virtual server.

Impact:
Clients may not be able to open as many connections as they should be able to open. The connections will fail.

Workaround:
This issue has no workaround at this time.

Fix:
With the fix in place, clients may open the full number of allowable connections.


486661-3 : Network Access should provide client IP address on reconnect log records

Component: Access Policy Manager

Symptoms:
Network Access should provide client IP address on reconnect log records

Conditions:
- Connect a client via network access - observe log of Client IP - Disconnect and reconnect from a different client IP (or the same one)

Impact:
note that the log messages generated for the session do not include the client IP address.

Workaround:
none


485472-3 : iRule virtual command allows for protocol mismatch, resulting in crash

Component: Local Traffic Manager

Symptoms:
iRule 'virtual' command allows for protocol mismatch.

Conditions:
A virtual server with an iRule which leverages the 'virtual' command targeting a virtual server that differs in protocol. For example, a UDP virtual server targeting a TCP virtual server.

Impact:
tmm might crash with assert: 'Must be syncookie'. Traffic is interrupted.

Workaround:
This is the result of a misconfiguration. Modify iRules to ensure L4 protocols match between virtual servers.

Fix:
Resolved issue where TMM might crash with assert: 'Must be syncookie' when the iRule 'virtual' command leads to a protocol mismatch.


485251-1 : AVR core witch include tmstat backtrace

Component: Application Visibility and Reporting

Symptoms:
due to a synchronization problem in AVR, some tmstat data (relevant to AVR only) got corrupted.  This corruption can cause AVR core.

Conditions:
Provision AVR.

Impact:
This bug cause AVR core.

Workaround:

Fix:
The synchronization problem fixed.


485182-2 : wom_verify_config does not recognize iSession profile in /Common sub-partition

Component: Wan Optimization Manager

Symptoms:
The wom_verify_config does not recognize iSession profile in /Common sub-partition.

Conditions:
iApps creates some objects (virtual, profiles) under /Common/DMZPrimary.vysbank.com.app/. These objects are invisible to wom_verify_config.

Impact:
wom_verify_config cannot verify the system configuration.

Workaround:

Fix:
The wom_verify_config now recognizes objects in sub-partitions.


484706-2 : Incremental sync of iApp changes may fail

Component: TMOS

Symptoms:
Incremental sync of the deletion of an iApp instance may fail, with the error message indicating that certain objects owned by the application are still in use. Alternatively, child objects that should have been deleted when reconfiguring an iApp instance may remain on peer devices after incremental sync has completed.

Conditions:
Incremental sync of the deletion of an iApp instance. Incremental sync of deleting a child object, if the iApp implementation script creates the parent object without child objects, and then separately adds the replacement child objects.

Impact:
An attempt to delete an iApp may cause a sync failure. An attempt to reconfigure an iApp without a previously existing child object (pool member, etc.) may cause the object to continue to exist on peer devices.

Workaround:
Full load sync (either the 'Overwrite Configuration' option on the Device Management Overview page, or temporarily setting the device group to full load only), and then performing the sync operation completes successfully.

Fix:
Incremental sync of the deletion of an iApp instance now completes successfully. Incremental sync of iApp changes, where the iApp template creates a parent object separately from child objects now syncs correctly.


483792-5 : when iSession control channel is disabled, don't assign app tunnel, MSRDP, opt tunnel resources

Component: Access Policy Manager

Symptoms:
Customers running into iSession related issues.

Conditions:
This happens when APM has been running.

Impact:
Some of the Network Access resources may not run properly when iSession control channel is disabled.

Workaround:
None

Fix:
When the iSession control channel is disabled through db variable, then some of the Network Access resources, including App tunnel, Microsoft RDP, and optimized tunnel resources, will not be assigned to the session.


483501-1 : Access policy v2 memory leak during object deletion in tmm.

Component: Access Policy Manager

Symptoms:
A small memory leak everytime a per request access policy is deleted.

Conditions:
If the access policy delete was done before execute_access_policy' released the ref count, the access policy was getting deleted even though its still being used for one session. If the access policy delete was done when the access policy was not being used by any session, the access policy was not getting deleted.

Impact:
A small memory leak everytime a per request access policy is deleted.

Workaround:
None

Fix:
1) In 'access_policy_add', increment the access policy reference count before adding the access policy to the global access policy hash table. 2) In 'release_access_policy' dont return 'access_policy->ref_count' at the end of the function. The 'access_policy' could have potentially been deleted and freed by this point. The return value is not really used so just dont return any value.


483286-3 : APM MySQL database full as log_session_details table keeps growing

Component: Access Policy Manager

Symptoms:
APM stores session reporting data in "apm" MySQL database, under log_session_details table, but never does any cleanup. This causes the table to continuously grow. Eventually this consumes all disk, potentially corrupting the SQL data, and stopping services on the BIG-IP system that rely on MySQL.

Conditions:
Conditions leading to this issue include: APM is provisioned; and 350M APM sessions are created over any period of time (each row in log_session_details consumes ~20 bytes).

Impact:
MySql volume (12G) will fill with data, potentially stopping or degrading services in the box that rely on MySQL. Including: ASM, AVR, APM Reporting, Web UI, and QkView.

Workaround:
Workaround is to manually clean up the log_session_details table in MySQL database. First, retrieve the randomly generated MySQL password per box, using the following shell command as the root user. For example, # perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw PjL7mq+fFJ where PjL7mq+fFJ is the random password at MySQL installation in this example. Use this password in the following command for clean-up. # /usr/bin/mysql -uroot -pPjL7mq+fFJ --database=apm -e "delete from log_session_details where active = 'N';" This will delete all those rows that are referred to by an inactive session.


483104-3 : vCMP guests report platform type as 'unknown'

Component: TMOS

Symptoms:
vCMP guests report 'unknown' as platform type.

Conditions:
This occurs on vCMP guests.

Impact:
Customer is unable to remotely determine exactly which platform is being monitored.

Workaround:
None.

Fix:
vCMP guests now report bigipVcmpGuest as platform type.


483020-1 : [SWG] Policy execution hang when using iRule event in VPE

Component: Access Policy Manager

Symptoms:
Using the iRule Event Visual Policy Editor (VPE) object creates hang in the policy. The event is started, but never finishes, just hangs.

Conditions:
This issue occurs when the iRule event is in the access policy.

Impact:
The access policy evaluation never finishes.

Workaround:
None.

Fix:
[SWG] Policy execution with the iRule event in place no longer hangs.


482699-4 : VPE displaying "Uncaught TypeError"

Component: Access Policy Manager

Symptoms:
VPE displaying "Uncaught TypeError"

Conditions:
While editing on Chrome ver >=37

Impact:
Really hard to Edit VPE on chrome

Workaround:
Use different browser

Fix:
Visual policy editor works correctly on Google Chrome.


482269-8 : APM support for Windows 10 out-of-the-box detection

Component: Access Policy Manager

Symptoms:
APM does not support out-of-the-box detection for Windows 10 in visual policy editor configuration.

Conditions:
Windows 10, APM

Impact:
Windows 10 cannot be detected in visual policy editor rules.

Workaround:

Fix:
APM now supports out-of-the-box detection of Microsoft Windows 10 in visual policy editor action items, such as, Client OS and Client Type.


482266-3 : Network Access can't be established for Windows 10

Component: Access Policy Manager

Symptoms:
Connection fails with "Network Access Connection Device was not found." message.

Conditions:
1. Clean installation of Windows 10 (not upgrade) OR 2. Windows has been upgraded from previous version of Windows OS and it did not have NA driver installed.

Impact:
User can not establish a VPN connection.

Workaround:


482251-3 : Portal Access. Location.href(url) support is added

Component: Access Policy Manager

Symptoms:
Some pages can't be loaded in specific web-applications.

Conditions:
IE browser specific coded which uses: location.href(some_url) in it's code.

Impact:
Web-application can't load some web-pages.

Workaround:

Fix:
Added rewriting for: Location.href(some_url)


482241-1 : Windows 10 cannot be properly detected

Component: Access Policy Manager

Symptoms:
Windows 10 cannot be properly detected by BIG-IP

Conditions:
Windows 10 desktop operating system and BIG-IP APM access policy with client OS and Windows info agents.

Impact:
Windows 10 will not be detected out-of-the-box by BIG-IP client OS and Windows info agents.

Workaround:
User agent can be parsed in access policy for windows 10 tokens.

Fix:
Windows 10 can now be detected out-of-the-box by client OS and windows info agents.


482145-3 : Text in buttons not centered correctly for higher DPI settings

Component: Access Policy Manager

Symptoms:
When high DPI setting are used in Windows, text in buttons is not centered correctly and may run outside the boundaries of buttons.

Conditions:
User interface is displayed and user has set a higher DPI setting for Windows.

Impact:
Button text does not look correct.

Workaround:
Set DPI settings back to default.

Fix:
Buttons are now correctly scaled for Windows DPI setting.


481987-6 : Allow NTLM feature to be enabled with APM Limited license

Component: Access Policy Manager

Symptoms:
When a BIG-IP system has an APM Limited license, NTLM is silently disabled and the connection goes through. This breaks many (all) use-cases for Exchange + APM.

Conditions:
APM and Exchange are deployed together with APM Limited / Lite license.

Impact:
Exchange cannot be used with APM Limited license when NTLM frontend authentication is selected, which is used in essentially all APM + Exchange deployments.

Workaround:

Fix:
The NTLM frontend authentication (ECA) feature can now be used with an APM Limited license. Typically, this is for Exchange deployments.


481706-2 : AFM DoS Sweep Vector could log attack detected msgs from a non-attacking src IP

Component: Advanced Firewall Manager

Symptoms:
When a AFM DoS Sweep/Flood attack is ongoing there is a chance that we could log a non-attacking src IP (which is sending packets which are below the detect threshold) as an attacker in the "attack_sampled" AFM DoS log message.

Conditions:
When the AFM DoS Sweep or Flood attack is ongoing, and we have multiple src IPs (attackers and non-attackers) sending packets which match the AFM DoS Sweep or Flood vector, we could see the "attack sampled" log from a IP which is not actually sending packets above the configured attack rate.

Impact:
The log message could list an innocent src IP as an attacker. In AVR also you could see this IP as an attacker.

Workaround:
None, since the log message is cosmetic.

Fix:
Improved security logging to reduce incorrect messages.


481677-2 : A possible TMM crash in some circumstances.

Component: Local Traffic Manager

Symptoms:
If TCP::Close is called during the SSL handshake, the TMM might crash.

Conditions:
TCP::close is called during an SSL handshake

Impact:
TMM crash.

Workaround:
When closing the connection before or during an SSL/TLS handshake, use the "drop" or "reject" command instead of the TCP::close command.

Fix:
A TMM crash bug has been fixed.


481663-5 : Disable isession control channel on demand.

Component: Access Policy Manager

Symptoms:
Customers running into isession related issues.

Conditions:
This happens when APM has been running.

Impact:
TMM could run out of memory because of these issues.

Workaround:
This issue has no workaround at this time.

Fix:
If customer does not need optimized tunnels, app tunnels, remote desktop then he can safely disable the db variable "isession.ctrl.apm" which disables isession. Then do "bigstart restart tmm apd" so that the db variable takes effect.


481648-8 : mib-2 ipAddrTable interface index does not correlate to ifTable

Component: TMOS

Symptoms:
The ipaddrTable's ipAdEntIfIndex value does not match the ifTable's ifIndex value for the same interface.

Conditions:
Using SNMP to monitor F5 and other network devices.

Impact:
Data in the mib-2 ifTable does not correlate to the data in the ipAddrTable.

Workaround:
Use the F5 MIB to monitor F5 devices.

Fix:
The ipaddrTable's ipAdEntIfIndex value now matches the ifTable's ifIndex value for the same interface.


481162-2 : vs-index is set differently on each blade in a chassis

Component: Local Traffic Manager

Symptoms:
The vs-index field on virtual servers differs on each blade in a chassis.

Conditions:
This occurs on chassis systems when creating a virtual server on a multi-blade VIPRION and on multi-blade vCMP guests.

Impact:
The recently created virtual server holds different vs_index across blades (typically, the virtual servers differ by one, when compared with the active blade). From that point on, every newly created virtual server carries that inconsistency, so that vs-index is set differently on each blade in a chassis.

Workaround:
Follow the procedure in SOL13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/kb/en-us/solutions/public/13000/000/sol13030.html) to clear the configuration cache and reload configuration after reboot.


480910 : A TCP profile with 'Rate Pace" or "Tail Loss Probe" enabled fails to successfully establish a connection.

Component: Wan Optimization Manager

Symptoms:
TCP connection establishment fails on some virtuals.

Conditions:
A TCP profile with advanced options like "Rate Pace" or "Tail Loss Probe" enabled, needs to be in use.

Impact:
All TCP connections using a tcp profile which has advanced options like "Rate Pace" or "Tail Loss Probe" enabled will fail to establish a connection.

Workaround:
Avoid using the tcp profile options like "Rate Pace" or "Tail Loss Probe". If these options are a must requirement then there is no other workaround, other than to upgrade to a build with fix.

Fix:
Properly handle the internal events in mptcp handler.


480761-1 : Fixed issue causing TunnelServer to crash during reconnect

Component: Access Policy Manager

Symptoms:
TunnelServer may crash in rare conditions during reconnect.

Conditions:
Crash may happens when PC wakes up after hibernate

Impact:
User sees confusing message about crashed TunnelServer.

Workaround:
This issue has no workaround at this time.

Fix:
Fixed issue that caused TunnelServer to crash during reconnect.


480679-1 : The big3d daemon does not receive config updates from mcpd

Component: TMOS

Symptoms:
Any Enterprise Manager device connected to a BIG-IP v11.6.0 will not receive configuration change notifications (including status) for nodes, pool members, or pools and will require manual refresh of configuration for those types. Stats and other configuration items remain unaffected.

Conditions:
This only affects EM devices and potentially MangementPack connections to a BIG-IP. The BIG-IP must be version 11.6.0 only, but the EM may be any version.

Impact:
The impact of this bug is that Enterprise Manager devices will not receive configuration update notifications for nodes, pool members, or pools. This includes status changes. Stats and other configuration items remain unaffected.

Workaround:
This issue has no workaround at this time.

Fix:
The mapping for subscription groups has been fixed so that the SUBSCRIPTION_NODE_ADDRESS and other similar subscription groups will not be overwritten by the SUBSCRIPTION_MONITOR group.


480311-1 : ADAPT should be able to work with OneConnect

Component: Service Provider

Symptoms:
The request-adapt and response-adapt profiles are unable to work with the OneConnect profile, and so those combinations are not allowed in the same virtual server.

Conditions:
Attempt to combine request-adapt or response-adapt profile with OneConnect profile on the same virtual server.

Impact:
When adaptation is being used, the connection cannot be kept open and reused for multiple HTTP transactions.

Workaround:

Fix:
The OneConnect profile can be combined with either or both of request-adapt and response-adapt profiles on a virtual server. Both client and server HTTP connections are reused.


480272-6 : During OAM SDK initialization, ObConfig initialization returns wrong accessgate ID

Component: Access Policy Manager

Symptoms:
OAM ObConfig Initialization returns wrong accessgate ID, and that resulted in EAM setting wrong domain for the ObSSOCookie.

Conditions:
After network connection failure with backend OAM server, ObConfig initilization returned past Accessgate ID.

Impact:
The impact of this issue is that ObConfig initialization returns the wrong accessgate ID.

Workaround:
This issue has no workaround at this time.

Fix:
AccessGate init should now fail initialization and retry in case of an AccessGate ID mismatch. If all retries fail, then the AccessGate remains uninitialized. The administrator should clear the config cache for all the AccessGates and restart the EAM process.


480119-2 : Vague error - Error ERR_BOUNDS connflow ... processing pullup of control message.

Component: Carrier-Grade NAT

Symptoms:
PPTP filter emits a vague error message in the ltm log, for example: 'Error ERR_BOUNDS connflow 74.14.223.32:1723 -- 121.54.54.11:34976 processing pullup of control message,' or 'Error ERR_BOUNDS connflow 65.93.152.110:1723 -- 121.54.54.11:2004 processing egress message.'

Conditions:
PPTP ALG is configured. CGNAT is configured. Non-PPTP traffic is being directed to port 1723.

Impact:
These messages are cosmetic only, and can be ignored safely, but may indicate that another protocol is using port 1723.

Workaround:
None.

Fix:
Error ERR_BOUNDS loglevel has changed from ERR to DEBUG, which is correct behavior.


479674-1 : bigd crash on improper monitor configuration (timeout less than the interval) for Tcl monitors.

Component: Local Traffic Manager

Symptoms:
bigd crash on improper monitor configuration (timeout less than the interval) for Tcl monitors.

Conditions:
Tcl Monitors: FTP, SMTP, POP3, IMAP, when the timeout is less than the interval. Might also occur if the Tcl worker is in a stuck state, due to pool member not responding within the configured timeout.

Impact:
bigd crashes and posts an error message similar to the following: Received invalid magic value in the stream'.

Workaround:
Correct the monitor timeout to be higher than interval. Generally, the timeout should be ((3 * interval) + 1) seconds. Note: This workaround might not work in cases where the failure is due to Tcl worker being in a stuck state due to the pool member not responding within the configured timeout.

Fix:
The system no longer crashes when Tcl monitors are improperly configured, that is, when the timeout specified is less than the interval.


479460-5 : SessionDb may be trapped in wrong HA state during initialization

Component: TMOS

Symptoms:
An error case may happen on BIG-IP if the following conditions are met: 1. There are two BIG-IPs configured as inter-cluster HA. 2. These two BIG-IPs are multi-blade chasis system. 3. Master record with independent subkeys is added to SessionDB. The observed symptom this that you can explicitly deleted such a master record, but auto expiration mechanisms (timeout & lifetime) will not work on it, and this record will live forever until it is explicitly deleted.

Conditions:
Inter-chassis mirroring Chassis w/ multiple blades

Impact:
an inconsistent state between systems can cause persistence entries to never timeout. This will impact CGNAT records stored in SessionDB such as persistence records and PBA blocks.

Workaround:


479334-5 : monpd/ltm log errors after Hotfix is applied

Component: Application Visibility and Reporting

Symptoms:
When you apply a hotfix on an already configured and working volume, many errors are logged in the monpd/ltm logs.

Conditions:
Applying a hotfix to a configured and working volume.

Impact:
None, cosmetic benign errors only.

Workaround:
Run the following commands: 1. mysql -p`perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw` AVR < /var/avr/avr_srv_code.sql 2. bigstart restart monpd


479142-1 : Deleting a virtual server does not delete the resource record (RR) in ZoneRunner Daemon (ZRD)

Component: Global Traffic Manager

Symptoms:
The resource record (RR) in ZoneRunner Daemon (ZRD) is not deleted when the associated Virtual Server is deleted from the Global Traffic Manager (GTM) server object.

Conditions:
Conditions that lead to this issue include a GTM server object with a Virtual Server; a pool with the above virtual server; a wideip using the above pool as resources; and deleting the virtual server from the GTM server object.

Impact:
BIND will contain and return RRs that were intended to be deleted. The RR is orphaned and could only be deleted manually from ZRD.

Workaround:
To workaround this issue you can delete the GTM server associated with the virtual server to be deleted, but this would delete other associated virtual servers too. Alternatively, you can manually delete the RR in ZRD.

Fix:
Deleting a virtual server now correctly deletes the resource record (RR) in ZoneRunner Daemon (ZRD).


479084-1 : ZoneRunner can fail to respond to commands after a VE resume.

Component: Global Traffic Manager

Symptoms:
The ZoneRunner GUI can become unresponsive after a VE resume.

Conditions:
This is due to the "lo:" interface not being recreated during the resume processing. ZoneRunner relies on this interface to communicate with the on box BIND server.

Impact:
ZoneRunner cannot create/modify/delete/query records from the on box BIND server

Workaround:
Restart ZoneRunner after a VE resume with the command: bigstart restart zonerunner.

Fix:
ZoneRunner now uses the tmm0 interface to communicate with BIND.


478920 : SIP::discard is not invoked for all request messages

Component: Service Provider

Symptoms:
SIP::discard is invoked only for the first two request messages, and the other request messages are allowed to pass through.

Conditions:
This occurs when an iRule that uses SIP::discard, for example: when SIP_REQUEST { SIP::discard }.

Impact:
Any iRule that uses SIP::discard might not work as expected.

Workaround:
To work around this issue, you can use MR::message drop in MR event to drop the message instead

Fix:
The ingress queue for the messages is cleared properly when SIP::discard iRule is present. Now all request messages are correctly dropped if the SIP::discard iRule is present in SIP_REQUEST event.


478751-6 : OAM10g form based AuthN is not working for a single/multiple domain.

Component: Access Policy Manager

Symptoms:
OAM10g form based AuthN is not working for a single/multiple domain.

Conditions:
Conditions leading to this issue include double encoding of parameters and race condition on parsing form body.

Impact:
Form based OAM authentication might not work.

Workaround:
This issue has no workaround at this time.

Fix:
Fixed all the issues found during the testing of OAM Form-based AuthN scheme, for both single domain and multiple domain.


478658-6 : Window.postMessage() does not send objects

Component: Access Policy Manager

Symptoms:
Websites are broken if they use postMessage to send objects. There could or could not be an error in the JavaScript console based on web application.

Conditions:
Web-Application that uses Window.postMessage() with Portal Access.

Impact:
Web-Application can't use Window.postMessage() to send non-string data with Portal Access.

Workaround:
No

Fix:
Window.postMessage supports sending objects.


478617-6 : Don't include maximum TCP options length in calculating MSS on ICMP PMTU.

Component: Local Traffic Manager

Symptoms:
TCP segment size is 40 bytes less.

Conditions:
ICMP implementation using Path MTU (PMTU)

Impact:
The impact of this issue is less data per TCP segment.

Workaround:
Disable Path MTU Discovery by doing the following, "tmsh modify sys db tm.enforcepathmtu value disable"

Fix:
Don't include maximum TCP options length in calculating MSS on ICMP PMTU.


478492-7 : Incorrect handling of HTML entities in attribute values

Component: Access Policy Manager

Symptoms:
If an HTML tag attribute contains HTML entities inside its value, this value may not be processed correctly by Portal Access.

Conditions:
For example, if a form action begins with '&#x2f;' instead of '/', it will be rewritten although absolute action path should be left untouched. This leads to incorrect behavior of this web application.

Impact:
Web application may not work correctly.

Workaround:
This issue has no workaround at this time.

Fix:
Now HTML tag attributes with HTML entities inside their values are processed correctly.


478439-6 : Unnecessary re-transmission of packets on higher ICMP PMTU.

Component: Local Traffic Manager

Symptoms:
LTM re-transmits TCP segments even when ICMP Path maximum transmission unit (PMTU) is higher than existing MTU.

Conditions:
ICMP PMTU is higher than existing MTU.

Impact:
Burst traffic generated.

Workaround:
Disable Path MTU Discovery by entering the command: tmsh modify sys db tm.enforcepathmtu value disable.

Fix:
Fixed unnecessary re-transmission of packets on higher ICMP Path maximum transmission unit (PMTU).


478261-2 : WinInet handle leak in Edge Client on Windows

Component: Access Policy Manager

Symptoms:
WinInet handle leak in Edge Client on Windows

Conditions:
EdgeClient on Windows, general use

Impact:
This leak has slight/minor impact on consuming resources

Workaround:

Fix:
WinInet handle leak was eliminated.


478257-7 : Unnecessary re-transmission of packets on ICMP notifications even when MTU is not changed

Component: Local Traffic Manager

Symptoms:
Re-transmission of fragment needed packets.

Conditions:
Multiple ICMP Destination Unreachable with Fragmentation needed code messages.

Impact:
Burst traffic generated.

Workaround:
Disable Path MTU Discovery by doing the following, "tmsh modify sys db tm.enforcepathmtu value disable"

Fix:
Don't re-transmit packets if the MTU is not changed.


477218-5 : Simultaneous stats query and pool configuration change results in process exit on secondary.

Component: TMOS

Symptoms:
Simultaneous stats query and pool configuration change results in process exit on secondary.

Conditions:
Running parallel operations in tmsh/GUI or multiple tmsh operations on pool objects. For example, running 'tmsh show' command while simultaneously updating the monitor on the pool in the GUI.

Impact:
The primary restarts, and the slot goes down, resulting in potential traffic impact. The ltm logs display error messages similar to the following: -- err mcpd[29041]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested pool (/Common/CYBS-P-UBC-43) was not found. -- notice mcpd[8487]: 0107092a:5: Secondary slot 1 disconnected.

Workaround:
Use the absolute name of the pool in the tmsh command: /partition_name/pool_name.

Fix:
TMSH command now automatically issues the absolute path by using the context for the current connection to MCPd, so there are no MCPd restarts in this case.


476097-1 : TCP Server MSS option is ignored in verified accept mode

Component: Local Traffic Manager

Symptoms:
After enabling 'verified-accept' in the TCP profile, window scaling is not working on server side connection. More specifically, the BIG-IP system ignores window scaling from the back-end server.

Conditions:
Enabling 'verified-accept' in TCP profile.

Impact:
the BIG-IP system ignores window scaling from the back-end server.

Workaround:
Disable 'verified-accept' in the TCP profile.

Fix:
Window scaling with back-end server now works when 'verified-accept' is enabled in the TCP profile.


475735-4 : Failed to load config after removing peer from sync-only group

Component: Access Policy Manager

Symptoms:
Load sys config fails.

Conditions:
Loading config after removing peer from sync-only device group.

Impact:
Failed to load config.

Workaround:
Remove peer device from the sync-only device group on which policy sync has been performed previously.

Fix:
A user can now load sys config even after removing the peer from the sync-only group.


475647-2 : VIPRION Host PIC firmware version 7.02 update

Component: TMOS

Symptoms:
Correctly report part numbers of current-manufacture VIPRION B4300 series blades (part numbers 400-0076-00 and 400-0077-00).

Conditions:
Affects VIPRION B4300 series blades.

Impact:
Features of current-manufacture VIPRION B4300 series blades (part numbers 400-0076-00 and 400-0077-00) may not be properly supported by the BIG-IP software.

Workaround:
None.

Fix:
VIPRION Host PIC firmware version 7.02 update now supports all expected BIG-IP software features on VIPRION B4300 blades.


475403-2 : Tunnel reconnect with v2.02 does not occur

Component: Access Policy Manager

Symptoms:
Tunnel reconnect does not happen when DTLS is enabled

Conditions:
Configure SSL profile Enable DTLS in NA resource Establish NA connection from the device

Impact:
Reconnect does not happen

Workaround:
N/A

Fix:
A HelloRequest is re-transmitted if not responded by a ClientHello


474779-1 : EAM process fails to register channel threads (MPI channel) with TMM, and subsequent system call fails.

Component: Access Policy Manager

Symptoms:
On EAM process initialization, the plugin is unable to register a thread (MPI channel) with TMM on rare occasions. A subsequent system call to end the process fails.

Conditions:
Unknown.

Impact:
EAM plugin is up but the access gates are not initialized correctly.

Workaround:
Establish connection to OAM server. bigstart stop eam Clear config.cache from each accessgates by deleting /config/aaa/oam/<partition_name>/<aaa_oam_obj_name>/<accessgate_name>/config.cache using commandline. bigstart restart eam

Fix:
EAM plugin initialization is fixed, now the plugin register with TMM process will not fail.


474601-5 : FTP connections are being offloaded to ePVA

Component: Local Traffic Manager

Symptoms:
FTP connections are offloaded to acceleration hardware embedded Packet Velocity Acceleration (ePVA) chip.

Conditions:
SNAT listener

Impact:
FTP data connections fail due to lack of translation in PORT commands.

Workaround:
Use FTP virtual instead of SNAT listener.

Fix:
FTP connections will no longer be offload to ePVA hardware when traversing through a SNAT listener.


474356-1 : Client SSL on partition other than /Common does not load if no key/cert/inherit-certkeychain

Component: Local Traffic Manager

Symptoms:
Client SSL configurations on a partition other than /Common do not load if there is no key/cert or inherit-certkeychain.

Conditions:
This occurs when the following conditions are met: 1. There is a configuration in a folder/partition other than /Common. 2. crypto-server-default-clientssl, or another clientssl profile, has no key/cert or inherit-certkeychain configured.

Impact:
Cannot load configuration or UCS.

Workaround:
To work around this, complete the following steps: 1. modify /defaults/profile_base.conf and /config/profile_base.conf -- config # vim /defaults/profile_base.conf -- config # vim /config/profile_base.conf -- Locate crypto-server-default-clientssl and add the key/cert-related configuration to it. Specifically, change the profile information to match the following: ltm profile client-ssl crypto-server-default-clientssl { defaults-from /Common/clientssl cert-key-chain { default { cert /Common/default.crt chain none key /Common/default.key passphrase none } } cert /Common/default.crt chain none key /Common/default.key passphrase none inherit-certkeychain true ciphers DHE-RSA-AES256-GCM-SHA384 renegotiate-period 21600 cache-size 0 } 2. For clientssl other than crypto-server-default-clientssl, make sure key/cert and/or inherit-certkeychain is set. 3. Load the configuration by running the command: tmsh load sys conf

Fix:
Client SSL configurations on a partition other than /Common do not now have a default key/cert and inherit-certkeychain, so the configuration loads correctly.


473685-1 : Websso truncates cookie domain value

Component: Access Policy Manager

Symptoms:
Cookies assigned during back end authentication may not be returned to back end servers. The failures require the set-cookie header contain a domain assignment and the domain value must begin with a dot.

Conditions:
401 response from a back end has Set-Cookie headers containing domain assignments that begin with a dot.

Impact:
Applications protected by the above authorization may not work.

Workaround:
An iRule can be used to catch the 401 response. If it contains one or more Set-Cookie headers, check each for a domain attribute. Remove the initial dot in the domain value, if present.

Fix:
Websso processes domain fields in Set-Cookie headers correctly.


473488-6 : In AD Query agent, resolving of nested groups may cause apd to spin

Component: Access Policy Manager

Symptoms:
Access policy daemon (apd) consumes about 100% CPU and puts a heavy load on the network sometimes when resolving nested groups in AD Query. The AD Group Cache updates in a loop.

Conditions:
This issue occurs when the user belongs to a parent domain, and is a member of group that belongs to a sub-domain For example, user belongs to parent.com group belongs to child.parent.com the user is a member of the group "fetch nested groups" option is enabled for AD Query.

Impact:
The impact of this issue is that the user will be unable to resolve nested groups and unable to finish AD Query.

Workaround:
There is no workaround at this time.


473348-6 : hbInterval value not set to 300 sec after upgrad.

Component: TMOS

Symptoms:
The hbInterval determines the amount of time the snmpd daemon can wait for a response. Software versions 11.2.x use an hbInterval of 60 sec. Software versions 11.3.0 and later use an hbInterval of 300 sec.

Conditions:
When upgrading from version 11.2.x to version 11.3.0 or later.

Impact:
After upgrade, the hbInterval is still set to 60 sec and not set to 300 sec. An snmpd core is created.

Workaround:
Edit bigipTrafficMgmt.conf and set hbInterval value to 300 using the following procedure: 1. Run the command: bigstart stop snmpd. 2. Change the value of hbInterval in /config/snmp/bigipTrafficMgmt.conf and save the file. 3. Run the command: bigstart start snmpd.

Fix:
When upgrading from a release that did not have the hbInterval set to 300, the new release now has hbInterval set to 300.


473255-3 : Javascript sibmit() method could be rewritten incorrectly inside of 'with' statement.

Component: Access Policy Manager

Symptoms:
Portal Access could incorrectly rewrite Javascript submit() method if it's called in scope of 'with' statement and without object.

Conditions:

Impact:
Form cannot be submitted from script on page.

Workaround:
Create an iRule which adds explicit object reference to submit() call.

Fix:
Fixed an issue where Portal Access could incorrectly rewrite a form submit initiated from Javascript.


473163-2 : RAID disk failure and alert.conf log message mismatch results in no trap

Component: TMOS

Symptoms:
Due to a mismatch between the definition of an alert for RAID disk failure in alert.conf, and the actual log message syntax, the appropriate SNMP traps are not issued when a disk is failing.

Conditions:
This happens when there is a RAID disk failure and the definition RAID disk failure in alert.conf is similar to the following: alert BIGIP_RAID_DISK_FAILURE "raid[0-9]: Disk failure .*?" { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.96"; lcdwarn description="RAID disk failure." priority="3" }

Impact:
Actual log message syntax matches the following: 'alert kernel: md/raid1:md12: Disk failure on dm-29, disabling device.' As a result, there is no SNMP trap for a failing disk, so no SNMP trap is issued, and the LCD message is not displayed.

Workaround:
For information about configuring custom traps, see SOL3727: Configuring custom SNMP traps, available here: https://support.f5.com/kb/en-us/solutions/public/3000/700/sol3727.html.


473105 : FastL4 connections reset with pva-acceleration set to guaranteed

Component: TMOS

Symptoms:
With 'pva-acceleration' set to 'guaranteed', the BIG-IP system can take up to five seconds to detect that one of either the client-side or server-side connections has not been offloaded to the ePVA hardware.

Conditions:
This occurs with 'pva-acceleration' set to 'guaranteed' and only one of client or server connections is offloaded to hardware.

Impact:
This results in the connection that has not been offloaded being reset five seconds after being established.

Workaround:
None.

Fix:
FastL4 connections are now handles correctly with pva-acceleration set to guaranteed, and are no longer reset.


473088-4 : Virtual server with RequestAdapt/ResponseAdapt profiles along with a OneConnect profile

Component: TMOS

Symptoms:
The BIG-IP system does not allow you to configure a virtual server with RequestAdapt/ResponseAdapt profiles along with a OneConnect profile. If you attach a ClientSSL profile, however, the configuration is allowed, which is incorrect behavior.

Conditions:
Create a virtual server, add tcp, request-adapt, and one-connect profiles along with ClientSSL.

Impact:
This unsupported configuration might have many unknown side effects in TMM.

Workaround:
Do not configure a virtual server with one-connect and requestadapt or responseadapt profiles.

Fix:
Configurations of request-/response-adapt combined with one-connect along with ClientSSL profiles are now handled correctly.


473033-5 : Datastor Now Uses Syslog-ng

Component: TMOS

Symptoms:
Datastor did not use the normal syslog facility, causing some very rare disk full errors in /var/log.

Conditions:
When datastor is heavily overloaded or experiencing a traffic pattern that it was not designed for, it can generate copious notice messages to its log. Because datastor writes directly to its log, log rotation may seem to work, but inadvertently leave a large, hidden file in /var/log.

Impact:
In very rare cases, this hidden large file may cause out of disc errors, preventing logging from occurring.

Workaround:
Log rotate can be configured to restart datastor if this becomes an issue.

Fix:
Datastor now uses syslog-ng.


472256-3 : tmsh and tmctl report unusually high counter values

Component: Access Policy Manager

Symptoms:
When running the command 'tmctl profile_access_stat', the values displayed for sessions_eval_cur, sessions_active_cur, and/or sessions_estab_cur mignt be unusually high.

Conditions:
The issue might appear if the following events happen, in sequence: 1. Some sessions have been established. 2. On a chassis system, a blade restarts. On an appliance system, tmm restarts on the active system, which triggers failover. 3. Some of the existing sessions log out after the chassis or appliance is back online.

Impact:
The profile access stat might report inaccurate readings. The system returns results similar to the following: -- sessions_active_cur 18446744073709551615. -- sessions_eval_cur 18446744073709551615.

Workaround:


472117-2 : Analytics scheduled report: "predefinedReportName" and "multiLeveledReport" are mutually exclusive

Component: Application Visibility and Reporting

Symptoms:
Analytics scheduled report: You create a non-loadable configuration by changing "predefinedReportName" to "multiLeveledReport", or the reverse for an "analytics application-security scheduled-report".

Conditions:
Trying to modify an existing scheduled-report type from predefined to multi-leveled or vice versa caused error message. This was true for both tmsh and REST-API.

Impact:
The entire system configuration is not loaded.

Workaround:
Manually edit /config/bigip.conf so that "predefinedReportName" and "multiLeveledReport" do not appear together in the same Analytics scheduled report.

Fix:
REST API: You can now modify a scheduled-report type, and it will automatically reset the other type's attribute ("predefinedReportName" or "multiLeveledReport").


472062-3 : Unmangled requests when form.submit with arguments is called in the page

Component: Access Policy Manager

Symptoms:
Expressions like form.submit(something) are not being rewritten by Portal Access. This may cause direct URL or unmangled paths in request. Such request will fail and application could stop working.

Conditions:

Impact:
Web Application could send unmangled requests and stop working.

Workaround:
iRule workaround is possible, but it will be unique for each web application.

Fix:
Calls of form.submit with arguments are now correctly handled by Portal Access.


471926-1 : Static subscriber sessions lost after bigstart restart

Component: Policy Enforcement Manager

Symptoms:
Sessions are not created on standby device

Conditions:
Bigstart restart active device. Standby will become active and sessions should be created on new active. Before the old active comes online, Bigstart restart the new active.

Impact:
Sessions are not created on new active device

Workaround:
N/A

Fix:
Corrected intermittent HA issues in static subscriber provisioning


471860-3 : Disabling interface keeps DISABLED state even after enabling

Component: TMOS

Symptoms:
When you disable an interface, the state shows DISABLED. When you enable that interface, the indication for the interface still shows DISABLED.

Conditions:
This occurs when using both tmsh and the GUI.

Impact:
The state of the interface remains DISABLED. However, the interface passes traffic after enabling.

Workaround:
You can reboot correct the indicator.

Fix:
When you disable an interface, the state shows DISABLED. When you enable that interface, the indication for the interface now shows ENABLED.


471819-2 : The big3d agent restarts periodically when upgrading the agent on a v11.4.0 or prior system and Common Criteria mode is enabled.

Component: Global Traffic Manager

Symptoms:
The big3d agent restarts periodically if a v11.4.0 or earlier system with Common Criteria mode enabled is updated with a newer version of the big3d agent.

Conditions:
A v11.4.0 or earlier system is updated to run a newer version of the big3d agent and Common Criteria mode is enabled.

Impact:
The impact of this issue is periodic restarting of the big3d agent.

Workaround:
Disable Common Criteria mode. Alternatively, restore the prior version of the big3d agent.

Fix:
The big3d agent has been modified to run in a mode that eliminates inconsistencies with version 11.4.0 and earlier.


471117-4 : iframe with JavaScript in 'src' attribute not handled correctly in IE11

Component: Access Policy Manager

Symptoms:
If an HTML page contains an iframe with JavaScript code in the src attribute, some web applications might not work correctly through portal access in Internet Explorer 11.

Conditions:
Conditions leading to this issue include Internet Explorer 11 and iframe with JavaScript in the src attribute: <iframe src="javascript: some code...">

Impact:
Some Web applications may work incorrectly.

Workaround:
This issue has no workaround at this time.

Fix:
If an HTML page contains an iframe with JavaScript code in the src attribute, it is handled correctly in Internet Explorer 11 through Portal Access.


471059-4 : Malformed cookies can break persistence

Component: Local Traffic Manager

Symptoms:
Clients sending a malformed cookie (that is, a space character that precedes the persistence cookie) might prevent the parsing of a valid persistence cookie.

Conditions:
HTTP request contains malformed cookie value that occurs before the BIG-IP system persistence cookie, For example: Cookie:foo=bar =bar; BIGipServerhttp=60361226.20480.0001

Impact:
Persistence is ignored.

Workaround:
None.

Fix:
Cookie values containing space character are parsed properly.


470813-1 : Memory corruption in f5::rest::CRestServer::g_portToServerMap

Component: TMOS

Symptoms:
Abort during guestagentd static deinitialization

Conditions:
Daemon and threads are shutdown

Impact:
Crash in guestagentd and CRestServer

Workaround:
N/A

Fix:
Fix crash on shutdown in guestagentd and CRestServer


470756-6 : snmpd cores or crashes with no logging when restarted by sod

Component: TMOS

Symptoms:
Prior to sod restarting snmpd following a heartbeat timeout, there are often no snmpd warning/error logs leading up to the restart condition that might indicate root-cause.

Conditions:
snmpd can be blocked waiting for mcpd responses to its database queries. This is typically experienced when CPU utilization is very high.

Impact:
sod continues restarting snmpd (and generating a core dump) as long as the blocking conditions continue for longer than the configured snmpd heartbeat interval. During this time, external MIB queries might timeout/fail.

Workaround:
Address CPU utilization issues.

Fix:
The snmpd daemon now periodically logs warning messages regarding slow query responses from mcpd. snmpd also attempts to maintain heart-beat communication with sod under these conditions.


468837-5 : SNAT translation traffic group inheritance does not sync across devices

Component: TMOS

Symptoms:
When a snat-translation object is created, and its inherited-traffic-group property is set, this property does not sync to other devices.

Conditions:
This is relevant for any setup with multiple devices in a CMI failover device group.

Impact:
The inherited-traffic-group property must be manually maintained on all devices.

Workaround:
Enable the 'full sync' option instead of using incremental sync.

Fix:
SNAT translation traffic group inheritance now syncs across devices using incremental sync.


468473-2 : Monitors with domain username do not save/load correctly

Component: TMOS

Symptoms:
When using the username/password fields for a monitor, if specifying a domain with the username in the standardized fashion "domain\user", the \ will disappear upon save/reload of the configuration. The result of this will not fail to load , but the monitor may appear down/offline due to improper login credentials.

Conditions:
Configuration must be using a monitor that uses a domain-specific username in the username field.

Impact:
Configuration will load, but monitor will show down/offline due to bad credentials.

Workaround:
The username field must be adjusted in the /config/bigip.conf file to specify the username field with a domain using a \\ syntax. For example: domain\user would need to be configured as: domain\\user.

Fix:
Monitors with domain username now save/load correctly.


468137-6 : Network Access logs missing session ID

Component: Access Policy Manager

Symptoms:
Without session ID in client logs, it's hard to correlate client and server-side logs.

Conditions:

Impact:
Hard to troubleshoot client logs

Workaround:

Fix:
Now Network Access components print session ID in four messages: Starting pending session ID: %sessionid, Session %sessionid established, Session %sessionid closed: Status, and Failed to open session %sessionid.


467930-1 : Searching ASM Request Log for requests with specific violations

Component: Application Security Manager

Symptoms:
Filtering the ASM Request Log for requests that match some violations did not return expected results.

Conditions:
This issue occurs when the Request Log Filter is used for specific violations such as "Web Scraping detected."

Impact:
Request Log search does not return expected matches.

Workaround:
This issue has no workaround at this time.

Fix:
The Request log filter for violations now functions as expected. Previously, filtering the ASM Request Log for requests that match some violations did not return expected results.


466745-3 : Cannot set the value of a session variable with a leading hyphen.

Component: Access Policy Manager

Symptoms:
Cannot set the value of an ACCESS::session variable with a leading hyphen.

Conditions:
Using a leading hyphen for the value of the session variable, for example: ACCESS::session set data var_name -value.

Impact:
Cannot use hyphen in session variable value. The system posts and error message similar to the following: err tmm3[12741]: 01220001:3: TCL error: /Common/pass <ACCESS_POLICY_AGENT_EVENT> - bad option name (line 1)setting variable var_name for sid (null) failed (line 1)Illegal argument (line 1) (line 1) invoked from within "ACCESS::session data set var_name "-foo""

Workaround:
This issue has no workaround at this time.

Fix:
In this release, an extra parameter, made up of two dashes (--), was added. When -- is inserted before a value, the value can start with a hyphen; for example, "ACCESS::session set data var_name -- -value".


465951-2 : If net self description size =65K, gtmd restarts continuously

Component: Global Traffic Manager

Symptoms:
The gtmd process restarts continuously.

Conditions:
This issue occurs when the net self <IP> description >= <65K string> 'Description', 'Location', 'Contact', or 'Comment' field for the device (Device Management>Devices>Properties) > = <65K string>

Impact:
When this happens, gtmd is unable to perform its duties.

Workaround:
This issue has no workaround at this time.

Fix:
An issue that caused gtmd to restart because of long descriptions has been fixed.


465607-7 : TMM cores with TMM log error 'Assertion "flow in use" failed.' when isuing FastHTTP.

Component: Local Traffic Manager

Symptoms:
TMM cores with the TMM log showing the error 'Assertion "flow in use" failed.' This is an infrequent race condition.

Conditions:
This is an infrequent race condition. The actual set of events that leads to this core is unknown. However, this requires FastHTTP to be configured, and it is known that this happens when the FastHTTP connection is closing.

Impact:
TMM has cores and restarts. Connections may be lost, failover may be triggered.

Workaround:
Do not use FastHTTP.

Fix:
The system now provides checks to mitigate the race condition on close of FastHTTP to avoid the core.


465590-9 : Mirrored persistence information is not retained while flows are active

Component: Local Traffic Manager

Symptoms:
Mirrored persistence information is not retained. This is most visible on long-running flows, where the mirrored entry is removed while the flow is still active.

Conditions:
Mirrored flows with persistence profiles assigned to the VIP, or when persistence profiles are marked to mirror persistence entries.

Impact:
If a failover occurs, a new load balancing pick is made for new flows.

Workaround:

Fix:
Mirrored persistence records are now correctly retained.


465317-1 : Failure notice from "/usr/bin/set-rsync-mgmt-fw close" seen on each boot

Component: TMOS

Symptoms:
The ltm log file will have a line per cluster member at boot that contains a message similar to this: Background command '/usr/bin/set-rsync-mgmt-fw close' failed. The command exited with status 1.

Conditions:
Observable in a log file after boot. Only applies to chassis, not appliances.

Impact:
innocuous

Workaround:

Fix:
An error like this formerly appeared on chassis boot: Background command '/usr/bin/set-rsync-mgmt-fw close' failed. The command exited with status 1. This message was always harmless but now no longer appears.


465052-6 : Some HTTP::cookie iRule commands can cause TMM to core if required arguments are missing

Component: Local Traffic Manager

Symptoms:
TMM cores when executing an HTTP::cookie command in an iRule. If the command does not have the minimum required number of arguments, the code is not checking for this condition; it assumes they are there.

Conditions:
An iRule command must execute an HTTP::cookie command (such as "HTTP::cookie sanitize") with missing required arguments.

Impact:
TMM restarts, possibly causing a failover in an active/standby system.

Workaround:
Ensure all HTTP::cookie commands in iRules have the correct number of arguments. A work around is to add a line "log local0. some text" before the line "HTTP::cookie sanitize". Then, there will be no tmm crash.

Fix:
Check to make sure all required arguments are present in an HTTP::cookie command prior to attempting to use them.


464870-7 : Datastor cores and restarts.

Component: TMOS

Symptoms:
Datastor cores and restarts. This occurs potentially because of generational issues, object replacement from archive, and the possibility that an object was deleted in the interim.

Conditions:
Traffic patterns that shift from low to moderate velocity with strong tiling to decoherent, high velocity traffic can cause this to occur when request queuing is turned on.

Impact:
Temporary cache outage. The cache must then be completely reseeded. A datastor core file is written, and datastor is restarted.

Workaround:

Fix:
Fixed potential crash and removed some extraneous time stamps from logged messages.


464252-2 : Possible tmm crash when modifying html pages with HTML profile.

Component: TMOS

Symptoms:
With certain combinations of append_to_tag/prepend_to_tag rules and input fragments, HTML profile could get stuck in an infinite loop.

Conditions:

Impact:
The BIG-IP will stop processing requests and failover after some time.

Workaround:
Remove HTML profile from virtual server. Or, modify profile rules in a way that would not cause loop.

Fix:
Fixed an issue in HTML profile which could cause an infinite loop while processing HTML page with certain rules.


464043-3 : Integration of Firmware for the 2000 Series Blades

Component: TMOS

Symptoms:
Integration of Firmware for the 2000 Series Blades.

Conditions:
When firmware has changes that benefit platforms, it is internally released and updated in the latest version of software.

Impact:
This will improve functioning of the hardware.

Workaround:
None. This is an action item.

Fix:
Integration of Firmware for the 2000 Series Blades.


464024-4 : File descriptor leak when running some TMSH commands through scriptd

Component: TMOS

Symptoms:
File descriptors for pipes are leaking when executing some TMSH commands through scriptd.

Conditions:
TMSH commands must execute via scriptd (for example, running tmsh::modify in an iCall, but there may be other conditions that lead to the leak).

Impact:
iCall scripts cease to function, and scriptd must be restarted. Eventually the system logs error messages similar to the following: err scriptd[11946]: 014f0013:3: Script (/Common) generated this Tcl error: script did not successfully complete: the pipe system call failed, Too many open files.

Workaround:

Fix:
All pipes are closed when a TMSH command is completed, so file descriptors no longer leak when running some TMSH commands through scriptd.


462714-2 : Source address persistence record times out even while traffic is flowing on FastL4 profile virtual server

Component: Local Traffic Manager

Symptoms:
A source address persistence record created on a virtual server with a FastL4 profile times out and is aged out even while traffic is flowing through that flow. The traffic that results in this issue is UDP with checksum of 0.

Conditions:
The profile has to be FastL4. Traffic that is either UDP with checksum of 0, or SCTP are definitely affected.

Impact:
Source address persistence is not usable as the entry ages out while it should not.

Workaround:
None.

Fix:
Source address persistence record no longer times out unexpectedly on FastL4 profile virtual server.


462514-1 : Support for XMLHttpRequest is extended

Component: Access Policy Manager

Symptoms:
JavaScript exceptions occur.

Conditions:
The problem occurs with web-application JavaScript code using XMLHttpRequest.

Impact:
Web-application logic and behavior can be broken.

Workaround:
There is no workaround at this time.

Fix:
XMLHttpRequest rewriting is improved, so that patched objects behave the same way (or close enough) as original ones on a given browser.


461189-5 : Generated assertion contains HEX-encoded attributes

Component: Access Policy Manager

Symptoms:
When a BIG-IP system serving as SAML identity provider (IdP), generates an assertion, the message might contain HEX-encoded values.

Conditions:
This occurs when user authenticates against LDAP/AD/RADIUS, and retrieved from AAA server attributes contain non-ASCII values. These non-ASCII values are then used by BIG-IP as Identity Provider in generated Assertion.

Impact:
SAML SSO might fail if Service Provider is not be able to process HEX-encoded attributes.

Workaround:
There is no workaround for IdentityProvider. On Service Provider side, assertion attribute values that begin with '0x' could be treated as HEX encoded. Such values can be HEX decoded after SP processed assertion.

Fix:
BIG-IP as Identity Provider now base64-encodes non-UTF8 attributes, as expected.


460627-3 : SASP monitor starts a new connection to the Group Workload Manager (GWM) server when a connection to it already exists

Component: Local Traffic Manager

Symptoms:
When the SASP monitor starts up, it can attempt to open a new TCP connection to the GWM server when another connection exists to it.

Conditions:
This happens when a GWM server sends the SendWeight messages to SASP monitor immediately after the registration of the pool member is complete, but the registration of all the pool members is not complete.

Impact:
The SASP monitor fins an existing TCP connection to the GWM server.

Workaround:
This issue has no workaround at this time.

Fix:
The Send Weight messages are processed only after the registration of all the pool members is complete. Monitor logging has been vastly improved. In addition, there was a crashing bug that caused the SASPD_monitor process to be restarted. That bug has been fixed.


458450-2 : Memory allocation metadata corruption when debugging log is enabled on ECA

Component: Access Policy Manager

Symptoms:
When ECA log level is set to debug, and receives a HTTP header cookie, and HTTP cookie header value is longer then 1023 characters, then there is a possibility of corrupting memory allocation metadata, which cause glibc malloc library to assert whenever it detects a corruption.

Conditions:
1. ECA log level is set to debug 2. ECA receives HTTP request contains HTTP cookie 3. HTTP cookie header value is longer then 1023 characters

Impact:
The impact of this issue is that ECA asserts and crashes.

Workaround:
Do not enable the debugging log.

Fix:
ECA can properly handle HTTP cookie header longer than 1023 characters when log level is set to debug.


458104-3 : LTM UCS load merge trunk config issue

Component: TMOS

Symptoms:
Performing the ucs sys load command does not overwrite trunk interface configuration, it merges with the existent setting. When loading UCS with RMA flag, you may not get expected results. The expected outcome is that the trunk is overwritten, not merged.

Conditions:
Current configuration has a trunk with several interface members. The UCS to be loaded contains the same trunk name but with other interfaces.

Impact:
The trunk incorrectly appears as merged, having both sets of interfaces. The config on disk bigip_base.conf shows the correct config. Reboot does not resolve the issue.

Workaround:
1. Restore the BIG-IP configuration to factory default settings using the command sequence: -- load sys config default. -- load sys ucs example.ucs no-license. -- save sys config. 2. Force the mcpd process to reload the BIG-IP configuration with the command sequence: touch /service/mcpd/forceload. -- load sys ucs example.ucs no-license. -- save sys config.

Fix:
Trunk config member interfaces are no longer merged during load. Only the trunk member interfaces defined in the config are present after a load.


457760-5 : EAM not redirecting stdout/stderr from standard libraries to /var/log/apm

Component: Access Policy Manager

Symptoms:
Logs from standard libraries were not redirected to /var/log/apm in EAM plugin.

Conditions:
Stdout/stderr from standard libraries are affected.

Impact:
stderr/ stdout from standard libraries were not logged and that impacted troubleshooting effort.

Workaround:
No workaround to log stderr/stdout

Fix:
[OAM] Redirecting stdout/stderr from standard libraries to /var/log/apm. This is now fixed.


455264-3 : Error messages are not clear when adding member to device trust fails

Component: TMOS

Symptoms:
If you cannot reach the IP address of a device that you are adding to a device trust then the error message does not properly display in the GUI. For some errors the message is empty and for some errors the message contains unformatted xml data.

Conditions:
This problem occurs when adding a peer or subordinate to the device trust where the IP address cannot be reached.

Impact:
User cannot be sure what the problem with adding the device really is.

Workaround:
Verify that the address is correct and that you are able to route to the device you are trying to add to the device trust.

Fix:
During trust initiation when the peer is unreachable, the system now posts the error message is "This device is not found."


455020-1 : RTSP profile idle timeout is not applied if it is longer than the TCP profile timeout

Component: Carrier-Grade NAT

Symptoms:
The minimum of the Real Time Streaming Protocol (RTSP) and TCP profile timeouts is applied to the RTP and RTCP connflows associated with an RTSP connection.

Conditions:
This problem can leave UDP connflows for RTP and RTCP open for a shorter time period than desired.

Impact:
The shorter timeout (either RTSP profile or TCP profile) is used for the idle timeout on RTP and RTCP flows associated with an RTSP connection.

Workaround:
To workaround this issue configure both the TCP and the RTSP profile so that the idle timeout periods are the same.

Fix:
With the fix, the RTP and RTCP timeouts use the value configured in the RTSP profile.


454692-4 : Assigning 'after' object to a variable causes memory leaks

Component: Local Traffic Manager

Symptoms:
Assigning 'after' object to a variable prevents the release of the 'after' object and its related connflow object, resulting in a memory leak for 'connflow', 'tcl (variable)', 'tclrule_pcb', and 'filter (variable)'.

Conditions:
This occurs when using the 'after' iRule command and assigning it to a variable.

Impact:
TMM crash or TMM memory usage increases.

Workaround:
Unset the variable containing the 'after' object, for example: when HTTP_REQUEST priority 800 { set SCRIPT_ID [\ after $static::one_second { log local0. "$LOG_MSG" } \ ] } when CLIENT_CLOSED { unset SCRIPT_ID }

Fix:
Assigning 'after' object to a variable no longer causes memory leaks.


452010-3 : RADIUS Authentication fails when username or password contain non-ASCII characters

Component: Access Policy Manager

Symptoms:
RADIUS Authentication fails when the logon name contains non-ASCII characters. The problem is caused due to failure in conversion from UTF-8 to Windows-1252.

Conditions:
RADIUS authentication is configured and username/password contain non-ASCII characters.

Impact:
Users are not able to log in.

Workaround:
There is no workaround for this issue.

Fix:
Now it is possible to configure charset decoding behavior. You can decode usernames and passwords into CP-1252 (original behavior) or use UTF-8 charset (in this case, RADIUS Auth sends the username and password unmodified).


450814-10 : Early HTTP response might cause rare 'server drained' assertion

Component: Local Traffic Manager

Symptoms:
Early HTTP response from the server might cause 'server drained' assertion and traffic disruption.

Conditions:
This occurs when the server sends an early response, which might occur if the server responded before the system completed processing the entire incoming HTTP request data from the client. A filter other than HTTP is also required on the chain.

Impact:
The system posts a 'server drained' assertion and traffic is disrupted.

Workaround:
None, however, this issue occurs very rarely.

Fix:
HTTP will not cause a "server drained" assertion if a server ends a connection in an early server response.


447874-5 : TCP zero window suspends data transfer

Component: Local Traffic Manager

Symptoms:
HTTP pipeline request might cause TCP window stay at 0 and not recover.

Conditions:
This intermittent issue occurs when HTTP pipeline requests are sent, and those requests use the GET method.

Impact:
When this occurs, the resulting TCP zero window suspends data transfer. It is possible that the TCP window will be reduced to 0 (zero) and never recover.

Workaround:
None.

Fix:
HTTP pipeline request no longer causes TCP window stay at 0 when HTTP pipeline requests are sent, and those requests use the GET method.


447043-3 : Cannot have 2 distinct 'contains' conditions on the same LTM policy operand

Component: Local Traffic Manager

Symptoms:
Cannot express conditions such as 'user-agent contains 'Android' AND 'Mobile'. LTM policies have operands that can be matched against a set of values, causing a match when the operand matches one of these values. There is no way to use current functionality to match all of the values. One specific situation in which this is needed is to configure 'contains'.

Conditions:
Specify an ltm rule with 2 conditions with the same operand and match type, for example: conditions { 0 { http-header name User-Agent contains values { Android } } 1 { http-header name User-Agent contains values { Mobile } }

Impact:
The policy does not work. The system posts an error message similar to the following: Failed to compile the combined policies.

Workaround:

Fix:
LTM policies now allow for rules to have multiple conditions on the same operand and same match type so that 'user-agent contains 'Android' AND 'Mobile' can now be expressed by specifying: conditions { 0 { http-header name User-Agent contains values { Android } } 1 { http-header name User-Agent contains values { Mobile } }


446860-4 : APM Exchange Proxy does not honor tmm.access.maxrequestbodysize DB variable and is subject to ID 405348

Component: Access Policy Manager

Symptoms:
APM Exchange Proxy does not honor tmm.access.maxrequestbodysize DB variable and is subject to ID 405348 (ActiveSync client fails to login to APM with large POST body)

Conditions:
ActiveSync client large POST body tries to log into APM.

Impact:
ActiveSync client with large POST body cannot log in even when tmm.access.maxrequestbodysize DB variable is configured

Workaround:
This issue has no workaround at this time.

Fix:
Now APM Exchange Proxy honors tmm.access.maxrequestbodysize DB variable. Modify the db variable "tmm.access.maxrequestbodysize" with a value larger than the maximum email body size you would like to support. The maximum supported value is 25000000 (25MB).


443298-2 : FW Release: Incorporate Victoria2 LOP firmware v1.20

Component: TMOS

Symptoms:
This is a standard bug used for tracking the incorporation of Firmware changes.

Conditions:
The purpose of this change is to integrate a firmware package into the BIGIP build.

Impact:
unknown

Workaround:

Fix:
FW Release: Incorporate Victoria2 LOP firmware v1.20 into BIG-IP


442884-1 : TMM assert "spdy pcb initialized" in spdy_process()

Component: Wan Optimization Manager

Symptoms:
TMM assert "spdy pcb initialized" in spdy_process() caused by a HUDEVT_ABORTED on a zero'd SPDY ctx from iSession.

Conditions:
This may happen when using APM + iSession + SPDY filter. The problem happen when iClient unexpectedly closes the connection (by sending FIN) before handshaking complete. FIN force the HUDEVT_ABORTED may come to SPDY before HUDEVT_FLOW_INIT (because INIT event may delayed in iSession due to HANDSHAKE). We believe the iClient sends FIN as result of some miss-configuration.

Impact:
TMM Asserts.

Workaround:
1. Fix iClient configuration. 2. Remove SPDY profile from the chain.

Fix:
We fixed iSession code for proper serve HUDEVT_ABORTED and HUDEVT_FLOW_INIT events. Now if HUDEVT_ABORTED arrives and HUDEVT_FLOW_INIT event was not passed up, iSession sends up HUDEVT_FLOW_INIT and forwards up HUDEVT_ABORTED only after that.


442871-1 : BIG-IP VE instances created using OpenStack interfaces may fail to detect the KVM hypervisor

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) instances created using OpenStack interfaces may fail to detect the Kernel-based Virtual Machine (KVM) hypervisor.

Conditions:
This issue occurs when all of the following conditions are met: -- You are deploying a BIG-IP VE instance on a KVM hypervisor. -- You are using the OpenStack interface tool set to perform the deployment.

Impact:
As a result of this issue, you may encounter one or more of the following symptoms: -- The BIG-IP VE instance fails to start. -- When starting the BIG-IP VE instance, diagnostic messages may indicate that the hypervisor is not recognized.

Workaround:
To work around this issue, you can modify your OpenStack compute nodes to run all instances as KVM. To do so, perform the following procedure: Note: The workaround assumes that your compute nodes use KVM as the default hypervisor. Impact of workaround: Performing the following procedure should not have a negative impact on your system. 1. Log in to the OpenStack compute node as the root user. 2. Using an editor, create a file in the /etc/nova directory named release. 3. Add the following content to the new file: [Nova] vendor = Red Hat product = Bochs package = RHEL 6.3.0 PC 4. Restart all services or reboot the compute note. 5. Redeploy a new BIG-IP VE instance using the OpenStack interface tool set.

Fix:
BIG-IP VE instances created using OpenStack interfaces now detect the KVM hypervisor. Important: If you performed the steps to work around this issue (as described in the known issue for this bug), removing the workaround might require a license change.


442698-10 : APD Active Directory module memory leak in exception

Component: Access Policy Manager

Symptoms:
The APD Active Directory module might leak memory if an exception happens.

Conditions:
exception happens when request is being processed

Impact:
session request failed, apd leaks a memory

Workaround:
NA

Fix:
APD is now more robust and handles exceptions in AD module properly.


442647-5 : IP::stats iRule command reports incorrect information past 2**31 bits

Component: Local Traffic Manager

Symptoms:
Due to a mistaken internal object-size conversion, the statistical data used by the IP::stats iRule command reports a negative number when the data exceeds 2**31.

Conditions:
Transferring more than 2 gigabytes or 2 billion packets on a connection that then uses IP::stats commands in an iRule will show a negative number.

Impact:
iRules cannot rely on the validity of the IP::stats counters when more than 2 gigabytes have been transferred.

Workaround:
Upgrade to a fixed version.

Fix:
iRules now uses a 64-bit object


441297-3 : LACP trunk remains down after restarting mcpd on 2000/4000 series platforms

Component: TMOS

Symptoms:
When you restart mcpd on 2000/4000 series platforms configured with a Link Aggregation Control Protocol (LACP) trunk, the trunk remains down.

Conditions:
This occurs on 2000/4000 series platforms with an LACP trunk when mcpd is restarted.

Impact:
Trunk status remains down after the restart, and interfaces are all reported as 'uninit'. Functionally, interfaces are all reported as 'uninit' does not affect single interface VLANs as traffic is still correctly carried.

Workaround:
Run the command: tmsh restart sys service pfmand. The restart of pfmand helps in updating the interface status, which in turn helps update the trunk status.

Fix:
LACP trunk now becomes active after restarting mcpd on 2000/4000 series platforms.


439880-2 : NTLM authentication does not work due to incorrect NetBIOS name

Component: Access Policy Manager

Symptoms:
Internally, the BIG-IP system assumes that the NetBIOS name always matches the prefix of the DNS name. For example, if the domain name is sales.company.com, then the NetBIOS name must be SALES. If the NetBIOS name does not meet this assumption, NTLM and/or Kerberos front-end authentication never work even when configured correctly. Under a Disjoint Namespace Scenario deployment, the NetBIOS name and prefix of the DNS name do not match, and the BIG-IP system cannot establish an SCHANNEL with the Active Directory server.

Conditions:
NetBIOS name does not match with the suffix of the DNS name.

Impact:
NTLM front-end authentication does not work as there is no SCHANNEL to Active Directory which can be used to verify the user's credentials.

Workaround:
Change the ActiveDirectory deployment to match its NetBIOS and DNS name.

Fix:
BIG-IP 11.6.0 HF6 introduced the Apm.NetBIOS.DomainName db variable as a global NetBIOS domain name. When the variable is defined with a non-default value, that value will be used as NetBIOS domain name during configuration. When the variable is defined with the default value (which is "<null>"), then APM reverts to extracting NetBIOS domain name from FQDN. This means when this db variable is set with a non-default value, only one NetBIOS domain is usable. Note: Support for the Apm.NetBIOS.DomainName db variable is discontinued in version 12.0.0 and later. For BIG-IP 12.0.0, when you create a Machine Account in APM, APM performs a domain join, retrieves the NetBIOS domain name from the Active Directory server, stores it in the configuration, and uses it for NTLM authentication. To use the new behavior, delete the existing machine account and recreate it. Otherwise, the machine account continues to obtain the NetBIOS name the way it did before version 12.0.0.


438674-5 : When log filters include tamd, tamd process may leak descriptors

Component: TMOS

Symptoms:
The log filter functionality in TMOS allows users to publish logs from a specific set of processes to various log destinations.

Conditions:
Configure log filter that includes tamd.

Impact:
Client authentication might fail. When a log filter includes tamd, the tamd process might start to leak descriptors.

Workaround:
Do not define log filters that include tamd (tamd is included in 'all').

Fix:
The BIG-IP system no longer sends tamd log messages to the configured remote log destinations.


431467-1 : Mac OS X support for nslookup and dig utilities to use VPN DNS

Component: Access Policy Manager

Symptoms:
Network access from browser or Edge Client on Mac does not change system DNS configuration the way that the nslookup and dig utilities expect. Once network access is established, the nslookup and dig utilities do not utilize DNS servers and DNS search suffixes set by SSL VPN.

Conditions:
NA access with DNS servers and DNS search suffixes, NA from browser or Edge Client on Mac OS X.

Impact:
The system should behave as expected except for the nslookup, dig, and host utilites.

Workaround:

Fix:
The nslookup, host and dig utilities are now able to use DNS server and DNS search suffixes set by SSL-VPN.


431283-7 : iRule binary scan may core TMM when the offset is large

Component: Local Traffic Manager

Symptoms:
Binary command does not check if the offset argument is beyond the internal buffer boundary, this may core TMM. Here is an example: binary scan [TCP::payload] @${offset_num}c var1 if "offset_num" is larger than payload buffer length, TMM may core.

Conditions:
Here is an example: binary scan [TCP::payload] @${offset_num}c var1 if "offset_num" is larger than payload buffer length, TMM may core.

Impact:
TMM may core.

Workaround:
Check payload length and compare with the offset argument before using the command.

Fix:
Check the offset value before moving the cursor.


429018-2 : tmipsecd cores when deleting a non-existing traffic selector

Component: TMOS

Symptoms:
tmipsecd cores when a to-be-removed traffic selector is not found in the internal database on tmipsecd.

Conditions:
This is a rare race condition.

Impact:
IPsec tunnel flapping and core dump.

Workaround:

Fix:
TMIPSECD logs a critical message instead of coring, and IPsec tunnel flapping and core dump no longer occurs when deleting a non-existing traffic selector.


426328-8 : Updating iRule procs while in use can cause a core

Component: Local Traffic Manager

Symptoms:
When updating an iRule that is in process or parked and has existing connections and uses a proc, a core can occur due to incorrect internal reference counting.

Conditions:
High traffic iRule that both parks and uses a proc.

Impact:
The BIG-IP system might temporarily fail to process traffic, and fail over if configured as part of a high availability (HA) pair.

Workaround:
Disable listener before updating iRule. For more information, see SOL14654: Updating an iRule that uses sideband connections may cause TMM to core, available here: http://support.f5.com/kb/en-us/solutions/public/14000/600/sol14654.

Fix:
Updating an iRule that uses sideband connections no longer causes TMM to core.


426209-2 : exporting to a CSV file may fail and the Admin UI is inaccessible

Component: Access Policy Manager

Symptoms:
If there are a large number of APM report records, exporting them to a CSV file might fail and the Admin GUI can then become inaccessible.

Conditions:
When the report data