
Supplemental Document: Release Information: Hotfixes: BIG-IP 12.1.1

Original Publication Date: 11/09/2016
Updated Date: 09/18/2017

BIG-IP Hotfix Release Information

Version: BIGIP-12.1.1
Build: 204.0
Hotfix Rollup: 2

Cumulative fixes from BIG-IP v12.1.1 Hotfix 1 that are included in this release
Cumulative fixes from BIG-IP v12.1.1 that are included in this release
Cumulative fixes from BIG-IP v12.1.0 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v12.1.0 Hotfix 1 that are included in this release
Known Issues in BIG-IP v12.1.x

Vulnerability Fixes

ID Number CVE Solution Article(s) Description
613127-3 CVE-2016-5696 SOL46514822 Linux TCP Stack vulnerability CVE-2016-5696


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Description
612564 1-Blocking mysql does not start
618382-4 2-Critical qkview may cause tmm to restart or may take 30 or more minutes to run
612952-1 3-Major PSU FW revision not displayed correctly
610307 3-Major Spurious error message from mcpd at shutdown: Subscription not found in mcpd for subscriber Id BIGD_Subscriber
609325 3-Major Unsupported DDM F5 SFP modules do not write log message saying DDM is not supported
606807-1 3-Major i5x00, i7x00, i10x00 series appliances may use sensor number instead of name "LCD health" reporting communication error
604459-1 3-Major On i5x00, i7x00 and i10x00 platforms, bcm56xxd may restart on power-up
597309-2 3-Major Increase the Maximum Members Per Trunk limit to 32 or 64 for high end platforms
561444-1 3-Major LCD might display incorrect output.
521270-1 3-Major Hypervisor might replace vCMP guest SYN-Cookie secrets
434573-6 3-Major Tmsh 'show sys hardware' displays Platform ID instead of platform name
609677-1 4-Minor Dossier warning 14
607857-1 4-Minor Some information displayed in "list net interface" will be stale for interfaces that change bundle state
607200-1 4-Minor Switch interfaces may seem up after bcm56xxd goes down
602061 4-Minor i5x00, i7x00, i10x00 series appliances have inconsistent firmware update messages
601309 4-Minor Locator LED no longer persists across reboots
592716-1 4-Minor BMC timezone value was not being synchronized by BIG-IP


Local Traffic Manager Fixes

ID Number Severity Description
597708-4 3-Major Stats are unavailable and VCMP state and status is incorrect



Cumulative fixes from BIG-IP v12.1.1 Hotfix 1 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Description
542097-4 2-Critical Update to RHEL6 kernel
601938-2 3-Major Occasionally MCPD logs certain information incorrectly
601927-1 4-Minor Security hardening of control plane


Local Traffic Manager Fixes

ID Number Severity Description
602653-1 2-Critical TMM may crash after updating bot-signatures
599769 2-Critical TMM may crash when managing APM clients.
605682-2 3-Major With forward proxy enabled, sometimes the client connection will not complete.
599054-2 3-Major LTM policies may incorrectly use those of another virtual server


Application Security Manager Fixes

ID Number Severity Description
585120-1 2-Critical Memory leak in bd under rare scenario


Application Visibility and Reporting Fixes

ID Number Severity Description
596674-2 2-Critical High memory usage when using CS features with gzip HTML responses.
575170-2 2-Critical Analytics reports may not identify virtual servers correctly
590074-1 3-Major Wrong value for TCP connections closed measure


Advanced Firewall Manager Fixes

ID Number Severity Description
598294-1 2-Critical In rare cases, tmm might crash with ASM enabled.


iApp Technology Fixes

ID Number Severity Description
603605-1 2-Critical Cannot install DoS Hybrid Defender on standby device in HA pair if it's already installed on active
608373-2 3-Major Some iApp LX packages will not be saved during upgrade or UCS save/restore



Cumulative fixes from BIG-IP v12.1.1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
596488-1 CVE-2016-5118 SOL82747025 GraphicsMagick vulnerability CVE-2016-5118.
570667-2 CVE-2016-0701 CVE-2015-3197 SOL64009378 OpenSSL vulnerabilities
587077-1 CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2115 CVE-2016-2118 SOL37603172 Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118
579220-1 CVE-2016-1950 SOL91100352 Mozilla NSS vulnerability CVE-2016-1950
570697-1 CVE-2015-8138 SOL71245322 NTP vulnerability CVE-2015-8138
580340-1 CVE-2016-2842 SOL52349521 OpenSSL vulnerability CVE-2016-2842
580313-1 CVE-2016-0799 SOL22334603 OpenSSL vulnerability CVE-2016-0799
579829-7 CVE-2016-0702 SOL79215841 OpenSSL vulnerability CVE-2016-0702
579085-6 CVE-2016-0797 SOL40524634 OpenSSL vulnerability CVE-2016-0797
578570-1 CVE-2016-0705 SOL93122894 OpenSSL Vulnerability CVE-2016-0705
569355-1 CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494 SOL50118123 Java vulnerabilities CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494
565895-1 CVE-2015-3217 SOL17235 Multiple PCRE Vulnerabilities


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Description
606509-4 2-Critical Incorrect process priority in vCMP guest results in low priority of the guest control-plane, which might cause high availability failover
595605 2-Critical Upgrades from 11.6.1 or recent hotfix rollups to 12.0.0 may fail
591119 2-Critical OOM with session messaging may result in TMM crash
579210 2-Critical VIPRION B4400N blades might fail to go Active under rare conditions.
601076 3-Major Fix watchdog event for accelerated compression request overflow
597303 3-Major "tmsh create net trunk" may fail
595693 3-Major Incorrect PVA indication on B4450 blade
591261 3-Major BIG-IP VPR-B4450N shows "unknown" SNMP Object ID
590904-1 3-Major New HA Pair created using serial cable failover only will remain Active/Active
589661 3-Major PS2 power supply status incorrect after removal
588327 3-Major "err bcm56xxd"-like log messages observed in /var/log/ltm
587735 3-Major False alarm on LCD indicating bad fan
587668 3-Major LCD Checkmark button does not always bring up clearing prompt on VIPRION blades.
585332 3-Major Virtual Edition network settings aren't pinned correctly on startup
584670 3-Major Output of tmsh show sys crypto master-key
584661 3-Major Last good master key
584655 3-Major platform-migrate won't import password protected master-keys from a 10.2.4 UCS file
583177 3-Major LCD text truncated by heartbeat icon on VIPRION
581945-2 3-Major Device-group "datasync-global-dg" becomes out-of-sync every hour
581811 3-Major The blade alarm LED may not reflect the warning that non F5 optics is used.
579529 3-Major Stats file descriptors kept open in spawned child processes
578064 3-Major tmsh show sys hardware shows "unavailable" for hard disk manufacturer on B4400/B4450 blade
578036-1 3-Major incorrect crontab can cause large number of email alerts
573584 3-Major CPLD update success logs at the same error level as an update failure
563592 3-Major Content diagnostics and LCD
555039-4 3-Major VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration
539360 3-Major Firmware update might take over 15 minutes. Do not turn off device.
526708 3-Major system_check shows fan=good on removed PSU of 4000 platform
433357 3-Major Management NIC speed reported as 'none'
400778 3-Major Message: err chmand[5011]: 012a0003:3: Physical disk CF1/HD1 not found for logical disk delete
400550 3-Major LCD listener error during shutdown
587780 4-Minor warning: HSBe2 XLMAC initial recovery failed after 11 retries.
478986 4-Minor Powered down DC PSU is treated as not-present
418009 5-Cosmetic Hardware data display inaccuracies


Local Traffic Manager Fixes

ID Number Severity Description
603700 2-Critical tmm core on multiple SSL::disable calls
598052-1 2-Critical SSL Forward Proxy "Cache Certificate by Addr-Port", cache lookup fails
591139 2-Critical TMM QAT segfault after zlib/QAT compression conflation.
585654 2-Critical Enhanced implementation of AES in Common Criteria mode
579955-6 2-Critical HTTP2 and SPDY sometimes keep too many back-end connections
579953 2-Critical Updated the list of Common Criteria ciphersuites
584926-1 3-Major Accelerated compression segfault when devices are all in error state.
566342 3-Major Cannot set 10T-FD or 10T-HD on management port


Performance Fixes

ID Number Severity Description
599803 1-Blocking TMM accelerated compression incorrectly destroying in-flight contexts.
588879-2 2-Critical apmd crash under rare conditions with LDAP in BIGIP 12.0 and beyond


Application Security Manager Fixes

ID Number Severity Description
588049-1 2-Critical Improve detection of browser capabilities
585352-2 2-Critical bruteForce record selfLink gets corrupted by change to brute force settings in GUI
585054-1 2-Critical BIG-IP imports delay violations incorrectly, causing wrong policy enforcement
583686-2 3-Major High ASCII meta-characters can be disallowed on UTF-8 policy via XML import
581991-1 3-Major Logging filter for remote loggers doesn't work correctly with more than one logging profile
521370-1 3-Major Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8
518201-4 3-Major ASM policy creation fails after upgrading


Access Policy Manager Fixes

ID Number Severity Description
600811-2 3-Major CATEGORY::lookup command change in behaviour
587419-1 3-Major TMM may restart when SAML SLO is performed after APM session is closed
585442-2 3-Major Provisioning APM to "none" creates a core file


Advanced Firewall Manager Fixes

ID Number Severity Description
596809-1 3-Major It is possible to create ssh rules with blank space for auth-info
593925-1 3-Major ssh profile should not contain rules that begin and end with spaces (cannot be deleted)
593696-1 3-Major Sync fails when deleting an ssh profile


Carrier-Grade NAT Fixes

ID Number Severity Description
584921-1 2-Critical Inbound connections fail to keep port block alive


Global Traffic Manager (DNS) Fixes

ID Number Severity Description
581824-2 3-Major "Instance not found" error when viewing the properties of GSLB monitors gateway_icmp and bigip_link.



Cumulative fixes from BIG-IP v12.1.0 Hotfix 2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
600662-9 CVE-2016-5745 SOL64743453 NAT64 vulnerability CVE-2016-5745
599168-7 CVE-2016-5700 SOL35520031 BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
598983-7 CVE-2016-5700 SOL35520031 BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
580596-1 CVE-2013-0169 CVE-2016-6907 SOL14190 SOL39508724 TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Description
604211-1 2-Critical License not operational on Azure after upgrading from 12.0.0 HF1-EHF14 to 12.0.0-HF4 or 12.1.0-HF1 or 12.1.1.
600859-2 2-Critical Module not licensed after upgrade from 11.6.0 to 12.1.0 HF1 EHF.
599033-5 2-Critical Traffic directed to incorrect instance after network partition is resolved
595394-3 2-Critical Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x can result in instance becoming inaccessible.
606110-2 3-Major BIG-IP VE dataplane interfaces change to using UNIC modules instead of sockets.
596814-4 3-Major HA Failover fails in certain valid AWS configurations
596603-2 3-Major AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.


Application Security Manager Fixes

ID Number Severity Description
600357-2 3-Major bd crash when asm policy is removed from virtual during specific configuration change



Cumulative fixes from BIG-IP v12.1.0 Hotfix 1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
591806-8 CVE-2016-3714 SOL03151140 ImageMagick vulnerability CVE-2016-3714
569467-5 CVE-2016-2084 SOL11772107 BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.
591918-2 CVE-2016-3718 SOL61974123 ImageMagick vulnerability CVE-2016-3718
591908-2 CVE-2016-3717 SOL29154575 ImageMagick vulnerability CVE-2016-3717
591894-2 CVE-2016-3715 SOL10550253 ImageMagick vulnerability CVE-2016-3715
591881-1 CVE-2016-3716 SOL25102203 ImageMagick vulnerability CVE-2016-3716


Functional Change Fixes

ID Number Severity Description
583631-2 1-Blocking ServerSSL ClientHello does not encode the lowest supported TLS version, which might result in alerts and closed connections on older servers.
590993 3-Major Unable to load configs from /usr/libexec/aws/.
576478 3-Major Enable support for the Purpose-Built DDoS Hybrid Defender Platform
544477 3-Major New Hourly Billable VE instances in AWS and Azure register with F5 Licensing Server for Support.


TMOS Fixes

ID Number Severity Description
591039 2-Critical DHCP lease is saved on the Custom AMI used for auto-scaling VE
590779 2-Critical Rest API - log profile in json return does not include the partition but needs to
588140 2-Critical Pool licensing fails in some KVM/OpenStack environments
587791-1 2-Critical Set execute permission on /var/lib/waagent
565137 2-Critical Pool licensing fails in some KVM/OpenStack environments.
554713-2 2-Critical Deployment failed: Failed submitting iControl REST transaction
592363 3-Major Remove debug output during first boot of VE
592354 3-Major Raw sockets are not enabled on Cloud platforms


Local Traffic Manager Fixes

ID Number Severity Description
592699-3 2-Critical Performance of IPv6 data pulled from the BIG-IP system via HTTPS, SCP, SSH, DNS or SMTP
594302-1 3-Major Connection hangs when processing large compressed responses from server
592854-1 3-Major Protocol version set incorrectly on serverssl renegotiation
592682-1 3-Major TCP: connections may stall or be dropped
531979-6 3-Major SSL version in the record layer of ClientHello is not set to be the lowest supported version.


Application Visibility and Reporting Fixes

ID Number Severity Description
582629-1 2-Critical User Sessions lookups are not cleared, session stats show marked as invalid


Access Policy Manager Fixes

ID Number Severity Description
590601-2 3-Major BIG-IP as SAML SP does not redirect users to original request URI after authentication is completed
590428-1 3-Major The "ACCESS::session create" iRule command does not work
590345-1 3-Major ACCESS policy running iRule event agent intermittently hangs
585905-1 3-Major Citrix Storefront integration mode with pass-through authentication fails
581834-5 3-Major Firefox signed plugin for VPN, Endpoint Check, etc


Anomaly Detection Services Fixes

ID Number Severity Description
588399-1 3-Major BIG-IP CPU utilization can be high even when all bad actors are detected and mitigated
582374-1 3-Major Multiple 'Loading state for virtual server' messages in admd.log
569121-1 3-Major Advanced Detection rate limiting can be incorrect in multi-blade clusters when rate limit is low
547053-1 4-Minor Bad actor quarantining


Traffic Classification Engine Fixes

ID Number Severity Description
590795-1 2-Critical tmm crash when loading default signatures or updating classification signature

 

Cumulative fix details for BIG-IP v12.1.1 Hotfix 2 that are included in this release

618382-4 : qkview may cause tmm to restart or may take 30 or more minutes to run

Component: TMOS

Symptoms:
When taking a qkview on a heavily loaded BIG-IP device (with lots of connections) running 12.1.0 or 12.1.1, the qkview utility may take a very long time to complete (30+ minutes) or cause tmm to restart. This is due to a new qkview command that was added to gather a list of recent connections with the tmsh show sys connection command, which has a significant performance impact when run while the BIG-IP is heavily loaded.

Conditions:
This can occur on the following versions:

- 12.1.0 including 12.1.0 HF1 and 12.1.0 HF2
- 12.1.1 including 12.1.1 HF1

This can occur when the BIG-IP is heavily loaded and while running the qkview command.

Impact:
Qkview command can take an exceedingly long time to run (30+ minutes).
Traffic disrupted while tmm restarts.

Workaround:
Do not run the qkview command if the device is heavily loaded.

Fix:
Removed offending "show sys connection" command from qkview utility.


613127-3 : Linux TCP Stack vulnerability CVE-2016-5696

Vulnerability Solution Article: SOL46514822


612952-1 : PSU FW revision not displayed correctly

Component: TMOS

Symptoms:
When EUD displays the PSU FW revision, it is truncated from 16 bytes to 14 bytes.

Conditions:
This occurs when using a Murata REV02 M1845 PSU with AOM FW earlier than 2.7.14.

Impact:
Incomplete PSU FW rev.

Workaround:
Infer the last 2 characters of the PSU FW rev from the 14 that are displayed and the HW revision of the PSU.


612564 : mysql does not start

Component: TMOS

Symptoms:
ASM storage initialization does not happen.

Conditions:
BIG-IP iSeries platforms; this occurs after new software install.

Impact:
Application is non-functional.

Workaround:
Remove the sentinel file /appdata/mprov/local/HD1.4/mysqldb/.moved.to.asmdbvol and reboot.


610307 : Spurious error message from mcpd at shutdown: Subscription not found in mcpd for subscriber Id BIGD_Subscriber

Component: TMOS

Symptoms:
This error message may be generated once or twice at shutdown:

01070069:3: Subscription not found in mcpd for subscriber Id BIGD_Subscriber.

Conditions:
Occurs once or twice per boot as a BIG-IP is being shut down or restarted.

Impact:
None. This can be ignored.

Workaround:
No workaround necessary. This message indicates no ill effects and can be ignored.

Fix:
This error message could have been generated once or twice at shutdown:

01070069:3: Subscription not found in mcpd for subscriber Id BIGD_Subscriber.

It no longer appears. Note that even when it was present, it only occurred at system shutdown and could be ignored.


609677-1 : Dossier warning 14

Component: TMOS

Symptoms:
After each boot, the /var/log/ltm log file contains messages similar to the following: warning mcpd[6296]: 01070267:4: Dossier warning 14.

Conditions:
This occurs upon reboot after licensing and management port configuration is complete on i5000/i7000/i10000-Series platforms.

Impact:
There is no functional impact. This is a benign message that can be safely ignored.

Workaround:
None.

Fix:
The /var/log/ltm log file no longer contains the benign messages similar to the following: warning mcpd[6296]: 01070267:4: Dossier warning 14.


609325 : Unsupported DDM F5 SFP modules do not write log message saying DDM is not supported

Component: TMOS

Symptoms:
QSFP modules that do not support DDM (Digital Diagnostic Monitoring) write a message to /var/log/ltm indicating DDM is not supported; however, certain F5-branded SFP modules without DDM support do not write such a message.

Conditions:
Upon inserting an SFP module that does not support DDM.

Impact:
DDM is not reporting information for the following optics:

Unsupported DDM 1Gb-10GB SFP modules:

OPT-0004
OPT-0007
OPT-0011
OPT-0015
OPT-0051
OPT-0033

Workaround:
None.

Fix:
All DDM SFP 1Gb-10GB modules now log in /var/log/ltm that DDM is not supported with that optical transceiver.


608373-2 : Some iApp LX packages will not be saved during upgrade or UCS save/restore

Component: iApp Technology

Symptoms:
iApp LX packages that declare dependencies on system utilities (such as /bin/sh, /bin/bash or python) cannot be imported into the iApp LX RPM database.

Conditions:
iApp LX packages that depend on system utilities.

Impact:
iApp LX packages with dependencies will not be restored during upgrade or UCS restore process.

Workaround:
None.

Fix:
The iApp LX UCS save process is updated to turn off automatic dependency generation by rpmbuild, so the iApp LX package can be imported during UCS restore or upgrade.


607857-1 : Some information displayed in "list net interface" will be stale for interfaces that change bundle state

Component: TMOS

Symptoms:
Changing the bundling on an interface does not clear the following fields in the previously configured interface:
module-description, serial, vendor, vendor-oui, vendor-partnum, vendor-revision.

That information will be correct for the active interface, it is just not cleared for the previously configured interface.

Module description is not correctly reported on unbundled interfaces.

Conditions:
Bundling change on an interface

Impact:
"list net interface" on previously configured interfaces will show stale information. May be confusing.
Module description is missing from "list net interface" on unbundled interfaces.

Workaround:
Stale data will clear on a reboot. This is purely a display issue, it does not affect the functionality of the currently configured interfaces.


607200-1 : Switch interfaces may seem up after bcm56xxd goes down

Component: TMOS

Symptoms:
'tmsh show net interface' may show that switch ports are still up after bcm56xxd is brought down. This is because bcm56xxd does not notify mcpd that bcm56xxd will go down.

Conditions:
If the switch ports are up and bcm56xxd is brought down, 'tmsh show net interface' will show that the switch ports are still up.

Impact:
The switch ports may seem up, but traffic can't be sent/received.

Workaround:
None.

Fix:
bcm56xxd now notifies mcpd that all ports are uninitialized before it goes down.


606807-1 : i5x00, i7x00, i10x00 series appliances may use sensor number instead of name "LCD health" reporting communication error

Component: TMOS

Symptoms:
If the LCD is not communicating with the BIG-IP system when the chassis manager daemon (chmand) starts, LCD errors are occasionally reported using the sensor number rather than the name "LCD".

Conditions:
chmand restarts while the LCD is unable to communicate.

Impact:
Cosmetic.

Fix:
LCD error will show name "LCD" rather than sensor number in communication error.


606509-4 : Incorrect process priority in vCMP guest results in low priority of the guest control-plane, which might cause high availability failover

Component: TMOS

Symptoms:
Incorrect process priority in vCMP guest results in low priority of the guest control-plane, which might cause high availability failover.

Conditions:
This occurs when the following conditions are met:
* vCMP provisioned.
* vCMP hypervisor (host) running 12.1.0
* vCMP guest with 2 or more cores deployed and running 11.5.0 or greater.
* vCMP guest has HT-Split enabled (tmsh list sys db scheduler.splitplanes.ltm).

Impact:
vCMP guests may experience control-plane issues (such as failures to send or receive network failover traffic in an HA-pair, causing a failover).

Fix:
This release restores the process nice value of VCMP guest control-plane, so the vCMP guest no longer experiences potential frequent failovers.


606110-2 : BIG-IP VE dataplane interfaces change to using UNIC modules instead of sockets.

Component: TMOS

Symptoms:
On AWS and Azure, dataplane interfaces use socket-based networking rather than UNIC modules. After upgrading to a version later than 12.1.0, the default for dataplane interfaces becomes UNIC modules instead of socket-based networking.

Conditions:
Upgrading BIG-IP VE on AWS or Azure from version 12.0.0 or 12.1.0.

Impact:
The raw socket-based tmm driver is replaced by a UNIC driver, losing the benefits of the socket-based driver: no kernel driver dependencies and better portability across kernel/driver upgrades.

Workaround:
None.

Fix:
BIG-IP VE socket-based networking driver retained after upgrade on AWS or Azure.


605682-2 : With forward proxy enabled, sometimes the client connection will not complete.

Component: Local Traffic Manager

Symptoms:
If forward proxy is enabled, and a required forged certificate is not in the cache, the connection might not complete.

Conditions:
Forward proxy is enabled, and a required forged certificate is not in the cache.

Impact:
Degraded service due to connections not completing.

Workaround:
None.

Fix:
The stalling caused by a missing forged certificate no longer happens.


604459-1 : On i5x00, i7x00 and i10x00 platforms, bcm56xxd may restart on power-up

Component: TMOS

Symptoms:
The following message appears on the console shortly after the system boots:

emerg logger: Re-starting bcm56xxd.

Conditions:
This occurs as a result of a possible race condition on i5x00, i7x00 and i10x00 platforms.

Impact:
No functional impact, bcm56xxd daemon restarts successfully.

Workaround:
None.


604211-1 : License not operational on Azure after upgrading from 12.0.0 HF1-EHF14 to 12.0.0-HF4 or 12.1.0-HF1 or 12.1.1.

Component: TMOS

Symptoms:
On Azure, after upgrading to any version other than 12.0.0 HF1-EHF14 or 12.1.0-HF1-EHF22, the system boots up as Not Licensed and Inoperative.

Although certain cloud-specific 12.x EHFs, such as BIG-IP Virtual Edition 12.1.0 HF1 EHF1, are intended for AWS only, BIG-IP does not prevent you from accidentally downloading and installing them in Azure environments. If you upgrade an Azure instance from BIG-IP Virtual Edition 12.0.0 HF1 EHF14 to 12.1.0 HF1 EHF1, 12.0.0-HF4 or 12.1.1, the Azure license becomes nonoperational and is invalidated.

Conditions:
Upgrading a BYOL instance on Azure to 12.1.0 HF1 EHF1 or 12.1.1. The Azure-specific versions are as follows:
- 12.0.0-HF1-EHF14.
- 12.1.0-HF1-EHF22.

Impact:
License becomes unusable. Re-licensing the instance gets an invalid license.

Workaround:
The workaround for this issue is to boot back into previous boot volume, and then upgrade to 12.1.0-HF1-EHF22 in Azure.

To change default boot volume, choose one of the following methods:
1. tmsh reboot volume volume-name.
2. switchboot utility (interactive mode by default).
3. Admin UI.

For more information about the switchboot utility, see SOL5658: Overview of the switchboot utility, available here: https://support.f5.com/kb/en-us/solutions/public/5000/600/sol5658.html.

Fix:
This release fixes the issue in which the Azure license became nonoperational after upgrading from BIG-IP Virtual Edition 12.0.0 HF1 EHF14 to 12.1.0 HF1 EHF1.

Note: Do not use BIG-IP 12.1.0 HF1 EHF1 in the Azure environments.


603700 : tmm core on multiple SSL::disable calls

Component: Local Traffic Manager

Symptoms:
tmm can crash if SSL::disable is called repeatedly in an iRule event.

Conditions:
Invoking SSL::disable multiple times in the same iRule event

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a crash related to multiple calls of SSL::disable


603605-1 : Cannot install DoS Hybrid Defender on standby device in HA pair if it's already installed on active

Component: iApp Technology

Symptoms:
After installation on the active device, the application RPM is replicated to the standby. If the standby does not already have DHD installed, the installation page is never shown.

Conditions:
HA setup for DoS Hybrid Defender, with DHD only installed on Active.

Impact:
HA cannot be supported for DHD application on 12.1.0 and 12.1.1.

Workaround:
None.

Fix:
Can now install DoS Hybrid Defender on standby device in HA pair if it's already installed on active.


602653-1 : TMM may crash after updating bot-signatures

Component: Local Traffic Manager

Symptoms:
TMM may crash after DOSL7 bot signatures config has changed.

Conditions:
This is likely to happen after DOSL7 bot signatures config has changed.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Adding or removing some signatures should avoid the crash.

Fix:
Fixed a memory corruption when updating bot signatures.


602061 : i5x00, i7x00, i10x00 series appliances have inconsistent firmware update messages

Component: TMOS

Symptoms:
When firmware is updated on an i5000, i7000 or i10000 series appliance, messages appear on the console indicating the update is in progress. The messages are inconsistent: some give an expected duration for the update and some do not.

Conditions:
Firmware update following the installation of a new iso with new firmware that must be programmed.

Impact:
Cosmetic.

Workaround:
None


601938-2 : Occasionally MCPD logs certain information incorrectly

Component: TMOS

Symptoms:
MCPD does not log information in the expected format.

Conditions:
Creating a new log entry.

Impact:
The log entry may not be in the expected format.

Workaround:
Rebooting the BIG-IP system causes the format to be updated correctly.

Fix:
MCPD now logs information in the correct format.


601927-1 : Security hardening of control plane

Component: TMOS

Symptoms:
Internal testing found control-plane files whose permissions needed to be tightened.

Conditions:
N/A

Impact:
N/A

Fix:
Apply the latest security practices to control-plane files.


601309 : Locator LED no longer persists across reboots

Component: TMOS

Symptoms:
The Locator LED (blinking F5 logo ball) state could be retained across reboots if the TMSH config was saved. The intended behavior is to default to disabled on reboot.

Conditions:
Setting the Locator to "enabled" via either the LCD or TMSH, then saving the TMSH config.

Impact:
Affects i5600, i5800, i7600, i7800, i10600, and i10800 appliances.

Workaround:
Disable the Locator LED and save the TMSH config

Fix:
Fixed Locator LED state persisting through reboots


601076 : Fix watchdog event for accelerated compression request overflow

Component: TMOS

Symptoms:
Accelerated compression requests that exceed 128 in-flight requests can cause a watchdog event.

Conditions:
Very rapid queuing of concurrent accelerated compression requests.

Impact:
TMM generates an HA failover driven by the accelerated compression watchdog timer.

Workaround:
Disable hardware accelerated compression with:

  % tmsh modify sys db compression.strategy value softwareonly

Fix:
Apply a constraint on accelerated compression request DMA ring so no more than 128 in-flight requests are queued at any one time.


600859-2 : Module not licensed after upgrade from 11.6.0 to 12.1.0 HF1 EHF.

Component: TMOS

Symptoms:
After upgrading 11.6.0 Hourly instances to 12.1.0 EHF Hourly instances with Instance Registration support, instance license becomes invalid and BIG-IP is unable to acquire a new hourly license.

Conditions:
Upgrading an 11.6.0 or earlier Hourly Licensing instance to 12.1.0 HF1 EHF.

Impact:
License is invalidated and instance becomes unusable.

Workaround:
- Run "/usr/libexec/autoLicense -l" from command-line.

Fix:
Modules license correctly after upgrade from 11.6.0 to 12.1.0 HF2 or later.


600811-2 : CATEGORY::lookup command change in behaviour

Component: Access Policy Manager

Symptoms:
Starting in v12.1.1, the CATEGORY::lookup iRule command no longer accepts an HTTP URI in its argument if the BIG-IP system has APM + URL Filtering provisioned, or only URL Filtering provisioned (for SSL Bypass decisions).

Only a valid hostname can be passed, and its category is returned.

In versions prior to v12.1.1, the following iRule command would be valid:

when HTTP_REQUEST {
  set this_uri http://[HTTP::host][HTTP::uri]
  set reply [CATEGORY::lookup $this_uri]
  log local0. "Category lookup for $this_uri returns $reply"
}

Starting in v12.1.1, the HTTP::uri statement must be removed from the previous example. If an HTTP::uri is provided to the command, an error is returned:

Jun 27 16:43:41 bigip4000-a41-1mgmt err tmm2[12601]: 01220001:3: TCL error: /Common/_1_categ_test <HTTP_REQUEST> - Categorization engine returned an error. invoked from within "CATEGORY::lookup $this_uri"

Starting in v12.1.1, the example should be modified to pass in the HTTP::host only:

when HTTP_REQUEST {
  set this_uri http://[HTTP::host]
  set reply [CATEGORY::lookup $this_uri]
  log local0. "Category lookup for $this_uri returns $reply"
}

If APM and SWG are licensed and provisioned, the CATEGORY::lookup iRule command will accept an HTTP URI as a part of the argument to the command.

Conditions:
- BIG-IP licensed and provisioned for:
 - APM + URL Filtering
 - URL Filtering (used for SSL Bypass decisions in SSL Air-Gap deployments)
- An iRule which supplies a URI path to the CATEGORY::lookup iRule command

Impact:
After upgrading to v12.1.1, existing iRules that pass an HTTP::uri, or a plain-text string containing anything other than an HTTP hostname, to the CATEGORY::lookup iRule command receive an error from the command. This can cause errors in existing deployments.

Workaround:
The required mitigation is to update the iRule so that it passes only an HTTP hostname to the CATEGORY::lookup iRule command.


600662-9 : NAT64 vulnerability CVE-2016-5745

Vulnerability Solution Article: SOL64743453


600357-2 : bd crash when asm policy is removed from virtual during specific configuration change

Component: Application Security Manager

Symptoms:
BD restarts and produces a core file

Conditions:
A configuration change that involves the headers configuration or a policy reconfiguration, while at the same time the ASM policy is removed from the virtual server.
This is more likely to happen in scripted tests than in the field.

Impact:
Traffic gets dropped while the ASM gets restarted.

Workaround:
Don't change ASM configuration at the same time as changing the virtual server configuration.

Fix:
System will still restart but will not produce a core file when this happens.


599803 : TMM accelerated compression incorrectly destroying in-flight contexts.

Component: Performance

Symptoms:
You see a tmm core while using compression profiles.

Conditions:
Related to use of hardware compression.

Impact:
Report of a watchdog event, or an ASSERT generated by the compression layer. Traffic disrupted while tmm restarts.

Workaround:
Disable accelerated compression using the following command:

% tmsh modify sys db compression.strategy value softwareonly

Fix:
The system now correctly dispatches cancelled in-flight accelerated compression contexts when cancellation comes while hardware is still actively compressing.


599769 : TMM may crash when managing APM clients.

Component: Local Traffic Manager

Symptoms:
When managing APM clients it is possible to encounter a rare tmm crash.

Conditions:
APM enabled and actively managing clients.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
There is no longer a rarely encountered TMM crash when managing APM clients.


599168-7 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700

Vulnerability Solution Article: SOL35520031


599054-2 : LTM policies may incorrectly use those of another virtual server

Component: Local Traffic Manager

Symptoms:
LTM policies may use policies configured on another virtual server.

Conditions:
- A configuration with several virtual servers and several LTM policies attached to those virtual servers.
- Configuration load: manually using the command tmsh load sys conf, or automatically by an upgrade or full config-sync.

Impact:
LTM policies get incrementally added to virtual servers as the policies are compiled, causing unexpected traffic handling decisions based on other policies.

Workaround:
Do not run tmsh load sys conf if you have policies configured. After an upgrade or full config-sync, issuing a bigstart restart command or restarting the device fixes this condition.

Fix:
LTM policies no longer incorrectly use those of another virtual server.


599033-5 : Traffic directed to incorrect instance after network partition is resolved

Component: TMOS

Symptoms:
After a network partition is resolved, the BIG-IP high availability subsystem may select a different device to handle traffic than the external network does.

Conditions:
If the external network does not respond to GARP (Gratuitous ARP) messages to direct IP traffic to the correct device after an Active/Active condition is resolved, then it may continue to send traffic to a device that is now in Standby mode.

Impact:
Traffic will be interrupted since the upstream network is sending traffic to a device that won't process it.

Workaround:
The administrator might be able to manually run a script or command to redirect traffic to the correct device that is hosting the virtual service.

Fix:
When a network partition is resolved, and an Active/Active high availability pair chooses a single Active node, it now invokes a script that can be used to automatically notify the external network infrastructure of the new location for the virtual service. This new script is located in /config/failover/tgrefresh, and is invoked in addition to the transmission of GARP messages.


598983-7 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700

Vulnerability Solution Article: SOL35520031


598294-1 : In rare cases, tmm might crash with ASM enabled.

Component: Advanced Firewall Manager

Symptoms:
A rare crash exists in tmm when passing traffic with ASM enabled.

Conditions:
This is a rare core in tmm that might occur when ASM is enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


598052-1 : SSL Forward Proxy "Cache Certificate by Addr-Port", cache lookup fails

Component: Local Traffic Manager

Symptoms:
When enabling the SSL Forward Proxy "Cache Certificate by Addr-Port" on the client SSL profile, later flows on cached certificate lookups by "Addr-Port" do not hit the cache.

Conditions:
Enable SSL Forward Proxy and use "Cache certificate by Addr-Port".

Impact:
The client-side certificate lookup fails, which may trigger a server-side SSL handshake.

Fix:
With this fix, the certificate lookup by "Addr-Port" can result in a cache hit.


597708-4 : Stats are unavailable and VCMP state and status is incorrect

Component: Local Traffic Manager

Symptoms:
Unable to retrieve statistics or statistics are all 0 (zero) when they should not be zero.

This is VCMP related.

The guest virtual disk always shows in-use, even when the guest is not in the running state.

When the guest OS is shut down, the GUI and TMSH do not show accurate information about status.

Conditions:
If a directory is removed from /shared/tmstat/snapshots, merged might run at 100% CPU utilization and become unresponsive.

Impact:
No statistics are available. Some statistics, such as traffic stats from TMM, will not be updated, though they may be non-zero. Others, such as system CPU stats that are calculated by merged, will be zero. This will be evident through all management interfaces such as TMSH, TMUI, SNMP, etc.

VCMP guest OS status is reported incorrectly.

Workaround:
If merged is hung, restart the daemon using the following command:
bigstart restart merged

To prevent the issue from occurring, disable tmstat snapshots using the following command:
tmsh modify sys db merged.snapshots value false

Fix:
The merged process no longer becomes unresponsive when a directory is removed from /shared/tmstat/snapshots.


597309-2 : Increase the Maximum Members Per Trunk limit to 32 or 64 for high end platforms

Component: TMOS

Symptoms:
The Maximum Members Per Trunk limit is 8 or 16, depending on platform. This is due to

1. the limitation of an SDK from a third party vendor,
2. the number of external interfaces actually provided by earlier platforms.

Conditions:
These platform limits are on the BIG-IP 10000 appliance and B2400, B4300, and B4450 blades.

Impact:
The existing number of interfaces per trunk is limited to either 8 or 16.

Workaround:
None

Fix:
New limit of 32 is implemented in 10000, Viprion 2400 and Viprion 4300. New limit 64 is implemented for Viprion 4450N.


597303 : "tmsh create net trunk" may fail

Component: TMOS

Symptoms:
When a trunk is created with "tmsh create net trunk", with LACP enabled or disabled, the addition of a trunk member may fail. When it fails, log messages like the following appear in /var/log/ltm:

Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0011:3: bs_trunk_addr_set: unit=0 Invalid parameter bs_trunk.cpp(2406)
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0011:3: Trouble setting trunk 1, unit 0 bs_trunk.cpp(2591)
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0011:3: SDK error Invalid parameter bs_trunk.cpp(2592)
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0010:3: Trouble setting trunk: unit=0, trunk=testTrunk bs_trunk.cpp(1886)
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0010:3: Trouble adding interface to trunk=testTrunk bsx.c(3109)

Conditions:
The problem tends to happen when a trunk is created right after it is deleted. If you wait for over 30 seconds, it is unlikely to happen.

Impact:
A trunk can't be created, and no trunk members can be added.

Workaround:
Wait for over 30 seconds before adding back the same trunk.

Fix:
A fix is already staged, and may show up in a hot fix later.


596814-4 : HA Failover fails in certain valid AWS configurations

Component: TMOS

Symptoms:
Some of the floating object's IPs might not be reattached to the instance acting as the new active device.

Conditions:
AWS deployments where the provided IP address matches more than one network object (other Amazon VPCs in the same Availability Zone that contain unrelated instances using the same IP address as the BIG-IP's floating IP address).

Impact:
Potential traffic disruption. Some of the floating object's IPs might not be reattached to the instance acting as the new active device.

Workaround:
Do not have AWS deployments with multiple VPCs sharing the same IP address as the BIG-IP's floating IP address.

Fix:
Failover now narrows network description by filtering with VPC id.


596809-1 : It is possible to create ssh rules with blank space for auth-info

Component: Advanced Firewall Manager

Symptoms:
In tmsh it is possible to create profile actions that contain blank spaces, such as in this example:

create security ssh profile ssh-test actions add { " " } rules add { " " { actions add { " " } identity-users add { " "} identity-groups add { " " } } } auth-info add { " " }

Conditions:
This occurs when creating profile actions.

Impact:
Actions can be created with blank spaces in them when a validation error should be returned instead. These rules also cannot be deleted.

Workaround:
Do not create profile actions with blank spaces.

Fix:
BIG-IP will now throw a validation error if you create a profile action containing only a blank space.


596674-2 : High memory usage when using CS features with gzip HTML responses.

Component: Application Visibility and Reporting

Symptoms:
AVR consumes a lot of memory while trying to decompress responses. This can cause a tmm core under stress traffic.

Conditions:
-- Dosl7d enabled on a virtual server with CS features.
-- The server is sending compressed responses.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
High memory usage no longer occurs when using CS features with gzip HTML responses.


596603-2 : AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.

Component: TMOS

Symptoms:
When deploying BIG-IP VE in AWS with c4.8xlarge instance type, the system never boots and remains in "Stopped" state after briefly trying to start-up.

Conditions:
BIG-IP VE is deployed with c4.8xlarge instance type in AWS.

Impact:
The c4.8xlarge instance type is not supported for BIG-IP VE in AWS.

Workaround:
Choose c4.4xlarge or other instance types in AWS.

Fix:
Issue corrected so that BIG-IP VE works with the c4.8xlarge instance type in AWS.


596488-1 : GraphicsMagick vulnerability CVE-2016-5118.

Vulnerability Solution Article: SOL82747025


595693 : Incorrect PVA indication on B4450 blade

Component: TMOS

Symptoms:
When you run guishell -c "select HAS_PVA, PVA_VERSION from platform" on a B4450 blade (which includes PVA), the output indicates that it does not have PVA.

Conditions:
This occurs when looking at platform information on B4450 blades.

Impact:
PVA acceleration is not detected properly.

Fix:
PVA service is now indicated properly on the B4450 blade.


595605 : Upgrades from 11.6.1 or recent hotfix rollups to 12.0.0 may fail

Component: TMOS

Symptoms:
An upgrade to BIG-IP v12.0.0 will fail when all of the following conditions are met:
- AVR provisioned
- Upgrading to v12.0.0 from the following versions:
  - 11.6.1

Certain engineering hotfixes are also affected.

Conditions:
The following Engineering Hotfixes are affected.

- 11.6.0-hf5 EHF index 110 (Hotfix-BIGIP-11.6.0.5.110.429-HF5-ENG.iso)
- 11.6.0-hf5 EHF Index 214
- 11.6.0-hf5 EHF index 233
- 11.6.0-hf6 EHF index 240

11.6.1 is also affected.

Impact:
The upgrade to 12.0.0 will succeed but the configuration will fail to load.

This can be detected by running tmsh load sys config verify. You will see the following signature:

Unexpected Error: "Can't load keyword definition (analytics-report.device_group)"

Workaround:
12.1.1 is schema compatible with 11.6.1, so upgrade to 12.1.1 instead.


595394-3 : Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x can result in instance becoming inaccessible.

Component: TMOS

Symptoms:
Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x can result in instance becoming inaccessible.

Conditions:
11.5.x/11.6.x Hourly Billing instances with multiple NICs attached.

Impact:
The user might not be able to log in to the instance.

Workaround:
Rebooting the instance corrects the problem.

Fix:
Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x works with new Hourly billing licenses.


594302-1 : Connection hangs when processing large compressed responses from server

Component: Local Traffic Manager

Symptoms:
When large compressed responses are sent by the server, the connection hangs when trying to send decompressed content to the client.

Conditions:
An LTM policy that enforces decompression for responses is attached to the virtual server. The virtual server also has an HTTP compression profile attached to it. The server sends large compressed responses.

Impact:
Connection hangs when trying to process the compressed response in order to send decompressed content to client.

Fix:
The large compressed responses are successfully processed and no connection hangs are seen.


593925-1 : ssh profile should not contain rules that begin and end with spaces (cannot be deleted)

Component: Advanced Firewall Manager

Symptoms:
When attempting to delete a rule for an ssh profile and committing the changes in the GUI, you get an error: "Operation is not supported on property /security/ssh/profile/~Common~ssh-test/rules."

Conditions:
This occurs if you previously created ssh profile rules that contain spaces in them, such as this example:

create security ssh profile ssh-test actions add { " " } rules add { " " { actions add { " " } identity-users add { " "} identity-groups add { " " } } } auth-info add { " " }

Impact:
Unable to delete the rules

Fix:
You can now delete ssh profile rules that contain spaces for the rules.


593696-1 : Sync fails when deleting an ssh profile

Component: Advanced Firewall Manager

Symptoms:
After creating an ssh profile and successfully syncing it to the sync group, you later delete the profile and sync fails with this error on the target device:
"err mcpd[5178]: 01071488:3: Remote transaction for device group /Common/syncme to commit id 6 6285666289815053813 /Common/bigip2.mysite.com 0 failed with error 01071aaf:3: SSH profile: [/Common/ssh1] default actions is required and cannot be removed."

Conditions:
This is triggered when deleting an ssh profile that has been synced in a sync group. Sync group is configured for manual sync. It is not known if automatic sync also exhibits this behavior.

Impact:
Sync fails.


592854-1 : Protocol version set incorrectly on serverssl renegotiation

Component: Local Traffic Manager

Symptoms:
If the BIG-IP serverssl profile sends a new ClientHello request to renegotiate SSL, the protocol version will be set to 0. This will cause renegotiation to fail.

Conditions:
ServerSSL profile configured on a virtual server, and BIG-IP initiates a renegotiation.

Impact:
Protocol field is invalid (0), and the server will reset the connection.

Fix:
Fixed a reset issue with SSL renegotiation in the serverssl profile.


592716-1 : BMC timezone value was not being synchronized by BIG-IP

Component: TMOS

Symptoms:
You notice that errors on the LCD have an incorrect timestamp compared to what is reported in BIG-IP.

Conditions:
This can occur when running the 12.1.1 base release on the BIG-IP i-Series platforms.

Impact:
Timestamp is reported in the wrong time zone.

Fix:
Fixed an issue with incorrect timestamp reporting on the LCD display.


592699-3 : IPv6 data pulled from the BIG-IP system via HTTPS, SCP, SSH, DNS or SMTP performance

Component: Local Traffic Manager

Symptoms:
IPv6 data pulled from the BIG-IP system via HTTPS, SCP, SSH, DNS or SMTP might encounter significant performance impacts when initiated over a BIG-IP data port using IPv6.

Conditions:
-- Protocols: HTTPS, SCP, SSH, DNS, SMTP.
-- IPv6.
Note: Management port is not impacted.

Impact:
Performance impact pulling data over affected ports from the BIG-IP over IPv6.
BIG-IQ performance is impacted trying to manage BIG-IP devices over IPv6.

Workaround:
Disable TSO for IPv6 at the command line by running the following command: ethtool -K tmm tso off
Note: This command must be run each time after reboot.

Fix:
The issue has been corrected, so that there is no performance impact pulling data over affected ports using HTTPS, SCP, SSH, DNS or SMTP from the BIG-IP over IPv6, and there is no BIG-IQ performance issue managing BIG-IP devices over IPv6.


592682-1 : TCP: connections may stall or be dropped

Component: Local Traffic Manager

Symptoms:
TCP connections stall or get dropped.

Conditions:
Under some network conditions, especially with rateshaper enabled, a TCP connection could stall and ultimately get reset.

Impact:
This usually happens with rateshaper or BWC enabled. Rarely could also happen with very lossy networks.

Fix:
Properly manage retransmissions after a tail drop by not doing the exponential back-off, and reset the retransmit timer for every partial ACK received after a tail drop.


592363 : Remove debug output during first boot of VE

Component: TMOS

Symptoms:
There was unneeded debug output during the first boot of VE on Cloud deployments.

Conditions:
Cloud deployment - AWS and Azure.

Impact:
Extra debug output on first boot.

Fix:
Debug output was removed.


592354 : Raw sockets are not enabled on Cloud platforms

Component: TMOS

Symptoms:
Cloud VMs come configured with the UNIC driver instead of using raw sockets.

Conditions:
Cloud deployment - AWS and Azure.

Impact:
UNIC is used instead of raw sockets.

Workaround:
Manually disabling the unic driver forces raw sockets to be used.

Fix:
Enabled raw sockets by default on Cloud deployments.


591918-2 : ImageMagick vulnerability CVE-2016-3718

Vulnerability Solution Article: SOL61974123


591908-2 : ImageMagick vulnerability CVE-2016-3717

Vulnerability Solution Article: SOL29154575


591894-2 : ImageMagick vulnerability CVE-2016-3715

Vulnerability Solution Article: SOL10550253


591881-1 : ImageMagick vulnerability CVE-2016-3716

Vulnerability Solution Article: SOL25102203


591806-8 : ImageMagick vulnerability CVE-2016-3714

Vulnerability Solution Article: SOL03151140


591261 : BIG-IP VPR-B4450N shows "unknown" SNMP Object ID

Component: TMOS

Symptoms:
The BIG-IP VPR-B4450N blade does not show the correct Object ID for SNMP. An SNMP query will return "unknown".

Conditions:
This issue may occur on VIPRION B4450N blades running affected versions of BIG-IP software.

Impact:
Some network management applications may complain and fail.

Workaround:
None.

Fix:
A new SNMP Object ID is added to TMOS v12.1.1 for VPR-B4450N.


591139 : TMM QAT segfault after zlib/QAT compression conflation.

Component: Local Traffic Manager

Symptoms:
TMM can segfault during prolonged mixture of software and hardware accelerated compression.

Conditions:
Continuous and prolonged mixture of software and hardware accelerated compression.

Impact:
TMM segfaults.

Workaround:
Disable hardware accelerated compression with:

    tmsh modify sys db compression.strategy value speed

Fix:
Pointer hardening was added for the TMM QAT compression context.


591119 : OOM with session messaging may result in TMM crash

Component: TMOS

Symptoms:
Under out of memory conditions, session messaging may not initialize storage correctly, resulting in a later TMM crash.

Conditions:
Under out of memory conditions, memory allocation for session messaging fails, and storage is not initialized correctly.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Reduce load on box in order to avoid OOM conditions.

Fix:
Initialize storage on memory allocation failure.


591039 : DHCP lease is saved on the Custom AMI used for auto-scaling VE

Component: TMOS

Symptoms:
When you configure an instance for auto-scaling and then generate the Custom/Model AMI used for auto-scaling VEs, new instances created from this image might still hold the old DHCP lease acquired by the custom instance before the AMI was generated from it. This lease can collide with the new lease that the new instances acquire at boot.

Conditions:
This occurs when Auto-scaling VEs.

Impact:
Multiple valid dhclient leases exist, which could result in dhclient on the BIG-IP choosing the wrong IP address for the management interface.

Workaround:
Delete the /var/lib/dhclient/dhclient.leases before shutting down the custom instance and generating a Custom/Model AMI out of it.

Fix:
Auto-scaling AMIs no longer contain a DHCP lease when they are saved.


590993 : Unable to load configs from /usr/libexec/aws/.

Component: TMOS

Symptoms:
In 12.1.0, a new tmsh object 'sys global-settings file-whitelist-path-prefix' controls the path from which config can be loaded. To be allowed as a config storage location, the path must exist in file-whitelist-path-prefix. Because /usr/libexec/ is not part of the path, loading auto-scaling and CloudWatch iCall configuration files from /usr/libexec/aws/ fails.

Conditions:
The issue occurs with AWS auto-scaling- and CloudWatch-related configuration files in TMOS v12.1.0.

Impact:
AWS auto-scaling-related automation and CloudFormation Templates (CFTs) for deploying BIG-IP will not work, because 'sys global-settings file-whitelist-path-prefix' disallows /usr/libexec/aws/ as a legitimate config location.

Workaround:
To work around this, add /usr/libexec/aws/ into the 'sys global-settings file-whitelist-path-prefix'. To do so, run the following tmsh command:

tmsh modify sys global-settings file-whitelist-path-prefix "{/var/local/scf} {/tmp/} {/shared/} {/config/} {/usr/libexec/aws}"

Fix:
Starting in 12.1.0-HF1, F5 Networks has changed the paths from which configuration files related to AWS autoscaling and CloudWatch can be loaded. This necessitates an extra step in the Custom AMI generation for Auto Scaling.

Configuration files related to AWS auto scaling and CloudWatch have been moved to the /usr/share/aws/ directory. This change was made because the system no longer allows /usr/libexec/aws as a config file storage and load location.

12.1.0 and earlier Auto Scaling-related automation and CFT configurations must be modified to point to the new locations. The new locations for the Auto Scaling and CloudWatch config files are:
-- /usr/share/aws/autoscale/aws-autoscale-icall-config
-- /usr/share/aws/metrics/aws-cloudwatch-icall-metrics-config

Behavior Change:
Starting in 12.1.0-HF1, the system has changed the paths from which configuration files related to AWS autoscaling and CloudWatch can be loaded. This necessitates an extra step in the Custom AMI generation for Auto Scaling.

Configuration files related to AWS auto scaling and CloudWatch have been moved to the /usr/share/aws/ directory. This change was made because the system no longer allows /usr/libexec/aws as a config file storage and load location.

12.1.0 and earlier Auto Scaling-related automation and CFT configurations must be modified to point to the new locations. The new locations for the Auto Scaling and CloudWatch config files are:
-- /usr/share/aws/autoscale/aws-autoscale-icall-config
-- /usr/share/aws/metrics/aws-cloudwatch-icall-metrics-config


590904-1 : New HA Pair created using serial cable failover only will remain Active/Active

Component: TMOS

Symptoms:
After creating a new sync-failover device group without network failover enabled, both devices remain Active.

Conditions:
Create a new sync-failover device-group without enabling network failover.

Impact:
Both devices in the HA pair will be Active, which is unlikely to pass traffic successfully.

Workaround:
After adding the 2nd device to the sync-failover group, restart sod with "bigstart restart sod" on both devices.

Fix:
After creating the sync-failover group without network failover configured, but with a serial failover cable installed, one of the devices becomes Standby and the other remains Active.


590795-1 : tmm crash when loading default signatures or updating classification signature

Component: Traffic Classification Engine

Symptoms:
When upgrading classification signatures or downgrading to the default signatures, tmm will crash.

Conditions:
This occurs when loading updated classification signatures on versions 12.1.0 and 12.1.1.

Impact:
tmm will crash during the load. Traffic disrupted while tmm restarts.

Fix:
Fixed a crash when loading classification signatures.


590779 : Rest API - log profile in json return does not include the partition but needs to

Component: TMOS

Symptoms:
When querying the log profile via the REST API, the returned response does not include the partition name in fullPath.

For example, for a log profile named mySample:
https://bigip_ip/mgmt/tm/security/log/profile/~Common~mySample/application/mySample

The JSON returned will contain
    "fullPath": "testProfile",
It should contain
    "fullPath": "/Common/testProfile",

This can cause BIG-IQ to fail to sync.

Conditions:
Log profile created. This is most visible when using BIG-IQ to sync.

Impact:
Applications relying on the folder path can fail.

Fix:
The REST API now provides the full path to the log profile.


590601-2 : BIG-IP as SAML SP does not redirect users to original request URI after authentication is completed

Component: Access Policy Manager

Symptoms:
After the end user successfully performs SP-initiated SAML SSO with an original request URI other than "/", the SP redirects the user back to '/' as the landing URI.

Conditions:
BIG-IP is used as SAML SP and no relay state is configured on either the SP or the IdP.

Impact:
User is not redirected to original request URI.

Workaround:
The workaround provided below works when the first client request to BIG-IP as SP is a 'GET'. It is not applicable when the first client request is a 'POST'.

SP object can be configured with relay state pointing to the landing URI: %{session.server.landinguri}

After successful authentication, the end user is redirected to the landing URI (reflected back by the IdP in the relay state).

Fix:
SAML SSO requests will now be redirected to the original request URI.


590428-1 : The "ACCESS::session create" iRule command does not work

Component: Access Policy Manager

Symptoms:
When the "ACCESS::session create" iRule command is used with an APM virtual server, the command does not resume properly and causes the sessions to disconnect or hang.

Conditions:
APM virtual server configured with an iRule that includes the "ACCESS::session create" iRule command.

Impact:
APM virtual won't function correctly.

Workaround:
The "ACCESS::session create" iRule command should be removed from the iRule attached to the virtual.

Fix:
Updated the session DB calls to include the req_id parameter, so that the TCL context is updated, saved and used upon resume.


590345-1 : ACCESS policy running iRule event agent intermittently hangs

Component: Access Policy Manager

Symptoms:
If you are using iRule event agent on the 12.1.0 release, you may see an intermittent Access Policy execution hang. The hang occurs during the execution of ACCESS::policy agent_id.

Conditions:
- iRule event agent is configured.
- iRule uses the ACCESS_POLICY_EVENT_AGENT event.
- Within this event, the ACCESS::policy agent_id command is used.

Impact:
Policy execution intermittently hangs.

Workaround:
Use this command instead:
ACCESS::session data get {session.custom_event.id}

Fix:
A hang related to the use of ACCESS::policy agent_id has been fixed.


590074-1 : Wrong value for TCP connections closed measure

Component: Application Visibility and Reporting

Symptoms:
In TCP analytics, the measure 'connections closed' displays the wrong value.

Conditions:
TMM_API debug enabled.

Impact:
Wrong value displayed.

Workaround:
Do not turn on debug printing.

Fix:
Memory corruption found and fixed. All debug printing organized together at the beginning of the function.


589661 : PS2 power supply status incorrect after removal

Component: TMOS

Symptoms:
After removing the second power supply (PS2), running system_check indicates that the power supply status is still good:

system_check -d | grep power
Chassis power supply 1: status FAN=good; VINPUT=good; VOUTPUT=good; STATUS=good
Chassis power supply 2: status VINPUT=good; VOUTPUT=good; STATUS=not present

Conditions:
This occurs on 10000-series and 12000-series platforms when removing the PS2 power supply and running system_check.

Impact:
Erroneous indication that the power supply is still good.

Fix:
Power supply status for PS2 is now correctly indicated when the power supply is removed.


588879-2 : apmd crash under rare conditions with LDAP in BIGIP 12.0 and beyond

Component: Performance

Symptoms:
APM crashes during periods of high Active Directory lookups.

Conditions:
APM configured to use LDAP. This was seen during stress testing of AD queries.

Impact:
APM crashes; clients are unable to connect.


588399-1 : BIG-IP CPU utilization can be high even when all bad actors are detected and mitigated

Component: Anomaly Detection Services

Symptoms:
BIG-IP CPU utilization can be excessively high even after mitigating bad actors.

Conditions:
This can occur when Bad Actor detection is used.

Impact:
CPU utilization will be higher than expected.

Fix:
An issue with referencing bad actors that have been detected and affecting CPU utilization has been fixed.


588327 : "err bcm56xxd" log message observed in /var/log/ltm

Component: TMOS

Symptoms:
An "err bcm56xxd" log message is observed in /var/log/ltm that reads: "err bcm56xxd[10968]: 012c0012:3: bs_module_do_precond:No preconditioning provided for module on port 3/5.0"

Conditions:
This occurs during system start.

Impact:
The error is benign and can be ignored.

Fix:
The "No preconditioning provided for module" message is now logged at the info level.


588140 : Pool licensing fails in some KVM/OpenStack environments

Component: TMOS

Symptoms:
Licensing a BIG-IP Virtual Edition (VE) from BIG-IQ can fail. The system posts the following error in /var/log/ltm: Dossier error 16.

Conditions:
This occurs when BIG-IQ is used to license the BIG-IP VE instance.

Impact:
From BIG-IQ, the licensing operation appears to succeed; however, the BIG-IP VE is not licensed.

Fix:
Licensing a BIG-IP Virtual Edition (VE) from BIG-IQ in OpenStack and/or KVM environments completes with success on BIG-IQ and BIG-IP.


588049-1 : Improve detection of browser capabilities

Component: Application Security Manager

Symptoms:
A browser can override its native functions and thereby manipulate the PBD capabilities test.

Conditions:
1. Proactive Bot defense is on.
2. An attacker overrides the browser's native functions.

Impact:
Malicious browsers can go undetected by PBD.

Workaround:
N/A

Fix:
The capabilities test now checks that the majority of the browser's native functions have not been overridden.


587791-1 : Set execute permission on /var/lib/waagent

Component: TMOS

Symptoms:
Due to recent changes in the build process, /var/lib/waagent did not have the execute permission set. This caused user custom scripts to fail to execute during deployment.

Conditions:
First deployment of a VM in Azure that requires executing custom scripts.

Impact:
Custom scripts cannot be executed.

Workaround:
N/A

Fix:
The execute permission is now set properly on the /var/lib/waagent directory.


587780 : warning: HSBe2 XLMAC initial recovery failed after 11 retries.

Component: TMOS

Symptoms:
ltm log contains multiple instances of the following message on VIPRION B4450 blades: warning: HSBe2 XLMAC initial recovery failed after 11 retries.

Conditions:
This often happens when a VIPRION 4480 or 4800 chassis with B4450 blades is rebooting.

Impact:
No operational impact. This is a cosmetic message that you can safely ignore.

Workaround:
None needed. This message is cosmetic only.

Fix:
A more robust XLMAC recovery mechanism has been implemented, which reduces the maximum number of retries to four. It does not completely eliminate this warning message (HSBe2 XLMAC initial recovery failed after 11 retries), but its frequency is greatly reduced.


587735 : False alarm on LCD indicating bad fan

Component: TMOS

Symptoms:
During some blade power ON conditions, a false alarm message is displayed on the LCD on the chassis bezel.
This alarm indicates that several chassis fans are bad; however, in reality the fans are not bad.
Typically, the messages look like this:
slot8/localhost emerg system_check[15535]: 010d0005:0: Chassis fan 2: status (0) is bad.
slot8/localhost emerg system_check[15535]: 010d0005:0: Chassis fan 3: status (0) is bad.
slot8/localhost emerg system_check[15535]: 010d0005:0: Chassis fan 4: status (0) is bad.
slot8/localhost emerg system_check[15535]: 010d0005:0: Chassis fan 5: status (0) is bad.

Conditions:
Erroneous fan warnings may occur when a blade is inserted into a VIPRION 4800 chassis.

Impact:
No functional impact. The user may experience concern over the false alarms.

Workaround:
Press the green check button on the front of the chassis bezel to clear the alarm.


587668 : LCD Checkmark button does not always bring up clearing prompt on VIPRION blades.

Component: TMOS

Symptoms:
Pressing the LCD checkmark button does not always bring up the clearing prompt on VIPRION blades.

Conditions:
Pressing the LCD's checkmark button to clear an alert on VIPRION blades.

Impact:
Cannot clear the alert using the LCD.

Workaround:
Press the checkmark button followed by the left or right arrow buttons.

Fix:
In this release, unneeded LCD updates that might have clogged the message channel have been optimized away, and the keypress is passed along later so that it is not lost. Pressing the LCD checkmark button now correctly brings up the clearing prompt on VIPRION blades.


587419-1 : TMM may restart when SAML SLO is performed after APM session is closed

Component: Access Policy Manager

Symptoms:
TMM may core when a user performs SAML SLO on an SP/IdP external to the BIG-IP system and the BIG-IP APM session is no longer valid.

Conditions:
- The user initiates SAML SLO on an external SAML provider, and the external provider redirects the user to the BIG-IP system with an SLO request.
- The user does not have a valid session on the BIG-IP system when the SLO request is received.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable SAML SLO by removing the SLO request/response URLs from the configuration.

Fix:
TMM will no longer restart in the case described above.


587077-1 : Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118

Vulnerability Solution Article: SOL37603172


585905-1 : Citrix Storefront integration mode with pass-through authentication fails

Component: Access Policy Manager

Symptoms:
Citrix Storefront integration mode with pass-through authentication fails. The client fails with the error message "Authentication service is not reachable".

Conditions:
Citrix Storefront integration mode with only pass-through authentication enabled on the Storefront.

Impact:
Pass-through authentication cannot be used on the Storefront for remote access to the store.

Workaround:
None

Fix:
Pass-through authentication can now be used for remote access to the store.


585654 : Enhanced implementation of AES in Common Criteria mode

Component: Local Traffic Manager

Symptoms:
Common Criteria (CC) mode disallows the use of the dedicated BIG-IP hardware accelerator. Performance of the BIG-IP system in CC mode may therefore not match benchmarks for some CPU-based AES implementations.

Conditions:
Common Criteria (CC) mode is enabled.

Impact:
Lower performance with CBC-based AES ciphersuites.

Fix:
The updated AES implementation may achieve higher performance with CBC-based AES ciphersuites.


585442-2 : Provisioning APM to "none" creates a core file

Component: Access Policy Manager

Symptoms:
Provisioning APM level to "none" may result in apmd creating a core file.

Conditions:
When the APM service is shut down, the apmd daemon may create a core file.

Impact:
Harmless

Workaround:
There is no loss in functionality.


585352-2 : bruteForce record selfLink gets corrupted by change to brute force settings in GUI

Component: Application Security Manager

Symptoms:
If you update the brute force settings in the GUI, rest_uuid is updated as well, which breaks the selfLink in the iControl REST API.

Conditions:
Brute force settings are updated in the GUI.

Impact:
The unique part of the record is updated.

Workaround:
Update the brute force settings using the REST API.

Fix:
The GUI no longer changes rest_uuid when brute force settings are updated.


585332 : Virtual Edition network settings aren't pinned correctly on startup

Component: TMOS

Symptoms:
You notice unusually high CPU utilization on Virtual Edition after upgrading to 12.1.0 when compared to a previous release (such as version 11.6.1).

Conditions:
This occurs after upgrading to 12.1.0. In Virtual Edition version 12.1.0, there is an issue where network interface IRQs don't get pinned correctly at startup.

Impact:
Since CPU0 utilization is unusually high compared to previous releases, upgrading could put the Virtual Edition into an overloaded state.

Workaround:
Running bigstart restart tmm restarts the network interfaces and pins them to the correct IRQs.

Fix:
Fixed an issue where interfaces and their IRQs were not configured correctly during system boot.


585120-1 : Memory leak in bd under rare scenario

Component: Application Security Manager

Symptoms:
Under high traffic, bd may leak memory and cause an ASM restart under certain rare conditions.

Conditions:
ASM is enabled and under high traffic.

Impact:
Traffic is aborted while the restart is happening. Swap and memory usage are high.

Workaround:
None.

Fix:
A memory leak in bd has been fixed.


585054-1 : BIG-IP imports delay violations incorrectly, causing wrong policy enforcement

Component: Application Security Manager

Symptoms:
When you import an XML file that contains references to violations in the delay blocking session tracking configuration, extra violations get added to the list.

Conditions:
This occurs when importing delay-type violations in ASM.

Impact:
A very large subset of the violations is added to the policy.

Fix:
BIG-IP now imports delay-type violations correctly.


584926-1 : Accelerated compression segfault when devices are all in error state.

Component: Local Traffic Manager

Symptoms:
TMM segfaults. Kernel log contains "Uncorrectable Error" and "icp_qa_al err" messages.

Conditions:
All physical or virtual devices concurrently enter error state.

Impact:
TMM segfaults and restarts. Recovery may require a reboot.

Workaround:
Disable QAT compression using tmsh:

tmsh modify sys db compression.strategy value softwareonly

Fix:
TMM QAT compression driver will not fail if all QAT devices concurrently go down.


584921-1 : Inbound connections fail to keep port block alive

Component: Carrier-Grade NAT

Symptoms:
Connections that use a PBA port block should keep the port block from expiring. However, inbound connections to a client using a port block fail to refresh the block, causing the block to expire prematurely. An inbound connection can remain active after the port block has been deleted.

Conditions:
An inbound connection with no outbound connections fails to keep a port block alive, resulting in an inbound connection to a client without a corresponding port block.

Impact:
When reverse mapping an inbound connection to a subscriber (for example, trying to find who was using an IP address/port at a particular time), customers may find no corresponding port block, or a port block belonging to another client, when the reverse map is performed at a time when the connection is closed.

Workaround:
When performing a reverse map, customers should use the start time of a connection to determine which port block was in use.

Fix:
Inbound connections properly refresh the port block, preventing premature expiration of the port block.


584670 : Output of tmsh show sys crypto master-key

Component: TMOS

Symptoms:
In this release, the output of tmsh show sys crypto master-key has changed: it now displays the base64-encoded form of a SHA-512 hash.

Conditions:
You will see this when running tmsh show sys crypto master-key, f5mku -Z, or f5mku -U.

Impact:
None


584661 : Last good master key

Component: TMOS

Symptoms:
When applying a UCS file to a platform that was different from the one the UCS was taken on, for example after RMA, you get a master key decrypt error because the master key is different.

Conditions:
This can occur either when applying a UCS file to an identical platform you received as an RMA exchange, or while performing the platform-migrate command.

Impact:
UCS load fails when extracting a UCS that came from another system.

Fix:
Secure Vault now stores the last good master key, which allows you to set the master key password to be the same as on the device you are importing from, then load the UCS from that system. If master key decryption fails, the system loads the master key that was in effect before the UCS load was initiated. If that master key matches the master key from the system where the UCS was taken, the encrypted attributes in the UCS can be loaded into the configuration.


584655 : platform-migrate won't import password protected master-keys from a 10.2.4 UCS file

Component: TMOS

Symptoms:
If you run the platform-migrate command to migrate from a UCS file generated on a platform running 10.2.4, the password-protected master key is not imported.

Conditions:
You encounter this when performing a platform migration from an older platform running 10.2.4, using the UCS file from that platform to platform-migrate to 12.1.1. This occurs only if the 10.2.4 UCS contains secure attributes, such as clientssl or serverssl keys and profiles.

Impact:
The platform-migrate command fails if the 10.2.4 UCS contains a password-protected master key.

Fix:
The 12.1.1 release can successfully platform-migrate UCS files from a 10.2.4 configuration if some steps are taken to generate a password-protected master key on the 10.2.4 release. Without these steps, the impact described above remains. The 10.2.4-specific solution will be provided at a future date.

For more information on master keys, see SOL9420: Installing a UCS file containing an encrypted passphrase at https://support.f5.com/kb/en-us/solutions/public/9000/400/sol9420.html


583686-2 : High ASCII meta-characters can be disallowed on UTF-8 policy via XML import

Component: Application Security Manager

Symptoms:
After importing an XML policy, you cannot view or edit policies containing high-ASCII characters.

Conditions:
This occurs when importing XML policies that contain high-ASCII meta-characters while high-ASCII is not allowed in a UTF-8 policy.

Impact:
Unable to view or edit the policy, and the "Illegal meta character in value" violation is triggered.


583631-2 : ServerSSL ClientHello does not encode lowest supported TLS version, which might result in alerts and closed connections on older Servers.

Component: Local Traffic Manager

Symptoms:
The Server SSL ClientHello does not encode the lowest supported TLS version. The outer record for a ClientHello contains the same version as the ClientHello itself: if, for example, the ClientHello is TLS1.2, the outer record also contains TLS1.2. Older servers that do not support later TLS versions might generate an alert and close the connection.

Conditions:
A BIG-IP system with a server SSL profile that supports a TLS version higher than that of the server to which it is connecting.

Impact:
The connection fails. The system might generate an alert.

Workaround:
Force the server SSL profile to use a lower TLS version number by selecting 'No TLSv1.2' or 'No TLSv1.1' in the 'options' section of the Server SSL profile.

Fix:
When the db variable SSL.OuterRecordTls1_0 is set to 'enable' (the default), the outer SSL record always contains TLS1.0. You can use this db variable to prevent the issue with older servers that do not support TLS versions later than 1.0, in which an alert might be generated and the connection closed.

Behavior Change:
Formerly, the version present in the ClientHello and the version present in the outer record would match. Now, if the sys db variable SSL.OuterRecordTls1_0 is set to 'enable', the version present in the outer record is TLS 1.0 regardless of the version in the ClientHello. This is the default.


583177 : LCD text truncated by heartbeat icon on VIPRION

Component: TMOS

Symptoms:
While looking at informational text on the first line of the LCD display on a VIPRION, the end of the string is truncated by a heartbeat icon.

Conditions:
This occurs on platforms that display a heartbeat icon on the LCD display.

Impact:
The heartbeat icon is displayed over the last character of the string; this is cosmetic.

Fix:
In this release, longer messages on the LCD are now displayed on multiple lines.


582629-1 : User Sessions lookups are not cleared, session stats show marked as invalid

Component: Application Visibility and Reporting

Symptoms:
AVR session statistics may be reported as excessively high, and when the sessions time out they get marked as invalid instead of being removed.

Conditions:
The exact conditions which cause this in a production configuration are unknown, as this was discovered during internal testing.

Impact:
Session statistics are reported incorrectly.

Fix:
An issue with session statistics not clearing after session timeout has been fixed.


582374-1 : Multiple 'Loading state for virtual server' messages in admd.log

Component: Anomaly Detection Services

Symptoms:
When a dosl7d profile is configured on a BIG-IP that is in a device group and the BIG-IP is set to "Forced Offline" in the Device Management settings, admd logs multiple messages to admd.log similar to the following:
47854390298368 Mar 22 02:38:50 [info] virtual bool CVirtualServerImpl::loadState() : Loading state for virtual server

Conditions:
- dosl7d profile attached to a virtual server
- BIG-IP is part of a DSC cluster
- a BIG-IP is forced offline in the cluster

Impact:
Excessive logging occurs to /var/log/adm/admd.log.

Workaround:
None

Fix:
An issue with excessive logging to admd.log has been fixed.


581991-1 : Logging filter for remote loggers doesn't work correctly with more than one logging profile

Component: Application Security Manager

Symptoms:
A log message arrives at a remote logger even though the remote logger's filter has criteria that do not match the message.

Conditions:
More than one logging profile is attached to a virtual server, and the logging profiles have different filter conditions.

Impact:
Unrelated messages are presented at the remote logger.

Fix:
Fixed an issue with multiple remote logging profiles that have different filters.


581945-2 : Device-group "datasync-global-dg" becomes out-of-sync every hour

Component: TMOS

Symptoms:
The datasync-global-dg device-group may become out-of-sync unexpectedly without any user changes.
When this happens, the user can manually sync the device-group, but after about an hour the device-group becomes out-of-sync again.

Conditions:
1. This happens only in certain timezones, depending on the timezone configured on the BIG-IP. We have only seen this happening in the Europe/London timezone.
2. The problem will start happening about 3 days after the first installation of an ASM Signature Update (ASU) or FPS Engine/Signature Update.

Impact:
The GUI/shell shows config-sync "possible change conflict" or "changes pending" with regard to the datasync-global-dg device-group.

Workaround:
None

Fix:
The datasync-global-dg device-group no longer becomes out-of-sync unexpectedly and repeatedly every hour.


581834-5 : Firefox signed plugin for VPN, Endpoint Check, etc

Component: Access Policy Manager

Symptoms:
Clients are unable to use the Firefox plugin on Firefox version 47 and above.

Conditions:
Clients using Firefox v47 and above attempt to use the Firefox plugin.

Impact:
Clients are unable to use the plugin if they are using Firefox version 47 and above.

Fix:
The Firefox plugin now supports all versions.


581824-2 : "Instance not found" error when viewing the properties of GSLB monitors gateway_icmp and bigip_link.

Component: Global Traffic Manager (DNS)

Symptoms:
When you attempt to view the monitors' properties, the page throws an "Instance not found" error.

Conditions:
Viewing the properties page of the GSLB monitors tcp_half_open, gateway_icmp, or bigip_link.

Impact:
You cannot view the properties of these monitors.

Fix:
Fixed the "Instance not found" error.


581811 : The blade alarm LED may not reflect the warning that non-F5 optics are used.

Component: TMOS

Symptoms:
When non-F5 optics are used in front switch ports, the LCD and /var/log/ltm display a warning message, but the alarm LED may not reflect it.

Conditions:
This is caused by a race condition. When a blade comes up and decides its role as a primary blade or a secondary blade, it will clear the alarm LED. So the last blade coming up may have its alarm LED in the right state, but the blades that came up earlier may have their alarm LEDs cleared.

Impact:
The alarm LED may not reflect the warning.

Workaround:
None.

Fix:
The problem is fixed in TMOS v12.1.1.


580596-1 : TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907

Vulnerability Solution Article: SOL14190 SOL39508724


580340-1 : OpenSSL vulnerability CVE-2016-2842

Vulnerability Solution Article: SOL52349521


580313-1 : OpenSSL vulnerability CVE-2016-0799

Vulnerability Solution Article: SOL22334603


579955-6 : HTTP2 and SPDY sometimes keep too many back-end connections

Component: Local Traffic Manager

Symptoms:
HTTP2 and SPDY may in some cases improperly clean up (or re-use) back-end connections. These back-end connections are cleaned up when the client connection is torn down, but if there are too many of them a disruption of service may occur. In many cases the back-end web server tears down these connections after a short keep-alive timeout, in which case this issue may not be significant.

Conditions:
HTTP2 and SPDY may leak child connections in some cases.

Impact:
Clients may experience a disruption of service.

Fix:
HTTP2 and SPDY now re-use or close back-end connections as expected.


579953 : Updated the list of Common Criteria ciphersuites

Component: Local Traffic Manager

Symptoms:
This is ongoing maintenance of the default ciphersuite set per certification requirements.

Conditions:
These changes are in effect only when the ccmode script is executed.

Impact:
The current set of ciphersuites is the following, subject to change in future releases:

AES{128,256}-{SHA,SHA256}
ECDHE-RSA-AES128-CBC-{SHA,SHA256}
ECDHE-RSA-AES256-CBC-{SHA,SHA384}
ECDHE-RSA-AES128-GCM-{SHA256,SHA384}
ECDHE-ECDSA-AES128-{SHA,SHA256}
ECDHE-ECDSA-AES256-{SHA,SHA384}
ECDHE-ECDSA-AES128-GCM-{SHA256,SHA384}


579829-7 : OpenSSL vulnerability CVE-2016-0702

Vulnerability Solution Article: SOL79215841


579529 : Stats file descriptors kept open in spawned child processes

Component: TMOS

Symptoms:
No known user visible impact.

Conditions:
This occurs on all multi-blade platforms where clusterd is running.

Impact:
No known user visible impact.

Workaround:
None.

Fix:
Stats file descriptors are now opened in a way that ensures they are closed when a child process is spawned.


579220-1 : Mozilla NSS vulnerability CVE-2016-1950

Vulnerability Solution Article: SOL91100352


579210 : VIPRION B4400N blades might fail to go Active under rare conditions.

Component: TMOS

Symptoms:
Over extended periods of booting and rebooting a VIPRION system containing B4400N blades, a switch port connected to the HSB might fail to initialize properly. In some cases, logs indicate an occurrence of the problem in the following form: hgm_fcs_errs[higig mac #] exceeds 1000.

Conditions:
This happens under very rare conditions on B4400N blades; for example, after approximately 8-12 hours of continuous rebooting.

Impact:
When the problem manifests, the HSB receives FCS errors at a high frequency and does not receive any valid traffic from the switch port. The B4400N blade might be unable to go active and join the cluster.

Workaround:
To recover, reboot the system once.


579085-6 : OpenSSL vulnerability CVE-2016-0797

Vulnerability Solution Article: SOL40524634


578570-1 : OpenSSL Vulnerability CVE-2016-0705

Vulnerability Solution Article: SOL93122894


578064 : tmsh show sys hardware shows "unavailable" for hard disk manufacturer on B4400/B4450 blades

Component: TMOS

Symptoms:
tmsh show sys hardware shows "unavailable" for hard disk manufacturer.

Conditions:
On VIPRION B4400/B4450 blades, tmsh show sys hardware always shows "unavailable" for hard disk manufacturer.

Impact:
The correct hard disk manufacturer information cannot be obtained.

Fix:
The hard disk manufacturer is now reported correctly.


578036-1 : Incorrect crontab entry can cause a large number of email alerts

Component: TMOS

Symptoms:
There is an incorrect crontab entry in /etc/cron.usbflush that references /sbin/lsusb.

Conditions:
This occurs for the usbflush entry.

Impact:
usbflush does not run, and an alert email is generated once per minute.

Workaround:
Change /etc/cron.usbflush to use /usr/bin/lsusb.

Fix:
/etc/cron.usbflush now uses /usr/bin/lsusb.


576478 : Enable support for the Purpose-Built DDoS Hybrid Defender Platform

Component: Advanced Firewall Manager

Symptoms:
N/A

Conditions:
Requires the new DoS license.

Impact:
None

Fix:
This fix adds support for recognition of a Purpose-Built DDoS Hybrid Defender license, and the necessary mechanisms to launch the DDoS Application.

Behavior Change:
There is no change to existing behavior and functionality. However, when a DoS license is installed, the BIG-IP platform takes on the role of a dedicated DoS protection device. Consequently, most non-DoS-related functionality is either disabled or operates in a limited capacity.


575170-2 : Analytics reports may not identify virtual servers correctly

Component: Application Visibility and Reporting

Symptoms:
In certain configurations, Analytics statistics on virtual server activity may not be reported correctly.

Conditions:
This occurs for virtual servers that are configured in one of these ways:

1. Two virtual servers have the same IP-Port-RouteDomain setting, but they use different protocols (such as TCP for one and UDP for the other) or different sources.

2. A virtual server is defined with a masked IP address rather than an explicit address (for example, 10.10.10.0/24).

Impact:
As a result, Analytics reports show an Aggregated Virtual Server or an incorrect one instead of displaying the correct virtual servers.

Workaround:
None.

Fix:
The virtual server is now identified correctly, and the activity reported in the charts is attributed to the right virtual server.


573584 : CPLD update success logs at the same error level as an update failure

Component: TMOS

Symptoms:
On booting after a successful CPLD update, you see an error in /var/log/ltm: "err chmand[4933]: 012a0003:3: CPLD not updated after previous power cycle."

Conditions:
This occurs during reboot after a successful firmware update.

Impact:
The message is logged as an error, but it actually means that the CPLD version is as expected. This error can be safely ignored.

Fix:
The message indicating that a CPLD update was not required is now logged at the info level, not the error level.


570697-1 : NTP vulnerability CVE-2015-8138

Vulnerability Solution Article: SOL71245322


570667-2 : OpenSSL vulnerabilities

Vulnerability Solution Article: SOL64009378


569467-5 : BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.

Vulnerability Solution Article: SOL11772107


569355-1 : Java vulnerabilities CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494

Vulnerability Solution Article: SOL50118123


569121-1 : Advanced Detection rate limiting can be incorrect in multi-blade clusters when rate limit is low

Component: Anomaly Detection Services

Symptoms:
If you have a large CMP configuration using Advanced Detection and rate limiting with a low rate limit applied, the per-core rate limit on attack traffic can end up being lower than the desired overall rate limit.

Conditions:
This was seen during internal testing with a large number of cores (3 blades / 24 cores) and a very low rate limit applied.

Impact:
Overall rate limit is lower than expected.

Fix:
Improvements were made to rate limiting in environments with a high number of tmm instances.


566342 : Cannot set 10T-FD or 10T-HD on management port

Component: Local Traffic Manager

Symptoms:
When setting the B4450 or B4300 management port to 10T-FD or 10T-HD, there is no link LED. However, the peer unit shows the correct link LED for this setting.

Conditions:
A B4450 or B4300 blade on which you want to set the 10T-FD or 10T-HD media type.

Impact:
Unable to set this media type.

Fix:
The management port of B4450 and B4300 blades can now be configured with 10T-FD or 10T-HD.


565895-1 : Multiple PCRE Vulnerabilities

Vulnerability Solution Article: SOL17235


565137 : Pool licensing fails in some KVM/OpenStack environments.

Component: TMOS

Symptoms:
Licensing a BIG-IP Virtual Edition (VE) from BIG-IQ can fail. The system posts the following error in /var/log/ltm: Dossier error 16.

Conditions:
This occurs when BIG-IQ is used to license the BIG-IP VE instance.

Impact:
From BIG-IQ, the licensing operation appears successful; however, the BIG-IP VE is not licensed.

Workaround:
There is no workaround.

Fix:
Licensing a BIG-IP Virtual Edition (VE) from BIG-IQ in OpenStack and/or KVM environments completes with success on BIG-IQ and BIG-IP.


563592 : Content diagnostics and LCD

Component: TMOS

Symptoms:
While running platform_check, you notice this on the LCD:

F5 LCD Server
Clients: 0
Screens: 0

Conditions:
This occurs when running platform_check after running bigstart stop.

Impact:
This is cosmetic; the LCD does not indicate that it is in diagnostic mode.

Fix:
When the LCD is unable to communicate with BIG-IP, such as during shutdown or platform_check, the LCD now displays the following:
F5 LCD Server
Host inaccessible or
in diagnostic mode


561444-1 : LCD might display incorrect output.

Component: TMOS

Symptoms:
Incorrect LCD display due to garbled messages received from LCD panel.

Conditions:
This occurs in various situations. Multiple messages sent to the LCD combined with user interaction on the LCD seem to reproduce the issue.

Impact:
LCD may display incorrect data.

Workaround:
The LCD usually corrects itself eventually, but to restore it immediately to a good state, run the following command: bigstart restart fpdd.

Fix:
The issue that allowed garbled messages between the front panel display daemon (fpdd) and the LCD daemon (LCDd) has been fixed.


555039-4 : VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration

Component: TMOS

Symptoms:
There are high drop counts in the output of tmsh show net interface, and tmctl -a drop_reason shows that a large number of drops are due to counters.rx_cosq_drop.

Smaller buffering alpha values are configured for egress buffering to allow the 8 hardware CoS queue feature to correctly implement weight-based egress dropping. This results in busy ports dropping more aggressively, although it allows fairer buffering among multiple active ports.

Conditions:
Higher traffic rates, which stress switch MMU buffering resources, might result in egress CoS queue drop on busy ports.
This affects the BIG-IP 5000- and 7000 series platforms, and VIPRION B2100, B2150, and PB200 blades.

Impact:
This results in busy ports dropping more aggressively. Note that smaller values allow fairer buffering among multiple active ports, whereas higher values allow better burst absorption but less fair buffering.

Workaround:
None.

Fix:
This release uses a larger alpha value for better burst absorption when the 8 hardware CoS queue feature is not enabled.


554713-2 : Deployment failed: Failed submitting iControl REST transaction

Component: TMOS

Symptoms:
When deploying an access control policy to a sync group, you notice the following error:
Deployment failed: Failed submitting iControl REST transaction 1445978291443908: remoteSender:ip_address

Conditions:
This can happen on policy sync with a large number of ACLs.

Impact:
The system will function properly, but some transactions may take longer than expected. BIG-IQ deployment of APM access control lists is one known case to fail due to timeouts.

Workaround:
None.

Fix:
The audit log contains every database modification request message sent to mcpd. Certain messages took an unexpectedly long time to render; this has been fixed.


547053-1 : Bad actor quarantining

Component: Anomaly Detection Services

Symptoms:
An issue was found where bad actors could be released from quarantine due to a timing issue.

Conditions:
This is a timing issue related to having an unusually high number of bad actors at the same time.

Impact:
Traffic can be removed from quarantine and passed to the web server.

Fix:
An issue related to bad actor quarantining has been fixed.


544477 : New Hourly Billable VE instances in AWS and Azure register with F5 Licensing Server for Support.

Component: TMOS

Symptoms:
Phone support is not available for hourly billing customers in cloud marketplaces.

Conditions:
All hourly billing VE instances in AWS Marketplace.

Impact:
Phone support is not available for hourly billing VE instances.

Fix:
New Hourly Billable VE instances in AWS and Azure register with F5 Licensing Server for Support.

Behavior Change:
Licensing for hourly billing instances changed from a pre-licensed image to a template registration key, which must be licensed through the license server.


542097-4 : Update to RHEL6 kernel

Component: TMOS

Symptoms:
A rare race condition between two (or more) threads operating on the same buffer_head/journal_head may cause a kernel panic.

Conditions:
Running the RHEL6 kernel under heavy disk load; more likely on a vCMP host.

Impact:
Unexpected machine reboot causing loss of service.

Workaround:
None.

Fix:
Red Hat provided an update to RHEL6.7.
F5 backported it to RHEL6.4 and 6.5:

jbd2: Fix oops in jbd2_journal_remove_journal_head()
jbd: Fix oops in journal_remove_journal_head()


539360 : Firmware update that includes might take over 15 minutes. Do not turn off device.

Component: TMOS

Symptoms:
On certain platforms, firmware updates might take over 15 minutes to complete. It is very important to wait until the update completes. Do not turn off the device until the operation is finished.

Conditions:
This occurs on certain platforms.

Impact:
Reboot takes a long time. The GUI posts the following message: Reboot in progress
Please do not turn off your device. Depending on your configuration, reboot time will vary, taking 5 to 20 minutes. To view reboot progress, connect to the serial port of your device or access the system hypervisor.

Workaround:
None.

Fix:
Although reboot takes a long time, the GUI posts a message containing a time range, similar to the following message: Reboot in progress
Please do not turn off your device. Depending on your configuration, reboot time will vary, taking 5 to 20 minutes. To view reboot progress, connect to the serial port of your device or access the system hypervisor.


531979-6 : SSL version in the record layer of ClientHello is not set to be the lowest supported version.

Component: Local Traffic Manager

Symptoms:
In the ClientHello message, the system sets the SSL version in the record layer to the same value as the version field of the ClientHello message, which is the highest SSL version the system supports.

Although RFC 5246 appendix E.1 does not give specific advice on how to set the TLS versions, the de facto standard used by all major browsers and TLS stacks is to set the ClientHello as follows:

SSL Record:
    Content Type: Handshake (22)
    Version: $LOWEST_VERSION
    Handshake Record:
        Handshake Type: Client Hello (1)
        Version: $HIGHEST_VERSION

The BIG-IP system implementation tells the SSL peer that the system supports only SSL versions from the $HIGHEST_VERSION through the $HIGHEST_VERSION instead of from the $LOWEST_VERSION through the $HIGHEST_VERSION, which effectively limits the range of SSL versions the system can negotiate with the SSL peer.

Conditions:
This issue occurs when the highest SSL version that the BIG-IP system supports does not fall into the range that an SSL peer supports.

For example, with SSL peer support configured for TLS1.0 or TLS1.1, if the BIG-IP system sets the highest SSL version to TLS1.2, then there is no version that the SSL peer thinks the two sides have in common, and the SSL handshake fails.

Impact:
SSL handshake fails.

Workaround:
There is no workaround for this issue.

Fix:
The SSL version in the record layer of the ClientHello is now set to the lowest supported version, which eliminates the issue that occurred when the highest SSL version that the BIG-IP system supports did not fall into the range that an SSL peer supports.
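As an added illustration that is not part of this release note, the following Python builds a minimal ClientHello with independently chosen record-layer and handshake versions, parses both fields back out, and models a peer that reads the record-layer version as the client's lowest supported version; the cipher suite list and the peer's supported-version set are constructed sample data, not values from the page.

```python
import struct

# TLS version tuples are (major, minor) as they appear on the wire.
TLS_VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLS1.0",
    (3, 2): "TLS1.1",
    (3, 3): "TLS1.2",
}


def build_client_hello(record_version, hello_version,
                       cipher_suites=(0x002F, 0x0035)):
    """Return a minimal ClientHello record (constructed test data).

    record_version is written into the TLS record header, hello_version
    into the ClientHello body, so the two can be set independently to
    reproduce both the browser convention and the behaviour described
    in the note. No extensions are included.
    """
    body = bytes(hello_version)                 # client_version (2 bytes)
    body += b"\x00" * 32                        # random, zeroed for the example
    body += b"\x00"                             # session_id length = 0
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                         # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    header = b"\x16" + bytes(record_version) + struct.pack("!H", len(handshake))
    return header + handshake                   # content type 22 = Handshake


def parse_client_hello_versions(data):
    """Return (record_version, hello_version) from a raw ClientHello record.

    Length fields are checked so that a truncated or mislabelled record is
    rejected instead of being read past its end.
    """
    if len(data) < 11 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version = (data[1], data[2])
    record_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + record_len:
        raise ValueError("truncated TLS record")
    if data[5] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(data[6:9], "big")
    if hs_len + 4 > record_len:
        raise ValueError("handshake length exceeds record length")
    hello_version = (data[9], data[10])
    return record_version, hello_version


def peer_negotiates(data, peer_versions):
    """Model a peer that treats the record-layer version as the client's
    lowest version and the ClientHello version as its highest, and picks
    the highest version inside that range it also supports (None if none)."""
    lowest, highest = parse_client_hello_versions(data)
    candidates = [v for v in peer_versions if lowest <= v <= highest]
    return max(candidates) if candidates else None


def describe(data):
    """Human-readable summary of the two version fields."""
    rec, hello = parse_client_hello_versions(data)
    return "record=%s hello=%s" % (TLS_VERSION_NAMES.get(rec, rec),
                                   TLS_VERSION_NAMES.get(hello, hello))


if __name__ == "__main__":
    # A peer that only supports TLS1.0 and TLS1.1 (constructed sample).
    legacy_peer = {(3, 1), (3, 2)}
    # Pre-fix behaviour: record layer carries the highest version.
    same_version = build_client_hello((3, 3), (3, 3))
    # Browser convention and fixed behaviour: record layer carries the lowest.
    ranged = build_client_hello((3, 1), (3, 3))
    for name, hello in (("highest-in-record", same_version), ("lowest-in-record", ranged)):
        print(name, describe(hello), "->", peer_negotiates(hello, legacy_peer))
```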


526708 : system_check shows fan=good on removed PSU of 4000 platform

Component: TMOS

Symptoms:
Running system_check on a 4000 platform with one PSU removed will still show status FAN=good; STATUS=good

Conditions:
This applies only to the BIG-IP 4000 platform.

Impact:
Fan shows status of 'good' when the PSU is removed. Reading the power supply status in the system_check output will show the PSU as down.

Fix:
If a PSU has been removed, system_check will now show status STATUS=not present


521370-1 : Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8

Component: Application Security Manager

Symptoms:
Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8, which results in suggestions for allowing meta-characters that cannot be accepted.

Conditions:
Auto-Detect Language policy is created, and then set to UTF-8 encoding.

Impact:
Suggestions for allowing high ASCII meta-characters cannot be accepted.

Fix:
Auto-Detect Language policy no longer contains disallowed high ASCII meta-characters.


521270-1 : Hypervisor might replace vCMP guest SYN-Cookie secrets

Component: TMOS

Symptoms:
Traffic suddenly stops passing on platforms in vCMP mode when SYN-cookie mode is triggered.

Occasionally, under HW-SYN-Cookie mode, HW-SYN-Cookie validation can fail, which triggers the software SYN-Cookie procedure, which does succeed.

Under vCMP guest, you might notice hwalgo_accept increasing under TMCTL table epva_hwvipstat. If this packet's destination is the local high-layer TCP stack, there is no functional impact. Otherwise, there might be a performance impact.

Under vCMP mirroring, however, the packet (which failed FPGA validation) is sent to the remote TMM, which does not have the correct secret to validate it, and this causes the connection issue.

Conditions:
vCMP provisioning setup.

Impact:
Under a vCMP guest, you might notice hwalgo_accept increasing under TMCTL table epva_hwvipstat; under HW-SYN-Cookie mode, everything should instead be validated automatically by the FPGA.

You might also notice hwalgo_invalid if the FPGA used the updated secret from the hypervisor for SYN-Cookie generation, and the guest and hypervisor secret indexes overlap.

Even though the guest and hypervisor secret indexes might not be the same, the history secret might be updated by the hypervisor, which might trigger additional hwalgo_accept.

Under vCMP mirroring, however, the packet (which failed FPGA validation) is sent to the remote TMM, which does not have the correct secret to validate it, so the error rate could be higher.

Workaround:
On the vCMP hypervisor, run the following commands.

1. echo "EPVA::enable_secret_diag true" > /config/tmm_init.tcl
2. bigstart restart TMM

On a multiple blade system, you must run these commands on all blades.

Fix:
Hypervisor no longer replaces vCMP guest SYN-Cookie secrets.


518201-4 : ASM policy creation fails after upgrading

Component: Application Security Manager

Symptoms:
You cannot create an ASM security policy after upgrading to version 11.6.x. You will see the following error message:
------------------
# tmsh create asm policy /Common/blabla active encoding utf-8
Unexpected Error: ASMConfig exception: [101] Policy 'Security Policy /Common/blabla' already exists in this policy.
------------------

It does not matter if the security policy was created by the command line or by the Configuration utility.

Conditions:
ASM provisioned
Upgrade to 11.6.X

Impact:
ASM policies cannot be created.

Workaround:
Please apply the following workaround, as root user, from the command line of the affected BIG-IP.
Please run these exact commands (copy and paste them into the command line):
---------------------
# mysql -uroot -p`perl -MF5::DbUtils -e 'print F5::DbUtils::get_mysql_password(user => qw{root})'` -e 'DELETE FROM PLC.PL_SESSION_AWARENESS_VIOLATIONS WHERE policy_id NOT IN (SELECT id FROM PLC.PL_POLICIES)'
---------------------

Be advised that this operation will permanently affect the mentioned database table.
It is strongly advised to first create a backup of the running configuration by running the following command from the command line of the affected BIG-IP:
---------------------
# tmsh save sys ucs /shared/tmp/backup.ucs
---------------------

Before applying the workaround, first make sure that you indeed need one.
You can do that by running this in the command line:
---------------------
# mysql -uroot -p`perl -MF5::DbUtils -e 'print F5::DbUtils::get_mysql_password(user => qw{root})'` -e 'SELECT * FROM PLC.PL_SESSION_AWARENESS_VIOLATIONS WHERE policy_id NOT IN (SELECT id FROM PLC.PL_POLICIES)'
---------------------
If this query returns no output, there is no need to apply the workaround.

In case you do need to apply the workaround, you can use the same "SELECT *" query to validate the workaround, after it has been applied. Namely, after the workaround was applied, the "SELECT *" query should return no output.

Fix:
We've fixed ASM policy creation so that it does not fail after upgrade


478986 : Powered down DC PSU is treated as not-present

Component: TMOS

Symptoms:
When power is removed from the PSU but the PSU remains in the system, 'tmsh show sys hardware' reports the PSU as 'not-present'.

Conditions:
This occurs when an installed DC powered PSU loses power, and the user runs the command 'tmsh show sys hardware'.

Impact:
Only the message is incorrect. Although the PSU is present, the system cannot read its data without power, so the system marks the PSU 'not present'. Once power is restored, all information is available.

Workaround:
Plug the power cable into the PSU. The system can now detect the power supply status and read the PSU info.


434573-6 : Tmsh 'show sys hardware' displays Platform ID instead of platform name

Component: TMOS

Symptoms:
While running a version of BIG-IP older than the most recent release on a new hardware platform (recently purchased or recently acquired through RMA exchange), the 'tmsh show sys hardware' command may display the Platform ID code in place of the official F5 platform name.

For example, the 'tmsh show sys hardware' command may display a Platform ID like the following:

Platform
  Name D113

instead of the official platform marketing name, such as:

Platform
  Name BIG-IP 10000F

Conditions:
This may occur if the version of BIG-IP software installed is not the most recent release, and the hardware platform is a newer variant (due to added hardware features or other manufacturing change) than was originally supported by the older BIG-IP software release.

Impact:
Custom automation scripts which depend on correctly matching F5 platform marketing names may fail to match the platform ID.

Workaround:
Update platform-identification scripts to include the relevant platform IDs among the recognized match values.

Fix:
Hotfix rollups have been updated to display the platform name.


433357 : Management NIC speed reported as 'none'

Component: TMOS

Symptoms:
Sometimes, after mcpd is restarted, mcpd does not get the management port NIC speed information from chmand, and "tmsh show net interface" might show the speed of the mgmt interface as "none".

Conditions:
The management interface is up and then mcpd is restarted.

Impact:
The "tmsh show net interface" command does not show the correct management interface speed.

Workaround:
Use "bigstart restart chmand" to restart chmand.

Fix:
Fixed.


418009 : Hardware data display inaccuracies

Component: TMOS

Symptoms:
Sensor location fields are displayed truncated. The Part Number and PCA titles appear incorrect for some platforms because the titles are platform-specific.

Conditions:
When displaying the hardware details, you could see the problems in the sensor data and in the Hardware Version Information. This appears when running the command 'tmsh show sys hardware'.

Impact:
Missing sensor location data, and inaccuracy when naming the titles of the hardware characteristics.

Fix:
Fixed the truncation problem for the sensor location by increasing the size of the data field used to retrieve it, and changed the Part Number and PCA titles to generic titles that apply to all platforms.


400778 : Message: err chmand[5011]: 012a0003:3: Physical disk CF1/HD1 not found for logical disk delete

Component: TMOS

Symptoms:
On a VIPRION system, during a failover in which a blade transitions from secondary to primary, log messages make it appear that chmand is trying to delete logical disks on CF1 and HD1.

Conditions:
This occurs on VIPRION systems.

Impact:
The ltm log displays messages such as: 'err chmand[6909]: 012a0003:3: Physical disk CF1 not found for logical disk delete' and 'err chmand[6909]: 012a0003:3: Physical disk HD1 not found for logical disk delete'.

Workaround:
None. These messages are benign and you can safely ignore them.


400550 : LCD listener error during shutdown

Component: TMOS

Symptoms:
During shutdown you see this error message: 012a0004:4: LCD listener write to LCDd exception: Psuedo Terminal: File I/O Error [Bad file descriptor] at PseudoTermDev.cpp:93

Conditions:
This can occur when shutting down a blade on a VIPRION 4400 platform.

Impact:
This occurs on shutdown and is cosmetic, and can be ignored.



Known Issues in BIG-IP v12.1.x


TMOS Issues

ID Number Severity Description
625784 1-Blocking TMM crash on BigIP i4x00 and i2x00 with large ASM configuration.
619097 1-Blocking iControl REST slow performance on GET request for Virtuals
603093 1-Blocking AC Power Supply output DC LED does not turn off when the input power is cut-off to it in redundant system
625824-1 2-Critical iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory
625456-3 2-Critical Pending sector utility may write repaired sector incorrectly
621422 2-Critical i2000 and i4000 series appliances do not warn when an incorrect optic is in a port
620056-1 2-Critical Assert on deletion of paired in-and-out IPsec traffic selectors
617481-1 2-Critical TMM can crash when HTML minification is configured
616059-1 2-Critical Modifying license.maxcores Not Allowed Error
614865-1 2-Critical Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.
614296-2 2-Critical Dynamic routing process ripd may core
613542-2 2-Critical tmm core while running the iRule STATS:: command
613536-4 2-Critical tmm core while running the iRule STATS:: command
610354-1 2-Critical TMM crash on invalid memory access to loopback interface stats object
610295-1 2-Critical TMM may crash due to internal backplane inconsistency after reprovisioning
605476-3 2-Critical istatsd can core when reading corrupt stats files.
604011-1 2-Critical Sync fails when iRule or policy is in use
601527-4 2-Critical mcpd memory leak and core
600894-1 2-Critical In certain situations, the MCPD process can leak memory
598748 2-Critical IPsec AES-GCM IVs are now based on a monotonically increasing counter
598697-3 2-Critical vCMP guests may fail after vCMP host system is upgraded to BIG-IP v12.1.x when 'qemu' user isn't created
595712-2 2-Critical Not able to add remote user locally
591495-1 2-Critical VCMP guests sflow agent can crash due to duplicate vlan interface indices
591104-1 2-Critical ospfd cores due to an incorrect debug statement.
588686-4 2-Critical High-speed logging to remote logging node stops sending logs after all logging nodes go down
587698-3 2-Critical bgpd crashes when ip extcommunity-list standard with route target(rt) and Site-of-origin (soo) parameters are configured
585745-2 2-Critical sod core during upgrade from 10.x
583936-6 2-Critical Removing ECMP route from BGP does not clear route from NSM
583516-2 2-Critical tmm ASSERT's "valid node" on Active, after timer fires.
580697 2-Critical VIPRION 2200 platform might not pass traffic properly after FPGA firmware switch.
574055-4 2-Critical TMM crash after changing raccoon log level
567457-2 2-Critical TMM may crash when changing the IKE peer config.
557680-3 2-Critical Fast successive MTU changes to IPsec tunnel interface crashes TMM
460833-9 2-Critical MCPD sync errors and restart after multiple modifications to file object in chassis
442231-4 2-Critical Pendsect log entries have an unexpected severity
412817-2 2-Critical BIG-IP system unreachable for IPv6 traffic via PCI pass-through interfaces as current ixgbevf drivers do not support multicast receive.
626721-5 3-Major "reset-stats auth login-failures" command for unknown users causes secondary mcpd processes to restart
624626-3 3-Major Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility
623930-3 3-Major vCMP guests with vlangroups may loop packets internally
623488-3 3-Major Custom adaptive reaper settings may be lost at upgrade time
623401-1 3-Major Intermittent OCSP request failures due to non-optimal default TCP profile setting
623391-5 3-Major cpcfg cannot copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size
623371-1 3-Major After changing from remote auth to local auth, if SSH keys are used, SSH attempts from non-existent users result in a connection closed
623367-1 3-Major When RADIUS remote authentication is enabled, a non existing user is able to ssh into the BIG-IP if they present the root's key.
623336-3 3-Major After an upgrade, the old installation's CA bundle may be used instead of the one that comes with the new version of TMOS
623265-4 3-Major v10 to v11.4+ UCS upgrade incorrectly retains v10 ca-bundle.crt
623084 3-Major mcpd fails validation of dhcp type virtual servers if the configured profile is /Common/udp
622877-1 3-Major i2000 and i4000 series appliances may show intermittent DDM alarms/warnings at powerup that clear right away
622619-5 3-Major BIG-IP 11.6.1 - "tmsh show sys log <item> range" can kill MCPD
622199-2 3-Major sys-icheck reports error with /var/lib/waagent
622194 3-Major sys-icheck reports error with ssh_host_rsa_key
622183-5 3-Major The alert daemon should remove old log files but it does not.
622133-1 3-Major VCMP guests may obtain incorrect MAC addresses
621909-1 3-Major Uneven egress trunk distribution on 5000/10000 platforms with odd number of trunk members
621423 3-Major sys-icheck reports error with /config/ssh/ssh_host_dsa_key
621273-1 3-Major DSR tunnels with transparent monitors may cause TMM crash.
621259-3 3-Major Config save takes long time if there is a large number of data groups
621242-1 3-Major Reserve enough space in the image for future upgrades.
621225 3-Major LTM log contains misleading error messages for front panel interfaces, "PCI Device not found for Interface X.0"
620969 3-Major iControl doesn't give correct valid key sizes for FIPS keys on BIG-IP 5250, 7200F, 10200F, and 11050F platforms running the Cavium Nitrox XL FIPS cards.
620659-3 3-Major The BIG-IP system may unnecessarily run provisioning on successive reboots
620366-1 3-Major Alertd can not open UDP socket upon restart
619419 3-Major Workaround for Software Installation Failures in TMUI
619410-1 3-Major TMM hardware accelerated compression not registering for all compression levels.
618319-5 3-Major HA pair will go Active/Active, and report peer as "offline" if network-failover service is blocked
617986 3-Major Memory leak in snmpd
617875-1 3-Major vCMP guest may fail to start due to not enough hugepages
617643-1 3-Major iControl.ForceSessions enabled results in GUI error on certain pages
617229-1 3-Major Local policy rule descriptions disappear when policy is re-saved
616242-3 3-Major basic_string::compare error in encrypted SSL key file if the first line of the file is blank
615934-1 3-Major Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.
615107-1 3-Major Cannot SSH from AOM/SCCP to host without password (host-based authentication).
614530-1 3-Major Dynamic ECMP routes missing from Linux host
614493-1 3-Major BIG-IP reset on ePVA accelerated flow may contain stale TCP window information.
614180-2 3-Major ASM is not available in LTM policy when ASM is licensed as the main active module
613415-1 3-Major Memory leak in ospfd when distribute-list is used
612752-1 3-Major UCS load or upgrade may fail under certain conditions.
612721-2 3-Major FIPS: .exp keys cannot be imported when the local source directory contains .key file
612083 3-Major Following an AC power cycle, the System Event Log may list HW, PCIe or DMI errors.
611658-1 3-Major "less" utility logs an error for remotely authenticated users using the tmsh shell
611512-1 3-Major AWS: Pool member autoscaling in BIG-IP fails to add pool members when pool name is same as AWS Autoscaling Group name.
611487-3 3-Major vCMP: VLAN failsafe does not trigger on guest
610441-1 3-Major When using iControl REST to add a member to an existing pool, the pool member is successfully created. However, a 404 response is received.
610417-1 3-Major Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported.
610352-1 3-Major sys-icheck reports error with /etc/sysconfig/modules/unic.modules
610350-1 3-Major sys-icheck reports error with /config/bigpipe/defaults.scf
610273-4 3-Major Not possible to do targeted failover with HA Group configured
609200-2 3-Major Hotfix installation failure using certain version 11.x software to host incremental hotfix application of version 12.x software.
609186-5 3-Major TMM or MCP might core while getting connections via iControl.
609119-7 3-Major Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3:
607961-1 3-Major Secondary blades restart when modifying a virtual server's route domain in a different partition.
606330-4 3-Major The BIG-IP system does not accept BGP connection requests when using peer-groups and no default address family.
605894-1 3-Major Remote authentication for BIG-IP users can fail
605840-4 3-Major HSB receive failure lockup due to unreceived loopback packets
605800-3 3-Major Web GUI submits changes to multiple pool members as separate transactions
605792-1 3-Major Installing a new version changes the ownership of administrative users' files
604727-1 3-Major Upgrade from 10.2.4 to 12.1.0 fails when SNMP trap exists in config from 10.2.4.
603772-1 3-Major Floating tunnels with names more than 15 characters may cause issues during config-sync.
603149-2 3-Major Large ike-phase2-lifetime-kilobytes values in racoon ipsec-policy
602854-2 3-Major Missing ASM control option from LTM policy rule screen in the Configuration utility
602566-5 3-Major sod daemon may crash during start-up
602502-2 3-Major Unable to view the SSL Cert list from the GUI
602193-4 3-Major iControl REST call to get certificate fails if
601989-2 3-Major Remote LDAP system authenticated username is case sensitive
601893-2 3-Major TMM crash in bwc_ctb_instance_recharge because of pkts_avg_size is zero.
601709-2 3-Major I2C error recovery for BIGIP 4340N/4300 blades
601502-3 3-Major Excessive OCSP traffic
601414-1 3-Major Combined use of session and table irule commands can result in intermittent session lookup failures
600944-1 3-Major tmsh does not reset route domain to 0 after cd /Common and loading bash
600558-5 3-Major Errors logged after deleting user in GUI
599543-1 3-Major Cannot update (overwrite) PKCS#12 SSL cert & key while referenced in SSL profile
598650-1 3-Major apache-ssl-cert objects do not support certificate bundles
598498-7 3-Major Cannot remove Self IP when an unrelated static ARP entry exists.
598443-1 3-Major Temporary files from TMSH not being cleaned up intermittently.
598039-5 3-Major MCP memory may leak when performing a wildcard query
597818-2 3-Major Unable to configure IPsec NAT-T to "force"
597729-5 3-Major Errors logged after deleting user in GUI
597601-3 3-Major Improvement for a previous issue regressed NAT-T
597564-3 3-Major 'tmsh load sys config' incorrectly allows the removal of the 'app-service' statement from configuration items
596826-5 3-Major Don't set the mirroring address to a floating self IP address
596815-1 3-Major System DNS nameserver and search order configuration does not always sync to peers
596104-3 3-Major HA trunk unavailable for VCMP guest
596067-2 3-Major GUI on VIPRION hangs on secondary blade reboot
595773-8 3-Major Cancellation requests for chunked stats queries do not propagate to secondary blades
595617-1 3-Major Modifying an IPsec tunnel and IPsec plus IKE SA does not remove the remote SA.
595317-4 3-Major Forwarding address for Type 7 in ospfv3 is not updated in the database
594426-4 3-Major Audit forwarding Radius packets may be rejected by Radius server
593361-1 3-Major The malformed MAC for inner pkt with dummy MAC for NSH with VXLAN-GPE.
592870-2 3-Major Fast successive MTU changes to IPsec tunnel interface crashes TMM
592320-1 3-Major ePVA does not offload UDP when pva-offload-state set to establish in BIG-IP 12.1.0 and 12.1.1
591305 3-Major Audit log messages with "user unknown" appear on install
590938-3 3-Major The CMI rsync daemon may fail to start
589083-3 3-Major TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors.
588028-1 3-Major Clearing alerts from the LCD while the host is down will re-display the alerts on the LCD when the host comes up
586878-5 3-Major During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.
585833-1 3-Major Qkview will abort if /shared partition has less than 2GB free space
585485-5 3-Major Interoperability with "delete IPSEC-SA" between AZURE, ASA and BIGIP
584762 3-Major After restarting bcm56xxd, 5.x interface might show as down.
584583-7 3-Major Timeout error when attempting to retrieve large dataset.
583754-7 3-Major When TMM is down, executing 'show ltm persist persist-records' results in a blank error message.
583475-1 3-Major The BIG-IP may core while recompiling LTM policies
583285-4 3-Major BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
582084-1 3-Major BWC policy in device sync groups.
581851-2 3-Major mcpd, interleaving of messages / folder contexts from primary to secondary blade
580602-1 3-Major Configuration containing LTM nodes with IPv6 link-local addresses fail to load.
580500-2 3-Major /etc/logrotate.d/sysstat's sadf fails to read /var/log/sa6 or fails to write to /var/log/sa6, disk space is not reclaimed.
579035-3 3-Major Config sync error when a key with passphrase is converted into FIPS.
578551-3 3-Major bgp "network 0.0.0.0/0 route-map Default" configuration is lost after restart/reboot
576305-9 3-Major Potential MCPd leak in IPSEC SPD stats query code
575919-2 3-Major Running concurrent TMSH instances can result in error in access to history file
575649-7 3-Major MCPd might leak memory in IPFIX destination stats query
575591-7 3-Major Potential MCPd leak in IKE message stats query code
575589-6 3-Major Potential MCPd leak in IKE event stats query code
575587-9 3-Major Potential MCPd leak in BWC policy class stats query code
575368-3 3-Major Error is not posted when a UCS file with FIPS keys is loaded after re-initializing the FIPS card
575176-1 3-Major Syn Cookie cache statistics on ePVA enabled devices is incremented with UDP traffic
575066-1 3-Major Management DHCP settings do not take effect
571333-5 3-Major fastL4 tcp handshake timeout not honored for offloaded flows
570818-4 3-Major Address lease-pool in IKEv2 might interfere with IKEv2 negotiations.
569968 3-Major snmpd core during startup
569331-1 3-Major Recovery from Amazon Network Failure may associate some virtual addresses to the standby BIG-IP
568672-1 3-Major Down IPsec traffic-selector shows as 'up' in 'show net ipsec traffic-selector' and in GUI
566507-4 3-Major Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment
562928-2 3-Major Curl connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled
559080-5 3-Major High Speed Logging to specific destinations stops from individual TMMs
557471-2 3-Major LTM Policy statistics showing zeros in graphical UI
553795-7 3-Major Differing certificate/key after successful config-sync
547479-4 3-Major Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted
546145-5 3-Major Creating local user for previously remote user results in incomplete user definition.
540872-1 3-Major Config sync fails after creating a partition.
527206-1 3-Major Management interface may flap due to LOP sync error
524123-1 3-Major iRule ISTATS::remove does not work
520877-1 3-Major Alerts sent by the lcdwarn utility are not shown in tmsh
471029-2 3-Major If the configuration contains a filename with the $ character, then saving the UCS through TMSH fails.
469366-3 3-Major ConfigSync might fail with modified system-supplied profiles
424542-5 3-Major tmsh modify net interface with invalid interface name or attributes will create an interface in cluster or VE environments
393270-1 3-Major Configuration utility may become non-responsive or fail to load.
375434-6 3-Major HSB lockup might occur when TMM tries unsuccessfully to reset HSB.


Local Traffic Manager Issues

ID Number Severity Description
621452-1 1-Blocking Connections can stall with TCP::collect iRule
618905-1 1-Blocking tmm core while installing Safenet 6.2 client
625198-1 2-Critical TMM might crash when TCP DSACK is enabled
619663-1 2-Critical Terminating of HTTP2 connection may cause a TMM crash
619528-1 2-Critical TMM may accumulate internal events resulting in TMM restart
619071-3 2-Critical OneConnect with verified accept issues
616215-4 2-Critical TMM can core when using LB::detach and TCP::notify commands in an iRule
615388-2 2-Critical L7 policies using normalized HTTP URI or Referrer operands may corrupt memory
614509-1 2-Critical iRule use of 'all' keyword with 'class match' on large external datagroups may result in TMM restart
612229-1 2-Critical TMM may crash if LTM a disable policy action for 'LTM Policy' is not last
609628-1 2-Critical CLIENTSSL_SERVERHELLO_SEND event in SSL forward proxy is not raised when client reuses session
609199-6 2-Critical Debug TMM produces core when an MPTCP connection times out while a subflow is trying to join
608555-3 2-Critical Configuring asymmetric routing with a VE rate limited license will result in tmm crash
608304-1 2-Critical TMM crash on memory corruption
607724-5 2-Critical TMM may crash when in Fallback state.
607524-1 2-Critical Memory leak when multiple DHCP servers are configured, and the last DHCP server configured is down.
607360-1 2-Critical Safenet 6.2 library missing after upgrade
606573-1 2-Critical FTP traffic does not work through SNAT when configured without Virtual Server
605865-4 2-Critical Debug TMM produces core on certain ICMP PMTUD packets
603032-3 2-Critical clientssl profiles with sni-default enabled may leak X509 objects
602326-1 2-Critical Intermittent pkcs11d core when installing Safenet 6.2 software
600982-3 2-Critical TMM crashes at ssl_cache_sid() with "prf->cache.sid == 0"
599135-3 2-Critical B2250 blades may suffer from high TMM CPU utilisation with tcpdump
588959-5 2-Critical Standby box may crash or behave abnormally
588351-4 2-Critical IPv6 fragments are dropped when packet filtering is enabled.
586587-1 2-Critical RatePaceMaxRate functionality does not work for the TCP flows where the round-trip time (RTT) is less than 6ms.
586449-1 2-Critical Incorrect error handling in HTTP cookie results in core when TMM runs out of memory
584213-1 2-Critical Transparent HTTP profiles cannot have iRules configured
583355-1 2-Critical The TMM may crash when changing profiles associated with plugins
581746-1 2-Critical MPTCP traffic handling may cause a BIG-IP outage
575011-1 2-Critical Fix memory leak.
574880-2 2-Critical Excessive failures observed when connection rate limit is configured on a fastl4 virtual server.
574153-4 2-Critical If an ssl client disconnects during the handshake, the SSL flow may stall.
559030-1 2-Critical TMM may core during ILX RPC activity if a connflow closes before the RPC returns
545810-3 2-Critical ASSERT in CSP in packet_reuse
513310-1 2-Critical TMM might core when a profile is changed.
459671-5 2-Critical iRules source different procs from different partitions and executes the incorrect proc.
626106-1 3-Major LTM Policy with illegal rule name loses its conditions and actions during upgrade
625106-1 3-Major Policy Sync can fail over a lossy network
624846-1 3-Major TCP Fast Open does not work for Responses < 1 MSS
623940-1 3-Major SSL Handshake fails if client tries to negotiate EC ciphers but does not present ec_point_formats extension in ClientHello
622870 3-Major When using a Thales key, SSL handshake failed after restarting pkcs11d
622017-1 3-Major RRD files are not backed up if the /shared/rrd.backup directory already exists
621736-5 3-Major statsd does not handle SIGCHLD properly in all cases
621233-1 3-Major fastL4 + http profile with ip-protocol not set to tcp can crash tmm
620625-1 3-Major Changing Connection.VlanKeyed may cause asymmetric/npath connections to fail
620556-1 3-Major Fragmented packets on clone pool for L7 virtual server targeting another L7 virtual server through iRule
620079-1 3-Major Removing route-domain may cause monitors to fail
619849-4 3-Major In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled.
618430 3-Major iRules LX data not included in qkview
618428 3-Major iRules LX - Debug mode does not function in dedicated mode
618254-2 3-Major Non-zero Route domain is not always used in HTTP explicit proxy
618131-1 3-Major Latency for Thales key population to the secondary slot after reboot
618121 3-Major "persist add" irule validation fails for RTSP_RESPONSE event on upgrade to v12.x.x
618104-1 3-Major Connection Using TCP::collect iRule May Not Close
617824-3 3-Major "SSL::disable/enable serverside" + oneconnect reuse is broken
616022-2 3-Major The BIG-IP monitor process fails to process timeout conditions
615377-4 3-Major Unexpected rate limiting of unreachable and ICMP messages for some addresses.
615143-2 3-Major VDI plugin-initiated connections may select inappropriate SNAT address
613429-1 3-Major Unable to assign wildcard wide IPs to various BIG-IP DNS objects.
613079-4 3-Major Diameter monitor watchdog timeout fires after only 3 seconds
613065-1 3-Major User can't generate netHSM key with Safenet 6.2 client using GUI
612694-1 3-Major TCP::close with no pool member results in zombie flows
611691-5 3-Major Packet payload ignored when DSS option contains DATA_FIN
611652-3 3-Major iRule script validation presents incorrect warning for 'HTTP::cookie cookie-name' command.
611482-3 3-Major Local persistence record kept alive after owner persistence record times out (when using pool command in an iRule).
611320-1 3-Major Mirrored connection on Active unit of HA pair may be unexpectedly torn down
610609-6 3-Major Total connections in bigtop, SNMP are incorrect
610429-5 3-Major X509::cert_fields iRule command may memory with subpubkey argument
610302-1 3-Major Link throughput graphs might be incorrect.
609244-4 3-Major tmsh show ltm persistence persist-records leaks memory
608024-3 3-Major Unnecessary DTLS retransmissions occur during handshake.
607803-3 3-Major DTLS client (serverssl profile) fails to complete resumed handshake.
607304-4 3-Major TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.
607166-1 3-Major Hidden directories and files are not synchronized to secondary blades
607152-1 3-Major Large Websocket frames corrupted
606940-1 3-Major Clustered Multiprocessing (CMP) peer connection may not be removed
606575-6 3-Major Request-oriented OneConnect load balancing ends when the server returns an error status code.
606565-1 3-Major TMM may crash when /sys db tm.simultaneousopen is set to reset or drop_connection
605983-1 3-Major tmrouted may crash when being restarted in debug mode
605175-1 3-Major Backslashes in monitor send and receive strings
604977-2 3-Major Wrong alert when DTLS cookie size is 32
604838-1 3-Major TCP Analytics incorrectly reports entities as "Aggregated"
604496-4 3-Major SQL (Oracle) monitor daemon might hang.
604133-4 3-Major Ramcache may leave the HTTP Cookie Cache in an inconsistent state
603979-2 3-Major Data transfer from the BIG-IP system self IP might be slow
603550-1 3-Major Virtual servers that use both FastL4 and HTTP profiles at same time will have incorrect syn cache stats.
603236-1 3-Major 1k/4k creation issue at Safenet 6.2 + 6.10.9 fw
602381 3-Major Poor performance can occur with MPTCP
602366-1 3-Major Safenet 6.2 HA performance
602358-4 3-Major Some sites need the SSL/TLS ClientHello version sent after receiving the HelloRequest to match the first ClientHello Version
602136-5 3-Major iRule drop command causes tmm segfault or still sends 3-way handshake to the server.
602040-3 3-Major Truncated support ID for HTTP protocol security logging profile
601496-3 3-Major iRules and OCSP Stapling
601178-1 3-Major HTTP cookie persistence 'preferred' encryption
600827-7 3-Major Stuck nitrox crypto queue can erroneously be reported
600614-4 3-Major External crypto offload fails when SSL connection is renegotiated
600593-1 3-Major Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests
599567 3-Major APM assumes snat automap, does not use snat pool
598874-11 3-Major GTM Resolver sends FIN after SYN retransmission timeout
597978-3 3-Major GARPs may be transmitted by active going offline
597879-1 3-Major CDG Congestion Control can lead to instability
597532-7 3-Major iRule: RADIUS avp command returns a signed integer
597253-2 3-Major HTTP::respond tcl command may incorrectly identify parameters as ifiles
597089-7 3-Major Connections are terminated after 5 seconds when using ePVA full acceleration
596433-2 3-Major Virtual with lasthop configured rejects request with no route to client.
596278 3-Major ILX workspace created by iApp made from template not deleted when iApp deleted
596242-1 3-Major [zxfrd] Improperly configured master name server for one zone makes DNS Express respond with previous record
595281-1 3-Major TCP Analytics reports huge goodput numbers
593530-4 3-Major In rare cases, connections may fail to expire
593390-4 3-Major Profile lookup when selected via iRule ('SSL::profile') might cause memory issues.
592784-2 3-Major Compression stalls, does not recover, and compression facilities cease.
592497-1 3-Major Idle timeout ineffective for FIN_WAIT_2 when server-side expired and HTTP in fallback state.
591659-9 3-Major Server shutdown is propagated to client after X-Cnection: close transformation.
591476-9 3-Major Stuck nitrox crypto queue can erroneously be reported
591343-5 3-Major SSL::sessionid output is not consistent with the sessionid field of ServerHello message.
590122-1 3-Major Standard TLS version rollback detection for TLSv1 or earlier might need to be relaxed to interoperate with clients that violate TLS specification.
589400-1 3-Major With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.
589223-1 3-Major TMM crash and core dump when processing SSL protocol alert.
588115-1 3-Major TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw
588089-3 3-Major SSL resumed connections may fail during mirroring
587966-7 3-Major LTM fastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port
587705-5 3-Major Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools.
587016-2 3-Major SIP monitor in TLS mode marks pool member down after positive response.
586738-4 3-Major The tmm might crash with a segfault.
586660-1 3-Major HTTP/ramcache2 and RAM Cache are not compatible.
586621-5 3-Major SQL monitors 'count' config value does not work as expected.
585813-2 3-Major SIP monitor with TLS mode fails to find cert and key files.
585412-4 3-Major SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines
584948-5 3-Major Safenet HSM integration failing after it completes.
584414 3-Major Deleting persistence-records via tmsh may result in persistence being created to different nodes
584310-1 3-Major TCP:Collect ignores the 'skip' parameter when used in serverside events
584029-5 3-Major Fragmented packets may cause tmm to core under heavy load
583957-9 3-Major The TMM may hang handling pipelined HTTP requests with certain iRule commands.
582465-1 3-Major Cannot generate key after SafeNet HSM is rebooted
582331-1 3-Major Maximum connections is not accurate when TMM load is uneven
582234-6 3-Major When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again.
582207-7 3-Major MSS may exceed MTU when using HW syncookies
580303-7 3-Major When going from active to offline, tmm might send a GARP for a floating address.
579926-1 3-Major HTTP starts dropping traffic for a half-closed connection when in passthrough mode
579843-1 3-Major tmrouted may not re-announce routes after a specific succession of failover states
579371-4 3-Major BigIP may generate ARPs after transition to standby
579252-3 3-Major Traffic can be directed to a less specific virtual during virtual modification
578951-2 3-Major TCP Fast Open connection timeout during handshake does not decrement pre_established_connections
572680-5 3-Major Standby TMM might overflow send buffer if out of sync with Active TMM
572281-5 3-Major Variable value in the nesting script of foreach command gets reset when there is a parking command in the script
569288-6 3-Major Different LACP key may be used in different blades in a chassis system causing trunking failures
568543-4 3-Major Syncookie mode is activated on wildcard virtuals
565799-6 3-Major CPU Usage increases when using masquerade addresses
563933-4 3-Major [DNS] dns64-additional-section-rewrite v4-only does not rewrite v4 RRs
562267-2 3-Major FQDN nodes do not support monitor alias destinations.
557358-2 3-Major TMM SIGSEGV and crash when memory allocation fails.
551208-6 3-Major Nokia alarms are not deleted due to the outdated alert_nokia.conf.
550161-5 3-Major Networking devices might block a packet that has a TTL value higher than 230.
549329-5 3-Major L7 mirrored ACK from standby to active box can cause tmm core on active
545796-4 3-Major [iRule] [Stats] iRule is not generating any stats for executed iRules.
545450-6 3-Major Log activation/deactivation of TM.TCPMemoryPressure
542104-2 3-Major In rare circumstances, it is possible for the TCP timestamps sent by the BIG-IP system to be inconsistent between blades.
537553-7 3-Major tmm might crash after modifying virtual server SSL profiles in SNI configuration under load
537209-5 3-Major Fastl4 profile sends RST packet when idle timeout value set to 'immediate'
536563-3 3-Major Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' on subsequent packets.
534457-6 3-Major Dynamically discovered routes might fail to remirror connections.
530266-4 3-Major Rate limit configured on a node can be exceeded
506543-3 3-Major Disabled ephemeral pool members continue to receive new connections
499404-5 3-Major FastL4 does not honor the MSS override value in the FastL4 profile with syncookies
486735-5 3-Major Maximum connections is not accurate when TMM load is uneven
483953-1 3-Major Cached route MTUs may be set to the value of TM.MinPathMTU even if the path MTU is lower than that value.
472571-7 3-Major Memory leak with multiple client SSL profiles.
464801-3 3-Major Intermittent tmm core
441079-3 3-Major BIG-IP 2000/4000: Source port on NAT connections are modified when they should be preserved
433572-4 3-Major DTLS does not work with rfcdtls cipher on the B2250 blade
431480-1 3-Major Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message
423392-8 3-Major tcl_platform is no longer in the static:: namespace
405898-2 3-Major If the OSPF derived MTU is different from the path MTU, OSPF may not function as expected
374067-7 3-Major Using CLIENT_ACCEPTED iRule to set SNAT pool on OneConnect virtual server interferes with keepalive connections
371164-1 3-Major BIG-IP sends ND probes for all masquerading MAC addresses on all VLANs, so a MAC might be associated with multiple VLANs.
367226-2 3-Major Outgoing RIP advertisements may have incorrect source port
246726-1 3-Major System continues to process virtual server traffic after disabling virtual address
225634-1 3-Major The rate class feature does not honor the Burst Size setting.


Performance Issues

ID Number Severity Description
510631-1 3-Major B4450 L4 No ePVA or L7 throughput lower than expected


Global Traffic Manager Issues

ID Number Severity Description
603598-4 2-Critical big3d memory under extreme load conditions
587656-2 2-Critical gtm auto discovery problem with ehf for ID574052
587617-1 2-Critical While adding GTM server, failure to configure new IP on existing server leads to gtmd core
626141-3 3-Major DNSX Performance Graphs are not displaying Requests/sec
621374-1 3-Major "abbrev" argument in "whereis" iRule returns nothing
615338-3 3-Major The value returned by "matchregion" in an iRule is inconsistent in some cases.
613576-4 3-Major QOS load balancing links display as gray
613045-5 3-Major Interaction between GTM and 10.x LTM results in some virtual servers marked down
602300-1 3-Major Zone Runner entries cannot be modified when sys DNS starts with IPv6 address
601180-2 3-Major Link Controller base license does not allow DNS namespace iRule commands.
595293-4 3-Major Deleting GTM links could cause gtm_add to fail on new devices.
589256-1 3-Major DNSSEC NSEC3 records with different type bitmap for same name.
588289-1 3-Major GTM is Re-ordering pools when adding pool including order designation
584623-2 3-Major Response to -list iRules command gets truncated when dealing with MX type wide IP
574052-3 3-Major GTM autoconf can cause high CPU usage for gtmd
370131-4 3-Major Loading UCS with low GTM Autoconf Delay drops pool Members from config


Application Security Manager Issues

ID Number Severity Description
627117-1 2-Critical crash with wrong certificate in WSS
603945-2 2-Critical BD config update should be considered as config addition in case of update failure
588087-1 2-Critical Attack prevention isn't escalating under some conditions in session opening mitigation
587629-2 2-Critical IP exceptions may have issues with route domain
575133-1 2-Critical asm_config_server_rpc_handler_async.pl SIGSEGV and core
540928-1 2-Critical Memory leak due to unnecessary logging profile configuration updates.
622913-2 3-Major Audit Log filled with constant change messages
622386-1 3-Major Internet Explorer getting blocked when Web Scraping and Proactive Bot Defense are both enabled
621524-2 3-Major Processing Timeout When Viewing a Request with 300+ Violations
620635-2 3-Major Request having upper case JSON login parameter is not detected as a failed login attempt
616169 3-Major ASM Policy Export returns HTML error file
614441-4 3-Major False Positive for illegal method (GET)
613396-1 3-Major Invalid XML Policy Exported for Policies with Metachar Overrides on Websocket URLs
611385-1 3-Major "Learn Explicit Entities" may continue to work as if it is 'Add All Entities'
611151-2 3-Major An upper case JSON sensitive parameter is not masked when ASM policy is case-insensitive
609499-3 3-Major Compiled signature collections use more memory than prior versions
609496-2 3-Major Improved diagnostics in BD config update (bd_agent) added
608509-1 3-Major Policy learning is slow under high load
608245 3-Major Reporting missing parameter details when attack signature is matched against parameter value
604923-5 3-Major REST id for Signatures change after update
604612-1 3-Major Modified asm cookie violation happens after upgrade to 12.1
602221-2 3-Major Wrong parsing of redirect Domain
590851-4 3-Major "never log" IPs are still reported to AVR
584642-1 3-Major Apply Policy Failure
584103-2 3-Major FPS periodic updates (cron) write errors to log
582683-2 3-Major xpath parser doesn't reset a namespace hash value between each and every scan
582133-1 3-Major Policy builder doesn't enable staging after policy change on "*" entities (file types, urls, etc.)
581406-1 3-Major SQL Error on Peer Device After Receiving ASM Sync in a Device Group
581315-1 3-Major Selenium detection not blocked
580168-3 3-Major Information missing from ASM event logs after a switchboot and switchboot back
579917-1 3-Major User-defined signature set cannot be created/updated with Signature Type = "All"
579495-1 3-Major Error when loading Upgrade UCS
576591-6 3-Major Support for some future credit card number ranges
574113-2 3-Major Block All - Session Tracking Status is not persisted across an auto-sync device group
521204-2 3-Major Include default values in XML Policy Export


Application Visibility and Reporting Issues

ID Number Severity Description
602654-2 2-Critical TMM crash when using AVR lookups
602434-1 2-Critical Tmm crash with compressed response
601056 2-Critical TCP-Analytics, error message not using rate-limit mechanism can halt TMM
622735-1 3-Major TCP Analytics statistics does not list all virtual servers
618944-1 3-Major AVR statistics are not saved during the upgrade process
601536-1 3-Major Analytics load error stops load of configuration
601035 3-Major TCP-Analytics can fail to collect all the activity
588626 3-Major Analytics alerts: Metric "Maximum TPS" can only be used with Virtual Servers (but not with a Pool Member).
560114-5 3-Major Monpd is being affected by an I/O issue which makes some of its threads freeze


Access Policy Manager Issues

ID Number Severity Description
618506 2-Critical TMM may core under certain conditions when APM is provisioned and access profile is attached to the virtual.
618324-1 2-Critical Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor
614364-1 2-Critical Linux client NA components cannot be installed using either the sudo password or the root password
608424-2 2-Critical Dynamic ACL agent error log message contains garbage data
608408-1 2-Critical TMM may restart if SSO plugin configuration initialization fails due to internal error in tmconf library
592868-6 2-Critical Rewrite may crash processing HTML tag with HTML entity in attribute value
591117-3 2-Critical APM ACL construction may cause TMM to core if TMM is out of memory
582440-4 2-Critical Linux client does not restore route to the default GW on Ubuntu 15.10
574318-3 2-Critical Unable to resume session when switching to Protected Workspace
569563-2 2-Critical Sockets resource leak after loading complex policy
625474-1 3-Major POST request body is not saved in session variable by access when request is sent using edge client
625159-1 3-Major Policy sync status not shown on standby device in HA case
623562-3 3-Major Large POSTs rejected after policy already completed
622790-1 3-Major EdgeClient disconnect may take a lot of time when machine is moved to network with no connectivity to BIG-IP
621447-1 3-Major In some rare cases, VDI may crash
621126-1 3-Major Import of config with saml idp connector with reuse causes certificate not found error
620614 3-Major Citrix PNAgent replacement mode: iOS Citrix receiver fails to add new store account
619879-1 3-Major HTTP iRule commands could lead to WEBSSO plugin being invoked
619811-2 3-Major Machine Cert OCSP check fails with multiple Issuer CA
619486-2 3-Major Scripts on rewritten pages could fail with JavaScript exception if application code modifies window.self
619473-3 3-Major Browser may hang at APM session logout
619250-1 3-Major Returning to main menu from “RSS Feed” breaks ribbon
618957-1 3-Major Certificate objects are not properly imported from external SAML SP metadata when metadata contains both signing and encryption certificates
618170-2 3-Major Some URL unwrapping functions can behave badly
617629-1 3-Major Same report is downloaded repeatedly after user clicks on "export csv" and then click on another tab
617187-2 3-Major APM CustomDialer can't connect to APM server with invalid/untrusted SSL certificate
617063-1 3-Major After VPN tunnel established, if network is switched and a Captive Portal is present in the new network, EdgeClient fails to re-establish VPN tunnel
617002-1 3-Major SWG with Response Analytics agent in a Per-Request policy fails with some URLs
616838-3 3-Major Citrix Remote desktop resource custom parameter name does not accept hyphen character
615254-1 3-Major Network Access Launch Application item fails to launch in some cases
613613-2 3-Major Incorrect handling of form that contains a tag with id=action
612419-1 3-Major APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable))
611922-1 3-Major Policy sync fails with policy that includes custom CA Bundle.
611669-2 3-Major Mac Edge Client customization is not applied on macOS 10.12 Sierra
611485-1 3-Major APM AAA RADIUS server address cannot be a multicast IPv6 address.
611478-1 3-Major Java 8 on MacOS Sierra throws an internal exception when a modifier key (Caps Lock, Shift, Alt, etc) is pressed
611240-2 3-Major Import of config with securid might fail
610224-2 3-Major APM client may fetch expired certificate when a valid and an expired certificate co-exist
610180-1 3-Major Misconfigured SAML Single Logout can cause a minor memory leak in SSO plugin.
605018-2 3-Major Citrix StoreFront integration mode with pass through authentication fails for browser access
604767-2 3-Major Importing SAML IdP's metadata on BIG-IP as SP may result in incomplete configuration of IdP connector object.
601905-2 3-Major POST requests may not be forwarded to backend server when EAM plugin is enabled on the virtual server
600872-1 3-Major Access session inactivity expiration time not updated when accessed with http/2 enabled browsers on Windows platforms.
600119-3 3-Major DNS name resolution for servers outside of Network Access Name Split scope can be slow in some conditions
598981-3 3-Major APM ACL does not get enforced all the time under certain conditions
598211-1 3-Major Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode.
597431-7 3-Major VPN establishment may fail when computer wakes up from sleep
597214-3 3-Major Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
596116-3 3-Major LDAP Query does not resolve group membership when required attribute(s) are specified
595272-1 3-Major Edge client may show a window displaying plain text in some cases
595227-1 3-Major SWG Custom Category: unable to have a URL in multiple custom categories
594288-1 3-Major Access profile configured with SWG Transparent results in memory leak.
592414-5 3-Major IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed
591840-1 3-Major encryption_key in access config is NULL in whitelist
591590-1 3-Major APM policy sync results are not persisted on target devices
591268-4 3-Major VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions
591246-1 3-Major Unable to launch View HTML5 connections in non-zero route domain virtual servers
590820-4 3-Major Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.
588888-3 3-Major Empty URI rewriting is not done as required by browser.
586718-1 3-Major Session variable substitutions are logged
586006-1 3-Major Failed to retrieve CRLDP list from client certificate if DirName type is present
585562-3 3-Major VMware View HTML5 client shipped with Horizon 7 does not work through BIG-IP APM in Chrome/Safari
584582-2 3-Major JavaScript: 'baseURI' property may be handled incorrectly
583113-1 3-Major NTLM Auth cannot be disabled in HTTP_PROXY_REQUEST event
582752-3 3-Major Macro call could be topologically disconnected from the rest of the policy.
582606-1 3-Major IPv6 downloads stall when NA IPv4&IPv6 is used.
582526-3 3-Major Unable to display and edit huge policies (more than 4000 elements)
580893-5 3-Major Support for Single FQDN usage with Citrix Storefront Integration mode
573643-3 3-Major flash.utils.Proxy functionality is not negotiated
572558-1 3-Major Internet Explorer: incorrect handling of document.write() to closed document
572519-1 3-Major More than one header name/value pair not accepted by ACCESS::respond
569309-3 3-Major Clientside HTML parser does not recognize HTML event attributes without value
567503-2 3-Major ACCESS::remove can result in confusing ERR_NOT_FOUND logs
562636-3 3-Major Possible memory exhaustion in access end-user interface pages for transparent proxy/SWG cases.
561348-6 3-Major krb5.conf file is not synchronized between blades and not backed up
560601-1 3-Major HTML5 File API and MediaSource URLs are blocked in Portal Access
554504 3-Major Client OS version not logged in Browser/OS Reports for iOS client devices
553063-3 3-Major Epsec version rolls back to previous version on a reboot
552444-1 3-Major Dynamic drive mapping in network access may not work if path is received via session variable from LDAP/AD
543344-3 3-Major ACCESS iRule commands do not work reliably in HTTP_PROXY_REQUEST event
535119-1 3-Major APM log tables initial rotation in MySQL may be wrong
530109-4 3-Major OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.
530092-2 3-Major AD/LDAP groupmapping is overencoding group names with backslashes
527119-4 3-Major Iframe document body could be null after iframe creation in rewritten document.
526519-1 3-Major APM sessiondump command can produce binary data
525429-1 3-Major DTLS renegotiation sequence number compatibility
525378 3-Major iRule commands do not validate session scope
509596-1 3-Major iFrames with 'javascript:' scheme in SRC may not work
503842-4 3-Major MS WebService html component doesn't work after rewriting
494135-1 3-Major HTML Event handlers may not work if 'eval' is redefined
482625-1 3-Major Pages with utf-8 Content-Type and utf-16 META tag do not render
455975-1 3-Major Separate MIBS needed for tracking Access Sessions and Connectivity Sessions
450136-3 3-Major Occasionally customers see chunk boundaries as part of HTTP response
386517-1 3-Major Multidomain SSO requires a default pool be configured
369407-3 3-Major Access policy objects are created inconsistently depending on whether created using wizard or manually.
238444-3 3-Major An L4 ACL has no effect when a layered virtual server is used.


WebAccelerator Issues

ID Number Severity Description
621284-5 3-Major Incorrect TMSH help text for the 'max-response' RAMCACHE attribute


Wan Optimization Manager Issues

ID Number Severity Description
619757-2 2-Critical iSession causes routing entry to be prematurely freed


Service Provider Issues

ID Number Severity Description
613297-3 2-Critical Default generic message routing profile settings may core
612135-3 2-Critical Virtual with GenericMessage profile without MessageRouter profile will core when receiving traffic
603397-1 2-Critical tmm core on MRF when routing via MR::message route iRule command using a non-existent transport-config
596631-1 2-Critical SIP MRF: Wrong listener may be deleted during media deny-listener deletions, causing crash later
569316-1 2-Critical Core occurs on standby in MRF when routing to a route using a transport config
624743 3-Major iRules: SCTP::* commands not allowed on DIAMETER_* events
624023-3 3-Major TMM cores in iRule when accessing a SIP header that has no value
612143-3 3-Major Potential tmm core when two connections add the same persistence record simultaneously.
609575-4 3-Major BIG-IP drops ACKs containing no max-forwards header
609328-2 3-Major SIP Parser incorrectly parses empty header
607713-2 3-Major SIP Parser fails header with multiple sequential separators inside quoted string.
603019-2 3-Major Inserted SIP VIA branch parameter not unique between INVITE and ACK
601255-4 3-Major RTSP response to SETUP request has incorrect client_port attribute
599521-4 3-Major Persistence entries not added if message is routed via an iRule
598854-3 3-Major sipdb tool incorrectly displays persistence records without a pool name
598700-4 3-Major MRF SIP Bidirectional Persistence does not work with multiple virtual servers
597835-5 3-Major Branch parameter in inserted VIA header not consistent as per spec
583101-2 3-Major ADAPT::result bypass after continue causes bad state transition
583010-4 3-Major Sending a SIP invite with "tel" URI fails with a reset
578564-4 3-Major ICAP: Client RST when HTTP::respond in HTTP_RESPONSE_RELEASE after ICAP REQMOD returned HTTP response
573075-4 3-Major ADAPT recursive loop when handling successive iRule events
566576-6 3-Major ICAP/OneConnect reuses connection while previous response is in progress
401815-1 3-Major IP ToS not passing through with SIP LB


Advanced Firewall Manager Issues

ID Number Severity Description
612874-2 2-Critical iRule with FLOW_INIT stage execution can cause TMM restart
609095-2 2-Critical mcpd memory grows when updating firewall rules
626438-1 3-Major Frame is not showing in the browser and/or an error appears
622281-1 3-Major Network DoS logging configuration change can cause TMM crash
621808-1 3-Major Proactive Bot Defense failing in IE11 with Compatibility View enabled
614284-1 3-Major Performance fix to not reset a data structure in the packet receive hotpath.
613459-1 3-Major Non-common browsers blocked by Proactive Bot Defense
610857-1 3-Major DoSL7 Proactive Bot Defense should block requests from a browser (Chrome/Firefox) when it is running selenium webdriver.
610830-1 3-Major FingerPrint javascript runs slow and causes bad user browsing experience when accessing a webapp's first page.
610129-1 3-Major Config load failure when cluster management IP is not defined, but instead uses address-list.
608566-1 3-Major The reference count of NW dos log profile in tmm log is incorrect
606875-1 3-Major DoS Application - Block requests from suspicious browsers feature causes javascript latency for webapp first page
605427-1 3-Major TMM may crash when adding and removing virtual servers with security log profiles
601924-1 3-Major Selenium detection by ports scanning doesn't work even if the ports are opened
596502-2 3-Major Unable to force Bot Defense action to Allow in iRule
594869-4 3-Major AFM can log DoS attack against the internal mpi interface and not the actual interface
594075-3 3-Major Sometimes when modifying the firewall rules, the blob does not compile and pccd restarts periodically
592113-3 3-Major tmm core on the standby unit with dos vectors configured
590805-1 3-Major Active Rules page displays a different time zone.
586070 3-Major 'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings
585823-1 3-Major FW NAT translation fails if the matched FW NAT rule uses source address list and the source translation object in the rule is configured for dynamic-pat (with deterministic mode)
501892-1 3-Major Selenium is not detected by headless mechanism when using client version without server


Policy Enforcement Manager Issues

ID Number Severity Description
609005 1-Blocking Crash: tmm crashing when 2nd client (srcPort=68) sends a DHCP renew with giaddr (Relay Agent IP) in the packet after 1st client (srcPort=67).
624744-1 2-Critical Potential crash in a multi-blade chassis during CMP state changes.
624733-1 2-Critical Potential crash in a multi-blade chassis during CMP state changes.
624231-1 2-Critical No flow control when using content-insertion with compression
624228-1 2-Critical Memory leak when using insert action in pem rule and flow gets aborted
611467-1 2-Critical TMM coredump at dhcpv4_server_set_flow_key().
608009-1 2-Critical Crash: Tmm crashing when active system connections are deleted from cli
603825-4 2-Critical Crash when a Gy update message is received by a debug TMM
593070-6 2-Critical TMM may crash with multiple IP addresses per session
472860-5 2-Critical RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented.
625489-1 3-Major Merge multiple CCR-U messages during TARIFF-TIME-CHANGE
624376-1 3-Major Reporting reason AVP moved under USU AVP
624187-1 3-Major Relocate TUC AVP to group AVP USU
623491-1 3-Major After receiving the first Gx response from the PCRF, the BWC action against a rule is lost.
622220-1 3-Major tmm crash
618657-2 3-Major Bogus ICMP unreachable messages in PEM with ipother profile in use
617014-2 3-Major tmm core using PEM
608742-1 3-Major DHCP: DHCP renew ack messages from server are getting dropped by BIGIP in Forward mode.
608591-4 3-Major Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers
592070-5 3-Major DHCP server connFlow when created based on the DHCP client connFlow does not have the traffic group ID copied
588456-3 3-Major PEM deletes existing PEM Subscriber Session after lease time expires (DHCP renewal not processed).
577863-6 3-Major DHCP relay not forwarding server DHCPOFFER and DHCPACK message after some time


Carrier-Grade NAT Issues

ID Number Severity Description
609788 2-Critical PCP may pick an endpoint outside the deterministic mapping
606066-1 2-Critical LSN_DELETE messages may be lost after HA failover
605525-1 2-Critical Deterministic NAT combined with NAT64 may cause a TMM core
587106-1 2-Critical Inbound connections are reset prematurely when zombie timeout is configured.
602171-1 3-Major TMM may core when remote LSN operations time out


Global Traffic Manager (DNS) Issues

ID Number Severity Description
625671-4 3-Major The diagnostic tool dnsxdump may crash with non-standard DNS RR types.
623023-1 3-Major Unable to set DNS Topology Continent to Unknown via GUI
621239-2 3-Major Certain DNS queries bypass DNS Cache RPZ filter.
620215-5 3-Major TMM out of memory causes core in DNS cache
619398-6 3-Major TMM out of memory causes core in DNS cache
619158-1 3-Major iRule DNS request with trailing dot times out with empty response
612769-2 3-Major Added better search capabilities on the Pool Members Manage page.
609527-2 3-Major DNS cache local zone not properly copying recursion desired (RD) flag in response
607658-1 3-Major GUI becomes unresponsive when managing GSLB Pool
605260-1 3-Major [GUI] Changes can not be made to GTM listener in partition with default route domain <> 0


Traffic Classification Engine Issues

ID Number Severity Description
625172-1 2-Critical tmm crashes when classification is enabled and ftp traffic is flowing through the box
624370-1 2-Critical tmm crash during classification hitless upgrade if virtual server configuration is modified


Device Management Issues

ID Number Severity Description
606518-1 2-Critical iControl REST with 3rd party auth does not function as expected with '@' / email addresses as username.
621401-3 3-Major When HA is configured on BIG-IPs managed by BIG-IQ, the AVR reporting from BIG-IQ may fail under the load


iApp Technology Issues

ID Number Severity Description
615824-1 3-Major REST API calls to invalid REST endpoint log level change


Known Issue details for BIG-IP v12.1.x

627117-1 : crash with wrong certificate in WSS

Component: Application Security Manager

Symptoms:
BD crash.

Conditions:
Web services security is turned on.
A bad, wrong, or missing certificate is attached.

Impact:
Traffic drop until the BD is back (or failover).

Workaround:
The workaround is to fix the attached certificate.


626721-5 : "reset-stats auth login-failures" command for unknown users causes secondary mcpd processes to restart

Component: TMOS

Symptoms:
Running the command "tmsh reset-stats auth login-failures <username>" on a bladed system can cause the mcpd process to restart on secondary blades if the <username> is not an actual user on the system. The /var/log/ltm log file will contain error messages similar to:

Configuration error: Configuration from primary failed validation: 01020036:3: The requested username (username) was not found.... failed validation with error 16908342

Conditions:
This occurs on VIPRION systems when running the command for a user that doesn't exist on the other blades.

Impact:
mcpd processes on secondary blades restart, possibly causing loss of traffic and a failover (if in a device cluster).

Workaround:
Run the command "tmsh reset-stats auth login-failure <username>" using only valid usernames.


626438-1 : Frame is not showing in the browser and/ or an error appears

Component: Advanced Firewall Manager

Symptoms:
The frame goes blank when an ASM policy is enabled. This triggers the following JavaScript error in the client's console:
Uncaught TypeError: Cannot read property '3' of undefined

Conditions:
ASM policy enabled. Device ID is enabled through one of the supporting features.

Impact:
Site not operating correctly.

Workaround:
N/A


626141-3 : DNSX Performance Graphs are not displaying Requests/sec

Component: Global Traffic Manager

Symptoms:
The DNSX Performance graphs have X and Y axes labeled Requests/second, but the data actually shows total requests.

Conditions:
Always.

Impact:
The data displayed in the graph is not correct.


626106-1 : LTM Policy with illegal rule name loses its conditions and actions during upgrade

Component: Local Traffic Manager

Symptoms:
BIG-IP version 12.0.0 introduced more strict checking on the characters allowed in policy and rule names, and it also introduced an auto-migration feature to convert any disallowed characters to an underscore (_). Allowed characters in policy and rule names are:
  A-Z a-z 0-9 . / : % -
Spaces are allowed between these characters.

When a pre-v12.0 policy contains an illegal character, each illegal character in the rule name is converted to a legal one. But the conditions and actions, which are joined to the rule by name, were not similarly adjusted. After migration, the LTM policy rule has no conditions or actions referring to its new name.

Conditions:
- Pre-v12.0 BIG-IP
- Policy and/or rule names contain illegal characters like: * < > ( ) [ ]
- Upgrade to v12.0 or later

Impact:
The policy rule name is changed, with illegal characters converted to a benign underscore (_). The upgraded configuration loads successfully, but the rule's associated conditions and actions are not changed and still point to the policy by its former name, effectively becoming orphaned. Inspecting the rule using the UI or tmsh shows its conditions and actions missing.

Workaround:
The bigip.conf file can be manually edited to fix the illegal characters, and the configuration then reloaded.
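
The following is an added example, not part of this release note or of F5's upgrade code, that models the migration behavior described above on a simplified policy representation (a list of rule names plus condition/action references keyed by rule name, which is an assumption about the structure, not the real bigip.conf grammar). It applies the same character rule the text states, shows which references become orphaned when only the rule names are rewritten, and shows the result when the references are corrected as the manual bigip.conf workaround does:

```python
import re

# Characters that BIG-IP 12.0 and later allow in policy and rule names,
# per the release note text; spaces are also allowed between them.
_DISALLOWED = re.compile(r"[^A-Za-z0-9./:%\- ]")


def sanitize_name(name):
    """Apply the v12.0 auto-migration rule: each disallowed character becomes '_'."""
    return _DISALLOWED.sub("_", name)


def migrate_policy(rules, references, fix_references=False):
    """Simulate upgrading a pre-v12.0 policy (simplified model, an assumption).

    rules:          rule names as they appear in the old configuration.
    references:     (kind, rule_name) tuples, one per condition or action,
                    where rule_name is the rule the item belongs to.
    fix_references: False reproduces the upgrade behavior in this issue
                    (references left untouched); True applies the manual
                    bigip.conf fix from the workaround to the references too.

    Returns (new_rules, new_references, orphaned), where orphaned lists the
    references that no longer point at an existing rule name.
    """
    new_rules = [sanitize_name(r) for r in rules]
    if fix_references:
        new_references = [(kind, sanitize_name(r)) for kind, r in references]
    else:
        new_references = list(references)
    known = set(new_rules)
    orphaned = [ref for ref in new_references if ref[1] not in known]
    return new_rules, new_references, orphaned


# Constructed sample: two rules with illegal characters, one already legal.
SAMPLE_RULES = ["allow (static)", "deny [admin]", "default-rule"]
SAMPLE_REFS = [
    ("condition", "allow (static)"),
    ("action", "allow (static)"),
    ("condition", "deny [admin]"),
    ("action", "default-rule"),
]

if __name__ == "__main__":
    rules, refs, orphans = migrate_policy(SAMPLE_RULES, SAMPLE_REFS)
    print("migrated rules:", rules)
    print("orphaned references after upgrade:", orphans)
    _, _, orphans = migrate_policy(SAMPLE_RULES, SAMPLE_REFS, fix_references=True)
    print("orphaned references after manual fix:", orphans)
```

Running the sample shows three orphaned references for the two rules that contained parentheses and brackets, and none once the references are sanitized with the same rule, which is the state the manual bigip.conf edit restores.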


625824-1 : iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory

Component: TMOS

Symptoms:
iControl calls related to Management::KeyCertificate might leak memory slowly, which causes swap usage to grow continuously and can lead to exhaustion of swap space.

Conditions:
This occurs with the iControl command bigip.Management.KeyCertificate.certificate_export_to_pem

Impact:
iControlPortal.cgi memory increases

Workaround:
Restart httpd to reload the iControl daemon.


625784 : TMM crash on BigIP i4x00 and i2x00 with large ASM configuration.

Component: TMOS

Symptoms:
With large ASM configurations (50 virtual servers, 50 ASM policies), TMM will continuously crash on boot-up or restart.

Conditions:
Large ASM configurations (50 virtual servers, 50 ASM policies).

Impact:
TMM continuously crashes and restarts, system is unusable.

Workaround:
None


625671-4 : The diagnostic tool dnsxdump may crash with non-standard DNS RR types.

Component: Global Traffic Manager (DNS)

Symptoms:
If the dnsxdump diagnostic tool is run when the DNS Express database has a DNS resource record using a non-standard type, the process may crash providing incomplete diagnostic output.

Conditions:
Running dnsxdump with a DNS Express database containing non-standard resource record types.

Impact:
dnsxdump provides incomplete diagnostic output, stopping on the zone containing the resource record with the non-standard type.

Workaround:
This is primarily known to be caused by non-standard RR types created for WINS records. Removing the WINS records from the master nameserver will allow dnsxdump to work again after the next zone transfer.


625489-1 : Merge multiple CCR-U messages during TARIFF-TIME-CHANGE

Component: Policy Enforcement Manager

Symptoms:
The F5 implementation sent two different CCR-U messages during a tariff change: one immediately after the tariff time changed and one subsequently when the remaining quota expired. This change merges these two messages into a single CCR-U with two USU AVPs.

Conditions:
Anytime a CCR-U message is sent after tariff time change.

Impact:
Interoperability with ZTE OCS.


625474-1 : POST request body is not saved in session variable by access when request is sent using edge client

Component: Access Policy Manager

Symptoms:
POST body sent by Edge Client is not saved in the session db session variable by access hudfilter.

Conditions:
- Configure BIG-IP as SAML Service Provider. To simplify reproduction, change the Access Policy execution timeout to a few seconds.
- Use Edge Client to connect to BIG-IP.
- Saml Agent will redirect user for authentication to IdP
- Wait a few seconds for the access policy to time out on BIG-IP.
- Enter credentials/complete authentication on IdP
- User will be redirected back to BIG-IP as SP. At this moment APM will create a new session, and will evaluate access policy again.

Impact:
SAML Agent will now fail with the following error:
SAML Agent: <AgentNameHere> cannot find assertion information in SAML request

Workaround:
Removing the 'Origin' header from the request with an iRule fixes the issue, and the POST body becomes available to the access hudfilter.


625456-3 : Pending sector utility may write repaired sector incorrectly

Component: TMOS

Symptoms:
When the pendsect process detects a pending sector and performs a repair of that sector, incorrect data may be written to an incorrect location on the hard disk.
This may result in corruption of files on the BIG-IP volume that may not be detected for an indeterminate period of time after the pending sector was repaired.

When a pending sector is repaired, a message similar to the following is logged:
warning pendsect[17377]: Recovered Pending LBA:#########
(where ######### is the Logical Block Address of the repaired sector)

For more information on the pendsect utility, see:
SOL14426: Hard disk error detection and correction improvements

Conditions:
This may occur on BIG-IP appliances or VIPRION blades that contain hard disks using 4096-byte physical sectors.

Currently-known affected platforms include:
BIG-IP 5000-/7000-series appliances
BIG-IP 10000-series appliances
VIPRION B4300 blades
VIPRION B2100 blades

Due to manufacturing changes and RMA replacements, additional platforms may potentially be affected.

The smartctl utility can be used to identify hard disks using 4096-byte physical sectors:

# smartctl --scan
/dev/sda -d scsi # /dev/sda, SCSI device

# smartctl -i /dev/sda | grep "Sector Size"

Affected:
Sector Sizes: 512 bytes logical, 4096 bytes physical

Not Affected:
Sector Size: 512 bytes logical/physical

Impact:
Potential corruption of unknown files on BIG-IP volumes.
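
The smartctl checks above are the manual way to tell whether a disk is in scope. The following is an added example (not F5 code, not part of this release note) that parses the output of those two smartctl commands and classifies each disk; it handles both "Sector Sizes:" line formats the note shows. The sample outputs are constructed inline; the `main` block that shells out to `smartctl` assumes smartmontools is installed and that the script runs with enough privilege to query the disk:

```python
import re
import subprocess


def parse_smartctl_scan(scan_output):
    """Parse 'smartctl --scan' output into (device, type) pairs.

    Lines look like: '/dev/sda -d scsi # /dev/sda, SCSI device'
    """
    devices = []
    for line in scan_output.splitlines():
        m = re.match(r"^(\S+)\s+-d\s+(\S+)", line.strip())
        if m:
            devices.append((m.group(1), m.group(2)))
    return devices


def physical_sector_size(info_output):
    """Return the physical sector size in bytes from 'smartctl -i' output.

    Returns None when no recognisable sector-size line is present.
    """
    for line in info_output.splitlines():
        m = re.match(r"\s*Sector Sizes?:\s*(.+?)\s*$", line)
        if not m:
            continue
        value = m.group(1)
        # Format 1: '512 bytes logical, 4096 bytes physical' (distinct sizes)
        m2 = re.search(r"(\d+)\s+bytes logical,\s*(\d+)\s+bytes physical", value)
        if m2:
            return int(m2.group(2))
        # Format 2: '512 bytes logical/physical' (same size for both)
        m3 = re.search(r"(\d+)\s+bytes logical/physical", value)
        if m3:
            return int(m3.group(1))
        return None
    return None


def classify_disk(info_output):
    """'affected' for 4096-byte physical sectors, per the conditions above."""
    size = physical_sector_size(info_output)
    if size is None:
        return "unknown"
    return "affected" if size == 4096 else "not affected"


# Constructed sample outputs mirroring the formats quoted in the release note.
SCAN_SAMPLE = "/dev/sda -d scsi # /dev/sda, SCSI device\n"
INFO_4K = (
    "Device Model:     CONSTRUCTED-DISK-4K\n"
    "Sector Sizes:     512 bytes logical, 4096 bytes physical\n"
)
INFO_512 = (
    "Device Model:     CONSTRUCTED-DISK-512\n"
    "Sector Size:      512 bytes logical/physical\n"
)

if __name__ == "__main__":
    # Live check: requires smartmontools and sufficient privilege.
    scan = subprocess.run(["smartctl", "--scan"], capture_output=True, text=True).stdout
    for device, dev_type in parse_smartctl_scan(scan):
        info = subprocess.run(["smartctl", "-i", "-d", dev_type, device],
                              capture_output=True, text=True).stdout
        print(device, classify_disk(info))
```

The classification only reflects the sector-size condition stated in this issue; the note itself says additional platforms may be affected through RMA replacements, so the disk check is the authoritative test rather than the platform list.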


625198-1 : TMM might crash when TCP DSACK is enabled

Component: Local Traffic Manager

Symptoms:
TMM crashes

Conditions:
All of the below are required to see this behavior:

DSACK is enabled

MPTCP, rate-pace, tail-loss-probe, and fast-open are disabled.

cmetrics-cache-timeout is set to zero; congestion control is high-speed, new-reno, reno, or scalable; AND Nagle is not set to 'auto'.

An iRule exists that changes any of the conditions above besides DSACK.

Various client packet combinations interact in certain ways with the iRule logic.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Change any of the conditions above.


625172-1 : tmm crashes when classification is enabled and ftp traffic is flowing through the box

Component: Traffic Classification Engine

Symptoms:
tmm crash

Conditions:
1. classification profile attached to the virtual server
2. ftp traffic flows through the system
3. complex configuration with iRules and multiple modules enabled

Impact:
Traffic disrupted while tmm restarts.

Workaround:
remove classification profile from the virtual server


625159-1 : Policy sync status not shown on standby device in HA case

Component: Access Policy Manager

Symptoms:
After policy sync, policy sync statuses are not shown in admin GUI on standby device in a failover device group.

Conditions:
- Create a failover device group whose members are in a bigger sync-only device group for policy.
- Initiate a policy sync from an active device
- Check policy sync stats on standby device

Impact:
This does not affect sync functionality, and the user can still see the sync status on the active device.

Workaround:
Check sync status on an active device in the group.


625106-1 : Policy Sync can fail over a lossy network

Component: Local Traffic Manager

Symptoms:
Policy Sync fails.

Conditions:
BIG-IPs are connected over a lossy link.

Impact:
HA redundancy fails.

Workaround:
tmsh modify sys db TM.TCPProgressive.AutoBufferTuning value disabled


624846-1 : TCP Fast Open does not work for Responses < 1 MSS

Component: Local Traffic Manager

Symptoms:
BIG-IP does not send the data until receiving the first client ACK.

Conditions:
TCP Fast Open requests an object of less than 1 MSS in size.

Fast open and delayed acks enabled.

Impact:
Delayed completion of the connection.

Workaround:
Disable delayed acks.


624744-1 : Potential crash in a multi-blade chassis during CMP state changes.

Component: Policy Enforcement Manager

Symptoms:
Potential TMM crash resulting in flows being impacted.

Conditions:
A multi-blade chassis with PEM needs to undergo a CMP state change with flows on the active blade.

Impact:
Traffic disrupted while tmm restarts.


624743 : iRules: SCTP::* commands not allowed on DIAMETER_* events

Component: Service Provider

Symptoms:
iRules: SCTP::* commands not allowed on DIAMETER_* events

Conditions:
In DIAMETER_INGRESS or DIAMETER_EGRESS events

Impact:
No SCTP::* iRule commands work under the above events


624733-1 : Potential crash in a multi-blade chassis during CMP state changes.

Component: Policy Enforcement Manager

Symptoms:
Potential TMM crash resulting in flows being impacted.

Conditions:
A multi-blade chassis with PEM needs to undergo a CMP state change with flows on the active blade.

Impact:
Traffic disrupted while tmm restarts.


624626-3 : Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility

Component: TMOS

Symptoms:
You cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility, which returns an error message similar to the following example:

01020036:3: The requested Certificate File (/Common/example.crt) was not found

Conditions:
The presence of SSL certificates and keys created without the .crt and .key extensions. This might have happened, for example, if the SSL certificates and keys were created using the tmsh utility.

Impact:
Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility.

Workaround:
You can use the tmsh utility to delete affected SSL certificates and keys. You would use commands similar to the following example:

tmsh delete sys crypto cert example
tmsh delete sys crypto key example


624376-1 : Reporting reason AVP moved under USU AVP

Component: Policy Enforcement Manager

Symptoms:
In the current implementation, the Reporting Reason AVP is located in the MSCC at the same level as the USU AVP.

Conditions:
Anytime a CCR-U is generated with reporting reason.

Impact:
Interoperability with ZTE OCS, which requires it as a child USU (Used-Service-Unit)


624370-1 : tmm crash during classification hitless upgrade if virtual server configuration is modified

Component: Traffic Classification Engine

Symptoms:
tmm crash

Conditions:
1. classification hitless upgrade is triggered
2. pending (not saved) changes on any of the virtual servers

Impact:
Traffic disrupted while tmm restarts.


624231-1 : No flow control when using content-insertion with compression

Component: Policy Enforcement Manager

Symptoms:
Packets can get queued in PEM and cause a performance impact.
In some cases it can cause memory corruption.

Conditions:
This issue can happen when there are a lot of connections with compression enabled, hardware offload is not enabled, and content insertion is enabled.

Impact:
Performance impact to flows and possible system crash.

Workaround:
Enable hardware offload and use the pem throttle feature for content insertion


624228-1 : Memory leak when using insert action in pem rule and flow gets aborted

Component: Policy Enforcement Manager

Symptoms:
Memory keeps increasing in PEM after several hours of live service.

Conditions:
Insert action in a PEM rule, with the response spanning multiple segments, and the connection gets aborted midway.

Impact:
Connections can get reset once memory usage increases beyond threshold


624187-1 : Relocate TUC AVP to group AVP USU

Component: Policy Enforcement Manager

Symptoms:
The current implementation sends Traffic Change Usage (TCU) in the MSCC at the same level as USU.

Conditions:
Anytime there is a TCU.

Impact:
Interoperability with ZTE OCS, which requires it as a child USU (Used-Service-Unit)


624023-3 : TMM cores in iRule when accessing a SIP header that has no value

Component: Service Provider

Symptoms:
When an iRule is used to access a SIP header attribute with no value, TMM cores.

Conditions:
Use an iRule to access the value of a SIP message header attribute with no value, for example:
"Supported: " IEOL
"Session-Expires:" IEOL

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No Workaround.


623940-1 : SSL Handshake fails if client tries to negotiate EC ciphers but does not present ec_point_formats extension in ClientHello

Component: Local Traffic Manager

Symptoms:
If client tries to negotiate EC ciphers but does not present ec_point_formats extension, SSL handshake fails.

The ltm error log message looks like:
*****************************************************
Oct 12 11:25:08 gtm2 warning tmm1[21167]: 01260009:4: Connection error: ssl_select_suite:6799: no shared ciphers (40)
Oct 12 11:25:08 gtm2 warning tmm1[21167]: 01260026:4: No shared ciphers between SSL peers 10.1.6.50.36563:10.1.6.15.443.
*****************************************************

Conditions:
If client tries to negotiate EC ciphers but does not present ec_point_formats extension, SSL handshake fails.

Impact:
SSL Handshake fails.
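
To identify which clients would hit this condition from a captured handshake, the following is an added example, not F5 code and not part of this release note, that parses a TLS ClientHello handshake message and reports whether it offers ECDHE cipher suites without the ec_point_formats extension. The cipher suite and extension type numbers are the IANA-registered values; the ECDHE suite set is a representative subset rather than the full registry, and the sample messages are constructed inline with an all-zero random. Note that the TLS ECC RFCs treat ec_point_formats as optional (uncompressed points must always be supported), which is why some clients omit it:

```python
import struct

# Representative ECDHE cipher suites (RFC 4492 / RFC 5289 values), not the full list.
EC_CIPHER_SUITES = {
    0xC009, 0xC00A,  # TLS_ECDHE_ECDSA_WITH_AES_{128,256}_CBC_SHA
    0xC013, 0xC014,  # TLS_ECDHE_RSA_WITH_AES_{128,256}_CBC_SHA
    0xC02B, 0xC02C,  # TLS_ECDHE_ECDSA_WITH_AES_{128,256}_GCM_SHA{256,384}
    0xC02F, 0xC030,  # TLS_ECDHE_RSA_WITH_AES_{128,256}_GCM_SHA{256,384}
}
EXT_SUPPORTED_GROUPS = 10   # elliptic_curves / supported_groups
EXT_EC_POINT_FORMATS = 11


def build_client_hello(suites, extensions):
    """Construct a TLS 1.2 ClientHello handshake message (no record layer).

    Used only to build offline samples; the 32-byte random is all zeros.
    """
    body = b"\x03\x03" + bytes(32)                      # client_version, random
    body += b"\x00"                                     # empty session_id
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(cs)) + cs             # cipher_suites
    body += b"\x01\x00"                                 # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext           # extensions block
    return b"\x01" + len(body).to_bytes(3, "big") + body


def parse_client_hello(data):
    """Return (cipher_suites, extension_types) from a ClientHello handshake message."""
    if len(data) < 4 or data[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    length = int.from_bytes(data[1:4], "big")
    body = data[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                        # skip version and random
    pos += 1 + body[pos]                                # session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                # compression_methods
    ext_types = []
    if pos < len(body):                                 # extensions are optional
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            ext_types.append(etype)
            pos += elen                                 # skip extension data
    return suites, ext_types


def check_ec_point_formats(data):
    """Classify a ClientHello against the condition described in 623940-1."""
    suites, ext_types = parse_client_hello(data)
    if not any(s in EC_CIPHER_SUITES for s in suites):
        return "no-ec-suites"
    if EXT_EC_POINT_FORMATS in ext_types:
        return "ok"
    return "missing-ec-point-formats"


# Constructed samples.
_GROUPS = struct.pack("!H", 4) + struct.pack("!HH", 0x0017, 0x0018)  # secp256r1, secp384r1
_POINT_FORMATS = b"\x01\x00"                                           # uncompressed only
HELLO_OK = build_client_hello(
    [0xC02F, 0x002F],
    [(EXT_SUPPORTED_GROUPS, _GROUPS), (EXT_EC_POINT_FORMATS, _POINT_FORMATS)])
HELLO_MISSING = build_client_hello([0xC02F, 0x002F], [(EXT_SUPPORTED_GROUPS, _GROUPS)])
HELLO_RSA_ONLY = build_client_hello([0x002F], [])

if __name__ == "__main__":
    for name, hello in [("ok", HELLO_OK), ("missing", HELLO_MISSING), ("rsa", HELLO_RSA_ONLY)]:
        print(name, check_ec_point_formats(hello))
```

The parser deliberately skips extension bodies rather than interpreting them, since only the presence of type 11 alongside an EC suite matters for this issue; `HELLO_MISSING` is the shape of ClientHello that produces the "no shared ciphers" log lines quoted above.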


623930-3 : vCMP guests with vlangroups may loop packets internally

Component: TMOS

Symptoms:
If a vlangroup is configured within a vCMP guest, under some circumstances unicast packets may be looped between the switchboard and the BIG-IP guest. This is most likely to occur when the guest is part of an HA pair.

Conditions:
vCMP guest, vlangroups.

Impact:
High CPU utilization and potentially undelivered packets.

Workaround:
Correctly configure proxy ARP excludes on the vlangroup and increase the FDB timeout by setting the vlan.fdb.timeout database key to a larger value such as 3600.


623562-3 : Large POSTs rejected after policy already completed

Component: Access Policy Manager

Symptoms:
When the policy has already completed, access still rejects POSTs greater than 64k. Client will see a reset, and these error messages will appear on the BIG-IP:

/var/log/ltm
Oct 18 19:10:04 bigip6 err tmm[14242]: 01230140:3: RST sent from 10.2.61.80:8080 to 10.2.61.10:55280, [0x1d4cb2c:2863] APM HTTP body too big

/var/log/apm
Oct 19 09:42:37 bigip3922mgmt err tmm1[7636]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: hud_access_process_ingress, Line: 2960

Conditions:
Policy has already been fully evaluated to allow. Then the client sends a large POST. Only applies to POSTs made to '/'. Would not apply if the URL is something else like '/test'. Also does not apply to clientless modes, where the db key tmm.access.maxrequestbodysize can be used to increase the maximum POST body size allowed.

Impact:
Clients are unable to send POST bodies to '/' that are larger than 64kb, even though the policy has already been evaluated to allow.

Workaround:
Move the resource from '/' to another URL.


623491-1 : After receiving the first Gx response from the PCRF, the BWC action against a rule is lost.

Component: Policy Enforcement Manager

Symptoms:
The BWC action against a rule is lost and the traffic flow is capped at the maximum bandwidth configured in the BWC policy.

Conditions:
A flow is associated with a PEM rule that has at least a BWC action along with a Gx reporting action.

Impact:
The traffic flow is not capped by the correct BWC action; instead, it is capped by the maximum configured bandwidth in the BWC policy.


623488-3 : Custom adaptive reaper settings may be lost at upgrade time

Component: TMOS

Symptoms:
Beginning in 11.6.0, the adaptive-reaper was changed to use the default-eviction policy. The configuration migration script does not migrate the adaptive-reaper settings, so after upgrade the reaper settings are reset to their default.

Conditions:
Upgrade from 10.x to 11.6.0 or later.

Impact:
Settings may be unexpectedly changed as part of upgrade.

Workaround:
Inspect the values after upgrade and reconfigure them.


623401-1 : Intermittent OCSP request failures due to non-optimal default TCP profile setting

Component: TMOS

Symptoms:
The connection between BIG-IP and OCSP responder is not reliable since it uses the default internal TCP configuration which doesn't fit the usage well.

Conditions:
When the OCSP stapling option is enabled in the clientSSL profile that is in use by a virtual server.

Impact:
The BIG-IP as an SSL server fails to staple the OCSP response to the SSL client. In other words, the certificate status messages are not added to the Server Hello message in the TLS handshake with the SSL client.

Workaround:
The fix applies an optimized TCP configuration to the connection between BIG-IP and the OCSP responder, which makes the connection reliable. The virtual server can then always correctly staple the certificate status in the Server Hello message to the SSL client.


623391-5 : cpcfg cannot copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size

Component: TMOS

Symptoms:
cpcfg fails with errors similar to:

Getting configuration from HD1.2
info: Copying configuration to HD1.1
info: Applying configuration to HD1.1
info: >++++ result:
info: Extracting manifest: /var/local/ucs/config.ucs
info: /: Not enough free space info: 739487744 bytes required
info: 259965952 bytes available
info: /var/local/ucs/config.ucs: Not enough free disk space to install!
info: Operation aborted.

Conditions:
Use cpcfg for a UCS that is larger than the free space on the root filesystem of the target volume set.

Impact:
You cannot use cpcfg to copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size

Workaround:
Run the following commands to fix /etc/mtab on the target (HD1.3 is used in this example; substitute the correct target volume) before running cpcfg:
- volumeset -f mount HD1.3
- grep HD1.3 /proc/mounts | sed 's_/mnt/HD1.3_/_g;s_//_/_g' > /mnt/HD1.3/etc/mtab
- volumeset -f umount HD1.3


623371-1 : After changing from remote auth to local auth, if SSH keys are used, SSH attempts from nonexistent users result in a connection closed

Component: TMOS

Symptoms:
When attempting to ssh in as a nonexistent user using an SSH keypair, the connection is closed.

Conditions:
1. Configure ssh keypair for passwordless login.
2. Set auth source to a remote type such as RADIUS, TACACS+, LDAP, Active Directory.
3. Set auth source back to local.
4. Attempt to ssh to bigip using keypair as a user that does not exist in the bigip local user directory.

Impact:
User does not see expected password prompt.

This can be used to check which usernames are valid on the bigip, but it requires ssh keys.

Workaround:
None known


623367-1 : When RADIUS remote authentication is enabled, a non existing user is able to ssh into the BIG-IP if they present the root's key.

Component: TMOS

Symptoms:
Able to login to bigip using root's keypair as a user which does not exist on either the bigip or the radius server.

Conditions:
1. Configure ssh keypair for passwordless login on the bigip.
2. Enable RADIUS auth on the bigip.
3. Attempt to ssh in to the bigip as a user which does not exist on either the bigip or the radius server, using the keypair.

Impact:
With root's SSH keys, a nonexistent user can log in.

Workaround:
Set the default remote role to something other than admin


623336-3 : After an upgrade, the old installation's CA bundle may be used instead of the one that comes with the new version of TMOS

Component: TMOS

Symptoms:
When installing a new version of TMOS, the installer will choose the bundle by looking at the current installation and what came with the target version, choosing the newer one. This check is performed incorrectly, and the old bundle may accidentally be chosen.

Conditions:
This happens when /config/ssl/ssl.crt/ca-bundle.crt in the old version contains an RCS revision number near the top of the file, and the newer TMOS version does not contain a revision number. (This is a change in the format of the file generated by the organization providing F5 with this bundle.)

Impact:
Upgrades to versions that ship the "non-RCS" file incorrectly retain the ca-bundle.crt from the previous version, instead of the newer bundle that shipped with the target version.

This can result in certificate verification failures (e.g. for an OCSP stapling profile), or a BIG-IP creating an inconsistent/incomplete certificate chain for a virtual server.

Workaround:
On every device affected by this, or on every blade in a VIPRION system affected by this:

1. Update /config/ssl/ssl.crt/ca-bundle.crt with the version that ships with this software version:
   cp /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt

2. Reboot the system and clear the MCPD binary database. Refer to SOL13030, but essentially:
    touch /service/mcpd/forceload && reboot

3. After reboot, verify that the two files match (they should have the same checksum):
   md5sum /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt


623265-4 : v10 to v11.4+ UCS upgrade incorrectly retains v10 ca-bundle.crt

Component: TMOS

Symptoms:
Inconsistent CA certificate chain creation, or certificate validation/verification when verification occurs against /config/ssl/ssl.crt/ca-bundle.crt

Conditions:
A system is upgraded from v10 to v11/v12, or a v10 UCS is restored onto a v11/v12 system.

Impact:
Inconsistent ca-bundle.crt upgrade/UCS load handling can lead to odd, non-deterministic behavior between devices, even within an HA pair or cluster of devices. Non-determinism increases because ca-bundle.crt does not ConfigSync (and appears not to sync across blades in a chassis).

For example, on one device, the BIG-IP might construct and send a full certificate chain in an SSL Server Hello, when ca-bundle.crt is specified as a Client SSL profile's 'chain', but on its peer, if the peer is using an older/inconsistent ca-bundle, the peer might be unable to construct a full certificate chain.

Workaround:
On every device affected by this, or on every blade in a VIPRION system affected by this:

1. Update /config/ssl/ssl.crt/ca-bundle.crt with the version that ships with this software version:
   cp /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt

2. Reboot the system and clear the MCPD binary database. Refer to SOL13030, but essentially:
    touch /service/mcpd/forceload && reboot

3. After reboot, verify that the two files match (they should have the same checksum):
   md5sum /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt


623084 : mcpd fails validation of dhcp type virtual servers if the configured profile is /Common/udp

Component: TMOS

Symptoms:
mcpd will fail to load the configuration if the pre-11.6.0 configuration has a DHCP virtual server configured with any profile other than /Common/udp.

Conditions:
Having a DHCP-type virtual server with a profile other than /Common/udp in a pre-11.6.0 configuration, and then upgrading to 11.6.0 or later.

Impact:
mcpd fails to load the configuration. The BIGIP will not be operational until the configuration is changed and loaded.

Workaround:
Before the upgrade change the profile to /Common/udp.

The same change can be made to the bigip.conf file after the upgrade. Then load the config with tmsh load /sys config


623023-1 : Unable to set DNS Topology Continent to Unknown via GUI

Component: Global Traffic Manager (DNS)

Symptoms:
No option in dropdown menu to select Unknown Continent when configuring DNS Topology Record via GUI. Existing Topology Records will be displayed as "Continent is", instead of "Continent is Unknown".

Conditions:
Attempting to configure a DNS Topology Record via the GUI.

Impact:
Unable to set the Continent field to 'Unknown' via GUI.

Workaround:
Set the continent via tmsh using the command `create gtm topology ldns: continent -- server: continent --`


622913-2 : Audit Log filled with constant change messages

Component: Application Security Manager

Symptoms:
Frequent changes by Policy Builder fill the audit log too quickly and can affect viewing the Security Logs:

Error 502 Bad Gateway when clicking "Application Security" logs

Conditions:
Frequent Policy Builder changes occur and no ASM device group is configured.

Impact:
Disk space usage and errors viewing the Application Security logs

Workaround:
1) Turn off "Recommend Sync when Policy is not applied". (Security ›› Options : Application Security : Preferences)

2) Enable ASM sync on a device group.


622877-1 : i2000 and i4000 series appliances may show intermittent DDM alarms/warnings at powerup that clear right away

Component: TMOS

Symptoms:
Messages like the following in /var/log/ltm:

Oct 14 12:22:26 localhost err pfmand[5637]: 01660011:3: DDM interface: 6.0 transmit power too low alarm. Transmit power:0.0515 mWatts
Oct 14 12:22:26 localhost err pfmand[5637]: 01660011:3: DDM interface:6.0 receive power too low alarm. Received power:0.0000 mWatts
Oct 14 12:23:29 localhost err pfmand[5637]: 01660013:3: DDM interface:6.0 transmit power too low alarm cleared
Oct 14 12:23:29 localhost err pfmand[5637]: 01660013:3: DDM interface:6.0 receive power too low alarm cleared

Conditions:
i2000 or i4000 series appliances with DDM enabled and a reboot or restart of the pfmand daemon

Impact:
No functional impact, these are not valid DDM alarms or warnings.

Workaround:
Ignore DDM errors that clear right away after powerup or pfmand restart.


622870 : When using a Thales key, SSL handshake failed after restarting pkcs11d

Component: Local Traffic Manager

Symptoms:
With a Thales key, SSL handshake failed after restarting pkcs11d daemon.

Conditions:
Thales netHSM is used and pkcs11d daemon is restarted.

Impact:
SSL traffic fails.

Workaround:
bigstart restart tmm

after

bigstart restart pkcs11d


622790-1 : EdgeClient disconnect may take a lot of time when machine is moved to network with no connectivity to BIG-IP

Component: Access Policy Manager

Symptoms:
Edge Client takes a lot of time to disconnect when machine is moved to network with no connectivity to BIG-IP

Conditions:
* VPN is established
* Machine is moved to a different network (with no connectivity to BIG-IP)
* EdgeClient stays in the "Disconnecting..." state for a few minutes

Impact:
The user has to wait until the disconnect procedure completes.


622735-1 : TCP Analytics statistics does not list all virtual servers

Component: Application Visibility and Reporting

Symptoms:
In "Statistics :: Analytics : TCP", displaying the stats by virtual server will only allow the option of "Aggregated".

Conditions:
This occurs on virtual servers with the TCP Analytics profile attached.

Impact:
GUI does not list all virtual servers that have the TCP Analytics profile attached.


622619-5 : BIG-IP 11.6.1 - "tmsh show sys log <item> range" can kill MCPD

Component: TMOS

Symptoms:
MCPD CPU utilization is high, rendering it unresponsive.

Conditions:
A ranged log query where the log files are excessively large, e.g., 1 GB uncompressed.

Impact:
MCPd is killed due to being unresponsive, which restarts multiple daemons.

Workaround:
Lower the logging level, thereby decreasing the size of the file which must be parsed.


622386-1 : Internet Explorer getting blocked when Web Scraping and Proactive Bot Defense are both enabled

Component: Application Security Manager

Symptoms:
Internet Explorer browsers get into an endless loop of requests and never reach the back-end server when accessing a virtual server that has both the Web Scraping feature and Proactive Bot Defense enabled, if the Proactive Bot Defense mode is set to During Attacks.

Conditions:
1. ASM Security Policy is attached to the Virtual Server, and has Web Scraping's Bot Detection set to Alarm & Block.
2. Within Web Scraping, both Fingerprint and Persistent Client Identification are disabled.
3. DoS profile is attached to the Virtual Server, and has Proactive Bot Defense set to During Attacks.
4. Users are using the Internet Explorer browser.

Impact:
Internet Explorer users are blocked from accessing the back-end server.

Workaround:
Either of the following:
1. Set Proactive Bot Defense to Always instead of During Attacks.
2. Enable either Fingerprint or Persistent Client Identification in the Web Scraping configuration.


622281-1 : Network DoS logging configuration change can cause TMM crash

Component: Advanced Firewall Manager

Symptoms:
Assigning a Network DoS logging profile to a virtual server, or removing one from it, can cause a random TMM crash.

Conditions:
The problem happens only with a runtime configuration change.

Logging profile settings that were already configured and are loaded at TMM startup do not have this problem. Because the problem is a one-time event on configuration change, TMM restarts, picks up the configuration change, and then runs without any problem.

Impact:
Traffic disrupted while tmm restarts.


622220-1 : tmm crash

Component: Policy Enforcement Manager

Symptoms:
tmm crashes

Conditions:
The exact trigger is not known; the crash was observed with Policy Enforcement Manager configured. It may occur when a new blade is added or an HA event occurs and flows are rebalanced before the session is established.

Impact:
Traffic disrupted while tmm restarts.


622199-2 : sys-icheck reports error with /var/lib/waagent

Component: TMOS

Symptoms:
On Azure cloud, running sys-icheck may report an error with /var/lib/waagent.

On BIG-IP version 12.0.0:
ERROR: ....L.... /var/lib/waagent
L - readLink(2) path mismatch

On BIG-IP version 12.1.0 and 12.1.1:
ERROR: .M....... /var/lib/waagent

M - Mode differs (includes permissions and file type)

Conditions:
This occurs on BIG-IP running on Azure cloud.

Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.


622194 : sys-icheck reports error with ssh_host_rsa_key

Component: TMOS

Symptoms:
On Azure cloud, running sys-icheck may report an error with /config/ssh/ssh_host_rsa_key and ssh_host_rsa_key.pub

ERROR: SM5...... /config/ssh/ssh_host_rsa_key
ERROR: SM5...... /config/ssh/ssh_host_rsa_key.pub

Conditions:
This occurs on BIG-IP running on Azure cloud when running the sys-icheck utility.

Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.


622183-5 : The alert daemon should remove old log files but it does not.

Component: TMOS

Symptoms:
When utilization of the log filesystem goes above the 'sys db logcheck.alertthres' setting (default 90%), the alert daemon is supposed to delete old log files. It does not.

Conditions:
System activity generates a high number of log messages, and/or a user puts large files in /var/log.

Impact:
The log filesystem may become completely full, and new log messages cannot be saved.


622133-1 : vCMP guests may obtain incorrect MAC addresses

Component: TMOS

Symptoms:
vCMP guests may be reconfigured to use MAC addresses derived from an all-zero MAC address (00:00:00:00:00:00).

The 'tmsh show net vlan' command shows the VLAN interfaces with mostly zeros in the MAC address:

-------------------------------------
Net::Vlan: external
-------------------------------------
Interface Name external
Mac Address (True) 00:00:00:00:00:01
MTU 1500
Tag 3702
Customer-Tag

-------------------------------------
Net::Vlan: internal
-------------------------------------
Interface Name internal
Mac Address (True) 00:00:00:00:00:02
MTU 1500
Tag 3703
Customer-Tag

Conditions:
For this to manifest, the vCMP host's vcmpd process must have previously crashed or been killed.
In that scenario, vcmpd on restart uses a default zero-based MAC address for the guests.
The guests do not use the new zero-based MAC address until services are restarted on the guest, at which point the new MAC address takes effect.

Impact:
This can cause network issues and conflicts if it occurs on multiple guests in the same VLAN, because the same MAC addresses will be used.

Workaround:
Restart the guest from the hypervisor.


622017-1 : RRD files are not backed up if the /shared/rrd.backup directory already exists

Component: Local Traffic Manager

Symptoms:
Performance graphs do not display.
rrdshim cpu time does not increase.
Issuing "rrdtool dump /var/rrd/blade0cpu | grep lastupdate" shows a time in the past (prior to last system boot).

Conditions:
/shared/rrd.backup directory must not exist.

incorrect info hash in /var/rrd/<filename>.info

Impact:
rrd files do not get backed up.

Workaround:
Restart statsd:

bigstart restart statsd


621909-1 : Uneven egress trunk distribution on 5000/10000 platforms with odd number of trunk members

Component: TMOS

Symptoms:
When a trunk on the BIG-IP 5000 or 10000 platforms has an odd number of members, traffic distribution to those interfaces is unbalanced. Some interfaces see more traffic than others.

Conditions:
This can occur for two reasons: an odd number of members is configured on purpose, or a port goes down in a trunk that has an even number of members.

Impact:
Uneven traffic distribution.


621808-1 : Proactive Bot Defense failing in IE11 with Compatibility View enabled

Component: Advanced Firewall Manager

Symptoms:
Internet Explorer 11 browsers that have "Compatibility View" enabled (under Compatibility View Settings in the IE menu) fail the JavaScript challenge when Proactive Bot Defense is enabled and the "Block requests from suspicious browsers" checkbox is checked.

The challenged request is blocked with a TCP RST, and the browser shows "This page can't be displayed".

Conditions:
1. The DoS profile attached to the virtual server has Proactive Bot Defense enabled and the "Block requests from suspicious browsers" checkbox checked.
2. Internet Explorer 11 browsers in which the site's domain has been added to "Compatibility View Settings" in the browser's menu.

Impact:
Legitimate browsers get blocked when accessing the site.

Workaround:
None


621736-5 : statsd does not handle SIGCHLD properly in all cases

Component: Local Traffic Manager

Symptoms:
- Performance graphs are not updating or do not exist.
- proc_pid_stat shows statsd time not increasing.
- top also shows that statsd is not taking any processor time.

In fact statsd is stuck on a wait in a signal handler.

Conditions:
If statsd receives a SIGCHLD signal it will get stuck and not process anything.

The following sequence can trigger the issue:

rm -rf /shared/rrd.backup
sed -i "s/^#CRC.*$/#CRC $RANDOM/" /var/rrd/throughput.info
kill -HUP $(pgrep -f /usr/bin/statsd)

Impact:
No performance graphs are collected / generated

Workaround:
Restart statsd:
 - bigstart restart statsd


621524-2 : Processing Timeout When Viewing a Request with 300+ Violations

Component: Application Security Manager

Symptoms:
When attempting to view a request that triggered hundreds or thousands of violations, a timeout is encountered.

Conditions:
Attempting to view a request that triggered hundreds or thousands of violations

Impact:
A timeout is encountered.

Workaround:
Increase the "max_execution_time" timeout in /usr/local/lib/php.ini from 30 to 240 seconds.


621452-1 : Connections can stall with TCP::collect iRule

Component: Local Traffic Manager

Symptoms:
Connection does not complete

Conditions:
A TCP::collect command with two arguments defers collection beyond the first client message, which should be sufficient to produce a response.

The Initial Sequence number in the SYN is < 2^31.

The first received packet after the SYN carries data.

Impact:
Connection fails.


621447-1 : In some rare cases, VDI may crash

Component: Access Policy Manager

Symptoms:
VDI process crashes and connections to VDI resources are aborted.

Conditions:
VDI receives an unexpected session variable result that was meant for another VDI thread.

Impact:
Existing VDI connections are aborted and the user needs to login again.


621423 : sys-icheck reports error with /config/ssh/ssh_host_dsa_key

Component: TMOS

Symptoms:
On Azure cloud, running sys-icheck may report an error with /config/ssh/ssh_host_dsa_key and other files:

ERROR: missing /config/ssh/ssh_host_dsa_key
ERROR: missing /config/ssh/ssh_host_dsa_key.pub
ERROR: missing /config/ssh/ssh_host_key
ERROR: missing /config/ssh/ssh_host_key.pub

Conditions:
This occurs on BIG-IP running on Azure cloud.

Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.
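The three Azure entries above (622199-2, 622194 and 621423) all surface as sys-icheck ERROR lines, and the practical question for an operator is which of them are the documented Azure noise and which deserve a real integrity review (a changed SSH host key on a non-Azure box is exactly what you would not want to wave through). The following Python script is an added example, not F5's code and not part of the release note. It assumes the nine flag columns follow the rpm -V convention (S size, M mode, 5 digest, D device, L readlink, U user, G group, T mtime, P capabilities), which matches the decodings of L and M the note itself gives; the sample output is constructed from the lines quoted above plus one hypothetical path, /usr/local/bin/example-binary, to show an unexplained change.

```python
"""Parse sys-icheck output and separate known-benign Azure deltas from unexpected ones.

Added example (not F5 code). Assumes the nine flag columns follow the rpm -V
convention; the release note's own decoding of L and M matches that convention.
"""
import re

# Column letters and their meaning (rpm -V convention; assumption, see lead-in).
FLAG_MEANINGS = {
    "S": "file size differs",
    "M": "mode differs (includes permissions and file type)",
    "5": "digest (MD5) differs",
    "D": "device major/minor number mismatch",
    "L": "readLink(2) path mismatch",
    "U": "user ownership differs",
    "G": "group ownership differs",
    "T": "mtime differs",
    "P": "capabilities differ",
}

LINE_RE = re.compile(
    r"^ERROR:\s+(?:(?P<flags>[SM5DLUGTP.?]{9})|(?P<missing>missing))\s+(?P<path>\S+)\s*$"
)

# Paths this release note documents as expected sys-icheck noise on Azure
# (IDs 622199-2, 622194, 621423): the Azure agent state directory and SSH host keys.
KNOWN_AZURE = {
    "/var/lib/waagent": "622199-2",
    "/config/ssh/ssh_host_rsa_key": "622194",
    "/config/ssh/ssh_host_rsa_key.pub": "622194",
    "/config/ssh/ssh_host_dsa_key": "621423",
    "/config/ssh/ssh_host_dsa_key.pub": "621423",
    "/config/ssh/ssh_host_key": "621423",
    "/config/ssh/ssh_host_key.pub": "621423",
}


def decode_flags(flags):
    """Return the human-readable reason for each set column in a 9-character flag string."""
    return [FLAG_MEANINGS[c] for c in flags if c in FLAG_MEANINGS]


def parse_icheck(output):
    """Turn raw sys-icheck ERROR lines into dicts of the form {path, status, reasons}."""
    findings = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banners, blank lines, anything that is not an ERROR line
        if m.group("missing"):
            findings.append({"path": m.group("path"), "status": "missing", "reasons": []})
        else:
            findings.append({"path": m.group("path"), "status": "changed",
                             "reasons": decode_flags(m.group("flags"))})
    return findings


def triage(findings, known=KNOWN_AZURE):
    """Split findings into (known, unknown); unknown entries need a real integrity review."""
    known_hits, unknown = [], []
    for f in findings:
        if f["path"] in known:
            known_hits.append(dict(f, known_issue=known[f["path"]]))
        else:
            unknown.append(f)
    return known_hits, unknown


# Constructed sample: the lines quoted in the release note plus one made-up path
# (/usr/local/bin/example-binary is hypothetical) standing in for an unexplained change.
SAMPLE_OUTPUT = """\
ERROR: ....L.... /var/lib/waagent
ERROR: SM5...... /config/ssh/ssh_host_rsa_key
ERROR: SM5...... /config/ssh/ssh_host_rsa_key.pub
ERROR: missing /config/ssh/ssh_host_dsa_key
ERROR: missing /config/ssh/ssh_host_dsa_key.pub
ERROR: SM5...... /usr/local/bin/example-binary
"""

if __name__ == "__main__":
    known_hits, unknown = triage(parse_icheck(SAMPLE_OUTPUT))
    for f in known_hits:
        print("known ", f["known_issue"], f["path"], f["status"], "; ".join(f["reasons"]))
    for f in unknown:
        print("REVIEW", f["path"], f["status"], "; ".join(f["reasons"]))
```

The known-path list is deliberately keyed by this note's IDs so that the exception is traceable; on a platform other than Azure, pass an empty dict to triage() and every changed SSH host key or binary comes back as something to review.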


621422 : i2000 and i4000 series appliances do not warn when an incorrect optic is in a port

Component: TMOS

Symptoms:
A 1G optic is inserted in a port that supports only 10G optics, or a 10G optic is inserted in a port that supports only 1G optics.

The invalid optic may show a link light, and no warning appears on the LCD.

Conditions:
Ports on i2000 and i4000 platforms do not auto-negotiate between 1G and 10G optics; each port is assigned one speed or the other.

Impact:
The user may not understand why the optic is not working correctly.

Workaround:
Move the optic to the correct port.


621401-3 : When HA is configured on BIG-IPs managed by BIG-IQ, the AVR reporting from BIG-IQ may fail under the load

Component: Device Management

Symptoms:
When BIG-IQ is monitoring more than one BIG-IP in an HA cluster, AVR reporting on the BIG-IQ may fail if one of the BIG-IPs is under heavy load.

Conditions:
BIG-IQ monitoring BIG-IPs in a HA cluster
BIG-IPs running AFM and/or ASM
BIG-IQ used to monitor AFM and/or ASM reporting.
At least one of the BIG-IPs is under significant load so as to cause delays in responding to BIG-IQ requests.

Impact:
AVR reporting will stop functioning.

Workaround:
bigstart restart restjavad


621374-1 : "abbrev" argument in "whereis" iRule returns nothing

Component: Global Traffic Manager

Symptoms:
The iRule [whereis <ip|ldns> abbrev] does not return a value.

Conditions:
iRule relying on whereis abbrev is used.

Impact:
The whereis iRule command will not return the expected value.


621284-5 : Incorrect TMSH help text for the 'max-response' RAMCACHE attribute

Component: WebAccelerator

Symptoms:
The TMSH help text for the 'max-response' RAMCACHE attribute incorrectly states that for the default value of 0 (zero) unlimited cache entries are allowed. In reality the number of cache entries is limited to 10.

Conditions:
Invoking the TMSH man/help page on RAMCACHE.

Impact:
Incorrect TMSH help text

Workaround:
N/A


621273-1 : DSR tunnels with transparent monitors may cause TMM crash.

Component: TMOS

Symptoms:
The TMM may crash if the BIG-IP system is configured with a DSR tunnel with a transparent monitor.

Conditions:
The BIG-IP system is configured with a DSR tunnel with a transparent monitor and the DB variable tm.monitorencap is set to "enable".

Impact:
Traffic disrupted while tmm restarts.


621259-3 : Config save takes long time if there is a large number of data groups

Component: TMOS

Symptoms:
Config save takes a long time to complete

Conditions:
This occurs when there is a large number (about 2000) of data-group objects in the configuration.

Impact:
When the save takes longer than 90 seconds, SOAP iControl times out.
This makes it impossible to manage the device via EM.


621242-1 : Reserve enough space in the image for future upgrades.

Component: TMOS

Symptoms:
The reserved free space in the VM image has been increased from 15% to 30% to accommodate upgrades to future versions. Each new version tends to be larger and require more disk space to install. The increased reserved space allows upgrading to at least the next two versions.

Conditions:
VE in local hypervisors and VE in the cloud (AWS, Azure).

Impact:
Extends the disk image to reserve more disk space for upgrades.

Workaround:
N/A


621239-2 : Certain DNS queries bypass DNS Cache RPZ filter.

Component: Global Traffic Manager (DNS)

Symptoms:
A DNS query with the DO bit set to 1 bypasses the RPZ filter on a DNS Cache.

Conditions:
A DNS Cache configured with RPZ.

Impact:
Queries with the DO bit set to 1 bypass the RPZ filter and are answered normally, so any client that sets the bit can evade RPZ-based blocking.


621233-1 : fastL4 + http profile with ip-protocol not set to tcp can crash tmm

Component: Local Traffic Manager

Symptoms:
TMM will core when receiving a non-TCP datagram on a fastL4 + http profile virtual.

Conditions:
A virtual server uses the fastL4 and http profiles and its ip-protocol is set to something other than tcp only.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Set the virtual's ip-protocol to tcp.


621225 : LTM log contains misleading error messages for front panel interfaces, "PCI Device not found for Interface X.0"

Component: TMOS

Symptoms:
When BIG-IP is initially booted or re-started, there are certain conditions under which the LTM log may report the following message for front panel interfaces, "PCI Device not found for Interface <X.0>", where X can be in the range of 1-6. These messages are misleading because the front panel interfaces do not have any PCI devices associated with them and should not have been flagged as errors.

Conditions:
i2600/i2800 products intermittently produce these messages upon power-up or BIG-IP re-start.

Impact:
These are false alarms in the log; the associated interfaces have no PCI devices.


621126-1 : Import of config with saml idp connector with reuse causes certificate not found error

Component: Access Policy Manager

Symptoms:
Exporting and then importing, with reuse, a configuration that includes a SAML IdP Connector fails with an Object not found or Certificate not found error:

Import Error: 01070734:3: Configuration error: /Common/my_cert.crt certificate not found.

Conditions:
Exporting and then importing with "Reuse existing objects" checked. Normal import is ok.

Impact:
Importing fails.

Workaround:
On the source box: disconnect the IdP configuration, then export the config.
On the target box: recreate the IdP configuration, import, then reconnect it.


620969 : iControl doesn't give correct valid key sizes for FIPS keys on BIG-IP 5250, 7200F, 10200F, and 11050F platforms running the Cavium Nitrox XL FIPS cards.

Component: TMOS

Symptoms:
Using get_valid_key_sizes() to query the valid key sizes returns 1024, which is not valid when the FIPS firmware is version 2.2 or later.

Conditions:
FIPS firmware is version 2.2 or above.

Impact:
Unsupported key-size is returned.


620659-3 : The BIG-IP system may unnecessarily run provisioning on successive reboots

Component: TMOS

Symptoms:
After the first boot, the system runs provisioning and boots successfully, but a file is left on the system: /mprov_firstboot. The following appears in /var/log/ltm:
  info mprov:4614:: ''provision.initialized' indicates force TMOS only provisioning - forcing.'

During a subsequent boot, provisioning runs again, potentially unnecessarily, because this file exists. The following appears in /var/log/ltm during the second boot:
  info mprov:4609:: 'Existence of file '/mprov_firstboot' indicates force TMOS only provisioning - forcing.'

Conditions:
The memory size of the host changes and there is some other reason for reprovisioning (for example, a new configuration load).

Impact:
On a vCMP host, the second provisioning may not complete properly and guest systems will not pass traffic.

The vCMP host will continually try to start more than one tmm and fail when there should only be one tmm running. The /var/log/tmm logfile on the vCMP host will contain:
  <13> Sep 25 01:33:28 vcmphost1 notice Too small memsize (60) -- need at least 136 MB

The /var/log/tmm logfile on the vCMP guest will contain:
  <13> Sep 25 01:38:21 bigip1 notice Failed to write /var/run/libdag.so_2, err: -30
  <13> Sep 25 01:38:21 bigip1 notice panic: vdag failed to attach
  <13> Sep 25 01:38:21 bigip1 notice ** SIGFPE **

Workaround:
If the vCMP host is in a tmm restart loop due to this issue, reboot the vCMP host to allow the system to come up properly.


620635-2 : Request having upper case JSON login parameter is not detected as a failed login attempt

Component: Application Security Manager

Symptoms:
Failed login attempts are not detected if the ASM policy is case-insensitive and the incoming JSON string contains upper-case characters.

Conditions:
ASM provisioned
ASM policy is case-insensitive
JSON profile with a JSON login parameter that contains an upper-case character

Impact:
Failed login attempts are not detected if the ASM policy is case-insensitive and the incoming JSON string contains upper-case characters.

Workaround:
N/A


620625-1 : Changing Connection.VlanKeyed may cause asymmetric/npath connections to fail

Component: Local Traffic Manager

Symptoms:
When Connection.VlanKeyed is modified, asymmetric/npath connections may fail.

Conditions:
The Connection.VlanKeyed DB variable is modified.

Impact:
Asymmetric/npath routed connections may fail.

Workaround:
Restarting TMM will resolve the issue. To do so, run "bigstart restart" from the command line. This will interrupt traffic so should be performed during a maintenance window.


620614 : Citrix PNAgent replacement mode: iOS Citrix receiver fails to add new store account

Component: Access Policy Manager

Symptoms:
iOS Citrix Receiver fails to add a new store account: tapping Save after providing the credentials displays "Loading" and then returns to the previous Save screen.

/var/log/apm displays "An exception is thrown: EVP_CipherFinal_ex failed: EVP_DecryptFinal_ex:bad decrypt" from VDI.

Conditions:
APM is configured in Citrix replacement mode with APM session rotation enabled. The user enters a wrong RSA SecurID passcode three times in a row, which triggers the next-token prompt, and then enters the correct passcode on the fourth attempt.

Impact:
iOS Citrix Receiver cannot add the account after wrong token values were provided for two-factor authentication.

Workaround:
Kill the iOS Citrix Receiver application, then open Receiver again and add the account.


620556-1 : Fragmented packets on clone pool for L7 virtual server targeting another L7 virtual server through iRule

Component: Local Traffic Manager

Symptoms:
Fragmented packets may be transmitted to clone pool members of a virtual server that is also forwarding its traffic to another virtual server.

Conditions:
One virtual server is configured to forward traffic to another one using an iRule, e.g.:

when CLIENT_ACCEPTED {
  virtual another_virtual
}

This forwarding virtual server also has a clone pool configured.

Impact:
Fragmented packets are transmitted to pool members, which affects performance and may trigger some intrusion detection systems.


620366-1 : Alertd can not open UDP socket upon restart

Component: TMOS

Symptoms:
alertd fails to restart due to the following error:
Sep 29 18:29:44 B2200-R76-S19 err alertd[16882]: 01100009:3: Couldn't open file UDP listener

Conditions:
alertd has spawned a long-running process (e.g., ntpd) that does not close inherited file descriptors.

Impact:
alertd fails to restart


620215-5 : TMM out of memory causes core in DNS cache

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM crashes and service is lost until it restarts. You may see several "aggressive mode sweeper" messages in /var/log/ltm prior to the crash.

Conditions:
This can occur when the TMM memory is exhausted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Provision sufficient memory for the TMM or reduce load.


620079-1 : Removing route-domain may cause monitors to fail

Component: Local Traffic Manager

Symptoms:
Removing route-domain may cause icmp and gateway-icmp monitors in unrelated route-domains to fail.

Conditions:
Route-domain is removed and icmp/gateway-icmp monitor is used.

Impact:
Monitors mark nodes down, resulting in a partial service outage.

Workaround:
Restart bigd (bigstart restart bigd).


620056-1 : Assert on deletion of paired in-and-out IPsec traffic selectors

Component: TMOS

Symptoms:
When two traffic selectors, one in and one out, mirror each other by reversing source and destination addresses, deleting one can misfire an assert that restarts tmm.

Conditions:
Defining two clearly related traffic selectors, one for in and one for out, confuses a later check of their names.

Impact:
When a traffic selector is deleted, from such a pair, an assert can fail that restarts tmm processes. Traffic disrupted while tmm restarts.

Workaround:
Until this fix appears in a release, use one traffic selector with direction=both to avoid the problem.


619879-1 : HTTP iRule commands could lead to WEBSSO plugin being invoked

Component: Access Policy Manager

Symptoms:
With SSO logs set to 'Debug' in Access log configuration, the following log messages are seen in '/var/log/apm':
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: constructor
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: webssoContext constructor ...
Sep 30 12:46:17 bigip3900mgmt err websso.3[14520]: 014d0005:3: Unsupported SSO Method
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: ctx: 0x914b510, SERVER: TMEVT_REQUEST
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: ctx: 0x914a718, CLIENT: TMEVT_ABORT_PROXY
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: webssoContext destructor ...
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: webssoConfig destructor

With 'rstcause' enabled, the following log message is seen in '/var/log/ltm':
Sep 30 12:46:17 bigip3900mgmt err tmm2[13116]: 01230140:3: RST sent from 172.17.90.92:57611 to 127.0.0.1:10001, [0x24ccbbc:820] Internal error (APM::WEBSSO requested abort (Unsupported SSO Method))

Conditions:
HTTP::disable followed by HTTP::enable, e.g.:

when CLIENT_ACCEPTED {
    HTTP::disable
    # do some other stuff
    HTTP::enable
}

Impact:
The client receives an HTTP 503 reset.

Workaround:
When the access profile is added to the virtual server, the websso plugin profile is added automatically. Manually removing the websso plugin avoids this bug.


619849-4 : In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled.

Component: Local Traffic Manager

Symptoms:
TMM crashes with a SIGABRT (killed by sod)

Conditions:
TCP (full proxy) virtual servers that are handling traffic, with verified-accept enabled in their TCP profiles.

This issue occurs extremely rarely.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
Disable verified-accept in the TCP profile.


619811-2 : Machine Cert OCSP check fails with multiple Issuer CA

Component: Access Policy Manager

Symptoms:
If there are multiple CAs in the CA bundle and the issuing CA is not first, the OCSP responder returns an "unauthorized" response.

Conditions:
This happens only when the issuing CA is not first in the CA file.

Impact:
The OCSP check for the machine cert fails and the user cannot follow the successful branch in the access policy. This may result in an authentication failure even though the machine cert is valid.

Workaround:
Use an iRule Event agent and a Variable Assign agent between the Machine Cert and OCSP Auth agents.

Follow these steps:

iRule:

1) Loop through the CA bundle until you find matching issuer cert
2) Set this new issuer cert to "session.check_machinecert.last.cert.issuer.cert"

Variable Assign:

3) Read this issuer cert from the session db and assign it back to the same session variable:

session.check_machinecert.last.cert.issuer.cert = expr { [mcget -nocache {session.check_machinecert.last.cert.issuer.cert}] }


619757-2 : iSession causes routing entry to be prematurely freed

Component: Wan Optimization Manager

Symptoms:
iSession may cause TMM to prematurely free a routing entry resulting in memory corruption and TMM restarting.

Conditions:
iSession-enabled virtual.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
No reasonable workaround short of not using iSession functionality.


619663-1 : Terminating of HTTP2 connection may cause a TMM crash

Component: Local Traffic Manager

Symptoms:
TMM crashes when an HTTP/2 connection is being terminated on the client and server sides concurrently.

Conditions:
HTTP2 profile is configured and assigned to a virtual.
A client SSL profile is also used on the same virtual.
The client and the server terminate the connection at the same time.

Impact:
Traffic disrupted while tmm restarts.


619528-1 : TMM may accumulate internal events resulting in TMM restart

Component: Local Traffic Manager

Symptoms:
Under some uncommon circumstances, long-lived connections may cause internal events to be accumulated causing excessive memory usage potentially resulting in TMM restarting.

Conditions:
HTTP virtual with long-lived connections.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
The issue can be mitigated by setting the HTTP 'max-requests' profile option to a reasonably low value - this value will depend on application requirements.


619486-2 : Scripts on rewritten pages could fail with JavaScript exception if application code modifies window.self

Component: Access Policy Manager

Symptoms:
Attempts to call some JavaScript methods (such as XMLHttpRequest.open) on a page accessed through Portal Access can fail if the application modifies the window.self built-in object. As a result the application stops working and may log an undefined variable/reference exception to the Developer Tools console.

To verify that window.self is modified, run 'window.self == window' command in Developer Tools console of the page with error and check if it returns 'false'.

Conditions:
This can occur if a web application has javascript that modifies the value of window.self.

Impact:
Affected web-applications will not work when accessed through Portal Access.

Workaround:
None


619473-3 : Browser may hang at APM session logout

Component: Access Policy Manager

Symptoms:
Browser hangs at logout from APM session with RDP client and/or VMware View client.

Conditions:
- APM Virtual server with RDP client and/or VMware View client on webtop;
- active session on this webtop with opened client.

Impact:
Logout from APM session may take a long time (several minutes). In some cases, it may be necessary to restart browser.


619419 : Workaround for Software Installation Failures in TMUI

Component: TMOS

Symptoms:
A software installation fails for one of several reasons (unsupported software versions, lack of disk space, etc). This failure leaves the software volume in a state where future installations cannot be completed.

Conditions:
Software installation fails.

Impact:
You cannot install software on the failed volume. You will see "Previous installation not complete" message if you attempt to install software on this failed volume.

Workaround:
1. Installation fails.
2. Navigate to System >> Disk Management. Click on HD1 (for example)
3. Under Contained Software Volumes, you can see the reason for failure on the failed volume.
4. Select the failed volume and click Delete. Confirm you want to delete the failed volume.
5. Once the volume is deleted successfully, return to System >> Software Management : Image List
6. Select a valid image and click the Install button.
7. Under Volume Set Name enter a valid name and click the Install button.


619410-1 : TMM hardware accelerated compression not registering for all compression levels.

Component: TMOS

Symptoms:
DEFLATE/gzip/zlib compression levels other than level 1 were bypassing the hardware accelerator and being serviced in software, resulting in higher CPU utilization and slower compression times.

Conditions:
Compression requests for DEFLATE/gzip/zlib levels other than level 1.

Impact:
Compression requests serviced by software are scheduled on local CPUs. During heavy compression traffic, overall system traffic flow may be reduced. Compression requests serviced in software may take significantly longer to complete.


619398-6 : TMM out of memory causes core in DNS cache

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM crashes and service is lost until it restarts. You may see several "aggressive mode sweeper" messages in /var/log/ltm prior to the crash.

Conditions:
This can occur when the TMM memory is exhausted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Provision sufficient memory for the TMM or reduce load.


619250-1 : Returning to main menu from “RSS Feed” breaks ribbon

Component: Access Policy Manager

Symptoms:
When you go to the "RSS Feed" configuration page for a Document, Picture Library, List, etc., go back to the SharePoint Dashboard using the link at the top pointing to "RSS FEED for ...", and then click any option on the ribbon, you get "500 Internal Server Error" and the ribbon stops working. When you use the browser's built-in "go back" button instead, everything works.

Conditions:
"500 Internal Server Error" occurred; the ribbon stops working.

Impact:
Ribbon stops working.

Workaround:
Use built-in browser "go back" button instead.


619158-1 : iRule DNS request with trailing dot times out with empty response

Component: Global Traffic Manager (DNS)

Symptoms:
The DNS request takes about 20 seconds to respond and the response is empty.

Conditions:
An iRule uses RESOLV::lookup or NAME::lookup to resolve a domain name that ends with a dot.

Impact:
The request does not properly resolve to an IP address.

Workaround:
Strip the trailing dot from the domain name before calling RESOLV::lookup or NAME::lookup.


619097 : iControl REST slow performance on GET request for virtual servers

Component: TMOS

Symptoms:
Performing a GET request on a BIG-IP with a large number of virtual servers may result in slow performance and a timeout error.

Conditions:
A significant number of virtual servers contain references to persistence profiles.

Impact:
Unable to perform a large GET query on virtual servers.


619071-3 : OneConnect with verified accept issues

Component: Local Traffic Manager

Symptoms:
System may experience an outage.

Conditions:
Verified Accept enabled in TCP profile
hardware syncookies enabled
OneConnect profile on VIP
Syncookie threshold crossed

Impact:
System outage.

Workaround:
Disable verified accept when OneConnect is used on a VIP.


618957-1 : Certificate objects are not properly imported from external SAML SP metadata when metadata contains both signing and encryption certificates

Component: Access Policy Manager

Symptoms:
BIG-IP supports import of external SAML SP metadata to create SP-Connector objects. When such a metadata file contains two certificates (one with 'signing' and one with 'encryption' use), BIG-IP imports the certificate positioned second in the metadata twice.

Conditions:
Imported metadata contains two certificates with different use types: 'signing' and 'encryption'

Impact:
There is no impact if the signing and encryption certificates in the metadata are the same. If they differ, SAML SSO may not function properly because the wrong certificate is imported into the configuration.

Workaround:
Import certificates manually, and assign them to created from metadata SAML SP connector


618944-1 : AVR statistics are not saved during the upgrade process

Component: Application Visibility and Reporting

Symptoms:
All AVR statistics will be lost after upgrade from 12.1.0 or 12.1.1.

Conditions:
AVR statistics were collected on 12.1.0 or 12.1.1.
The BIG-IP was upgraded.

Impact:
Old AVR statistics are lost.

Workaround:
1. Before the upgrade, edit the following file:
./usr/libdata/configsync/avr_save_pre
2. Change the following line (the asm clause is missing the "-o" operator that joins it to the preceding tests):
" [ $(is_provisioned avr) -eq 1 -o $(is_provisioned pem) -eq 1 -o $(is_provisioned afm) -eq 1 -o $(is_provisioned swg) -eq 1 $(is_provisioned asm) -eq 1 ] && "

to:
" [ $(is_provisioned avr) -eq 1 -o $(is_provisioned pem) -eq 1 -o $(is_provisioned afm) -eq 1 -o $(is_provisioned swg) -eq 1 -o $(is_provisioned asm) -eq 1 ] && "
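
The following added example (not F5's avr_save_pre script, and not part of these release notes) shows why the missing "-o" matters: a stand-in is_provisioned helper reads a constructed list of provisioned modules from PROVISIONED, and the shipped test expression runs beside the corrected one. PROVISIONED, save_avr_stats and run_with are names assumed for this illustration; is_provisioned is the only name taken from the page, and its real implementation is not reproduced here.

```sh
#!/bin/sh
# Added example: why the missing "-o" silently skips the AVR statistics save.
# is_provisioned is a stand-in for the BIG-IP helper of the same name; it reads
# a constructed, space-separated module list from PROVISIONED instead of the
# real provisioning state.

PROVISIONED="${PROVISIONED:-ltm avr}"   # constructed sample state

is_provisioned() {
    case " $PROVISIONED " in
        *" $1 "*) echo 1 ;;
        *)        echo 0 ;;
    esac
}

# Guard as shipped in 12.1.0/12.1.1: no "-o" before the asm clause, so test(1)
# is left with stray arguments after parsing the expression and exits with
# status 2 (a syntax error), whatever the provisioning state is.
broken_guard() {
    [ $(is_provisioned avr) -eq 1 -o $(is_provisioned pem) -eq 1 -o $(is_provisioned afm) -eq 1 -o $(is_provisioned swg) -eq 1 $(is_provisioned asm) -eq 1 ]
}

# Corrected guard from the workaround: every clause joined by "-o".
fixed_guard() {
    [ $(is_provisioned avr) -eq 1 -o $(is_provisioned pem) -eq 1 -o $(is_provisioned afm) -eq 1 -o $(is_provisioned swg) -eq 1 -o $(is_provisioned asm) -eq 1 ]
}

# Stand-in for the save step that the guard protects in the real script.
save_avr_stats() {
    echo "avr stats saved"
}

# Mirrors the script's "[ ... ] && save" shape: runs the named guard and only
# saves when it succeeds. Prints "avr stats saved" or nothing.
run_with() {
    "$1" 2>/dev/null && save_avr_stats
}

# Stand-alone demonstration: the broken guard never saves, the fixed one does.
echo "broken: $(run_with broken_guard)"
echo "fixed:  $(run_with fixed_guard)"
```

With AVR provisioned, the broken guard still returns status 2 because test(1) rejects the expression, so the `&&` chain never reaches the save step; the corrected guard succeeds for any of the five modules.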


618905-1 : tmm core while installing Safenet 6.2 client

Component: Local Traffic Manager

Symptoms:
tmm cores while installing the Safenet 6.2 client.

Conditions:
Safenet 6.2 client installation

Impact:
Traffic disrupted while tmm restarts.


618657-2 : Bogus ICMP unreachable messages in PEM with ipother profile in use

Component: Policy Enforcement Manager

Symptoms:
The ipother virtual server will send bogus ICMP unreachable messages caused by incorrect error handling in the PEM filter.

Conditions:
A VS with the ipother profile configured together with the PEM profile. In the field report, a missing classification profile was also a factor, but because this is a code-ordering issue, unfixed versions can also exhibit it with the classification profile present.

Impact:
Unnecessary ICMP traffic


618506 : TMM may core under certain conditions when APM is provisioned and access profile is attached to the virtual.

Component: Access Policy Manager

Symptoms:
TMM may core under certain conditions when APM is provisioned and access profile is attached to the virtual.

Conditions:
APM is provisioned and access profile is attached to the virtual.

Impact:
Traffic disrupted while tmm restarts.


618430 : iRules LX data not included in qkview

Component: Local Traffic Manager

Symptoms:
Qkview does not contain any of the iRuleLX information.

Conditions:
N/A

Impact:
Support engineers will have to ask for the iRuleLX information separately. No iHealth heuristics possible at the moment.


618428 : iRules LX - Debug mode does not function in dedicated mode

Component: Local Traffic Manager

Symptoms:
If the debug option is enabled in dedicated mode, one of the nodejs processes can sometimes be allocated a port that is already in use, which prevents it from starting successfully.
By design, every process is guaranteed a debug port in the configured range as long as enough ports are available on the system. In-use ports are skipped, so consecutive port allocation is not guaranteed.

Conditions:
Some of the ports in the range are busy.

Impact:
Some of the nodejs processes fail to start, which prevents normal iRuleLX operation.

Workaround:
Consult the netstat output and set debug-port-range-low to a higher value (e.g. 10000 or above) to minimise the chance of a port conflict.


618324-1 : Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor

Component: Access Policy Manager

Symptoms:
After upgrading from OPSWAT SDK V3 to V4, opening an Access Policy in the VPE displays "Any" if one of the OPSWAT checkers (e.g. the Anti-Virus checker) contains an Undefined ID (i.e. one that was previously defined but is now out of support). The correct display would be "Unsupported" or "Invalid" product.

Conditions:
Incorrect information is displayed.

Impact:
Incorrect information is displayed.

Workaround:
N/A


618319-5 : HA pair will go Active/Active, and report peer as "offline" if network-failover service is blocked

Component: TMOS

Symptoms:
All members of a Sync/Failover Device Group report "Active" for all traffic-groups, and "Offline" for all peers. Configuration sync works appropriately.

Conditions:
This can occur if the network failover configuration is incorrect. Each device should have multiple network failover addresses (either unicast or multicast) configured, and any self-IPs configured as unicast addresses must not block the configured unicast UDP source-port (default value: 1026).

If this port is blocked, the devices cannot exchange failover status information.

Impact:
When devices cannot reach the failover address of their peer devices, failover traffic will not be processed correctly and the device will become active for all traffic groups. This will result in duplicate IP addresses on the network for the objects in the traffic groups, which will cause a disruption of service.

Workaround:
Ensure that the "allow-service" parameter for the self IP includes the configured network-failover port. Normally this is covered by "allow-service { default }" when the default service list is in use; otherwise add an explicit entry such as "allow-service { udp:1026 }".


618254-2 : Non-zero Route domain is not always used in HTTP explicit proxy

Component: Local Traffic Manager

Symptoms:
Customers may experience connectivity failures in situations where a sideband connection is required as part of the transaction.

Conditions:
BIG-IP has an http-explicit configuration in which a sideband connection is required, for example to obtain an OCSP response or a DNS resolver response, and those services are associated with a different route domain.

Impact:
End-to-end connectivity failure.

Workaround:
Change configuration so that all services required are on the default route domain, 0.


618170-2 : Some URL unwrapping functions can behave incorrectly

Component: Access Policy Manager

Symptoms:
Some URL unwrapping functions can behave incorrectly, resulting in various web application malfunctions.

Conditions:
JavaScript with "location.pathname"-like fields on the right side of an expression.

Impact:
Various web application malfunctions. One example: in SharePoint 2010 with IE11, clicking the Edit button results in "Only secure content is displayed" at the bottom of the page.


618131-1 : Latency for Thales key population to the secondary slot after reboot

Component: Local Traffic Manager

Symptoms:
It may take a significant amount of time for the Thales key to populate from the primary slot to the secondary slot after a reboot. The latency can be a few minutes.

Conditions:
This occurs for Thales netHSM installed on Chassis.

Impact:
The key cannot be found in the secondary slot and SSL traffic may fail.

Workaround:
If SSL handshakes fail on secondary blades for newly created Thales keys, check the secondary blades with

    nfkminfo -l

to see whether the key file is present. If it is not, the file can be synchronized with rfs-sync -U.


618121 : "persist add" irule validation fails for RTSP_RESPONSE event on upgrade to v12.x.x

Component: Local Traffic Manager

Symptoms:
"persist add" irule validation fails for RTSP_RESPONSE event on upgrade to v12.x.x

Conditions:
When an iRule uses "persist add" in the RTSP_RESPONSE event and the system is upgraded to v12.x.x.

Impact:
"persist add" iRule validation fails. The iRule will not be loaded.

Workaround:
A possible workaround is to bypass validation: store the "persist add" command as a string in RULE_INIT and run it at request time with eval, so the validator does not see the command inside the RTSP_RESPONSE event.

when RULE_INIT {
    # Persistence timeout in seconds. The value shown is an assumption;
    # set it to match your environment.
    set static::persist_timeout 3600
    # Kept as a string (braces), so validation never parses the command here.
    set static::persist_cmd { persist add uie $SessionID $static::persist_timeout }
}

when RTSP_RESPONSE {
    set SessionID [RTSP::header value "Session"]
    if { $SessionID != "" } {
        # The direct call below fails validation on v12.x.x:
        #persist add uie $SessionID $static::persist_timeout
        eval $static::persist_cmd
    }
}


618104-1 : Connection Using TCP::collect iRule May Not Close

Component: Local Traffic Manager

Symptoms:
The BIG-IP never sends a TCP FIN in response to a client FIN.

Conditions:
A finite TCP::collect iRule is in progress.

This is repeatable in the debug kernel; in the default kernel, there has to be execution delay in a CLIENT_DATA iRule.

Impact:
The connection does not close until the sweeper causes a RST.

Workaround:
Adding a TCP::close command to a CLIENT_DATA iRule may work.


617986 : Memory leak in snmpd

Component: TMOS

Symptoms:
Memory usage in snmpd increases until the OOM killer terminates snmpd.

Conditions:
BIG-IP configured with virtual servers that have the same destination IP address.

Impact:
SNMP is disrupted while snmpd restarts.

Workaround:
No workaround


617875-1 : vCMP guest may fail to start due to not enough hugepages

Component: TMOS

Symptoms:
In rare cases, when there are many vCMP guests, the last one may fail to start because the system has apparently leaked a few 2M hugepages. The shortfall seen so far has been very small (5 to 20 hugepages missing), but occasionally this is enough that the last guest cannot start.

Conditions:
It is not yet known what triggers this.

Impact:
vCMP guest fails to start.

Workaround:
Once in this state, only restarting the host system seems to clear the condition. Restarting the vCMP guests does not appear to help.


617824-3 : "SSL::disable/enable serverside" + oneconnect reuse is broken

Component: Local Traffic Manager

Symptoms:
If "SSL::disable/enable serverside" is configured in an iRule and oneConnect is configured in the iRule or in the Virtual Server profile, BIG-IP may not receive the backend server's HTTP response for every client's HTTP Request.

Conditions:
1. "SSL::disable/enable serverside" is used in the iRule.
2. OneConnect is configured in the iRule or in the VS profile.
3. The iRule and the OneConnect profile are applied to the VS.

Impact:
The OneConnect behavior is unexpected, and the BIG-IP may not receive the backend server's HTTP response for every client HTTP request.

Workaround:
You can work around the problem by disabling oneConnect.


617643-1 : iControl.ForceSessions enabled results in GUI error on certain pages

Component: TMOS

Symptoms:
GUI pages display "An error has occurred while trying to process your request."

Conditions:
Visiting pages related to PKI (cert/key), SNMP, AFM or licensing tasks when iControl.ForceSessions is enabled.

Impact:
Unable to use GUI for certain tasks when iControl.ForceSessions is enabled.

Workaround:
Use shell for related administrative tasks or if feature is not used, disable with the following command:

tmsh# modify sys db icontrol.forcesessions value disable


617629-1 : Same report is downloaded repeatedly after user clicks on "export csv" and then click on another tab

Component: Access Policy Manager

Symptoms:
If you click the "export csv" button and then switch to another report, the same csv file is downloaded again when you click the tab of the other report.

Conditions:
Creating multiple reports in Access Report page and clicking on the "export csv" button in one report.

Impact:
Same file will be downloaded repeatedly.

Workaround:
Refresh the page before switching to another report.


617481-1 : TMM can crash when HTML minification is configured

Component: TMOS

Symptoms:
When AAM is provisioned and is used to cache dynamic pages, it can be configured to use HTML Minification to improve performance and optimize memory utilization. In some cases, the minifier may process the HTML code incorrectly and cause TMM to crash.

Conditions:
1) AAM has to be provisioned and
2) AAM policy has to be configured and
3) has HTML minification enabled and
4) be applied to a virtual.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disabling minification prevents TMM from crashing for this reason.


617229-1 : Local policy rule descriptions disappear when policy is re-saved

Component: TMOS

Symptoms:
Local policy rule descriptions disappear when policy is re-saved.

Conditions:
A rule with description exists, and the policy it's under is saved.

Impact:
An existing rule description disappears when the policy it's under is saved.

Workaround:
Use TMSH to modify the policy's properties.


617187-2 : APM CustomDialer can't connect to APM server with invalid/untrusted SSL certificate

Component: Access Policy Manager

Symptoms:
If the APM server uses an untrusted SSL certificate, or is accessed by IP address from CustomDialer, access is refused and there is no prompt to confirm the security warning.

Conditions:
APM has an invalid certificate.
The user uses CustomDialer to access the VPN.

Impact:
The VPN connection cannot be established.

Workaround:
Use a valid SSL certificate on APM, or add the particular invalid certificate to the trusted store on Windows.


617063-1 : After VPN tunnel established, if network is switched and a Captive Portal is present in the new network, EdgeClient fails to re-establish VPN tunnel

Component: Access Policy Manager

Symptoms:
After VPN tunnel is established, if network is switched and a Captive Portal is present in the new network, EdgeClient fails to re-establish VPN tunnel.

Conditions:
VPN tunnel is established. Place the computer in hibernation. Resume from hibernation and connect to a new network where a Captive Portal is present, e.g. Starbucks.

Impact:
EdgeClient may show an error page for captive portal or stay in Reconnecting state for extended period. Disconnect button may not be responsive.


617014-2 : tmm core using PEM

Component: Policy Enforcement Manager

Symptoms:
tmm cores when using PEM with cloning of monitored traffic.

Conditions:
Using PEM with iRules and cloning traffic.

Impact:
Traffic disrupted while tmm restarts.


617002-1 : SWG with Response Analytics agent in a Per-Request policy fails with some URLs

Component: Access Policy Manager

Symptoms:
SWG with Response Analytics agent in a Per-Request policy fails with some URLs

Conditions:
Response analytics agent is added to per-request policy and per-request policy is attached to the virtual. APM and SWG are provisioned and licensed.

Impact:
Client might receive resets for some URLs when response analytics doesn't function correctly.

Workaround:
Remove response analytics agent from the per-request policy and perform categorization based only on URLs.


616838-3 : Citrix Remote desktop resource custom parameter name does not accept hyphen character

Component: Access Policy Manager

Symptoms:
Adding a custom parameter to a Citrix resource gives a parser error such as the following:

01070734:3: Configuration error: apm resource remote-desktop /Common/ctx_resource: Parse error on line 1: DesktopViewer-ForceFullScreenStartup=On"

Conditions:
A Citrix resource with a custom parameter whose name contains a hyphen character.

Impact:
Custom parameter names cannot contain a hyphen character.

Workaround:
None


616242-3 : basic_string::compare error in encrypted SSL key file if the first line of the file is blank

Component: TMOS

Symptoms:
Trying to load a configuration that references an encrypted SSL key file may fail if the first line of the SSL key file is blank. When this occurs, the system will report a vague error message:

    01070711:3: basic_string::compare

If this happens during an upgrade, the system will not load the configuration under the new software version, and will remain inoperative.

Conditions:
This can occur if an affected configuration is present on a system running BIG-IP v11.3.0 or earlier, and is upgraded to BIG-IP v11.4.0 or later.

Impact:
Configuration fails to load on upgrade with extremely unhelpful error message, and absolutely no indication as to what file was being processed at the time (or that this relates to a filestore file).

Workaround:
Remove the newlines at the beginning of any SSL key files that begin with a newline. During an upgrade scenario, edit the files in the filestore.
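
As an added example (not part of these release notes or of F5 tooling), the following POSIX shell functions implement the pre-upgrade check the workaround calls for: one lists key files that begin with a blank line, the other strips the leading blank lines in place while keeping the file's permissions. The directory layout and the sample PEM contents are constructed for the demonstration; the page does not give the filestore path, so point the check at the directory that holds your key files.

```sh
#!/bin/sh
# Added example: find and repair SSL key files whose first line is blank.
# The sample directory and key contents below are constructed; the PEM bodies
# are placeholders, not real key material.

# Print the path of every *.key file under $1 whose first line is blank
# (empty or whitespace only).
find_keys_with_leading_blank() {
    dir="$1"
    for f in "$dir"/*.key; do
        [ -f "$f" ] || continue
        # head gives the first line; tr strips whitespace so a line of spaces
        # also counts as blank.
        if [ -z "$(head -n 1 "$f" | tr -d '[:space:]')" ]; then
            echo "$f"
        fi
    done
}

# Delete every leading blank line of the file named in $1, leaving the rest
# byte-for-byte intact. The result is written back through the existing
# inode (cat > file) so the key file keeps its mode and ownership.
strip_leading_blank_lines() {
    f="$1"
    tmp="$f.tmp.$$"
    # sed address "/[^[:space:]]/,$" selects the first non-blank line through
    # end of file; "!d" deletes everything outside that range.
    sed '/[^[:space:]]/,$!d' "$f" > "$tmp" && cat "$tmp" > "$f"
    rm -f "$tmp"
}

# Build a throwaway directory with one bad and one good sample key file.
make_sample_dir() {
    dir="$(mktemp -d)"
    # bad.key: starts with a blank line, the condition the release note describes.
    printf '%s\n' '' \
        '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
        'MIIB...constructed-placeholder...' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$dir/bad.key"
    # good.key: same content without the leading blank line.
    printf '%s\n' \
        '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
        'MIIB...constructed-placeholder...' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$dir/good.key"
    echo "$dir"
}

# Stand-alone demonstration: report, repair, report again.
sample="$(make_sample_dir)"
echo "before: $(find_keys_with_leading_blank "$sample")"
for k in $(find_keys_with_leading_blank "$sample"); do
    strip_leading_blank_lines "$k"
done
echo "after:  $(find_keys_with_leading_blank "$sample")"
rm -rf "$sample"
```

Run find_keys_with_leading_blank against the directory holding the key files before starting the upgrade; an empty result means no file will trip the basic_string::compare error described above.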


616215-4 : TMM can core when using LB::detach and TCP::notify commands in an iRule

Component: Local Traffic Manager

Symptoms:
TMM cores when running an iRule that has the LB::detach command before the TCP::notify command.

Conditions:
A virtual server with an iRule that has the LB::detach command executed before the TCP::notify command.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid the combination of the TCP::notify and LB::detach commands.


616169 : ASM Policy Export returns HTML error file

Component: Application Security Manager

Symptoms:
When attempting to export an ASM Policy the resulting file contains an HTML error page.

Conditions:
It is not known what triggers this condition.

Impact:
Unable to export ASM Policies.

Workaround:
A) Restarting the asm_config_server.pl process, or restarting ASM usually clears up the issue.

B) Run "umask 0022" on the device

C) Download the file from the shell.


616059-1 : Modifying license.maxcores Not Allowed Error

Component: TMOS

Symptoms:
Your sync-failover device group status says "Sync Failed" and reports the following error in Device Management :: Overview "- Sync error on injury: Load failed from /Common/bigip1 0107178a:3: Modifying license.maxcores to a value other than 8 is not allowed."

Conditions:
Non-homogeneous Virtual Editions configured with different licenses in a device group. If the license variable perf_VE_cores differs among the licenses, this condition occurs.

Impact:
The device group will fail to sync.

Workaround:
If you are using Virtual Editions in a Device Group, ensure that their licenses are the same.


616022-2 : The BIG-IP monitor process fails to process timeout conditions

Component: Local Traffic Manager

Symptoms:
Pool members that are down are not marked down by the monitor. The BIG-IP system continues to attempt to monitor the object.

Conditions:
It is not known exactly what triggers this condition. It was encountered on an https monitor.

Impact:
Incorrect monitor state. Pool members may not be marked down even though the target pool-member is down.

Workaround:
No known workaround.


615934-1 : Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.

Component: TMOS

Symptoms:
Overwrite flag in key/certificate management iControl functions is ignored and might result in errors.

Conditions:
If there is an existing key/certificate, and the key/certificate management iControl functions are used to overwrite the key/certificate by setting the overwrite flag, the flag is ignored, and an error is returned.

Impact:
Key/certificate overwrite using iControl operations might fail.


615824-1 : REST API calls to invalid REST endpoint log level change

Component: iApp Technology

Symptoms:
In BIG-IP 12.x versions before 12.1.2, invalid requests to a REST endpoint were recorded in the FINE level logs, making it difficult to audit when an invalid request to a REST endpoint was coming in. In version 12.1.2, the log level was changed to INFO so that these messages are more easily consumed by users attempting to audit the log.

Conditions:
Any request made to an invalid REST endpoint will trigger a log message at the FINE level indicating that a request came in to an invalid REST endpoint.

Impact:
Auditing the REST Framework logs is more difficult, requiring you to look at messages logged at the FINE level.

Workaround:
Users can increase the log level of the REST Framework to FINE by making the following change to the file '/etc/restjavad.log.conf':

Before:
.level=FINE
After:
.level=INFO


615388-2 : L7 policies using normalized HTTP URI or Referrer operands may corrupt memory

Component: Local Traffic Manager

Symptoms:
TMM may restart when using a L7 policy that contains the 'normalized' keyword for HTTP URI or Referrer operands.

Conditions:
Normalized HTTP URI or Referrer operands used in L7 policies.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
No workaround short of removing use of normalization for HTTP URI and Referrer instances in L7 policies.


615377-4 : Unexpected rate limiting of unreachable and ICMP messages for some addresses.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system might fail to send RSTs, ICMP unreachable, or ICMP echo responses for some addresses.

/var/log/ltm might contain messages similar to the following:
-- Limiting icmp unreach response from 251 to 250 packets/sec.
-- Limiting icmp ping response from 251 to 250 packets/sec.
-- Limiting closed port RST response from 251 to 250 packets/sec.

Conditions:
Certain traffic patterns to addresses in two or more different traffic-groups.

Impact:
Certain response messages from addresses in one or more traffic-groups (but not all) might be rate limited by the BIG-IP system even though the level of traffic has not exceeded the tm.maxrejectrate setting.

Workaround:
None known.
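
As an added example (not from these release notes), the following awk-based shell function summarises the "Limiting ... response" messages quoted above per response type, with the count and the peak reported rate, so the observed rates can be compared with the configured tm.maxrejectrate value. The /var/log/ltm sample is constructed: hostnames, PIDs, timestamps and the unrelated mcpd line are made up, while the three message texts are the ones quoted in this release note.

```sh
#!/bin/sh
# Added example: summarise rate-limiting messages from /var/log/ltm.
# The log sample is constructed; only the "Limiting ... response" message
# texts come from the release note.

# Write a constructed /var/log/ltm excerpt to a temp file and print its path.
write_sample_ltm_log() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
Sep  4 07:38:47 bigip1 warning tmm[12345]: Limiting icmp unreach response from 251 to 250 packets/sec.
Sep  4 07:38:48 bigip1 warning tmm[12345]: Limiting icmp ping response from 251 to 250 packets/sec.
Sep  4 07:38:49 bigip1 notice mcpd[4321]: (constructed, unrelated line)
Sep  4 07:38:50 bigip1 warning tmm[12345]: Limiting closed port RST response from 251 to 250 packets/sec.
Sep  4 07:39:01 bigip1 warning tmm[12345]: Limiting icmp unreach response from 300 to 250 packets/sec.
EOF
    echo "$f"
}

# Print one line per limited response type, sorted:
#   <response type> <number of messages> <peak "from" rate seen>
# Lines that are not rate-limiting messages are ignored.
rate_limit_summary() {
    awk '
        /Limiting .* response from [0-9]+ to [0-9]+ packets\/sec/ {
            # response type: text between "Limiting " and " response"
            t = $0; sub(/.*Limiting /, "", t); sub(/ response.*/, "", t)
            # observed rate: number after "response from"
            r = $0; sub(/.*response from /, "", r); sub(/ to .*/, "", r)
            count[t]++
            if (r + 0 > peak[t]) peak[t] = r + 0
        }
        END { for (t in count) printf "%s %d %d\n", t, count[t], peak[t] }
    ' "$1" | sort
}

# Stand-alone demonstration on the constructed sample.
log="$(write_sample_ltm_log)"
rate_limit_summary "$log"
rm -f "$log"
```

On a live system run rate_limit_summary /var/log/ltm and compare the third column with the limit configured in the tm.maxrejectrate db variable; response types that are being limited although the peak is at or below the configured rate, or that belong to only some traffic-groups, match the behaviour described in this entry.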


615338-3 : The value returned by "matchregion" in an iRule is inconsistent in some cases.

Component: Global Traffic Manager

Symptoms:
The value returned by "matchregion" in an iRule is inconsistent when the GTM global setting, "cache-ldns-servers", is set to "yes" and the region contains a region, continent, country, state, or ISP.

Conditions:
The GTM global setting, "cache-ldns-servers" must be set to "yes" and the region must contain a region, continent, country, state, or ISP.

Impact:
The value returned by "matchregion" in an iRule is inconsistent and may lead to inconsistent behavior in the iRule.

Workaround:
Set the GTM global setting, "cache-ldns-servers" to "no".


615254-1 : Network Access Launch Application item fails to launch in some cases

Component: Access Policy Manager

Symptoms:
If multiple applications are configured to automatically launch on network access, only the first application will launch.

Conditions:
Network access resource has multiple applications configured

Impact:
Only the first application launches. Other applications won't launch automatically.

Workaround:
Launch applications manually after VPN is established.


615143-2 : VDI plugin-initiated connections may select inappropriate SNAT address

Component: Local Traffic Manager

Symptoms:
When the VDI plugin makes outgoing connections, the source address is selected from a SNAT pool. If the connection passes through another matching virtual before reaching the external network, the selected SNAT address may be inappropriate for the egress VLAN.

Conditions:
APM configuration with VDI functionality enabled and an additional virtual matching the VDI-initiated connections.

Impact:
Return traffic from the destination may not be able to reach the BIG-IP, breaking the VDI functionality.

Workaround:
No workaround short of removing the additional virtual matching the VDI traffic.


615107-1 : Cannot SSH from AOM/SCCP to host without password (host-based authentication).

Component: TMOS

Symptoms:
Issuing commands from the AOM/SCCP menu to the host does not work, or a password is required when using SSH from AOM/SCCP to the host.

Conditions:
Presence of /etc/ssh directory on host.

Impact:
AOM/SCCP unable to connect to host without password.

Workaround:
None.


614865-1 : Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.

Component: TMOS

Symptoms:
Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.

Specifically, the functions are:
key_import_from_pem()
certificate_import_from_pem()
key_import_from_pem_v2()
certificate_import_from_pem_v2()

Conditions:
When there is an existing key or certificate on the BIG-IP system, and you want to overwrite them using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls, it results in errors stating that the key or certificate already exists on the BIG-IP system.

Impact:
Cannot overwrite the key/certificate file-objects using these iControl calls.

Workaround:
There are two workarounds:
- Delete and import the key/certificate using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls.

- Use key_import_from_file and certificate_import_from_file iControl calls as an alternative to import key/certificate from a file.


614530-1 : Dynamic ECMP routes missing from Linux host

Component: TMOS

Symptoms:
When an ECMP route is learned via dynamic routing, it is not added to the Linux host and local processes may not be able to reach the destination prefix. Load balanced traffic is not affected.

Conditions:
Dynamic routing in use, ECMP configured, ECMP route received from neighbors.

Impact:
Monitors may fail, other host-originated traffic may be sent out the wrong interface or nowhere at all.

Workaround:
Disable ECMP in ZebOS by setting "maximum-paths 1" in imish.


614509-1 : iRule use of 'all' keyword with 'class match' on large external datagroups may result in TMM restart

Component: Local Traffic Manager

Symptoms:
When the 'all' keyword is used with 'class match' on large external datagroups, the results will be incorrect and may result in TMM restarting.

Conditions:
iRule utilizing 'all' keyword with 'class match' on large external datagroups. A more unusual case is external datagroups with the tmm.classallocatemetadata bigdb entry set to the non-default 'disable' value.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No reasonable workaround short of not using 'all' keyword with 'class match' in iRules.


614493-1 : BIG-IP reset on ePVA accelerated flow may contain stale TCP window information.

Component: TMOS

Symptoms:
Resets sent by the BIG-IP system on ePVA-accelerated active flows might contain stale sequence and ACK numbers, which might fall outside the receiver's valid RST window.

Conditions:
For example, a server-side pool member going down leads the BIG-IP system to reset all client flows on that pool member. If those flows are actively offloaded in ePVA with heavy traffic at the time the pool member goes down and the reset is sent, the SEQ/ACK numbers known to the BIG-IP software might not be recent, so the RST is encoded with the most recent SEQ/ACK values the software is aware of.

Impact:
These RSTs might be ignored by the receiver if they fall outside its valid window. The receiver must then rely on its TCP keepalive or idle timeout to clean up these connections, which is standard TCP stack behavior.

Workaround:
None.


614441-4 : False Positive for illegal method (GET)

Component: Application Security Manager

Symptoms:
False Positive for illegal method (GET) and errors in BD log on Apply Policy:
----
ECARD|ERR |Sep 04 07:38:47.992|23835|table.h:0287|KEY_REMOVE: Failed to REMOVE data
----

Conditions:
This was seen after upgrade and/or failover.

Impact:
-- False positives.
-- BD has the incorrect security configuration.

Workaround:
Run the following command: restart asm.


614364-1 : Linux client NA components cannot be installed using either the sudo password or the root password

Component: Access Policy Manager

Symptoms:
Linux client Network Access components cannot be installed using either the sudo password or the root password in the Firefox browser. The issue occurs because the reported version is incorrect: after installation, the version on the machine still does not match the version reported by the server.

Conditions:
Firefox web browser, NPAPI plugins, Network Access on Linux distributions

Impact:
Installation and update of web browser plugin for network access fails


614296-2 : Dynamic routing process ripd may core

Component: TMOS

Symptoms:
As a result of a known issue, the dynamic routing protocol daemon ripd (used for the RIP protocol) may produce a core file when it is configured to use an interface that has multiple self IP addresses on different subnets on the same VLAN.

Conditions:
- Use RIP dynamic routing on an affected version.
- Have multiple self IP addresses belonging to different subnets on the same VLAN.
- Add one of the subnets with the network command within the "router RIP" stanza.

Impact:
ripd will core and the configuration will not be allowed.

Workaround:
Configure one subnet/self IP address per VLAN.


614284-1 : Performance fix to not reset a data structure in the packet receive hotpath.

Component: Advanced Firewall Manager

Symptoms:
No symptoms. This is a performance fix.

Conditions:
This always occurs in the packet receive hot path.

Impact:
No impact. Without this fix, BIG-IP could have a 0.5% (hard to measure) performance impact.

Workaround:
No workaround.


614180-2 : ASM is not available in LTM policy when ASM is licensed as the main active module

Component: TMOS

Symptoms:
ASM is not available in LTM policy rule creation when ASM is licensed as the main active module

Conditions:
ASM is licensed as the main active module

Impact:
ASM is not available in LTM policy rule creation

Workaround:
Use a license that has ASM as a sub-module. For example, LTM with Best Bundle.


613613-2 : Incorrect handling of form that contains a tag with id=action

Component: Access Policy Manager

Symptoms:
In some cases, a form with an absolute path in the action is handled incorrectly in Internet Explorer (IE) versions 7, 8, and 9. The resulting action path is wrong and the form cannot be submitted.

Conditions:
This issue occurs under these conditions:
-- HTML Form with absolute action path.
-- A tag with id=action inside this form.
-- A submit button in the form.
-- IE versions 7 through 9.

Impact:
The impact of this issue is that the web application can not work as expected.

Workaround:
This issue has no workaround at this time.


613576-4 : QOS load balancing links display as gray

Component: Global Traffic Manager

Symptoms:
All links in all data centers appear gray. After this patch, all links appear green and load balancing to the first available link in each pool is restored.

Conditions:
This bug only affects devices licensed after 9/1/2016 whose license contains the gtm_lc: disabled field.

Impact:
Any GTM/LC devices licensed after 9/1/2016 and using links as part of their configuration will have the links reported as gray.

Workaround:
Remove all links from the configuration, or install this hotfix.


613542-2 : tmm core while running the iRule STATS:: command

Component: TMOS

Symptoms:
With an iRule that runs the STATS::set command inside the ACCESS_SESSION_CLOSED event, tmm cores.

Conditions:
STATS:: command invoked inside the ACCESS_SESSION_CLOSED event. This event does not have all of the connection information so invoking STATS:: to store data from the connection will fail and cause tmm to crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use STATS::set inside ACCESS_SESSION_CLOSED


613536-4 : tmm core while running the iRule STATS:: command

Component: TMOS

Symptoms:
With an iRule that runs the STATS::set command inside the ACCESS_SESSION_CLOSED event, tmm cores.

Conditions:
STATS:: command invoked inside the ACCESS_SESSION_CLOSED event. This event does not have all of the connection information so invoking STATS:: to store data from the connection will fail and cause tmm to crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use STATS::set inside ACCESS_SESSION_CLOSED


613459-1 : Non-common browsers blocked by Proactive Bot Defense

Component: Advanced Firewall Manager

Symptoms:
Some non-common browsers may get blocked by the Proactive Bot Defense feature. This has been seen in rare cases, and causes these browsers to remain on a white page while the request is not sent to the back-end server.

Conditions:
Proactive Bot Defense enabled on the DoS profile.

Impact:
In rare cases, some non-common browsers may get blocked.

Workaround:
None


613429-1 : Unable to assign wildcard wide IPs to various BIG-IP DNS objects.

Component: Local Traffic Manager

Symptoms:
Assigning a wide IP with wildcard characters in its name to a BIG-IP DNS distributed application may not work properly when done via tmsh, and such configurations created via the GUI result in configuration files that fail to load.

Conditions:
A wide IP with a wildcard character in its name.

Impact:
Unable to assign wide IP to BIG-IP DNS distributed-app.

Workaround:
None.


613415-1 : Memory leak in ospfd when distribute-list is used

Component: TMOS

Symptoms:
Memory might be leaked when a distribute-list is used to filter routes between OSPFv2 and the Routing Information Base (RIB). The leak may lead to the daemon being terminated by the oom-killer.

Conditions:
OSPFv2 in use with a distribute-list, and Link State Advertisements (LSAs) in the database whose prefixes will be filtered by the distribute-list.

Impact:
ospfd may leak memory until the system terminates the process via the oom-killer.

Workaround:
Position the BIG-IP system in the network so there are no LSAs that need to be filtered using a distribute-list, such as in a stub area.


613396-1 : Invalid XML Policy Exported for Policies with Metachar Overrides on Websocket URLs

Component: Application Security Manager

Symptoms:
Exported Policy in XML format cannot be imported.

Conditions:
Metacharacter overrides are defined on a Websocket URL in the policy.

Impact:
Exported XML policies cannot be imported back into the system without manual manipulation.

Workaround:
If such a policy has already been exported, only manual manipulation of the exported file allows it to be imported again.


613297-3 : Default generic message routing profile settings may core

Component: Service Provider

Symptoms:
If a virtual server is created using the default generic message profile, the first packet received produces an unbounded number of messages and overflows the internal buffers.

Conditions:
The default generic message profile has the internal parser enabled but a zero-byte message separator pattern. When traffic arrives, this causes the parser to create an unbounded number of empty messages and overflow the system.

Impact:
The unbounded number of messages causes an internal panic, producing a core. Traffic disrupted while tmm restarts.

Workaround:
Each usage of generic message should either provide a separator pattern or disable the internal parser.
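
As an added illustration of the parser failure described above (this is example Python, not F5 code; the separator, the message limit and the sample segments are constructed for the example), a stream framer that refuses a zero-length separator and bounds unterminated input. Those are the two guards a separator-based message parser needs so that a single packet cannot turn into an unbounded stream of empty messages or an ever-growing buffer:

```python
from typing import List, Tuple


def frame_messages(buf: bytes, separator: bytes, max_message: int = 65536) -> Tuple[List[bytes], bytes]:
    """Split a byte stream on `separator`.

    Returns (complete_messages, unterminated_remainder). The caller keeps the
    remainder and prepends it to the next chunk read from the connection.
    """
    if not separator:
        # The failure mode in 613297-3: a zero-length separator never advances the
        # cursor, so a "split until the buffer is drained" loop yields empty
        # messages forever. Refuse it up front instead of looping.
        raise ValueError("separator must be at least one byte")
    messages: List[bytes] = []
    start = 0
    while True:
        i = buf.find(separator, start)
        if i < 0:
            break
        msg = buf[start:i]
        if len(msg) > max_message:
            raise ValueError("message exceeds max_message")
        messages.append(msg)
        start = i + len(separator)
    rest = buf[start:]
    if len(rest) > max_message:
        # Bound the unterminated tail so a peer that never sends the separator
        # cannot grow the per-connection buffer without limit.
        raise ValueError("unterminated message exceeds max_message")
    return messages, rest


class StreamFramer:
    """Per-connection state: accumulates chunks and returns whole messages."""

    def __init__(self, separator: bytes, max_message: int = 65536):
        if not separator:
            raise ValueError("separator must be at least one byte")
        self.separator = separator
        self.max_message = max_message
        self.pending = b""

    def feed(self, chunk: bytes) -> List[bytes]:
        msgs, self.pending = frame_messages(self.pending + chunk, self.separator, self.max_message)
        return msgs


def rejects(separator: bytes, buf: bytes = b"abc", max_message: int = 65536) -> bool:
    """True when frame_messages refuses the input; used to show the guards in action."""
    try:
        frame_messages(buf, separator, max_message)
    except ValueError:
        return True
    return False


# Constructed sample: three CRLF-terminated messages plus a partial one, arriving in two segments.
SEGMENTS = [b"msg-one\r\nmsg-t", b"wo\r\nmsg-three\r\ntail"]


def demo() -> Tuple[List[bytes], bytes]:
    """Feed the constructed segments and return (messages seen, unterminated remainder)."""
    framer = StreamFramer(b"\r\n")
    out: List[bytes] = []
    for seg in SEGMENTS:
        out.extend(framer.feed(seg))
    return out, framer.pending
```

The separator check is the direct analogue of the workaround: a parser is only safe to enable when it has a non-empty pattern to advance on. The size limit is the second guard, and it applies even with a valid separator.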


613079-4 : Diameter monitor watchdog timeout fires after only 3 seconds

Component: Local Traffic Manager

Symptoms:
The Diameter monitor has a 3-second timeout that overrides the interval and timeout settings configured for the monitor.

Conditions:
A Diameter monitor must be configured.

Impact:
If the Diameter server takes longer than 3 seconds to reply to requests, it will be marked down.

Workaround:
None.


613065-1 : User can't generate netHSM key with Safenet 6.2 client using GUI

Component: Local Traffic Manager

Symptoms:
With the SafeNet 6.2 client, creating a key from the GUI may hang and time out. The GUI eventually quits with an error message.

Conditions:
The SafeNet 6.2 client is installed and you attempt to create a netHSM key from the GUI.

Impact:
netHSM key creation fails and the GUI hangs.

Workaround:
Use the corresponding tmsh command to create the key.


613045-5 : Interaction between GTM and 10.x LTM results in some virtual servers marked down

Component: Global Traffic Manager

Symptoms:
Some GTM virtual servers are never marked up when interacting with 10.x LTM.

Conditions:
1. On a GTM server, with autoconf off, manually create a virtual server that is using translated IP/port and either no LTM virtual server name or an incorrect LTM virtual server name.
2. Make sure the LTM virtual server is available.

Impact:
On the GTM side, that LTM virtual server will never get marked up.

Workaround:
None.


612874-2 : iRule with FLOW_INIT stage execution can cause TMM restart

Component: Advanced Firewall Manager

Symptoms:
If you have an iRule that has FLOW_INIT stage execution, it is likely to result in random TMM crashes.

Conditions:
iRule that has FLOW_INIT stage action in it.

The FLOW_INIT stage iRule could be executed either because it was attached to a Virtual Server or configured on an AFM ACL Rule.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use iRules with a FLOW_INIT action. iRules for other events do not cause this problem.


612769-2 : Added better search capabilities on the Pool Members Manage page.

Component: Global Traffic Manager (DNS)

Symptoms:
With hundreds of potential pool members, the GUI did not make it easy to search for them. The combobox only allowed searches that matched the beginning of the pool member's name.

Conditions:
Have more than just a few potential pool members.

Impact:
Frustrating user experience.

Workaround:
No workaround.


612752-1 : UCS load or upgrade may fail under certain conditions.

Component: TMOS

Symptoms:
UCS load fails, with the following error message: loaddb[20786]: 01080023:3: Error return while getting reply from mcpd: 0x10718e6, 010718e6:3: The requested primary admin user (user1) must exist in local user database.

Conditions:
Root login is disabled and the primary administrative user is set to anything other than 'admin', the default.

Impact:
UCS load or upgrade will fail.

Workaround:
Before upgrading or generating the UCS, re-enable the root account by setting DB variable systemauth.disablerootlogin to 'false'.

Unset the custom primary administrative user by setting DB variable systemauth.primaryadminuser to 'admin'.

These settings may be safely reinstated after the upgrade is complete.


612721-2 : FIPS: .exp keys cannot be imported when the local source directory contains .key file

Component: TMOS

Symptoms:
*.exp exported FIPS keys cannot be imported from local directory when the directory contains any file named *.key with matching name. For example, if the directory /shared/abc/ contains an exported FIPS key named xyz.exp and another file named xyz.key, the user will fail to import xyz.exp as a FIPS key into the system.

Conditions:
When the local source directory of the exported FIPS key (xyz.exp) also contains a file with matching name (xyz.key).

Impact:
Unable to import the FIPS key

Workaround:
Remove the same name *.key file from the local directory before importing the FIPS exported key *.exp.


612694-1 : TCP::close with no pool member results in zombie flows

Component: Local Traffic Manager

Symptoms:
'tmsh show sys conn all-properties' shows connections whose idle time exceeds the timeout.

Conditions:
There is no pool member, and a TCP::close iRule activates (typically after a TCP::respond).

Impact:
Connection does not tear itself down.

Workaround:
Make TCP::close conditional on pool failure, and rely on the pool failure to RST the connection rather than perform a clean TCP close.


612419-1 : APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable))

Component: Access Policy Manager

Symptoms:
When there are multiple network access resources, and users switch between them within the same connection, a small memory leak happens.

Conditions:
Network access; full webtop, multiple Network Access resources.

Impact:
Memory usage increases over time.

Workaround:
There is no workaround. It is a relatively slow leak, though; in the case where it was observed, the leak was about 130MB per month.


612229-1 : TMM may crash if the 'disable LTM Policy' action in an LTM policy rule is not last

Component: Local Traffic Manager

Symptoms:
TMM may crash while processing an LTM policy.

Conditions:
- VIP with LTM policy attached.
- LTM policy contains rule with 2 or more actions.
- The policy action 'disable LTM Policy' is not the last one in the list of actions.

Impact:
TMM crash with the following in one of the /var/log/tmm log files:
notice ** SIGABRT **
Traffic disrupted while tmm restarts.

Workaround:
Ensure any LTM policy disable action is the last in the list of actions.


612143-3 : Potential tmm core when two connections add the same persistence record simultaneously.

Component: Service Provider

Symptoms:
If two messages processed on different connections with the same persistence key add a persistence record at the same time, one add operation returns a non-fatal error stating that the record already exists. The error might cause the message to be sent to both the destination and the originator, which fails.

Conditions:
Two messages processed on different connections with the same persistence key add a persistence record at the same time.

Impact:
A potential core occurs. The error might cause the message to be sent to both the destination and the originator, which fails. Traffic disrupted while tmm restarts.

Workaround:
None.


612135-3 : Virtual with GenericMessage profile without MessageRouter profile will core when receiving traffic

Component: Service Provider

Symptoms:
A virtual server configured with a generic message profile but without a message routing profile causes tmm to core when a packet is received by the virtual server.

Conditions:
A virtual server is configured with a generic message profile but without a message routing profile.

Impact:
The system will core when a packet is received by the virtual server. Traffic disrupted while tmm restarts.

Workaround:
Each virtual server that contains a generic message profile should also have a message routing profile.


612083 : Following an AC power cycle, the System Event Log may list HW, PCIe or DMI errors.

Component: TMOS

Symptoms:
One or more of the following messages appear in the system event log:

CPU0 HW Correctable Error
CPU 0 Corrected Error: Port 1a PCIe* logical port has detected an error.
CPU 0 PCI/DMI Error B:D:F 0x8: xpglberrsts: pcie_aer_correctable_error
CPU 0 PCI/DMI Error B:D:F 0x8: corerrsts: receiver_error_status
CPU 0 PCI/DMI Error B:D:F 0x8: rperrsts: correctable_error_received
CPU 0 PCI/DMI Error B:D:F 0x8: rperrsts: multiple_correctable_error_received
CPU 0 Corrected Error: DMI Error Status
CPU 0 PCI/DMI Error B:D:F 0x0: xpglberrsts: pcie_aer_correctable_error
CPU 0 PCI/DMI Error B:D:F 0x0: corerrsts: receiver_error_status
CPU 0 PCI/DMI Error B:D:F 0x0: rperrsts: correctable_error_received
CPU 0 PCI/DMI Error B:D:F 0x0: rperrsts: multiple_correctable_error_received

Conditions:
The error messages may appear following an AC power cycle of the BIG-IP i-Series platforms i4000 and i4200.

Impact:
The system detected an error on an internal bus and was able to correct it. There is no data loss or functional impact.

Workaround:
There is no mitigation or workaround for this.


611922-1 : Policy sync fails with policy that includes custom CA Bundle.

Component: Access Policy Manager

Symptoms:
Policy sync fails with a policy that includes a custom CA Bundle with an error similar to the following: mcpd[6191]: 01070710:3: Database error (65), Can't set attribute value, type:certificate_summary attribute:name.

Conditions:
- Add a custom certificate bundle
- Add it to a policy, e.g. create an LTM SSL CA profile and add it to the endpoint security check agent in the access policy.
- Initiate a policy sync.

Impact:
Policy sync fails.

Workaround:
Use a built-in certificate bundle on source device and sync the policy.

Import the custom certificate bundle to all devices

Replace the built-in certificate bundle with the custom one in the policy.


611691-5 : Packet payload ignored when DSS option contains DATA_FIN

Component: Local Traffic Manager

Symptoms:
The payload of a packet is ignored when an MPTCP DSS option has DATA_FIN set.

Conditions:
A packet contains both a payload and an MPTCP DSS option with DATA_FIN set. This has been observed when uploading files from a Linux client to a server.

Impact:
The last packet of data is not received.

Workaround:
Disable MPTCP.


611669-2 : Mac Edge Client customization is not applied on macOS 10.12 Sierra

Component: Access Policy Manager

Symptoms:
The Mac Edge Client's icon, application name, company name and other attributes can be customized on the BIG-IP system before the client is deployed to end users' machines. On macOS 10.12 Sierra, the Mac Edge Client does not apply this customization.

Conditions:
macOS Sierra 10.12, Edge Client, customization configured.

Impact:
Mac Edge Client customization is not applied on macOS 10.12 Sierra. There is no functional impact, except that the user sees the default application branding.

Workaround:
Run the following command in Terminal and relaunch the Edge Client:
$ defaults write -globalDomain AppleLanguages -array "en" "en-US"


611658-1 : "less" utility logs an error for remotely authenticated users using the tmsh shell

Component: TMOS

Symptoms:
When using 'less': Syntax Error: unexpected argument "/usr/bin/lesspipe.sh"

Conditions:
An admin user is configured with the tmsh shell.

Impact:
The admin user cannot use the less command from the shell.

Workaround:
Configure the admin user to use the bash shell.


611652-3 : iRule script validation presents incorrect warning for 'HTTP::cookie cookie-name' command.

Component: Local Traffic Manager

Symptoms:
While saving an iRule containing HTTP::cookie without the value parameter, you get a validation warning: 'warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. 'unexpected end of arguments;expected argument spec:COOKIE_NAME"160 25][HTTP::cookie $cookie_name]'.

The offending iRule command looks similar to this:
[HTTP::cookie $cookie_name]

Conditions:
iRules containing HTTP::cookie, but missing the optional value parameter, e.g. [HTTP::cookie $cookie_name].

Impact:
Validation warning incorrectly occurs if the optional 'value' parameter is left off. Note that the iRule is still loaded into the configuration.

Workaround:
Use the 'value' parameter in the HTTP::cookie command:
[HTTP::cookie value $cookie_name].


611512-1 : AWS: Pool member autoscaling in BIG-IP fails to add pool members when pool name is same as AWS Autoscaling Group name.

Component: TMOS

Symptoms:
In AWS, Pool member autoscaling in BIG-IP fails to add pool members when pool name in BIG-IP is same as Autoscaling Group name in AWS.

Conditions:
- BIG-IP is configured to perform autoscaling of pool members in AWS.
- Pool name in BIG-IP is same as the autoscaling group name in AWS attached with it.

Impact:
- Pool member autoscaling doesn't occur correctly without user intervention.

Workaround:
When configuring pool member auto-scaling in AWS, you must choose a different name for the pool compared to the autoscaling group name attached with it.


611487-3 : vCMP: VLAN failsafe does not trigger on guest

Component: TMOS

Symptoms:
vCMP: VLAN failsafe does not trigger on guest due to IPv6 link-local neighbor discovery traffic from host.

Conditions:
vCMP host configured, VLAN failsafe enabled on a VLAN, one or more VCMP guests enabled that use that VLAN

Impact:
Since the heartbeat messages going over IPv6 link-local addresses continue to be successfully passed from host to guest, VLAN failsafe does not trigger if a downstream router or switch goes down that's connected to the VLAN.

Workaround:
If you are able to, disabling IPv6 on the host will allow VLAN failsafe to work as expected.


611485-1 : APM AAA RADIUS server address cannot be a multicast IPv6 address.

Component: Access Policy Manager

Symptoms:
In the 13.0.0 release, support for AAA RADIUS direct IPv6 is added. However, validation prevents using a multicast address as the AAA RADIUS IPv6 address. If you upgrade from a previous version to this version, you see a validation error when the configuration loads.

Conditions:
The validation error occurs if the APM AAA RADIUS address is an IPv6 multicast address on BIG-IP version 13.0.0 and later.

Impact:
Support for AAA RADIUS direct IPv6 is added in BIG-IP version 13.0.0. The new validation affects only IPv6 multicast addresses, so any working IPv4 configuration is not affected by it.

Workaround:
Multicast IPv6 addresses are not supported for direct IPv6 RADIUS; ensure you are using unicast addresses.


611482-3 : Local persistence record kept alive after owner persistence record times out (when using pool command in an iRule) .

Component: Local Traffic Manager

Symptoms:
Local persistence record kept alive after owner persistence record times out (when using pool command in an iRule).

Conditions:
Universal persistence is configured. A series of HTTP requests is sent to a tmm that does not own the record. A persistence lookup is performed, but the pool command is then used for the load-balancing pick.

Impact:
Discrepancy between persistence records.

Workaround:
Use the persist command, not the pool command, to bind a persistence record to a flow.


611478-1 : Java 8 on MacOS Sierra throws an internal exception when a modifier key (Caps Lock, Shift, Alt, etc) is pressed

Component: Access Policy Manager

Symptoms:
On MacOS Sierra, the recent builds of Java 8 (namely, Updates 91, 101 and 102) all throw an internal exception for applets when a modifier key (Caps Lock, Alt, Shift, etc) is pressed.

There is an Oracle bug opened for this matter:
http://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8166040

This applies to all UI applets capturing user input, not only F5 JavaRDP.

Conditions:
MacOS Sierra with Java 8 installed.

Impact:
In window mode, a modal dialog is shown prompting user to either continue and ignore the internal error ("Continue" button) or terminate the Java process ("Crash").
If user clicks "Continue", they can still work on in their remote desktop session.

The situation is worse in fullscreen mode: the dialog is hidden from the user, so they cannot do anything and get the impression that the remote session is frozen.

Workaround:
Java 9 Early Access is not affected, so it could be used instead of Java 8 for launching applets.


611467-1 : TMM coredump at dhcpv4_server_set_flow_key().

Component: Policy Enforcement Manager

Symptoms:
TMM coredump at dhcpv4_server_set_flow_key().

Conditions:
1. You are using Policy Enforcement Manager (PEM) DHCP to discover subscribers.
2. You have configured a DHCP relay virtual server.
3. Two PEM DHCP subscriber connections share the same connection to a remote DHCP server.
4. One of the PEM DHCP subscriber connections expires.
5. The non-expired PEM DHCP subscriber connection sends a new DHCP request.
6. The remote PEM DHCP server responds to the new PEM subscriber request.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
A client using broadcast for DHCP renewal is an indication that the client did not get an ACK from the DHCP server when it used unicast to talk to the server directly. The most likely reason is that the server's routing table is not configured to send DHCP ACK packets back to the client.

You can work around this problem by configuring DHCP server routing table so that it knows how to send DHCP ACK to the client.


611385-1 : "Learn Explicit Entities" may continue to work as if it is 'Add All Entities'

Component: Application Security Manager

Symptoms:
Under some scenarios, setting "Learn Explicit Entities" to 'Never' has no effect; it continues to work as if it is 'Add All Entities'

Conditions:
Steps to Reproduce:
1) Create a default policy, set "Learn New HTTP URLs" to "Add All Entities".
2) Create a non-pure wildcard URL "/in*".
3) Send the following request:
     GET /index.html HTTP/1.1\r\n
     Host: <Host URL>\r\n
     \r\n
4) There will be no suggestion to add /index.html URL since learning mode on "/in*" wildcard is "Never" by default.
5) Set "Learn Explicit Entities" to "Add All Entities" on "/in*" wildcard.
6) Send the same traffic again; there will be suggestion to add /index.html URL (which is still correct).
7) Delete all suggestions.
8) Set "Learn Explicit Entities" to "Never" on "/in*" wildcard.
9) Send the same traffic again.

Impact:
There is a suggestion to add the /index.html URL when there should be none, since the wildcard is now in 'Never' mode.

Workaround:
Go to "Learning and Blocking Settings", set "Learn New HTTP URLs" to "Never" and press "Save", then set it back to "Add All Entities" and press "Save" again.


611320-1 : Mirrored connection on Active unit of HA pair may be unexpectedly torn down

Component: Local Traffic Manager

Symptoms:
A mirrored connection on the Active unit is torn down. The TCP connection is reset (RST) with cause 'HA Expire flow'.

Conditions:
The mirrored connection on the Standby unit times out due to a state mismatch with the connection on the Active unit.

Impact:
Traffic loss.

Workaround:
Disable mirroring.


611240-2 : Import of config with securid might fail

Component: Access Policy Manager

Symptoms:
Import of the profile used for SecurID auth might fail if the profile had already been used for authentication at the moment of export.

Conditions:
This occurs when the following conditions are met:
-- Profile configured for SecurID authentication with a SecurID server attached.
-- Profile has been used for authentication more than 0 times.
-- Full import (no reuse), or reuse import when a SecurID server under the same name is not present.

Impact:
Unable to import certain configurations.

Workaround:
1. In VPE, open securid auth item and set server to none before export.
2. Export profile.
3. Import profile.
4. Re-create the aaa securid server.
5. In VPE, open the securid auth item and set server to one from step #4.

Or
1. Export profile.
2. Create aaa securid server under the same name.
3. Import profile with reuse.

It is also possible to remove securid entry from config-files of securid server configuration in .conf.tar.gz, which would also work.


611151-2 : An upper case JSON sensitive parameter is not masked when ASM policy is case-insensitive

Component: Application Security Manager

Symptoms:
If you configure a sensitive parameter with an upper-case character (like "Password"), the data masking does not take place. When the sensitive parameter is all lower-case (like "password"), the data masking takes place as expected.

Conditions:
ASM provisioned
ASM policy is case-insensitive
JSON profile, w/ a sensitive parameter with an upper-case character

Impact:
no data masking for a JSON sensitive parameter

Workaround:
N/A
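
An added example of the masking logic this entry describes, written in Python rather than taken from ASM (the function names and the sample request body are constructed): a recursive JSON masker whose key comparison follows the policy's case sensitivity. The case-sensitive path reproduces the behaviour reported here, where "Password" and "PASSWORD" slip past a configured "password".

```python
import json
from typing import Any, Iterable

MASK = "********"


def mask_sensitive(doc: Any, sensitive: Iterable[str], case_insensitive: bool = True) -> Any:
    """Return a copy of a parsed JSON document with the values of sensitive parameters masked.

    `case_insensitive` mirrors the policy setting: when True, "Password" and "PASSWORD"
    match a configured "password"; when False only an exact-case key matches, which is
    the behaviour 611151-2 reports for a policy that is supposed to be case-insensitive.
    A sensitive key's value is replaced whole, even when it is an object or array, so
    nothing underneath it can leak into a log.
    """
    names = {n.lower() for n in sensitive} if case_insensitive else set(sensitive)

    def hit(key: str) -> bool:
        return (key.lower() if case_insensitive else key) in names

    def walk(node: Any) -> Any:
        if isinstance(node, dict):
            return {k: (MASK if hit(k) else walk(v)) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        return node

    return walk(doc)


def mask_json_text(text: str, sensitive: Iterable[str], case_insensitive: bool = True) -> str:
    """Parse, mask and re-serialise. Malformed input raises ValueError instead of being logged raw."""
    masked = mask_sensitive(json.loads(text), sensitive, case_insensitive)
    return json.dumps(masked, separators=(",", ":"))


# Constructed request body: the same parameter in three spellings, one of them nested inside a list.
SAMPLE = '{"user":"alice","Password":"hunter2","profile":{"PASSWORD":"x","items":[{"password":"y"}]}}'
```

Lower-casing both the configured names and the observed keys once, rather than comparing with a case-insensitive regex per key, keeps the check O(1) per key and makes it impossible to mask one spelling and miss another.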


610857-1 : DoSL7 Proactive Bot Defense should block requests from a browser (Chrome/Firefox) when it is running selenium webdriver.

Component: Advanced Firewall Manager

Symptoms:
When a Selenium WebDriver is detected driving a Chrome or Firefox browser, it is not blocked, because the PBD (Suspicious Browsers) mechanism assigns it a low score.

Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled.

Impact:
A bot running a Selenium Chrome or Firefox WebDriver is not mitigated by the DoSL7 PBD mechanism.

Workaround:
N/A


610830-1 : FingerPrint javascript runs slow and causes bad user browsing experience when accessing a webapp's first page.

Component: Advanced Firewall Manager

Symptoms:
When an end-user accesses a web-site's first page there is a noticeable latency until it gets the page content.

Conditions:
This occurs when ASM is provisioned and a virtual server has a DoS application profile with Device ID mitigation configured, or an ASM policy with Web Scraping and Fingerprint detection enabled.

Impact:
Bad user experience when accessing the website's first page.

Workaround:
tmsh modify sys db dosl7.fp_fonts_enabled disabled


610609-6 : Total connections in bigtop, SNMP are incorrect

Component: Local Traffic Manager

Symptoms:
While looking at total connections for the active BIG-IP system using bigtop or SNMP, the connections are reported too high. For example, if you send a single connection through the BIG-IP system, it is reported as 2 connections. Meanwhile, the standby device with mirroring configured accurately shows the number of connections.

Conditions:
This occurs on PVA-enabled hardware platforms.

Impact:
The total connection count statistic is incorrect.


610441-1 : When using iControl REST to add a member to an existing pool, the pool member is successfully created. However, a 404 response is received.

Component: TMOS

Symptoms:
When using iControl REST to add a member to an existing pool, the pool member is successfully created. However, a 404 response is received.

Conditions:
This occurs when adding a new member to an existing pool using iControl REST.

Impact:
Unable to tell if the request has succeeded or failed via iControl REST.

Workaround:
Add the following to partitionInfo in icrd.conf.

{"gtm/pool/a/members":[true, true]},
{"gtm/pool/aaaa/members":[true, true]}
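
An added example (Python, not F5 code) of how an automation client should handle this bug: treat the POST status as untrustworthy and confirm the member by fetching its own URL. The LTM pool-member collection path and the /Common partition used below are assumptions for the example; the same pattern applies to the gtm/pool/a and gtm/pool/aaaa member collections named in the workaround. FakeBigIP is a constructed stand-in that reproduces the 404-after-create behaviour so the logic can be exercised offline.

```python
import base64
import json
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# A transport is (method, url, body, headers) -> (status, response_text); injected so it can be faked.
Transport = Callable[[str, str, Optional[str], Dict[str, str]], Tuple[int, str]]


def urllib_transport(method: str, url: str, body: Optional[str], headers: Dict[str, str]) -> Tuple[int, str]:
    """Real HTTPS transport. Certificate verification stays on; trust the BIG-IP's CA, do not disable it."""
    req = urllib.request.Request(url, data=body.encode() if body else None, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def _basic_auth(user: str, password: str) -> Dict[str, str]:
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Content-Type": "application/json"}


def add_pool_member(transport: Transport, base_url: str, pool: str, address: str, port: int,
                    user: str, password: str) -> bool:
    """Create <address>:<port> in /Common/<pool> and confirm it with a GET.

    The POST status is deliberately not the verdict: per 610441-1 it can be 404 even though
    the member was created. Only the follow-up GET of the member's own URL decides success,
    so an automation run neither retries a create that already happened nor reports a
    failure that did not occur.
    """
    headers = _basic_auth(user, password)
    name = f"{address}:{port}"
    members_url = f"{base_url}/mgmt/tm/ltm/pool/~Common~{pool}/members"   # assumed LTM path
    status, text = transport("POST", members_url, json.dumps({"name": name, "address": address}), headers)
    if status not in (200, 404):   # 404 is the spurious answer this entry describes
        raise RuntimeError(f"POST {members_url} failed with {status}: {text[:200]}")
    status, text = transport("GET", f"{members_url}/~Common~{name}", None, headers)
    return status == 200 and json.loads(text).get("name") == name


class FakeBigIP:
    """Constructed stand-in: the POST creates the member (or not) but always answers 404."""

    def __init__(self, create_on_post: bool = True):
        self.members: Dict[str, dict] = {}
        self.create_on_post = create_on_post

    def __call__(self, method: str, url: str, body: Optional[str], headers: Dict[str, str]) -> Tuple[int, str]:
        if not headers.get("Authorization", "").startswith("Basic "):
            return 401, '{"message":"unauthorized"}'
        if method == "POST":
            if self.create_on_post:
                member = json.loads(body or "{}")
                self.members[member["name"]] = member
            return 404, '{"code":404,"message":"Object not found"}'
        if method == "GET":
            name = url.rsplit("/", 1)[-1].replace("~Common~", "")
            return (200, json.dumps(self.members[name])) if name in self.members else (404, "{}")
        return 405, ""
```

Against a real device, pass urllib_transport in place of the fake; the verify step costs one extra request and turns an ambiguous 404 into a definite answer.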


610429-5 : X509::cert_fields iRule command may leak memory with subpubkey argument

Component: Local Traffic Manager

Symptoms:
The X509::cert_fields iRule command can leak memory in the 'method' memory subsystem if called with the 'subpubkey' argument, when the 'subpubkey' argument is not the last argument.

Conditions:
Create an iRule using X509::cert_fields where the subpubkey is not the last argument.

Example/signature to look for:
ltm rule rule_leak {
    when HTTP_REQUEST {
        if { [SSL::cert 0] ne "" } {
            HTTP::respond 200 content "[X509::cert_fields [SSL::cert 0] 0 subpubkey hash]\n"
        } else {
            HTTP::respond 200 content "no client cert (WRONG!)"
        }
    }
}

Impact:
Memory will leak, eventually impacting the operation of tmm.

Workaround:
Ensure that 'subpubkey' is the last argument to X509::cert_fields


610417-1 : Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported.

Component: TMOS

Symptoms:
When adding a device to the trust, the SSL connection can use insecure ciphers. It also uses the undesirable TLSv1 protocol instead of negotiating the highest, safest protocol available, which is TLSv1.2.

Conditions:
This exists when configuring devices in a device cluster.

Impact:
Unable to configure stronger ciphers for device trust.

Workaround:
None.


610354-1 : TMM crash on invalid memory access to loopback interface stats object

Component: TMOS

Symptoms:
TMM can crash with a segmentation fault when it drops packets on its internal loopback interface. TMM must update the interface statistics associated with the loopback interface when dropping packets on that interface, but the statistics object for the loopback interface has not yet been allocated. This results in a segmentation fault.

Conditions:
TMM drops packets on its internal loopback interfaces.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No Workaround.


610352-1 : sys-icheck reports error with /etc/sysconfig/modules/unic.modules

Component: TMOS

Symptoms:
On Azure cloud, running sys-icheck may report an error with /etc/sysconfig/modules/unic.modules:

ERROR: S.5...... /etc/sysconfig/modules/unic.modules

Conditions:
This occurs on BIG-IP running on Azure cloud.

Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.


610350-1 : sys-icheck reports error with /config/bigpipe/defaults.scf

Component: TMOS

Symptoms:
On Azure cloud, running sys-icheck may report an error with /config/bigpipe/defaults.scf and /usr/share/defaults/defaults.scf:

ERROR: S.5...... c /config/bigpipe/defaults.scf (no backup)
ERROR: S.5...... /usr/share/defaults/defaults.scf

Conditions:
This occurs on BIG-IP running on Azure cloud.

Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.


610302-1 : Link throughput graphs might be incorrect.

Component: Local Traffic Manager

Symptoms:
The link throughput performance graphs available in the GTM, DNS or Link Controller modules might show the throughput for the wrong link in the graph.

Conditions:
Multiple links exist and one of the links has a name that is a prefix for the name of one or more other links.

For example, there are two links defined and named "mylink" and "mylink2".

Impact:
The graphs for all links that contain the prefix might show the throughput for the link whose name matches the prefix.

For example, the throughput graphs for both "mylink" and "mylink2" might both show the throughput data for "mylink"

As a result of this issue, the historical link throughput data is gathered and stored incorrectly. This data is used to generate the throughput graphs.

Workaround:
Do not create links where the name of one link forms a prefix for the name of other links.


610295-1 : TMM may crash due to internal backplane inconsistency after reprovisioning

Component: TMOS

Symptoms:
In some scenarios on VE platforms TMM may crash due to backplane inconsistency shortly after a provisioning change.

Conditions:
- BigIP VE with performance limited license.
- Additional licensing/provisioning of modules raises performance limits. New TMM processes are started.
- No reboot has occurred after provisioning.

Impact:
TMM may core with panic: "Unexpected backplane address" in /var/log/tmm log files. Traffic disrupted while tmm restarts.

Workaround:
Reboot after provisioning if new license add-on keys raise the performance limits of the BIG-IP system.


610273-4 : Not possible to do targeted failover with HA Group configured

Component: TMOS

Symptoms:
With a traffic-group configured to use HA Group, it is not possible to disable the HA Group to perform targeted failover. Running tmsh run sys failover standby traffic-group traffic-group-1 produces an error:
"Unexpected Error: SOD command standby may not be issued for traffic group /Common/traffic-group-1 because it is configured to use HA group."

Conditions:
Traffic-group configured to use HA Group. Versions prior to 12.0.0 allowed you to disable the HA Group to do targeted failover.

Impact:
Unable to force the traffic-group to standby if HA Group is configured. You would need to change it to use a different mode, such as HA Order.

Workaround:
Temporarily change the traffic group to use a different Failover Method such as Load Aware or HA Order in order to failover. Note that this will disable HA Group functionality until the Failover Method is restored.


610224-2 : APM client may fetch expired certificate when a valid and an expired certificate co-exist

Component: Access Policy Manager

Symptoms:
APM client does not consider the expiration when it matches certificates for Machine Cert Check. If a matching but expired certificate is found before a valid certificate, the expired certificate is used for Machine Cert Check on Windows.

Conditions:
A valid and an expired certificate co-exist in the certificate store.

Impact:
Machine Certificate check fails.

Workaround:
Remove the expired certificate from the store.


610180-1 : Misconfigured SAML Single Logout can cause a minor memory leak in the SSO plugin.

Component: Access Policy Manager

Symptoms:
When the BIG-IP system is used as a SAML SP and SLO is not properly configured on the associated saml-idp-connector objects, IdP-initiated SAML SLO may result in a memory leak in the SSO plugin.

Conditions:
- BIG-IP is used as SP.
- Associated saml-idp-connector object has 'single-logout-uri' property configured, but 'single-logout-response-uri' property is empty.
- User performs IdP initiated SAML SLO

Impact:
SSO plugin leaks memory

Workaround:
There are two possible workarounds:
- Fix the misconfiguration: configure SLO correctly by adding a value to the 'single-logout-response-uri' property of the IdP connector object.
- Disable SLO by removing the 'single-logout-uri' property of the IdP connector object.


610129-1 : Config load failure when cluster management IP is not defined, but instead uses address-list.

Component: Advanced Firewall Manager

Symptoms:
In a cluster setup with multiple blades, if the configuration does not assign management IP addresses to individual blades but instead assigns a cluster management IP address list to the cluster of blades, the configuration load fails. The system posts an error message similar to the following: err mcpd[24235]: 01071824:3: The address list is referenced by one of the rules of the admin IP either directly or in a nested manner, and the entry is of a different address family from that of the Admin IP.

Conditions:
1. Cluster setup with multiple blades.
2. No management IP assigned to individual blades.
3. Assign cluster management IP address list to the cluster of blades.

Impact:
After reboot, configuration load failure on secondary blades.

Workaround:
Define the cluster management IP address as the destination (in rule) without using address list.


609788 : PCP may pick an endpoint outside the deterministic mapping

Component: Carrier-Grade NAT

Symptoms:
When PCP is picking an endpoint for an LSN pool in deterministic mode and the initial pick fails due to an existing mapping, the subsequent picks are from the entire LSN pool translation port range. This may result in a mapping that violates the deterministic mapping algorithm.

Conditions:
PCP is configured and enabled with an lsn-pool in deterministic mode.

Impact:
The deterministic mapping restriction may be violated, so the reverse mapping from public IP address to private IP address does not identify the correct subscriber.

Workaround:
Configure PCP with a NAPT pool (such as the DNAT mode's backup pool) and enable logging. Do not use an lsn-pool in deterministic mode.


609628-1 : CLIENTSSL_SERVERHELLO_SEND event in SSL forward proxy is not raised when client reuses session

Component: Local Traffic Manager

Symptoms:
When a client performs an abbreviated handshake by reusing the session from a previously established full handshake, the SSL forward proxy does not raise the CLIENTSSL_SERVERHELLO_SEND event.

Conditions:
This occurs when the following conditions are met:
-- SSL forward proxy configured
-- Session cache is enabled.

Impact:
iRule commands inside CLIENTSSL_SERVERHELLO_SEND are executed only for full handshakes, not for abbreviated handshakes. Any logic that must run once per SSL connection should therefore not be placed in the CLIENTSSL_SERVERHELLO_SEND event, because it is not reliably raised for all handshake types.

Workaround:
To make sure that the CLIENTSSL_SERVERHELLO_SEND event is reliably raised, disable session cache in the client SSL profile.


609575-4 : BIG-IP drops ACKs containing no max-forwards header

Component: Service Provider

Symptoms:
When a SIP profile is in use and an acknowledgment (ACK) packet missing the Max-Forwards header is received, BIG-IP treats the packet as unforwardable and does not forward the ACK. This can be experienced as a specific client being unable to make a call.

Conditions:
This would only be seen when BIG-IP is connected to specific clients that fail to populate the Max-Forwards header on an ACK.

Impact:
BIG-IP treats packets with the missing header as having a value of 0, which means "Do not forward".


609527-2 : DNS cache local zone not properly copying recursion desired (RD) flag in response

Component: Global Traffic Manager (DNS)

Symptoms:
When a DNS query sets the RD flag, that setting is supposed to be copied to the response. When a DNS query is handled by a cache local zone, the RD flag is not set properly.

Conditions:
A DNS cache local zone must be configured and a DNS query with the RD flag set must be handled by this local zone.

Impact:
The flag is not set properly in the DNS response. This most likely will only be noticed by protocol validation tools as standard DNS clients generally do not check this bit.

Workaround:
Use an equivalent DNS Express configuration instead of the local zone.


609499-3 : Compiled signature collections use more memory than prior versions

Component: Application Security Manager

Symptoms:
Compiled signature collections use more memory than prior versions.

Conditions:
Different signature sets are used for different policies.

Impact:
BD memory usage for compiled signature collections is increased.


609496-2 : Improved diagnostics in BD config update (bd_agent) added

Component: Application Security Manager

Symptoms:
Improved diagnostics in BD config update (bd_agent) are needed.

Conditions:
Further troubleshooting of BD config update transmission is needed.

Impact:
No diagnostics are available.

Workaround:
None.


609328-2 : SIP Parser incorrectly parses empty header

Component: Service Provider

Symptoms:
If a SIP message contains an empty header, the following header will be included as the value of the empty header.

Conditions:
A SIP header without any value will incorrectly cause the next header to be used as the value.

Impact:
If the following header is needed for processing the message, it will not be seen (since it is incorrectly considered the value of the previous header).


609244-4 : tmsh show ltm persistence persist-records leaks memory

Component: Local Traffic Manager

Symptoms:
A small memory leak is detected when running the following command: tmsh show ltm persistence persist-records.

Conditions:
This occurs when running tmsh show ltm persistence persist-records.

Impact:
The memory leak is small, however if the command is run constantly the memory growth can become large.

Workaround:
None.


609200-2 : Hotfix installation failure using certain version 11.x software to host incremental hotfix application of version 12.x software.

Component: TMOS

Symptoms:
Hotfix installation fails using certain version 11.x software to host incremental hotfix application of version 12.x software.

Conditions:
This issue occurs when the following conditions are met:
-- Active software is v11.x.
-- Target software is v12.x.
-- This is the first attempt to install a hotfix to the installation target.

Impact:
Cannot install hotfix.

Workaround:
Delete the target location, and perform the hotfix installation again.

Subsequent attempts to install the hotfix will automatically install the base release first, which includes the needed DB hash type, and the hotfix will succeed.


609199-6 : Debug TMM produces core when an MPTCP connection times out while a subflow is trying to join

Component: Local Traffic Manager

Symptoms:
If an MPTCP connection times out while a subflow is still performing the three-way handshake, the TMM produces a core. This only affects the debug TMM, not the default one.

Conditions:
An MPTCP connection times out while a subflow is still performing the three-way handshake with MP_JOIN. This only affects the debug TMM.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable MPTCP.


609186-5 : TMM or MCP might core while getting connections via iControl.

Component: TMOS

Symptoms:
When getting the connections list over iControl using System.Connections.get_list(), TMM or MCP cores or exits.

Conditions:
Using iControl to view all connections, and there is a very large number of connections (1 million or more) in the list.

Impact:
TMM or MCP may core or exit. Traffic disrupted while tmm restarts.

Workaround:
None.


609119-7 : Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3:

Component: TMOS

Symptoms:
Occasionally the logging system prints out a blank message, similar to the following example:

-- err mcpd[19114]: 01070711:3:

For this log statement, there is text associated with the error in the bigip_mcpd_error_defs.in file, so something should be logged.

Conditions:
The problem is the result of an exception handler issue in mcpd's File Object validator. The damaged logs can come from anywhere in mcpd, but appear only after a File Object configuration change fails validation. If the problem occurs, it will happen only once per validation error. The damage caused by the exception handler is automatically corrected when the system rewrites the log.

Impact:
Except for the missing log text, the state and behavior of the BIG-IP system is unaffected.

Workaround:
None. The problem corrects automatically when the system rewrites the log.


609095-2 : mcpd memory grows when updating firewall rules

Component: Advanced Firewall Manager

Symptoms:
While updating firewall rules such as adding/deleting a blacklist, mcpd memory grows by a small amount with each update.

Conditions:
This can occur when making changes to firewall policies.

Impact:
mcpd memory grows unbounded; over a significant amount of time with many changes and no restarts, mcpd can run out of memory and oom killer can trigger a failover.


609005 : Crash: tmm crashing when 2nd client (srcPort=68) sends a DHCP renew with giaddr (Relay Agent IP) in the packet after 1st client (srcPort=67).

Component: Policy Enforcement Manager

Symptoms:
When two client-side DHCP packets with the giaddr field set arrive, one with source port 67 and another with source port 68 (which does not conform to the RFC, since a DHCP packet with giaddr set comes from a relay agent and should use source port 67), tmm crashes while logging the error message.

Conditions:
1) Two client side DHCP packets arrive one after another.
2) Both DHCP packets have giaddr fields set
3) One packet uses 67 as source port, the other uses 68

Impact:
Traffic disrupted while tmm restarts.

Workaround:
The conditions that cause the crash should not happen in a normal network setup. A DHCP relay agent should only use 67 as source port.


608742-1 : DHCP: DHCP renew ACK messages from server are dropped by BIG-IP in forwarding mode.

Component: Policy Enforcement Manager

Symptoms:
When BIG-IP is configured in forwarding mode, the renewal ACK message sent by the server in response to a unicast renewal message from a DHCP client is dropped.

Conditions:
BIG-IP in forwarding mode. DHCP clients send unicast renewal messages to the DHCP server.

Impact:
Unicast DHCP renewal requests are not ACKed. DHCP clients then send broadcast renewal messages, which are ACKed by the servers.

Workaround:
After failing to receive ACKs for its unicast DHCP renewal messages, the DHCP client sends broadcast DHCP renewal messages; these are ACKed by the DHCP server, and BIG-IP forwards the ACKs to the DHCP client.


608591-4 : Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers

Component: Policy Enforcement Manager

Symptoms:
CCR-I requests from PEM to PCRF have subscriber ID type set to 6 (UNKNOWN) for DHCP subscribers instead of 3 (NAI).

Conditions:
Occurs for DHCP discovered subscribers on a BIG-IP system that uses a PCRF for policy determination.

Impact:
Might impact the way policies are provided from the PCRF.

Workaround:
None


608566-1 : The reference count of NW dos log profile in tmm log is incorrect

Component: Advanced Firewall Manager

Symptoms:
In certain circumstances when virtual servers are configured with security log profiles, the log message in the tmm log shows an incorrect reference count for the log profiles.

Conditions:
Creation, modification and deletion of many virtual servers with security log profiles attached.

Impact:
This may lead to issues such as a TMM crash if the reference count is not calculated correctly.


608555-3 : Configuring asymmetric routing with a VE rate limited license will result in tmm crash

Component: Local Traffic Manager

Symptoms:
Configuring asymmetric routing with a VE rate limited license results in tmm crash.

Conditions:
Asymmetric routing is configured (i.e., client and/or server ingress and egress travel on different VLANs), and a VE rate limited license is used.

Impact:
tmm might continually crash when passing traffic. Traffic disrupted while tmm restarts.

Workaround:
Do not use asymmetric routing with a rate limited license.


608509-1 : Policy learning is slow under high load

Component: Application Security Manager

Symptoms:
On systems with high load, policy learning is slow and learning suggestions are slow to arrive.

Conditions:
Policy builder generates many learning suggestions on a system that processes intense traffic.

Impact:
Learning suggestions appear with considerable delay, and policy learning slows down.

Workaround:
No workaround


608424-2 : Dynamic ACL agent error log message contains garbage data

Component: Access Policy Manager

Symptoms:
Starting in BIG-IP version 12.0.0, Dynamic ACL error log messages might contain garbage data.

Conditions:
This occurs when Dynamic ACL detects incorrect syntax of an ACL entry.

Impact:
The system logs garbage data.

Workaround:
Make sure the ACL entry is correct.


608408-1 : TMM may restart if SSO plugin configuration initialization fails due to internal error in tmconf library

Component: Access Policy Manager

Symptoms:
TMM may restart when new SAML SSO configuration is created on BIG-IP systems as SAML IdP. This could also happen when BIG-IP is restarted, or a saved configuration containing SAML SSO objects is loaded on running BIG-IP.

Conditions:
All of the following:
- The BIG-IP system is used as SAML IdP
- New SAML SSO configuration is added on BIG-IP
- Rarely occurring internal tmconf error happens when processing newly added configuration.

Impact:
TMM may restart.

Workaround:
None.


608304-1 : TMM crash on memory corruption

Component: Local Traffic Manager

Symptoms:
In rare cases tmm might crash on memory corruption.

Conditions:
It is not known what sequence of events triggers this condition.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


608245 : Reporting missing parameter details when attack signature is matched against parameter value

Component: Application Security Manager

Symptoms:
A parameter is shown without parameter details, or with garbled parameter details, in the local logging GUI.

Conditions:
An attack signature was detected in a parameter value.

Impact:
Incorrect reporting.

Workaround:
N/A


608024-3 : Unnecessary DTLS retransmissions occur during handshake.

Component: Local Traffic Manager

Symptoms:
Unnecessary DTLS retransmissions occur during handshake.

Conditions:
During DTLS handshake, unnecessary retransmissions of handshake message may occur on VE platform.

Impact:
Possible DTLS handshake failure on VE platform.

Workaround:
None.


608009-1 : Crash: Tmm crashing when active system connections are deleted from cli

Component: Policy Enforcement Manager

Symptoms:
When the BIG-IP is in DHCP forwarding mode, if the giaddr field in the unicast DHCP renewal packet is set to DHCP relay agent IP address by relay agent, tmm may crash when active system connections are deleted from cli or via aging.

Conditions:
1) BIG-IP in forwarding mode
2) giaddr field in unicast DHCP renewal packet is set to IP address of relay agent (Typically, it is set to 0 by the DHCP client)

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This is not a typical network setup. Usually DHCP relay agent will not modify DHCP renewal packet to insert its own address as giaddr.


607961-1 : Secondary blades restart when modifying a virtual server's route domain in a different partition.

Component: TMOS

Symptoms:
Secondary blades restart when modifying a virtual server's route domain in a different partition. This log signature is in /var/log/ltm before the secondaries restart: err mcpd[1255]: 0107004d:3: Virtual address (/stef/1.1.1.1%0) encodes IP address (1.1.1.1) which differs from supplied IP address field (1.1.1.1%1).

Conditions:
- Multiple blades of vCMP guests in a sync-failover group.
- Route domains created on each device.
- Route domains assigned to a new partition after they were created.

Impact:
Traffic disrupted while secondary blades restart.

Workaround:
None.


607803-3 : DTLS client (serverssl profile) fails to complete resumed handshake.

Component: Local Traffic Manager

Symptoms:
DTLS client (serverssl profile) fails to complete resumed handshake.

Conditions:
This occurs when the BIG-IP system acts as a DTLS client.

Impact:
Possible failed resumed handshake.

Workaround:
Disable session reuse.


607724-5 : TMM may crash when in Fallback state.

Component: Local Traffic Manager

Symptoms:
When HTTP is in Fallback mode, there is a chance that the HTTP filter sends an Abort event to the TCP filter (causing a teardown) prematurely, while an Abort triggered by an upper filter/proxy is still in flight.

TMM may crash when this happens.

Conditions:
It is not known exactly what conditions need to exist to trigger this, but it has been known to trigger when issuing HTTP::respond in the LB_FAILED event in an iRule, and it has been seen only rarely.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


607713-2 : SIP Parser fails header with multiple sequential separators inside quoted string.

Component: Service Provider

Symptoms:
SIP Parser fails header with multiple sequential separators inside quoted string.

Conditions:
A SIP header contains multiple attribute separators (',' or ';') in an attribute.

Impact:
The SIP parser flags the message as an error. When the separators occur inside a quoted string within the attribute, they should be allowed, but the parse still fails, so valid SIP messages fail to be parsed.

Workaround:
None.
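As an added example (not F5 code), the following Python parser shows how the three SIP header-parsing cases described in 609328-2, 607713-2 and 609575-4 are handled correctly: an empty header value does not swallow the next header line, ',' and ';' inside a quoted-string are not separators, and a missing Max-Forwards header is treated as the RFC 3261 default of 70 rather than as 0. The SIP message and the function names are constructed for illustration.

```python
"""Minimal RFC 3261 header parsing for the three cases in this release note.
Added illustration, not BIG-IP code; sample message is constructed."""
from typing import Dict, List, Tuple

CRLF = "\r\n"
Headers = List[Tuple[str, str]]


def parse_headers(raw: str) -> Tuple[str, Headers]:
    """Split a SIP message into (start-line, [(lowercased name, value), ...]).

    A header value is everything after the colon up to the end of the line,
    plus any continuation lines, which per RFC 3261 must begin with SP or
    HTAB.  A bare CRLF after the colon therefore yields an empty value and
    the next line is a new header (the case 609328-2 got wrong).
    """
    head, _, _body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    start_line, headers = lines[0], []  # type: str, Headers
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            # Folded continuation of the previous header's value.
            if not headers:
                raise ValueError("continuation line before any header")
            name, value = headers[-1]
            headers[-1] = (name, (value + " " + line.strip()).strip())
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return start_line, headers


def split_outside_quotes(text: str, separators: str) -> List[str]:
    """Split on any char in `separators` that is not inside a quoted-string.
    Handles the RFC 3261 quoted-pair (backslash escape).  This quote
    awareness is what the defect in 607713-2 lacked."""
    parts: List[str] = []
    buf: List[str] = []
    in_quotes = False
    i = 0
    while i < len(text):
        ch = text[i]
        if in_quotes and ch == "\\" and i + 1 < len(text):
            buf.append(ch)
            buf.append(text[i + 1])  # escaped char, never a separator
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch in separators and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    if in_quotes:
        raise ValueError("unterminated quoted-string")
    parts.append("".join(buf).strip())
    return parts


def parse_params(value: str) -> Tuple[str, Dict[str, str]]:
    """Parse 'display <uri>;p1=v1;p2' into (base, {'p1': 'v1', 'p2': ''})."""
    fields = split_outside_quotes(value, ";")
    params: Dict[str, str] = {}
    for field in fields[1:]:
        key, _, val = field.partition("=")
        params[key.strip().lower()] = val.strip()
    return fields[0], params


def max_forwards(headers: Headers) -> int:
    """Max-Forwards value, defaulting to 70 when the header is absent
    (RFC 3261 section 16.6 step 3).  Absence means 'use the default',
    not 'do not forward' (the misreading in 609575-4)."""
    for name, value in headers:
        if name == "max-forwards":
            return int(value)
    return 70


# Constructed sample: an ACK with an empty Subject header, a quoted
# display-name containing ';' and ',', and no Max-Forwards header.
SAMPLE = (
    "ACK sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Subject:\r\n"
    'From: "Alice; Smith, Jr." <sip:alice@example.com>;tag=1928301774\r\n'
    "To: Bob <sip:bob@example.com>;tag=a6c85cf\r\n"
    "Call-ID: a84b4c76e66710@pc33.example.com\r\n"
    "CSeq: 314159 ACK\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def analyse(raw: str) -> Dict[str, object]:
    """Parse a message and return the fields the three defects affect."""
    start, headers = parse_headers(raw)
    by_name: Dict[str, str] = {}
    for name, value in headers:
        by_name.setdefault(name, value)  # first occurrence wins
    from_base, from_params = parse_params(by_name["from"])
    return {"start_line": start, "subject": by_name["subject"],
            "to": by_name["to"], "from_base": from_base,
            "from_params": from_params, "max_forwards": max_forwards(headers)}


if __name__ == "__main__":
    print(analyse(SAMPLE))
```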


607658-1 : GUI becomes unresponsive when managing GSLB Pool

Component: Global Traffic Manager (DNS)

Symptoms:
GUI Locks Up and becomes unresponsive. Most major web browsers will complain about slow javascript and prompt you to kill the script.

Conditions:
Managing an A type GSLB pool when hundreds of virtual servers exist. These virtual servers do not have to be associated with the pool you are attempting to manage.

Impact:
Page takes a significantly long time to load.

Workaround:
Manage pools through tmsh, or wait for it to load.


607524-1 : Memory leak when multiple DHCP servers are configured, and the last DHCP server configured is down.

Component: Local Traffic Manager

Symptoms:
When the last member of a list of multiple DHCP servers is down, the original DHCP packet from client is not freed and memory is leaked.

Conditions:
Multiple DHCP servers are configured, and the last DHCP server configured is down.

Impact:
Packet memory is leaked.

Workaround:
Remove the last DHCP server that is down, or move it to the middle or front of the server member list.


607360-1 : Safenet 6.2 library missing after upgrade

Component: Local Traffic Manager

Symptoms:
After upgrading BIG-IP, a symbolic link is missing to the core Safenet library.

Conditions:
This occurs when a BIG-IP installation with Safenet 6.2 already installed is upgraded.

Impact:
Safenet 6.2 is not functional.

Workaround:
Reinstall Safenet 6.2, or run the following command on all blades of the BIG-IP system after the installation:

ln -sf /shared/safenet/toolkit/libgem.so /usr/lib64/openssl/engines/libgem.so


607304-4 : TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.

Component: Local Traffic Manager

Symptoms:
TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.

Conditions:
This can occur under normal operation, while running the geo_update command.

Impact:
Traffic disrupted while tmm restarts.


607166-1 : Hidden directories and files are not synchronized to secondary blades

Component: Local Traffic Manager

Symptoms:
Hidden directories and files (those whose filenames start with '.') that are created on primary blade are not synced to secondary blades.

Existing hidden files that are edited on the primary blade are not synced to secondaries.

Conditions:
Multi-bladed system.

Impact:
Per-user shell configuration and history, the most common uses of hidden files, are not synchronized across blades.

Workaround:
Manually copy configuration files onto other blades.


607152-1 : Large Websocket frames corrupted

Component: Local Traffic Manager

Symptoms:
If large Websocket frames are being sent by the end-point and this transfer is interleaved with frames being sent by the other endpoint, corrupted frames could be sent by BIG-IP.

Conditions:
Websocket profile is attached to the virtual. Large Websocket frames are sent by the end-point. This transfer is interleaved with frames being sent in the other direction.

Impact:
Connection reset because of corrupted frames being received by the end-point.


606940-1 : Clustered Multiprocessing (CMP) peer connection may not be removed

Component: Local Traffic Manager

Symptoms:
- High memory usage due to connflow allocations.
- conn_remove_cf_not_found stat is non-zero.

Conditions:
CMP with multiple TMMs. CMP peer connection is removed before it has been established.

Impact:
Low memory may lead to allocation failures, which may lead to a tmm core.


606875-1 : DoS Application - Block requests from suspicious browsers feature causes javascript latency for webapp first page

Component: Advanced Firewall Manager

Symptoms:
When an end-user accesses a web-site's first page there is a noticeable latency until it gets the page content.

Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled, when accessing the page for a first time.

Impact:
Bad user experience when accessing the website's first page.

Workaround:
N/A


606575-6 : Request-oriented OneConnect load balancing ends when the server returns an error status code.

Component: Local Traffic Manager

Symptoms:
Request-oriented OneConnect load balancing ends when the server returns an error status code.

Conditions:
OneConnect is enabled and the server responds with an HTTP error status code.

Impact:
The client remains connected to the server, and no further load-balancing decisions are made.

Workaround:
It may be possible to detect the HTTP status code in the response, and manually detach the client-side.

To do so, use an iRule similar to the following:

when HTTP_RESPONSE {
    if { [HTTP::status] == 200 } { return }
    if { [HTTP::status] == 401 } {
        set auth_header [string tolower [HTTP::header values "WWW-Authenticate"]]
        if { $auth_header contains "negotiate" || $auth_header contains "ntlm" } {
            # Connection-oriented auth. System should already be doing the right thing
            unset auth_header
            return
        }

        unset auth_header
    }

    catch { ONECONNECT::detach enable }
}

Note: This workaround should not be used when the backend server is using connection-oriented HTTP authentication (e.g., NTLM or Negotiate authentication).


606573-1 : FTP traffic does not work through SNAT when configured without Virtual Server

Component: Local Traffic Manager

Symptoms:
After upgrading to 12.1.0 or 12.1.1, FTP traffic no longer works correctly with SNAT, when SNAT is configured without a virtual server.

Conditions:
The BIG-IP system configured to allow FTP traffic through, and SNAT is configured without a virtual server.

Impact:
The BIG-IP system does not SNAT port 21 traffic. In rare circumstances this can cause tmm to restart.

Workaround:
None.


606565-1 : TMM may crash when /sys db tm.simultaneousopen is set to reset or drop_connection

Component: Local Traffic Manager

Symptoms:
When the /sys db tm.simultaneousopen variable is set to 'reset' or 'drop_connection', TMM may crash during a TCP simultaneous-open 4-way handshake.

Conditions:
1. The /sys db tm.simultaneousopen variable is set to 'reset' or 'drop_connection'.
2. A TCP 4-way handshake (simultaneous open) occurs as described in RFC 793.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
The crash can be avoided, while still mitigating TCP 4-way handshakes, by setting the /sys db tm.simultaneousopen variable to 'drop_pkt'.


606518-1 : iControl REST with 3rd party auth does not function as expected with '@' / email addresses as username.

Component: Device Management

Symptoms:
A username containing an 'at' (@) character, or an email address, cannot be used when requesting an authentication token using iControl REST with a third-party authentication provider.

Conditions:
Set up the BIG-IP system to use third-party RADIUS or LDAP authentication, and configure a username containing an 'at' (@) character, or specify an email address as the username.

Impact:
Cannot authenticate and get authentication token using iControl REST.

Workaround:
Do not use usernames with special characters, such as 'at' (@), period (.), and so on.


606330-4 : The BIG-IP system does not accept BGP connection requests when using peer-groups and no default address family.

Component: TMOS

Symptoms:
The BIG-IP system does not accept incoming or initiate outgoing BGP connections when using peer-groups and no default address family.

Conditions:
BGP configured with 'no bgp default ipv4-unicast' and neighbors configured using a peer group that's explicitly activated for IPv4.

Impact:
The BGP connection to any neighbor in the peer group will not come up until 'clear ip bgp' is run on the neighbor or tmrouted is restarted.

Workaround:
Clear the BGP neighbor after changing the configuration.


606066-1 : LSN_DELETE messages may be lost after HA failover

Component: Carrier-Grade NAT

Symptoms:
After a failover, an LSN_DELETE message may be lost if the connection continued after the failover.

Conditions:
CGNAT configured as an HA pair, with session logging enabled.

Impact:
An LSN_DELETE message may be missing from the logs.


605983-1 : tmrouted may crash when being restarted in debug mode

Component: Local Traffic Manager

Symptoms:
tmrouted may restart again after being manually restarted with a debug level of 2 or higher.

Conditions:
tmrouted is manually restarted with a debug level of 2 or higher.
Multi route-domain setup with independent routing processes enabled on several route-domains.

Impact:
tmrouted may restart additional times which can add delay to getting back to service after manually restarting tmrouted.
Any restart of tmrouted already causes loss of dynamic routing sessions.

Workaround:
Do not use a debug level of 2 or higher for tmrouted. This should be done only under recommendation from F5 Support.


605894-1 : Remote authentication for BIG-IP users can fail

Component: TMOS

Symptoms:
While trying to log into the command line of BIG-IP as a remotely authenticated user, login intermittently fails. You may see the following in /var/log/secure: "err httpd[19596]: pam_ldap: ldap_simple_bind Can't contact LDAP server", even though the LDAP server is up and is accessible by the BIG-IP.

Conditions:
Remote authentication configured, users configured to use remote authentication, ssl-check-peer is enabled and one or more of these properties are different than "none": ssl-ca-cert-file, ssl-client-cert, ssl-client-key.

Impact:
The remote authentication service will fail to initiate a connection to the LDAP server with the ssl-check-peer setting enabled, even if the ssl-ca-cert-file is valid. It will terminate the connection and remote authentication will fail.

Workaround:
Disabling ssl-check-peer and setting ssl-ca-cert-file, ssl-client-cert and ssl-client-key to "none" can work around this issue.


605865-4 : Debug TMM produces core on certain ICMP PMTUD packets

Component: Local Traffic Manager

Symptoms:
The debug TMM will produce a core on the assert "cwnd or ssthresh too low" when receiving an ICMP PMTUD packet with an MTU larger than the current MTU. This does not affect the default TMM.

Conditions:
While using the debug TMM, an ICMP PMTUD packet is received with an MTU larger than the current MTU.

Impact:
Debug TMM crashes on assert "cwnd or ssthresh too low." Traffic disrupted while tmm restarts.

Workaround:
Block incoming ICMP PMTUD packets. Note that this will cause Path MTU Discovery to fail, and IP packets sent by the BIG-IP system with the Don't Fragment (DF) bit set may be dropped silently if the MTUs of the devices on the path are configured incorrectly.


605840-4 : HSB receive failure lockup due to unreceived loopback packets

Component: TMOS

Symptoms:
HSB reports a lockup due to a receive failure. Analysis of the HSB receive/transmit rings indicate that this is a false positive. Loopback packets were successfully transmitted, but not received, resulting in the receive failure. /var/log/ltm contains this signature: notice *** TMM 9 - PDE 19 - receive failure ***

Conditions:
Unknown.

Impact:
The unit is rebooted.

Workaround:
None.


605800-3 : Web GUI submits changes to multiple pool members as separate transactions

Component: TMOS

Symptoms:
You notice an unusually high amount of sync traffic when changing many pool members at once. In extreme cases, mcpd may run out of memory and crash.

Conditions:
When looking at a list of pool members, it is possible to choose to view many pool members at once, and you can then select them all and enable or disable them with one press of a button. Rather than sending all of the operations in a single transaction, the GUI code updates each pool member one by one. When there are a lot of pool members and auto-sync is being used, this can cause race conditions that can generate a large number of transactions going from the local machine to the remote machine.

Impact:
This can cause an unusually high amount of sync traffic to occur between devices in the sync group with auto-sync enabled. In extreme cases this can cause mcpd to crash and traffic is disrupted while mcpd restarts.

Workaround:
If you frequently need to enable/disable many pool members at once, there are a couple of options:
1. You can switch to manual sync during this operation.
2. You can minimize the number of pool members that are altered at once. The issue was observed when changing over 300 pool members at once.


605792-1 : Installing a new version changes the ownership of administrative users' files

Component: TMOS

Symptoms:
Installing a new version changes the ownership of administrative users' files to a different, nonzero UID.

Conditions:
A user is an administrative user who has advanced shell (bash) access and custom files in their home directory.

Impact:
Low in most cases, since the administrative user can still access most files. One exception is that SSH requires that the authorized_keys file be owned by the user ID in question. This is 0 when a user has an administrative role, so the authorized_keys file will be ignored and a password will still be required for login.

Workaround:
Run the following command, substituting a different filename as needed:

chown 0 /home/theuser/.ssh/authorized_keys


605525-1 : Deterministic NAT combined with NAT64 may cause a TMM core

Component: Carrier-Grade NAT

Symptoms:
TMM crashes when a virtual is configured with nat64 enabled, and a deterministic NAT lsn-pool, and there is traffic.

Conditions:
lsn-pool in deterministic mode is attached to a virtual server with nat64 enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Deterministic NAT is not supported with nat64, and should not be configured.


605476-3 : istatsd can core when reading corrupt stats files.

Component: TMOS

Symptoms:
The istatsd process may consume excessive CPU resources.

As a result of this issue, you may encounter one or more of the following symptoms:

-- The system performance degrades and the system eventually stops responding or reboots.
-- In the /var/log/ltm file, you observe multiple messages that appear similar to the following example: emerg logger: Re-starting istatsd.

-- The istatsd process produces a core file in the /shared/core directory.

Conditions:
This issue occurs when the following condition is met:

The istatsd process attempts to read a corrupt iStats file.
Under these conditions, the istatsd process may continually restart and produce a core file.

Impact:
Over time, the system performance may degrade and the system may eventually stop responding or reboot due to resource exhaustion.

Workaround:
To work around this issue, you can remove the iStats files and restart the istatsd processes. Impact of workaround: all statistics in the iStats files are reset.

To do so, perform the following procedure:

1. Log in to the BIG-IP command line.
2. To stop the istatsd and related processes, type the following command:
tmsh stop sys service istatsd avrd merged
3. To delete the iStats files, type the following command:
find /var/tmstat2/ -depth -type f -delete
4. To start the istatsd and related processes, type the following command:
tmsh start sys service istatsd avrd merged


605427-1 : TMM may crash when adding and removing virtual servers with security log profiles

Component: Advanced Firewall Manager

Symptoms:
In certain circumstances when virtual servers are configured with security log profiles TMM may crash.

Conditions:
Creation, modification and deletion of many virtual servers with security log profiles attached.

Impact:
TMM may crash with the following log in /var/log/tmm:
<13> Apr 18 13:23:04 <hostname> notice panic: ../base/fw_log_profile.c:3368: Assertion "fw_log_profile_protocol_sip_dos ref non-zero" failed.

Traffic disrupted while tmm restarts.


605260-1 : [GUI] Changes can not be made to GTM listener in partition with default route domain <> 0

Component: Global Traffic Manager (DNS)

Symptoms:
When a listener is created in a partition that has a default route domain set, you cannot make changes to the listener in the GUI via DNS -> Delivery -> Listeners. The GUI returns an 'Instance not found' error when you try to save the change. Also, a listener in the /Common partition cannot even be viewed when a partition that has a default route domain other than 0 is selected.

Conditions:
This occurs when using partitions that have default-route-domain set to something other than 0.

Impact:
You will be unable to make changes to the listener.

Workaround:
Use tmsh, or edit the listener through the LTM GUI: Local Traffic :: Virtual Servers.


605175-1 : Backslashes in monitor send and receive strings

Component: Local Traffic Manager

Symptoms:
After creating a monitor using the GUI containing a recv parameter with a backslash such as '\* OK', loading the configuration generates a validation error:

01070753:3: Monitor /Common/test recv parameter contains an invalid regular expression (Invalid preceding regular expression).
Unexpected Error: Loading configuration process failed.

Attempting to configure the same monitor via tmsh throws the validation error before creating the monitor, but the GUI allows the single backslash. Two backslashes are required in this case.

Conditions:
Using the GUI to configure a monitor, whose receive string needs to look for a backslash, and only a single backslash is entered in the GUI.

Impact:
Configuration fails to load after it is successfully created via the GUI. The GUI accepts this when it should throw a validation error: two backslashes are required.

Workaround:
When configuring the monitor via the GUI, use two backslashes instead of one.
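The following Python script is an added example (not part of this release note and not BIG-IP code) that models the two-level interpretation behind this issue: the configuration loader consumes one level of backslashes, and the resulting string is then compiled as a regular expression. That exactly one backslash level is stripped before the regex compile is the example's assumption, not something this page states. Python's re module rejects a leading '*' with "nothing to repeat", the same class of error that GNU regex reports as "Invalid preceding regular expression".

```python
import re


def unescape_config_string(s: str) -> str:
    """Remove one level of backslash escaping.

    Assumed model (not documented on this page): the configuration loader
    consumes one backslash level before the recv string reaches the regex
    engine, so '\\*' arrives as '*' and '\\\\*' arrives as '\\*'.
    """
    out = []
    i = 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def validate_recv(recv_string: str):
    """Return (ok, pattern_or_error) for a recv string as typed in the GUI or tmsh."""
    pattern = unescape_config_string(recv_string)
    try:
        re.compile(pattern)
    except re.error as err:
        # Python reports "nothing to repeat"; GNU regex reports
        # "Invalid preceding regular expression" for the same input.
        return False, f"{pattern!r}: {err}"
    return True, pattern


def recv_matches(recv_string: str, response: str) -> bool:
    """Apply a validated recv string to a (constructed) server response."""
    ok, pattern = validate_recv(recv_string)
    if not ok:
        raise ValueError(pattern)
    return re.search(pattern, response) is not None


if __name__ == "__main__":
    # Constructed inputs: the single-backslash form the GUI accepts and the
    # double-backslash form tmsh requires.
    for recv in (r"\* OK", r"\\* OK"):
        print(recv, "->", validate_recv(recv))
    print(recv_matches(r"\\* OK", "* OK IMAP4rev1 ready"))
```

The single-backslash form fails validation only once the string has been unescaped, which is why the GUI (which does not run this validation at save time) accepts it and the load fails later.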


605018-2 : Citrix StoreFront integration mode with pass through authentication fails for browser access

Component: Access Policy Manager

Symptoms:
Citrix StoreFront integration mode with pass-through authentication fails for browser access. After the credentials are provided, the browser repeatedly shows 'Can not complete the request' with an 'OK' button.

Conditions:
This occurs when the following conditions are met:
- APM is configured in integration mode with StoreFront.
- External access virtual server IP is used in Citrix gateway configuration 'Subnet IP address' column.
- (Request Header Insert) :: [X-Citrix-Via-Vip:10.10.10.10], 10.10.10.10 is the virtual server IP address. Request Header Insert is configured on the HTTP profile of the same virtual server.

Impact:
No browser access to StoreFront.

Workaround:
StoreFront combines multiple headers of the same name and cannot use the resulting value. You can work around this issue with an iRule that collapses multiple X-Citrix-Via-Vip headers into one. In the iRule below, replace 10.10.10.10 with the corresponding External access virtual server IP address.

when HTTP_REQUEST {
    # Collapse duplicate X-Citrix-Via-Vip headers into a single header
    if { [HTTP::header count "X-Citrix-Via-Vip"] >= 2 } {
        HTTP::header remove "X-Citrix-Via-Vip"
        HTTP::header insert "X-Citrix-Via-Vip" "10.10.10.10"
    }
}


604977-2 : Wrong alert when DTLS cookie size is 32

Component: Local Traffic Manager

Symptoms:
When a ServerSSL profile using DTLS receives a cookie with a length of 32 bytes, it sends a fatal alert.

Conditions:
Another BIG-IP LTM with a ClientSSL profile issues a 32-byte cookie.

Impact:
DTLS with cookie size 32 is not supported.


604923-5 : REST id for Signatures change after update

Component: Application Security Manager

Symptoms:
The REST IDs of existing signatures are unexpectedly modified after updating a User-Defined Signature, or after downloading an Attack Signature Update (ASU) that modifies existing signatures.

Conditions:
A User-Defined Signature is updated, or an ASU containing updated signatures is downloaded.

Impact:
The REST id of the modified signatures is changed which may confuse REST clients.

Workaround:
Execution of the following script will repair an affected device:

perl -MF5::Utils::Rest -MF5::DbUtils -MF5::ASMConfig::Entity::Signature -e '$dbh = F5::DbUtils::get_dbh(); $dbh->begin_work(); $dbh->do("UPDATE PLC.NEGSIG_SIGNATURES SET rest_uuid = \"\" "); F5::Utils::Rest::populate_uuids(dbh => $dbh, rest_entities => ["F5::ASMConfig::Entity::Signature"]); $dbh->commit();'


604838-1 : TCP Analytics incorrectly reports entities as "Aggregated"

Component: Local Traffic Manager

Symptoms:
Although the user has configured TCP Analytics to store statistics for a certain entity, it reports data for that entity in a single "Aggregated" row.

Conditions:
ALL of these conditions must be true:

The TCP Analytics profile is attached to a virtual with both clientside or serverside collection turned off in the profile.

TCP profile has mptcp, rate-pace, tail-loss-probe, fast-open, AND enhanced-loss-recovery all disabled. Also, Nagle, send-buffer, receive-window, proxy-buffer are not in AUTO mode. Finally, rexmt-thresh is 3 and the congestion control algorithm is not delay-based (NewReno, HighSpeed, Cubic). Regrettably, this matches the default TCP profile.

An iRule enables TCP-Analytics when disabled by default in the tcp-analytics profile.

Impact:
Defect eliminates nearly all data granularity for TCP Analytics.

Workaround:
Change the TCP profile on the virtual to violate any of the conditions listed above. The easiest is probably to enable rate pace or mptcp. For all affected versions, this will result in a noticeable CPU performance penalty.


604767-2 : Importing a SAML IdP's metadata on BIG-IP as SP may result in an incomplete IdP connector object configuration.

Component: Access Policy Manager

Symptoms:
When importing a SAML IdP's metadata, the certificate object might not be assigned as the 'idp-certificate' value of the saml-idp-connector object.

Conditions:
BIG-IP is used as SAML SP.

Impact:
The described behavior results in a misconfigured IdP connector. SAML WebSSO subsequently fails.

Workaround:
Manually assign the imported certificate as the 'idp-certificate' value of the saml-idp-connector object.


604727-1 : Upgrade from 10.2.4 to 12.1.0 fails when SNMP trap exists in config from 10.2.4.

Component: TMOS

Symptoms:
Upgrade from 10.2.4 to 12.1.0 fails when SNMP trap exists in config from 10.2.4. After upgrade from 10.2.4 to 12.1.0, you are unable to use the GUI. The system posts the following message: The configuration has not yet loaded. CLI login works, and /var/log/ltm shows that the following message was recorded during the device bootup phase:

emerg load_config_files: "/usr/libexec/bigpipe base daol" - failed. -- BIGpipe parsing error (/config/bigpipe/bigip_sys.conf Line 113): 012e0010:3: The requested value ({ i192_168_0_20_1) is invalid (<trapsess list> ` none) [add ` delete]) for 'trapsess' in 'snmpd'.

Conditions:
Upgrade from 10.2.4 to 12.1.0 fails when SNMP trap exists in config from 10.2.4. The root cause is that the host parameter in the trap is encapsulated in quotation marks.

Impact:
The upgrade completes, but the configuration does not load when the system restarts.

Workaround:
After the configuration has failed to load following an upgrade or UCS install to BIG-IP 12.1.0, due to the issue previously described, you can remove the SNMP trap destination configuration by editing the /config/bigpipe/bigip_sys.conf file, and performing a manual configuration conversion and reload to recover. Alternatively, to prevent the configuration load failure from occurring, you can remove the SNMP trap destination configuration before you upgrade to BIG-IP 12.1.0. Both procedures require that you re-create the SNMP trap destination configuration once the upgrade to BIG-IP 12.1.0 and/or configuration load are complete.


604612-1 : Modified asm cookie violation happens after upgrade to 12.1

Component: Application Security Manager

Symptoms:
False positive 'Modified ASM cookie' violations, and possibly other false positive cookie-related violations.

Conditions:
An upgrade happened to 12.1. Existing end users are connected with their browsers to the site.

Impact:
False positive violations. A blocking page will be shown in case the modified asm cookie is set to blocking (which is the default for this violation in case the policy is in blocking state).

Workaround:
One option is to set the 'Modified ASM cookie' violation to not block (alarm only) for a period after the upgrade.
Another option is to use the erase-cookie blocking page as the default blocking page for some time after the upgrade.
Another option is an iRule like the following (TS01d2cce8 is the ASM cookie name in this example; use the cookie name your policy issues):
when ASM_REQUEST_DONE {
    if {[ASM::violation names] contains "VIOLATION_MOD_ASM_COOKIE"} {
        log local0. "remove TS01d2cce8 cookie"
        # Redirect the client and expire the stale ASM cookie so its next request starts clean
        HTTP::respond 302 Location "http://sub.some_domain.com/index.html?[ASM::support_id]" "Set-Cookie" "TS01d2cce8=deleteOldTSCookie;expires=Thu, 01 Jan 1970 00:00:01 GMT"
    }
}


604496-4 : SQL (Oracle) monitor daemon might hang.

Component: Local Traffic Manager

Symptoms:
The SQL (Oracle) monitor daemon might hang under high monitoring load (hundreds of monitors). The DBDaemon debug log contains messages indicating that hung connections are being aborted and that the address is in use, unable to connect.

Conditions:
A high number of SQL (Oracle, MSSQL, MySQL, PostgreSQL) monitors. Slow SQL responses might make the condition worse.

Impact:
Flapping pool members connected to SQL monitors. Frequent aborts and restarts of SQL monitor daemon.

Workaround:
You can mitigate this issue in the following ways:
-- Reduce number of monitored pool members.
-- Increase the monitor interval (reduce the monitoring frequency).
-- Split monitors among multiple devices.
-- Run monitors on bladed systems.


604133-4 : Ramcache may leave the HTTP Cookie Cache in an inconsistent state

Component: Local Traffic Manager

Symptoms:
Ramcache may re-use internal HTTP data without clearing the cookie cache. If other filters later inspect that cache they may read corrupted cookie information, or cause a TMM crash.

Conditions:
Ramcache + another filter or iRule inspecting/modifying cookies in a Ramcache response.

Impact:
The modifications of the corrupt cookie cache may cause HTTP headers to be malformed. Inspecting the cookie cache may cause the TMM to crash with an assert. Traffic disrupted while tmm restarts.


604011-1 : Sync fails when iRule or policy is in use

Component: TMOS

Symptoms:
After upgrading and attempting to sync to devices in a sync group, sync fails with the following error:

Load failed from 119.big.ip 01070621:3: Rule priorities for virtual server (vs1) must be unique.

Load failed from /Common/big152 01070712:3: Caught configuration exception (0), Values (/Common/vs1) specified for virtual server policy (/Common/vs1 /Common/asm_auto_l7_policy__vs1): foreign key index (vs_FK) do not point at an item that exists in the database.

Conditions:
- A virtual address exists in the traffic-group-local-only group, meaning that it is not synced
- A CPM policy or iRule is applied to that virtual server
- Conduct a sync

This was seen on an upgrade from 12.0.0 to 12.1.0 HF1 or beyond, but could be triggered on an upgrade from any version from 11.4.0 and beyond to 12.1.0 HF1.

Impact:
Config sync fails.

Workaround:
Disassociate the iRule or policy from the virtual server, then attempt to sync.


603979-2 : Data transfer from the BIG-IP system self IP might be slow

Component: Local Traffic Manager

Symptoms:
When a large amount of data needs to be transferred using a self IP address, the BIG-IP system might send out fragmented IP packets with both the DF and MF bits set. Setting both bits is RFC-compliant and valid; however, some routers drop such packets. This might result in retransmissions and low throughput.

Conditions:
This occurs when a self IP address processes large data transfers, and the router between the two endpoints does not process the IP fragments that have both the DF and MF bits set.

Impact:
Data transfer from the BIG-IP system's self IP might be slow.

Workaround:
Run the following command: ethtool -K tmm tso off.

Note: This has a different effect from setting db key tm.tcpsegmentationoffload to "disable" (which will not workaround the issue).

Note: To persist the effect of this command across reboots, use the solution specified in SOL14397: Running a command or custom script based on a syslog message, available here: https://support.f5.com/kb/en-us/solutions/public/14000/300/sol14397.html. For example,

alert tmmready "Tmm ready" {
exec command="/sbin/ethtool -K tmm tso off"
}


603945-2 : BD config update should be considered as config addition in case of update failure

Component: Application Security Manager

Symptoms:
A configuration update fails when the system cannot find the item to update. Configuration failures are shown in bd.log.

Conditions:
The condition that leads to this scenario is not clear and is still under investigation.

Impact:
The update fails and the entity is not added.

Workaround:
Delete the faulty entity and re-add, and then issue the following command: restart asm.

This fixes the issue in the cases in which it is a single entity.


603825-4 : Crash when a Gy update message is received by a debug TMM

Component: Policy Enforcement Manager

Symptoms:
Debug TMM will crash when a Gy update message is received.

Conditions:
- Need a Debug TMM running
- Gy update message must be received by the BIG-IP

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use non-debug TMM.


603772-1 : Floating tunnels with names more than 15 characters may cause issues during config-sync.

Component: TMOS

Symptoms:
Floating tunnels with names more than 15 characters may cause issues in config-sync, because such a long name is truncated when creating a corresponding Linux tunnel interface.

Conditions:
The BIG-IP system consists of both floating and non-floating tunnels and their names are longer than 15 characters.

Impact:
When the config-sync happens, the following error may occur:

Caught configuration exception (0), Cannot create tunnel 'g123456789abc~1' in rd0 - ioctl failed: File exists.

Workaround:
Some workarounds are available:

- Make sure that tunnel names are 15 characters or fewer; or

- Make sure that the names of floating and non-floating tunnels do not share a common prefix in the first 15 characters; or

- Make sure that the BIG-IP system does not have a mixture of floating and non-floating tunnels.
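The following Python script is an added example (not part of this release note and not BIG-IP code) of a pre-sync check for the second workaround above: it flags tunnel names longer than the Linux interface-name limit (IFNAMSIZ is 16 bytes including the terminating NUL, so 15 usable characters) and groups names that would collide once cut to 15 characters. How BIG-IP actually derives the Linux interface name from a long tunnel name is not described on this page; the check assumes a plain 15-character prefix, which is what the workaround compares.

```python
IFNAMSIZ = 16            # Linux limit including the terminating NUL
MAX_IFNAME = IFNAMSIZ - 1  # 15 usable characters


def truncated_ifname(tunnel_name: str) -> str:
    """Name the kernel would see if the tunnel name were simply cut at 15 characters.

    Assumption: BIG-IP's real mapping from tunnel name to Linux interface name
    is not documented on this page; the 15-character prefix is what the
    workaround above tells you to compare.
    """
    return tunnel_name[:MAX_IFNAME]


def find_prefix_collisions(tunnel_names):
    """Group tunnel names that share the same first 15 characters.

    Returns {truncated_name: [full names...]} for every group of two or more,
    i.e. every set of tunnels that would compete for one Linux interface name.
    """
    groups = {}
    for name in tunnel_names:
        groups.setdefault(truncated_ifname(name), []).append(name)
    return {k: v for k, v in groups.items() if len(v) > 1}


def check_tunnel_names(tunnel_names):
    """Return a list of human-readable findings; an empty list means the names are safe."""
    findings = []
    for name in tunnel_names:
        if len(name) > MAX_IFNAME:
            findings.append(f"{name!r} is {len(name)} chars, exceeds {MAX_IFNAME}")
    for short, full in find_prefix_collisions(tunnel_names).items():
        findings.append(f"{full} collide on interface name {short!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample: one floating and one non-floating tunnel whose names
    # differ only after the 15th character, plus one short name.
    sample = ["gre_site_a_to_site_b_float", "gre_site_a_to_site_b_local", "ipip_short"]
    for line in check_tunnel_names(sample):
        print(line)
```

Run it over the output of tmsh list net tunnels (names only) before enabling config-sync; any collision finding corresponds to the "File exists" ioctl failure quoted above.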


603598-4 : big3d memory growth under extreme load conditions

Component: Global Traffic Manager

Symptoms:
big3d memory consumption can grow if big3d is unable to process monitor requests in a timely fashion.

This can be seen by monitoring the memory consumption of big3d using standard OS tools such as top.

Conditions:
big3d maintains a queue for monitor requests.
Incoming monitor requests are first placed in the Pending queue.
Requests are moved from the Pending queue to the Active queue, if there is room in the Active queue.

When the Pending queue is full, there is no room for the Monitor Request. big3d attempts to clean up the Monitor request, but fails to completely free the memory.
This might result in a significant memory leak.

For this to happen, the Active queue must be full as well as the Pending queue.

One possible condition that might cause this is if multiple Monitors time out. This results in Monitors having long life times, which keeps the Active queue full.

Thus the Pending queue might become full and the memory leak can occur.

In BIG-IP 11.1.0 versions of big3d, the Active queue has 256 slots and the Pending queue has 4096 slots. In BIG-IP 11.1.0-hf3, the queue sizes were expanded to 2048 for the Active queue and 16384 for the Pending queue.

Because the queues were smaller in versions prior to 11.1.0-hf3, this leak is more likely to manifest there. In later versions, the leak is still possible, but less likely to occur.

Impact:
big3d memory consumption grows unbounded. This might result in a big3d restart or memory starvation of other processes.

Workaround:
This can be partially mitigated by ensuring that monitor settings are reasonable and that big3d is not overloaded. This minimizes the chance that the Pending queue becomes full.

There is no mechanism to resize the queues.


603550-1 : Virtual servers that use both FastL4 and HTTP profiles at same time will have incorrect syn cache stats.

Component: Local Traffic Manager

Symptoms:
Virtual server remains in syncookie mode even after the syn flood stops.

As a result of this issue, you might see the following symptoms:
-- Virtual servers that use both FastL4 and HTTP profiles might show incorrect 'Current SYN Cache' stats.

-- Virtual stats 'Current SYN Cache' does not decrease.

Conditions:
This issue occurs when the configuration contains a virtual server that uses FastL4 as a filter (for example, it has both a FastL4 profile and a layer 7 profile such as HTTP) and that virtual server is subjected to a SYN flood.

Impact:
The virtual server stays stuck in syncookie mode after the synflood is over, and does not recover.

Workaround:
None.


603397-1 : tmm core on MRF when routing via the MR::message route iRule command using a non-existent transport-config

Component: Service Provider

Symptoms:
tmm will core if the transport config specified in a MR::message route iRule command does not exist.

Conditions:
the transport config specified in a MR::message route iRule command does not exist.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use the correct name for the transport-config object.


603236-1 : 1k/4k creation issue at Safenet 6.2 + 6.10.9 fw

Component: Local Traffic Manager

Symptoms:
Creating 1024-bit and 4096-bit RSA keys fails when the SafeNet client version installed on the BIG-IP system is 6.2 and the SafeNet appliance firmware is 6.10.9.

Conditions:
Safenet appliance: 6.2
Safenet firmware: 6.10.9
Safenet client: 6.2

Impact:
1024-bit and 4096-bit RSA keys cannot be created.


603149-2 : Large ike-phase2-lifetime-kilobytes values in racoon ipsec-policy

Component: TMOS

Symptoms:
Setting max data limit transmitted (in kilobytes) to a very large limit results in a smaller limit, causing SAs to expire too quickly. Values for ike-phase2-lifetime-kilobytes inside ipsec-policy can reach 2^32-1 kilobytes, but will be processed incorrectly, as if the value were smaller.

Conditions:
When lifetime-kilobytes is large enough, it can act as though it were smaller.

Impact:
Negotiated SAs expire too quickly when size lifetime is calculated too small.

Workaround:
Until the fix is applied, decrease ike-phase2-lifetime-kilobytes until SA lifetimes are stable.


603093 : AC Power Supply output DC LED does not turn off when the input power is cut-off to it in redundant system

Component: TMOS

Symptoms:
The BIG-IP i-Series platform (i2600, i2800, i4600, i4800) 250W AC power supplies PWR-0334-01 and PWR-0334-02 show different LED behavior on hot swap, hot plug, or whenever input power is removed from the supply. This applies to redundant systems and to systems with a single supply.

Conditions:
PWR-0334-01
- When the input ramps below 80 VAC: input LED blinks green, output LED blinks amber.
- When the input ramps below 72 VAC: input LED off, output LED blinks amber.
- If the AC cord is removed, with 1 or 2 supplies in the system: input LED off, output LED off.

PWR-0334-02
- When the input ramps below 75 VAC (±1 VAC): input LED blinks green, output LED blinks amber.
- When the input ramps below 70 VAC (±1 VAC): input LED off, output LED off immediately.

Impact:
LED behavior may be inconsistent between revisions of power supply on early platform shipments with PWR-0334-02

Workaround:
N/A


603032-3 : clientssl profiles with sni-default enabled may leak X509 objects

Component: Local Traffic Manager

Symptoms:
SSL memory consumption grows when virtuals with sni-default-enabled clientssl profiles are modified.

Conditions:
clientssl profile with sni-default enabled combined with configuration manipulations of virtuals with such profiles.

Impact:
The amount of leakage depends on the number of virtuals with sni-default-enabled clientssl profiles and on the frequency of configuration manipulations. For large configurations, the leakage can be very noticeable over time.

Workaround:
No workaround short of not using sni-default.


603019-2 : Inserted SIP VIA branch parameter not unique between INVITE and ACK

Component: Service Provider

Symptoms:
The branch parameter of the inserted VIA header is sometimes the same between an INVITE and ACK message.

Conditions:
If the CSEQ number of a SIP message is the same, the inserted VIA header will contain the same branch parameter.

Impact:
SIP proxy servers which perform strict message validations may reject the call.
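The following Python script is an added example (not part of this release note and not BIG-IP code) that shows why the behavior above breaks strict proxies. RFC 3261 requires the Via branch parameter (prefixed with the magic cookie z9hG4bK) to be unique per transaction, and the ACK that follows a 2xx response is its own transaction even though it reuses the INVITE's CSeq number. The script inserts a Via header into a constructed INVITE and its ACK using two branch derivations: one keyed on the CSeq number only, which reproduces the duplicate branch described above, and one that also includes the CSeq method. The second derivation is only an illustration of the uniqueness requirement, not a description of the actual fix.

```python
import hashlib

MAGIC_COOKIE = "z9hG4bK"  # RFC 3261 branch prefix marking a compliant transaction ID


def branch_from_cseq_number(call_id: str, cseq: str) -> str:
    """Branch derived from Call-ID and the CSeq *number* only.

    Mirrors the behavior described above: INVITE and its ACK share a CSeq
    number, so they receive the same branch.
    """
    number = cseq.split()[0]
    digest = hashlib.sha1(f"{call_id}|{number}".encode()).hexdigest()[:16]
    return MAGIC_COOKIE + digest


def branch_from_cseq(call_id: str, cseq: str) -> str:
    """Branch derived from Call-ID plus the full CSeq (number and method).

    Illustrative only (not the real fix): including the method separates the
    ACK-for-2xx transaction from the INVITE transaction.
    """
    number, method = cseq.split()[:2]
    digest = hashlib.sha1(f"{call_id}|{number}|{method}".encode()).hexdigest()[:16]
    return MAGIC_COOKIE + digest


def parse_headers(msg: str) -> dict:
    """Minimal SIP header parser: request line plus first occurrence of each header."""
    lines = msg.strip().splitlines()
    headers = {"request_line": lines[0]}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def insert_via(msg: str, branch_fn, sent_by: str = "203.0.113.10:5060") -> str:
    """Prepend a Via header whose branch is produced by branch_fn (the proxy's own Via)."""
    h = parse_headers(msg)
    branch = branch_fn(h["call-id"], h["cseq"])
    lines = msg.strip().splitlines()
    via = f"Via: SIP/2.0/UDP {sent_by};branch={branch}"
    return "\r\n".join([lines[0], via] + lines[1:]) + "\r\n\r\n"


def top_branch(msg: str) -> str:
    """Return the branch parameter of the topmost Via header."""
    via = parse_headers(msg)["via"]
    return via.split("branch=")[1].split(";")[0]


# Constructed sample messages: an INVITE and the ACK that follows a 200 OK,
# sharing Call-ID and CSeq number as RFC 3261 requires.
INVITE = """INVITE sip:bob@example.com SIP/2.0
Via: SIP/2.0/UDP 192.0.2.1:5060;branch=z9hG4bK776asdhds
From: <sip:alice@example.com>;tag=1928301774
To: <sip:bob@example.com>
Call-ID: a84b4c76e66710@192.0.2.1
CSeq: 314159 INVITE
"""
ACK = INVITE.replace("INVITE sip:", "ACK sip:").replace("314159 INVITE", "314159 ACK")


if __name__ == "__main__":
    for fn in (branch_from_cseq_number, branch_from_cseq):
        a = top_branch(insert_via(INVITE, fn))
        b = top_branch(insert_via(ACK, fn))
        print(fn.__name__, "INVITE", a, "ACK", b, "unique" if a != b else "DUPLICATE")
```

A proxy that indexes transactions by branch sees the ACK with the first derivation as a retransmission or mismatch for the INVITE transaction, which is the rejection described under Impact.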


602854-2 : Missing ASM control option from LTM policy rule screen in the Configuration utility

Component: TMOS

Symptoms:
In the Configuration utility, when creating or editing a LTM policy, the ASM control option may be missing from the rule screen.

Conditions:
Whether the ASM control option is present or missing purely depends on the license installed on the system.

The system incorrectly reports certain licensed modules to the Configuration utility, which fails to parse them and ultimately to display the ASM control option. If you wish to determine whether you are affected by this issue, SSH to the advanced shell of the BIG-IP system and run this command:

# grep -E '^active module : [^|]*\|[^|]*$' /config/bigip.license

If any output is returned, then you are affected by this issue.

Impact:
ASM cannot be enabled in LTM policies using the Configuration utility.

Workaround:
Use the TMSH utility to enable ASM in LTM policies.


602654-2 : TMM crash when using AVR lookups

Component: Application Visibility and Reporting

Symptoms:
When a module tries to find or insert data in AVR lookups, TMM/AVR may core. The crash occurs when two processes try to touch the same cell in the lookup simultaneously.

Conditions:
AVR lookups are in use by any module.

Impact:
Traffic disrupted while tmm restarts.


602566-5 : sod daemon may crash during start-up

Component: TMOS

Symptoms:
sod daemon produces core file during start-up

Conditions:
sod encounters an error during start-up and attempts to recover.

Impact:
sod restarts


602502-2 : Unable to view the SSL Cert list from the GUI

Component: TMOS

Symptoms:
When you try to see information about any SSL certificates in the GUI, it displays an error: An error has occurred while trying to process your request.

Conditions:
At least one certificate has a double extension (such as test.crt.crt) in its name. With such a certificate present, no SSL certificates can be viewed in the GUI.

Impact:
Unable to view any SSL certificate from the GUI.

Workaround:
Delete the offending certificate through tmsh and re-import it without the extra .crt extension in the certificate name:

delete sys file ssl-cert test.crt.crt


602434-1 : Tmm crash with compressed response

Component: Application Visibility and Reporting

Symptoms:
AVR decompresses all traffic in order to perform classification. This can cause tmm to core due to too many decompression requests.

Conditions:
Sending a high volume of compressed traffic to a virtual server with a DoS profile.

Impact:
Traffic disrupted while tmm restarts.


602381 : Poor performance can occur with MPTCP

Component: Local Traffic Manager

Symptoms:
Slow transfer speeds are encountered with MPTCP. This appears to be a client-side MPTCP bug exposed on a VMware ESXi guest using the vmxnet3 driver.

Conditions:
MPTCP
MPTCP linux client on ESXi

Impact:
Degraded performance.

Workaround:
None


602366-1 : Safenet 6.2 HA performance

Component: Local Traffic Manager

Symptoms:
With a SafeNet 6.2 HA setup, you only see the performance of one HSM.

Conditions:
Safenet 6.2 client is installed and Safenet HA is used.

Impact:
Only one HSM is used for the HA setup.

Workaround:
Add primary hsm to the newly created ha group
/shared/safenet/lunasa/bin/lunacm -c hagroup createGroup -serialNumber 464683014 -label ha_test -password <pw>

or
echo "copy" | /shared/safenet/lunasa/bin/lunacm -c hagroup createGroup -serialNumber 464683014 -label ha_test -password <pw>

Add following hsm to the ha group
/shared/safenet/lunasa/bin/lunacm -c hagroup addMember -serialNumber 470379014 -group ha_test -password <pw>

Enable HAonly
/shared/safenet/lunasa/bin/lunacm -c hagroup HAOnly -enable

Delete ha group
/shared/safenet/lunasa/bin/lunacm -c hagroup deleteGroup -label ha_test


602358-4 : Some sites need the SSL/TLS ClientHello version sent after receiving the HelloRequest to match the first ClientHello Version

Component: Local Traffic Manager

Symptoms:
Some sites need the SSL/TLS version (both in the Record layer and Handshake Protocol) in the 2nd ClientHello after receiving the HelloRequest to be exactly the same as the SSL/TLS version of the 1st ClientHello; that is:
************************************************************
1st ClientHello record layer version == 2nd ClientHello record layer version;
1st ClientHello Handshake Protocol version == 2nd ClientHello Handshake Protocol version.
************************************************************

The BIG-IP system's default behavior is to set the ClientHello version to the version negotiated in the first ServerHello, so the second ClientHello (sent in response to the HelloRequest) can carry a different version from the first.

Conditions:
This occurs when using virtual servers configured with one or more SSL profiles

Impact:
The SSL renegotiation after receiving the HelloRequest will fail.

Workaround:
Manually setting the ServerSSL profile's cipher string to TLS1.0 can work around the issue.
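The following Python script is an added example (not part of this release note and not BIG-IP code) that extracts the two version fields this issue is about, the record-layer version in the TLS record header and the client_version in the ClientHello handshake body, and compares them between a first ClientHello and the one sent after a HelloRequest. It constructs its own minimal ClientHello records as sample input; the version pairs chosen for the samples are assumptions for illustration. A strict peer of the kind described above accepts the renegotiation only when both fields match.

```python
import os

HANDSHAKE = 0x16
CLIENT_HELLO = 0x01


def build_client_hello(record_version, client_version, cipher_suites=(0x002F,)):
    """Construct a minimal TLS ClientHello record (constructed sample data)."""
    body = bytes(client_version)                        # client_version
    body += os.urandom(32)                              # random
    body += b"\x00"                                     # session_id length 0
    suites = b"".join(s.to_bytes(2, "big") for s in cipher_suites)
    body += len(suites).to_bytes(2, "big") + suites     # cipher_suites
    body += b"\x01\x00"                                 # compression_methods: null only
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([HANDSHAKE]) + bytes(record_version)
            + len(handshake).to_bytes(2, "big") + handshake)


def parse_client_hello(data: bytes):
    """Return the record-layer and handshake-layer versions of a ClientHello record."""
    if len(data) < 11:
        raise ValueError("record too short")
    if data[0] != HANDSHAKE:
        raise ValueError("not a handshake record")
    record_version = (data[1], data[2])
    record_len = int.from_bytes(data[3:5], "big")
    hs = data[5:5 + record_len]
    if len(hs) < 6 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    if hs_len != len(hs) - 4:
        raise ValueError("handshake length mismatch")
    handshake_version = (hs[4], hs[5])
    return {"record_version": record_version, "handshake_version": handshake_version}


def renegotiation_versions_match(first_hello: bytes, second_hello: bytes) -> bool:
    """True when the second ClientHello repeats both version fields of the first one."""
    a, b = parse_client_hello(first_hello), parse_client_hello(second_hello)
    return (a["record_version"] == b["record_version"]
            and a["handshake_version"] == b["handshake_version"])


if __name__ == "__main__":
    # Assumed sample: first ClientHello with a TLS 1.0 record version and a
    # TLS 1.2 client_version; the renegotiation hello uses the negotiated
    # TLS 1.2 in both fields, so the record-layer version differs.
    first = build_client_hello(record_version=(3, 1), client_version=(3, 3))
    renegotiated = build_client_hello(record_version=(3, 3), client_version=(3, 3))
    print(parse_client_hello(first), parse_client_hello(renegotiated))
    print("strict peer would accept:", renegotiation_versions_match(first, renegotiated))
```

To check a real capture, feed the first 5 + record_len bytes of each client-to-server handshake record to parse_client_hello; the record header is fixed-length, so no decryption is needed for the first ClientHello.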


602326-1 : Intermittent pkcs11d core when installing Safenet 6.2 software

Component: Local Traffic Manager

Symptoms:
Sometimes you may see pkcs11d core when stopping/restarting pkcs11d service.

Conditions:
bigstart issues a "stop" to pkcs11d while pkcs11d is receiving a message.

Impact:
pkcs11d may core intermittently.

Workaround:
pkcs11d may automatically restart without intervention.


602300-1 : Zone Runner entries cannot be modified when sys DNS starts with IPv6 address

Component: Global Traffic Manager

Symptoms:
Zone Runner entries cannot be modified if an IPv6 DNS name server is listed first. This can happen when a user runs the tmsh command
tmsh modify sys dns name-servers add { <IPv6> }

as the first dns name-server.
This will show in the /etc/resolv.conf file (an example)
nameserver 2001::1
nameserver 192.168.100.1

Conditions:
When an IPv6 nameserver is the first server defined.

Impact:
ZoneRunner records cannot be modified.

Workaround:
Do not use a DNS server with an IPv6 address, or list an IPv4 server first.


602221-2 : Wrong parsing of redirect Domain

Component: Application Security Manager

Symptoms:
ASM learns wrong domain names.

Conditions:
There is no '/' after the domain name in the redirect domain.

Impact:
Incorrect learning suggestions can lead to an incorrect policy.

Workaround:
N/A


602193-4 : iControl REST call to get certificate fails if

Component: TMOS

Symptoms:
While using the iControl REST API, a call to /mgmt/tm/sys/crypto/cert results in a 400 or 500 error. The call to /mgmt/tm/sys/crypto/key works.

Conditions:
This can occur if any of the certificates contain non-UTF-8 characters.

Impact:
iControl REST API call will fail.

Workaround:
If possible, generate the certificate to only contain utf-8 characters.


602171-1 : TMM may core when remote LSN operations time out

Component: Carrier-Grade NAT

Symptoms:
TMM configured with LSN may core during high utilization, when local endpoint resources are exhausted and a request for remote resources times out.

Conditions:
An LSN remote operation times out. LSN can request resources from a remote TMM when local resources are exhausted; when such a request times out, this can result in a core in affected versions.

Impact:
Traffic disrupted while tmm restarts.


602136-5 : iRule drop command causes tmm segfault or still sends 3-way handshake to the server.

Component: Local Traffic Manager

Symptoms:
If you have a client-side iRule that drops a client-side connection, either tmm will segfault or the BIG-IP system still sends the SYN to the server, and then a RST. The reset cause will be 'TCP 3WHS rejected'.

Conditions:
Client-side iRule that drops a connection.

Impact:
TMM segfaults or the BIG-IP system still sends a SYN to the server.

Workaround:
None.


602040-3 : Truncated support ID for HTTP protocol security logging profile

Component: Local Traffic Manager

Symptoms:
The HTTP Protocol Security logging profile yields an incomplete support ID in local storage.

Conditions:
Configuration: LTM with Protocol Security Module provisioned, LTM virtual server with HTTP Protocol Security and local-storage logging profile attached. The log-db entries created by the HTTP Protocol Security logging profile have a truncated support ID.

Impact:
The support ID presented to the user does not match the one in the logs because the log entry is truncated (missing a few digits)

Workaround:
There is no workaround


601989-2 : Remote LDAP system authenticated username is case sensitive

Component: TMOS

Symptoms:
Unable to log in via SSH, with the cause reported as "user account has expired". The wrong role is assigned to the remote user.

Conditions:
The character case of the username returned from LDAP must match the login username and the configured account name. This can be exposed on an upgrade from 11.6.0 to 12.1.0 or later.

Impact:
Unable to log in via SSH as a remote user, or the remote user is assigned an incorrect role, when multiple accounts exist with the same name in mixed case.

Workaround:
Avoid configuring the same account username with different character case. The user account configured in TMOS and used to log in should exactly match, including case, the user account name returned from LDAP.


601924-1 : Selenium detection by ports scanning doesn't work even if the ports are opened

Component: Advanced Firewall Manager

Symptoms:
When the Selenium server package is running on an endpoint and traffic is sent from it, the proactive bot defense mechanism does not see the ports opened by the Selenium server.

Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled.

Impact:
Low impact, because Selenium detection by port scan has a low score and does not by itself mitigate a client unless the client has other suspicious properties (for example, the Tor browser).

Workaround:
N/A


601905-2 : POST requests may not be forwarded to backend server when EAM plugin is enabled on the virtual server

Component: Access Policy Manager

Symptoms:
POST requests appear to hang when they are sent through a virtual server with EAM plugin enabled.

Conditions:
Most likely, the POST request contains large post data.

Impact:
The POST request will fail.

Workaround:
The following iRule, which collects the POST body on the BIG-IP system, works around the issue:

when HTTP_REQUEST {
    if {[HTTP::method] eq "POST"}{
        # Collect up to $max_collect bytes of POST data
        set max_collect 1000000
        if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= $max_collect}{
            set content_length [HTTP::header "Content-Length"]
        } else {
            set content_length $max_collect
        }
        # Only collect when there is a body to collect
        if { $content_length > 0} {
            HTTP::collect $content_length
        }
    }
}


601893-2 : TMM crash in bwc_ctb_instance_recharge because of pkts_avg_size is zero.

Component: TMOS

Symptoms:
Tmm cores. There might be messages similar to the following notice in /var/log/ltm just before the crash: notice BWC: instance already exist. This is an extremely rarely occurring issue.

Conditions:
This extremely rare issue occurs when the following conditions are met:
Dynamic BWC use with dynamic change in rate for each instance.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use dynamic modification of rates for dynamic policies.


601709-2 : I2C error recovery for BIGIP 4340N/4300 blades

Component: TMOS

Symptoms:
The I2C internal bus for the front switch may not work. The fix recovers from the problem when it happens.

Conditions:
This rarely happens.

Impact:
Corrupted serial number information from SFPs, and fiber SFPs may not come up.

Workaround:
bigstart restart bcm56xxd


601536-1 : Analytics load error stops load of configuration

Component: Application Visibility and Reporting

Symptoms:
After upgrading, the configuration fails to load and you see this log message: 01071ac1:3: Non-Comulative metric (max-request-throughput) cannot be calculated per single entity (pool-member).
Unexpected Error: Validating configuration process failed.

Conditions:
This can occur any time the analytics configuration was valid in a previous release and is no longer valid. For example, if you have an analytics profile set at pool-member granularity, it will load in 12.0.0 but will fail to load on 12.1.0 as granularity must be set at the virtual-server level, not the pool level.

Impact:
Configuration fails to load, and the system will not pass traffic.

Workaround:
Fixing the configuration manually is the only option when this occurs. In the pool-member granularity example, you can check all your analytics profiles for granularity pool-member and set them to granularity virtual-server.


601527-4 : mcpd memory leak and core

Component: TMOS

Symptoms:
Mcpd can leak memory during config update or config sync.

Conditions:
Not all of the conditions that trigger this are known, but it seems to occur during full configuration sync and is most severe on the config sync peers. It was triggered by making a single change on the primary by configuring a monitor rule, e.g., tmsh create ltm pool p members { 1.2.3.4:80 } monitor http

Impact:
Loss of memory over time, which may result in out-of-memory and mcpd core.


601502-3 : Excessive OCSP traffic

Component: TMOS

Symptoms:
With OCSP configured on a virtual server, you see excessive OCSP requests going to the OCSP server.

Conditions:
Virtual server configured with an OCSP profile

Impact:
OCSP responses are not cached properly and excessive requests are sent to the server.

Workaround:
None.


601496-3 : iRules and OCSP Stapling

Component: Local Traffic Manager

Symptoms:
Using certain iRules on virtual servers with OCSP Stapling enabled on the Client SSL profile might cause OCSP requests to be reissued, resulting in a memory leak.

You may notice warning messages similar to the following in /var/log/ltm:
warning tmm[11300]: 011e0003:4: Aggressive mode sweeper: /Common/default-eviction-policy (0) (global memory) 115 Connections killed.

Conditions:
This occurs when the following conditions are met:
-- Virtual server with OCSP Stapling enabled.
-- iRule attached to the virtual server that uses SSL::renegotiate.

Impact:
TMM memory usage increases gradually; eventually the aggressive mode sweeper is activated.

Workaround:
None.


601414-1 : Combined use of session and table irule commands can result in intermittent session lookup failures

Component: TMOS

Symptoms:
[session lookup] commands do not return the expected result.

Conditions:
An iRule which combines use of [table] and [session lookup] commands.

Impact:
Intermittent session functionality.

Workaround:
If possible, use table commands in lieu of session commands.


601255-4 : RTSP response to SETUP request has incorrect client_port attribute

Component: Service Provider

Symptoms:
- Clientside data is sent to UDP port 0
- RTSP response to SETUP request contains incorrect 'client_port' attribute (0)

Conditions:
- Virtual with RTSP profile.
- 200/OK is received from server in response to the initial SETUP request
- SETUP request was the initial message received on a new connection

Impact:
Unicast media may be forwarded to an incorrect UDP port (0).


601180-2 : Link Controller base license does not allow DNS namespace iRule commands.

Component: Global Traffic Manager

Symptoms:
The Link Controller base license was improperly preventing DNS namespace iRule commands.

Conditions:
A Link Controller license without an add-on that allowed Layer 7 iRule commands.

Impact:
An administrator would not be able to add DNS namespace commands to an iRule, or to upgrade from a pre-11.5 configuration where the commands were working to 11.5.4 through 12.1.1.

Workaround:
To address the inability to upgrade, removal of DNS namespace commands from the configuration prior to upgrade will allow the upgrade to proceed. The commands will then be able to be re-added after a fixed version is installed.


601178-1 : HTTP cookie persistence 'preferred' encryption

Component: Local Traffic Manager

Symptoms:
When encryption is 'preferred' in the HTTP cookie persistence profile and the client presents a plaintext route-domain-formatted cookie, the BIG-IP ignores the cookie and load balances the connection again.

Conditions:
This occurs when route-domain-compatible cookies are sent in plaintext.

Impact:
Cookie does not get accepted by the persistence profile and flow does not persist.


601056 : TCP-Analytics error message not using the rate-limit mechanism can halt TMM

Component: Application Visibility and Reporting

Symptoms:
An error message is displayed when TCP-Analytics fails to save new data. This error message should be rate-limited, like all TMM error messages, so that if it occurs very frequently it is displayed only occasionally and not for every error event.
Because the error message is not rate-limited, hitting this error many times can lead to a TMM halt.

This is also part of bug: 601035, which is the root-cause for hitting the error case.

Conditions:
TCP-Analytics is assigned to a virtual server, and bug 601035 is hit.

Impact:
TMM can halt.

Workaround:
Remove TCP-Analytics from virtual servers.


601035 : TCP-Analytics can fail to collect all the activity

Component: Application Visibility and Reporting

Symptoms:
When the traffic reaching the BIG-IP comes from a very large number of different client IPs and subnets, the TCP-Analytics table can fill up, which leads to the activity that follows being ignored until the next snapshot of data.

Conditions:
A TCP-Analytics profile is attached to a virtual server, and incoming traffic comes from a large number of client IPs and subnets (the exact number needed to fill the table depends on machine type and provisioned modules).

Impact:
TCP Analytics shows only some of the activity, not all of it.
There is also another impact, described in bug 601056: frequent errors in the log.

Workaround:
Disable TCP-Analytics.


600982-3 : TMM crashes at ssl_cache_sid() with "prf->cache.sid == 0"

Component: Local Traffic Manager

Symptoms:
When SSL is configured, the TMM might rarely crash, logging the following error in /var/log/ltm: notice panic: ../modules/hudfilter/ssl/ssl_session.c:538: Assertion "cached" failed.

Conditions:
This is a very rare crash related to SSL being configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


600944-1 : tmsh does not reset route domain to 0 after cd /Common and loading bash

Component: TMOS

Symptoms:
In tmsh, you are in a partition with a custom route domain. When you run 'cd /Common', then run bash and then 'ip route', the routing table from the partition is displayed, not the one for /Common.

Conditions:
Attempting to see the route table from the /Common partition after leaving another partition.

Impact:
You cannot get /Common's route table back without quitting and restarting tmsh.

Workaround:
Quit tmsh and restart.


600894-1 : In certain situations, the MCPD process can leak memory

Component: TMOS

Symptoms:
In certain situations, the MCPD process can leak memory. This has been observed, for example, while updating large external data-group file objects. Each time an external data-group file is updated, MCPD's memory utilization grows a little bit. Once enough iterations have occurred, the system may no longer be able to update the external data-group file, but instead return the following error message:

err mcpd[xxxx]: 01070711:3: Caught runtime exception, std::bad_alloc.

Conditions:
So far, this issue has only been observed while updating a large external data-group file object.

Impact:
The system may no longer be able to update the external data-group file object. It is also possible for MCPD to crash, or be killed by the Linux OOM killer, as a result of the memory leak.


600872-1 : Access session inactivity expiration time not updated when accessed with http/2 enabled browsers on Windows platforms.

Component: Access Policy Manager

Symptoms:
Access session inactivity expiration time not updated when accessed with http/2 enabled browsers on Windows platforms.

Conditions:
- An HTTP/2 capable browser is in use on a Windows platform.
- APM and HTTP/2 are enabled on the same virtual.

Impact:
APM sessions will time out at the configured inactivity timeout regardless of activity and users will have to restart their sessions.

Workaround:
None.


600827-7 : Stuck nitrox crypto queue can erroneously be reported

Component: Local Traffic Manager

Symptoms:
In some cases, a stuck crypto queue can be erroneously detected on Nitrox systems (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The message "Hardware Error(Co-Processor): n3-crypto0 request queue stuck" will appear in the ltm log file.

Conditions:
Nitrox based system performing SSL under heavy load.

Impact:
Device errors reported in logs and crypto HA action is taken, possibly resulting in failing over.


600614-4 : External crypto offload fails when SSL connection is renegotiated

Component: Local Traffic Manager

Symptoms:
If an external crypto offload client is configured with an SSL profile and renegotiation is enabled for the SSL profile, the crypto client connection will fail when the SSL connection is renegotiated.

Conditions:
External crypto offload client configured with an SSL profile with renegotiation enabled.

Impact:
Crypto client connection to the crypto server will fail.

Workaround:
Disable renegotiation on the SSL profile.


600593-1 : Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests

Component: Local Traffic Manager

Symptoms:
After a CONNECT request is sent to the BIG-IP system and processed, if the client disconnects before a response is received from the server, the FIN is not propagated to the server-side and that connection remains open. If a client sends another CONNECT request to the same destination, the previous server-side flow is reused for the new request. Inspection of packet captures reveals that the BIG-IP system does not process the new CONNECT request as such, but instead forwards it to the server using the old server-side flow. This behaviour is incorrect. The CONNECT method should disable connection reuse, and the BIG-IP should close the server-side flow if the client disconnects first.

Conditions:
Use of HTTP Explicit Proxy and OneConnect together. CONNECT requests must arrive at the virtual server. The client must disconnect before the server responds.

Impact:
Some connections may fail. Depending on what data is sent to the server over an unintended connection, unpredictable results may be experienced.

Workaround:
You can apply the following iRule to the HTTP Explicit Proxy virtual server to mitigate the issue:

when HTTP_PROXY_REQUEST {
   if { [HTTP::method] equals "CONNECT" } {
      ONECONNECT::reuse disable
   }
   else {
      ONECONNECT::reuse enable
   }
}


600558-5 : Errors logged after deleting user in GUI

Component: TMOS

Symptoms:
After deleting a user in the BIG-IP GUI (under Access Policy :: Local User DB : Manage Users), the following symptoms may be observed:

1. After approximately 10 minutes, an error similar to the following appears in the LTM log (/var/log/ltm):

mcpd[25939]: 01070418:5: connection 0x5dde19c8 (user admin) was closed with active requests

This message may also appear in /var/log/webui.log and /var/log/tomcat/catalina.out.

2. After clicking Refresh, the GUI may not show the correct web page.

Conditions:
This has been reported most frequently when deleting local users (Access Policy :: Local User DB : Manage Users), but has been encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.

Impact:
Error messages logged.
GUI may not show the correct web page.

Workaround:
Use the CLI (tmsh) to delete local users.


600119-3 : DNS name resolution for servers outside of Network Access Name Split scope can be slow in some conditions

Component: Access Policy Manager

Symptoms:
When connected to the VPN and a Wi-Fi adapter is enabled (but not connected to any WLAN), access to websites outside the VPN is very slow.
Access is fine when the Wi-Fi interface is disabled.

Conditions:
- The number of DNS servers configured for active network adapters matches the number of DNS servers configured in the Network Access resource.

Impact:
User experience while navigating to servers outside the VPN scope is impacted by increased connection time.

Workaround:
Disable unused adapters, or change the number of configured DNS servers.


599567 : APM assumes snat automap, does not use snat pool

Component: Local Traffic Manager

Symptoms:
When a virtual configured to use a SNAT pool is also associated with APM (for example, when configured as an RDP gateway), the SNAT pool setting is not honored.

Conditions:
SNAT pool configured, APM configured (one example is deploying the Horizon View iApp for APM).

Impact:
The VLAN Self IP address is used instead of the snat pool addresses.


599543-1 : Cannot update (overwrite) PKCS#12 SSL cert & key while referenced in SSL profile

Component: TMOS

Symptoms:
When a PKCS#12 cert and key are in use by SSL profiles, importing the key/cert fails with the following error message:

Import Failed: Exception caught in Management::urn:iControl:Management/KeyCertificate::pkcs12_import_from_file_v2()
0107160f:3: Profile /Common/z-cssl's SSL forward proxy CA key and certificate do not match

Conditions:
1. When the cert and key are in the PKCS#12 format.
2. When the cert and key are in use by SSL profiles.

Impact:
When a PKCS#12 cert and key are in use by SSL profiles, they cannot be directly updated (overwritten) using key/cert import.

Workaround:
Use tmsh to install the PKCS#12 key. For example, if the key/cert to be replaced are called orig.key and orig.crt, they can be overwritten using the following command:

tmsh install sys crypto pkcs12 orig from-local-file /shared/eee.pfx


599521-4 : Persistence entries not added if message is routed via an iRule

Component: Service Provider

Symptoms:
MRF SIP route table implementation does not add a persistence entry if the message was routed via an iRule.

Conditions:
If the message is routed via an iRule, a SIP persistence entry will not be created.

Impact:
Since MRF SIP persistence may be bidirectional, not having the persistence entry prevents messages flowing in the opposite direction from being automatically routed via persistence.

Workaround:
An iRule could be used to route messages directed towards the original client.


599135-3 : B2250 blades may suffer from high TMM CPU utilisation with tcpdump

Component: Local Traffic Manager

Symptoms:
B2250 blades may suffer from continuous TMM CPU utilization when tcpdump has been in use.

Conditions:
Run tcpdump on a B2250 platform

Impact:
Increment in TMM CPU utilization with every run of tcpdump.

Workaround:
Restart TMM, avoid the use of tcpdump.


598981-3 : APM ACL does not get enforced all the time under certain conditions

Component: Access Policy Manager

Symptoms:
Particularly when the box is very busy, or when using certain applications, the ACL is not applied for certain sessions. This issue may not be consistently reproducible.

Conditions:
Brief summary:
If one TMM processes more than 6 connections for a particular session during the ACL construction time window, that TMM does not apply the ACL to further connections for that session.

Details of the mechanism of the issue:
Each TMM constructs the ACL for a session whenever a connection associated with that session is processed by that TMM. Until the construction is completed, any further connections associated with the same session and processed by the same TMM are queued. When the construction is completed, TMM applies the ACL to the queued connections, up to 6 connections per cycle, and then switches context. The expected behavior is that some time later, applying the ACL for this session resumes with another 6 connections, if any, until all the queued entries are exhausted. The context switching had a bug that results in the ACL not being applied after the 6th connection for this TMM for that specific session.

The following conditions individually increase the chances for this problem to occur:
1. Box is very busy. (The ACL construction window is prolonged.)
2. Concentration of connections into one TMM. (e.g. VPN feature)
3. Small number of TMMs (e.g. BIG-IP low end platform, VEs)
4. Application starts with a high number of concurrent connections.

Impact:
ACL is not applied for subsequent connections for that TMM.

Workaround:
Mitigation:
An administrator can kill the affected session, which forces the user to log in again and thus restarts the ACL construction process.


598874-11 : GTM Resolver sends FIN after SYN retransmission timeout

Component: Local Traffic Manager

Symptoms:
If a DNS server is not responding to TCP SYN, GTM Resolver sends a FIN after a retransmission timeout (RTO) of the SYN.

Conditions:
GTM Resolver tries to open a TCP connection to a server that does not respond.

Impact:
Firewalls may log the FIN as a possible attack.


598854-3 : sipdb tool incorrectly displays persistence records without a pool name

Component: Service Provider

Symptoms:
MRF SIP persistence records added for a forwarding route (a peer object without a pool) are not displayed properly by sipdb.

Conditions:
If a persistence record is added for a route that does not contain a pool, this persistence entry will not be displayed correctly.

Impact:
The persistence entry is correctly stored in the persistence table and will operate correctly. Due to the bug in the sipdb tool, this entry will not be viewable for debugging purposes.


598748 : IPsec AES-GCM IVs are now based on a monotonically increasing counter

Component: TMOS

Symptoms:
IPsec was using random IVs.

With random IVs and the shortest packets, complete integrity loss will happen before 8 Gb of data are exchanged over the security association in one direction (assuming a collision probability of 0.1%).

Conditions:
Use of AES-GCM or GMAC in IPsec.

Impact:
The use of random IVs limits the amount of traffic that can be sent with AES-GCM in IPsec.

Workaround:
The workaround is to limit the amount of traffic per the guidelines above for long-lived security associations in IPsec.

A re-key before 10 Gbyte of data are exchanged is recommended. For a 1 Gbps connection the rekey should happen in under 1 min (100 Mbps: 15 min, 10 Gbps: 10 sec).
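As an added worked example (not part of this release note), the birthday-bound arithmetic behind the figures above, in Python. It assumes a 64-bit per-packet IV and a 40-byte minimum packet size; neither value is stated on the page, and both are marked as assumptions in the code.

```python
"""Birthday-bound estimate for random vs. counter-based AES-GCM IVs in IPsec.

Added worked example; the two sizes below are assumptions, not values from
the release note.
"""
import math

IV_BITS = 64           # assumption: 8-byte per-packet IV (RFC 4106 AES-GCM ESP)
MIN_PACKET_BYTES = 40  # assumption: rough size of the shortest ESP packets


def collision_probability(packets, iv_bits=IV_BITS):
    """Probability that at least two of `packets` uniformly random IVs repeat.

    Standard birthday approximation: 1 - exp(-n(n-1) / 2^(b+1)).
    """
    n = float(packets)
    return 1.0 - math.exp(-n * (n - 1) / 2.0 ** (iv_bits + 1))


def packets_until_collision(p, iv_bits=IV_BITS):
    """Packets after which the collision probability reaches p.

    Inverts the small-p form n^2 / 2^(b+1) ~= p.
    """
    return math.sqrt(p * 2.0 ** (iv_bits + 1))


def bytes_until_collision(p, packet_bytes=MIN_PACKET_BYTES, iv_bits=IV_BITS):
    """Traffic volume at which random IVs reach collision probability p.

    Smaller packets mean more packets (hence more IVs) per byte, so the
    shortest packets give the lowest safe volume; that is the worst case
    the release note quotes.
    """
    return packets_until_collision(p, iv_bits) * packet_bytes


def counter_iv_packets_before_reuse(iv_bits=IV_BITS):
    """With a monotonically increasing counter an IV repeats only on wrap-around."""
    return 2 ** iv_bits


def rekey_interval_seconds(limit_bytes, link_bps):
    """Seconds until limit_bytes have been sent one way on a link of link_bps."""
    return limit_bytes * 8 / link_bps


if __name__ == "__main__":
    p = 0.001
    n = packets_until_collision(p)
    print(f"random IVs: p={p} after {n:.3g} packets "
          f"(~{bytes_until_collision(p) / 1e9:.1f} GB of {MIN_PACKET_BYTES}-byte packets)")
    print(f"counter IVs: first reuse after {counter_iv_packets_before_reuse():.3g} packets")
    for bps in (100e6, 1e9, 10e9):
        print(f"10 GB one-way limit at {bps / 1e6:.0f} Mbps: rekey every "
              f"{rekey_interval_seconds(10e9, bps):.0f} s")
```

With these assumptions the 0.1% bound lands near 7.7 GB of minimum-size packets, which is why per-volume rekeying matters for random IVs and not for counter-based ones.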


598700-4 : MRF SIP Bidirectional Persistence does not work with multiple virtual servers

Component: Service Provider

Symptoms:
Messages received by different virtual servers (sharing the same router) are not able to be properly routed using the call-id persistence.

Conditions:
A router with multiple virtual servers bridging between networks is not able to use the same call-id persistence entry for routing messages. Messages trying to use a persistence entry created by a different virtual server may be routed to the wrong device.

Impact:
Messages received on another virtual server trying to use the persistence entry will be routed to the wrong device.


598697-3 : vCMP guests may fail after vCMP host system is upgraded to BIG-IP v12.1.x when 'qemu' user isn't created

Component: TMOS

Symptoms:
After installing v12.1.0 on a vCMP host system the guests don't start anymore and remain in "failed" state.

Errors similar to these are logged in the ltm log file:

Jun 10 08:17:22 slot1/VIP4480-R68-S26 crit vcmpd[14354]: 01510003:2: User "qemu" doesn't exist
<..>
Jun 10 08:17:22 slot1/VIP4480-R68-S26 err vcmpd[14354]: 01510004:3: Guest (test-guest): Failure - Error starting VM.
Jun 10 08:17:22 slot1/VIP4480-R68-S26 info vcmpd[14354]: 01510007:6: Guest (test-guest): VS_STARTING->VS_FAILED

Conditions:
The vCMP host is upgraded to v12.1.0 or higher, and
the vCMP host system was originally installed with v11.6.0 or an older build.

Impact:
After installing v12.1.0 on a vCMP host system, the guests don't start anymore and remain in "failed" state.

Workaround:
The workaround is to run the following command:

useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu

then:

bigstart restart vcmpd


598650-1 : apache-ssl-cert objects do not support certificate bundles

Component: TMOS

Symptoms:
The Traffic Management Shell (tmsh) documents command options for apache-ssl-cert objects that suggest that Apache SSL Certificates (apache-ssl-cert objects) support certificate bundles.
References to certificate bundles in context of the 'bundle-certificates', 'subject' and 'is_bundle' fields are in error, and should refer to single certificates only.
Apache SSL Certificates (apache-ssl-cert objects) do not actually support certificate bundles.
On BIG-IP v11.5.0 and later, attempting to create Apache SSL Certificate objects from a certificate bundle will result in an error like the following:
01070712:3: Values (/Common/certificate_name) specified for Certificate Bundle Entity (/Common/certificate_name.0 /Common/certificate_name): foreign key index (certificate_file_object_FK) do not point at an item that exists in the database.

Conditions:
Attempting to create Apache SSL Certificate objects from a certificate bundle.

Impact:
Unable to create Apache SSL Certificate objects from a certificate bundle.


598498-7 : Cannot remove Self IP when an unrelated static ARP entry exists.

Component: TMOS

Symptoms:
Cannot remove a self-IP when an unrelated static ARP entry exists. The system produces an error similar to the following: err mcpd[6743]: 01071907:3: Cannot delete IP <addr> because it would leave a static neighbor (ARP/NDP) entry unreachable.

Conditions:
A static ARP entry exists, and there are no Self IP addresses on the same subnet as the static ARP entry. In this condition, none of the Self IP addresses can be deleted.

Impact:
Must delete static ARP entries in order to delete Self IP addresses.

Workaround:
None.


598443-1 : Temporary files from TMSH not being cleaned up intermittently.

Component: TMOS

Symptoms:
/var/tmp/tmsh and /var/system/tmp/tmsh can have leftover unused directories if there was an abrupt termination in which TMSH did not get a chance to clean up its remaining directories.

Conditions:
This can occur if a running task creates a TMSH tmp file, then gets killed before it finishes its clean-up.

Impact:
This can cause the directories /var/tmp/tmsh and /var/system/tmp/tmsh to fill up and cause out of memory exceptions.

Workaround:
Manually delete all unused files in /var/tmp/tmsh and /var/system/tmp/tmsh.


598211-1 : Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode.

Component: Access Policy Manager

Symptoms:
During the logon to Citrix StoreFront through an APM virtual server, after the login page, the BIG-IP system sends the client the following error: Error 404 file or directory not found.

Conditions:
This occurs when the following conditions are met:
- Citrix Android receiver 3.9.
- APM is in integration mode with Citrix StoreFront.
- Storefront unified experience mode is enabled.

Impact:
Cannot access Citrix StoreFront unified UI through Android Receiver 3.9.

Workaround:
For StoreFront integration mode, there is an iRule that is created by the iApp that redirects the root page to the store's URI. The workaround is to add an additional redirect for the receiver_uri ending with receiver.html. The iRule below contains this workaround.
It is also recommended to delete and recreate the existing store account.

when HTTP_REQUEST {
    if { [regexp -nocase {/citrix/(.+)/receiver\.html} [HTTP::path] dummy store_name] } {
        log -noname accesscontrol.local1.debug "01490000:7: setting http path to /Citrix/$store_name/"
        HTTP::path "/Citrix/$store_name/"
    }
}


598039-5 : MCP memory may leak when performing a wildcard query

Component: TMOS

Symptoms:
MCP's umem_alloc_80 cache (visible using tmctl -a) increases in size after certain wildcard queries. Accordingly, the MCP process shows increased memory usage.

Conditions:
Folders must be in use, and the user must execute a wildcard query for objects that are in the upper levels of the folder hierarchy (i.e. not at the very bottom of the folder tree).

Impact:
MCP loses available memory with each query. MCP could eventually run out of memory and core, resulting in an outage or failover (depending on whether or not the customer is running in a device cluster).

Workaround:
Do not perform wildcard queries.


597978-3 : GARPs may be transmitted by the active unit when going offline

Component: Local Traffic Manager

Symptoms:
GARPs may be transmitted by the active unit when going offline. Because the standby that takes over for the active also transmits GARPs, this is not expected to cause impact.

Conditions:
Multiple traffic-groups are configured and the active unit goes offline.

Impact:
It is not expected that this will cause any impact.

Workaround:
Make the unit standby before forcing offline.


597879-1 : CDG Congestion Control can lead to instability

Component: Local Traffic Manager

Symptoms:
Debug TMM crashes when the TCP congestion window allows an abnormally high or low congestion window. You can see this by looking at the bandwidth value in "tmsh show net cmetrics" if cmetrics-cache is enabled in the TCP profile.

Conditions:
Running the Debug TMM with CDG Congestion Control.

Impact:
Traffic disrupted while tmm restarts.
In the default TMM, the allowed sending rate will be abnormally high or low.

Workaround:
Use a congestion control algorithm other than CDG.

Switch to the default TMM.


597835-5 : Branch parameter in inserted VIA header not consistent as per spec

Component: Service Provider

Symptoms:
MRF SIP in LoadBalancing Operation Mode inserts a VIA header to SIP request messages. This VIA header is removed from the returned response message. The VIA header contains encrypted routing information to route the response message. The SIP spec states that all messages in the same transaction should contain the same branch header. The code used to encrypt the branch field returns a different value each time.

Conditions:
SIP Via header insertion is enabled on the BIG-IP SIP MRF profile and an INVITE needs to be cancelled.

Impact:
Some servers have code to verify that the branch fields in the VIA header do not change within a transaction. These servers complain when they see the fields change.


597818-2 : Unable to configure IPsec NAT-T to "force"

Component: TMOS

Symptoms:
When configuring IPsec NAT traversal to "Force", the behavior is as if the setting is "Off".

Conditions:
Configuring IPsec NAT Traversal to Force

Impact:
NAT-T does not work

Workaround:
Configure NAT-T to On instead.


597729-5 : Errors logged after deleting user in GUI

Component: TMOS

Symptoms:
After deleting a user in the BIG-IP GUI (under Access Policy :: Local User DB : Manage Users), the following symptoms may potentially be observed:

1. After approximately 10 minutes, an error similar to the following may appear in the LTM log (/var/log/ltm):

mcpd[25939]: 01070418:5: connection 0x5dde19c8 (user admin) was closed with active requests

Such message may also appear in /var/log/webui.log and /var/log/tomcat/catalina.out.

2. After clicking Refresh, the GUI may not show the correct web page.

Conditions:
It is possible that this error could be encountered when deleting local users (Access Policy :: Local User DB : Manage Users), and may theoretically be encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.

Impact:
Error messages logged.
GUI may not show the correct web page.

Workaround:
Use the CLI (tmsh) to delete local users.


597601-3 : Improvement for a previous issue regressed NAT-T

Component: TMOS

Symptoms:
An earlier improvement request regressed NAT-T whereby phase2 cannot establish.

Conditions:
Using NAT-T with IKEv1.

Impact:
NAT-T does not work.


597564-3 : 'tmsh load sys config' incorrectly allows the removal of the 'app-service' statement from configuration items

Component: TMOS

Symptoms:
The 'tmsh load sys config' command incorrectly allows users to manually remove the 'app-service' statement from configuration items. For example, if a user is manually editing the bigip.conf file, and they remove the 'app-service' statement from a virtual server, 'tmsh load sys config' will not fail to load the config, which is incorrect.

Conditions:
A user manually edits a BIG-IP configuration file and improperly removes the 'app-service' statement from an object.

Impact:
The lack of the 'app-service' statement effectively disassociates the object from its Application Service. This can lead to further issues down the line. For example, if the object is then updated on a multi-blade VIPRION system, secondary blades will restart with an error similar to the following example:

May 6 08:18:27 slot2/VIP2400-R16-S10 err mcpd[32420]: 01070734:3: Configuration error: Configuration from primary failed validation: 010715bd:3: The parent folder is owned by application service (/Common/dummy.app/dummy), the object ownership cannot be changed to ().... failed validation with error 17241533.

Workaround:
Exercise caution when manually editing BIG-IP configuration files.


597532-7 : iRule: RADIUS avp command returns a signed integer

Component: Local Traffic Manager

Symptoms:
iRules that process attribute-value pairs from RADIUS treat integers as signed when they should be treated as unsigned.

Conditions:
iRules using RADIUS::avp to retrieve data

Impact:
iRules using the RADIUS::avp command will not work as expected.

Workaround:
The result can be cast to an unsigned integer after obtaining the value, as follows:

ltm rule radius_avp_integer {
    when CLIENT_DATA {
        set charid_integer [RADIUS::avp 26 "integer" index 0 vendor-id XXXXX vendor-type Y]
        set unsigned_charid_integer [expr {$charid_integer & 0xFFFFFFFF}]
    }
}

Note that tmm internally treats avp values as signed integers so this might not completely correct the issue.


597431-7 : VPN establishment may fail when computer wakes up from sleep

Component: Access Policy Manager

Symptoms:
EdgeClient doesn't clean up the routing table before Windows hibernates. This may result in VPN establishment failing when the computer wakes up. It may also result in other network connectivity issues.

Conditions:
- VPN connection is not disconnected
- Computer goes into hibernation

Impact:
Issues with network connectivity.

Workaround:
Renew the DHCP lease by running:

ipconfig /renew

or reboot the machine.


597253-2 : HTTP::respond tcl command may incorrectly identify parameters as ifiles

Component: Local Traffic Manager

Symptoms:
The HTTP::respond iRule command may incorrectly identify parameters as an iFile parameter when attaching the iRule to a Virtual Server.

Conditions:
HTTP::respond command making use of a variable as a header name. For instance:

HTTP::respond 500 -version 1.1 content "<content>" "$VariableHeaderName" "header_value_text" "Connection" "close"

Configure a HTTP/TCP virtual server and attach the iRule.

Impact:
1070151:3: Rule [/Common/example_rule] error: Unable to find ifile (header_value_text) referenced at line 3: [HTTP::respond 500 -version 1.1 content "<content>" "$VariableHeaderName" "header_value_text" "Connection" "close"]

Workaround:
Ensure the offending header name and value are either both literal strings or both variables.


597214-3 : Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly

Component: Access Policy Manager

Symptoms:
JavaScript code with literal object definition containing field names equal to reserved keywords is not handled correctly by Portal Access.

Conditions:
JavaScript code with literal object definition containing fields with reserved keywords as a name, for example:

var a = { default: 1, continue: 2 };

Impact:
JavaScript code is not rewritten and may not work correctly.

Workaround:
It is possible to use an iRule to rename the field names in the original code.


597089-7 : Connections are terminated after 5 seconds when using ePVA full acceleration

Component: Local Traffic Manager

Symptoms:
When using a fast L4 profile with ePVA full acceleration configured, the 5-second handshake timeout is not being updated to the idle timeout after the handshake is completed. The symptom is an unusually high number of connections getting reset in a short period of time.

Conditions:
Not all of the conditions that trigger this are known, but it is seen when using the fast L4 profile with pva-acceleration set to full.

Impact:
A high number of connections are reset, causing a performance issue.

Workaround:
Disabling PVA acceleration resolves the issue.


596826-5 : Don't set the mirroring address to a floating self IP address

Component: TMOS

Symptoms:
Using tmsh, you can configure the mirroring IP address using the command tmsh modify cm device devicename mirror-secondary-ip ip_address

It is possible to set ip_address to a floating self IP address when using tmsh, but BIG-IP can't mirror to a floating self IP address.

Conditions:
Accidentally setting the mirroring IP address to the floating self IP address using tmsh.

Impact:
Mirroring does not work in this case.

Workaround:
Change the mirroring address to a non-floating self IP address. The GUI only presents non-floating self IP addresses.

For more information about mirroring, see SOL13478: Overview of connection and persistence mirroring at https://support.f5.com/kb/en-us/solutions/public/13000/400/sol13478.html


596815-1 : System DNS nameserver and search order configuration does not always sync to peers

Component: TMOS

Symptoms:
Modifying the System DNS nameserver and search order configuration does not always sync during an incremental sync when the change is made in the GUI or with tmsh modify sys db.

Conditions:
The device is in a failover device group with incremental sync turned on.

In the GUI, modify the DNS Lookup Server List or the DNS Search Domain List fields under System >> Configuration : Device : DNS.

In tmsh, run tmsh modify sys db dns.nameserver (or dns.domainname), and in some cases tmsh modify sys dns name-servers (or search).

Impact:
Modifications do not change the sync status and are not synced to peers.

Workaround:
Perform a full sync or use 'tmsh modify sys dns name-servers replace-all-with' or 'tmsh modify sys dns search replace-all-with'.

Optionally, to get this setting to sync, modify the file /config/BigDB.dat to set realm=common for [DNS.NameServers] and [DNS.DomainName], and restart mcpd on all devices in the failover device group. However, this file may be overwritten by a hotfix or upgrade.


596631-1 : SIP MRF: Wrong listener may be deleted during media deny-listener deletions, causing crash later

Component: Service Provider

Symptoms:
A SIP media flow deny-listener was to have been deleted but an unrelated listener was deleted instead due to an incorrect address/port match.

For example, when the wrongly deleted listener is itself later meant to be deleted, there might be a SIGFPE with the assertion failure 'Assertion "bound listener" failed.'

Conditions:
A SIP MRF media flow existed and was deleted.
An unrelated flow exists with an address/port with wildcards such that it includes that of the media flow.

Impact:
Later when the wrongly deleted listener is referenced, the TMM crashes.


596502-2 : Unable to force Bot Defense action to Allow in iRule

Component: Advanced Firewall Manager

Symptoms:
When a request is being blocked (or challenged with CAPTCHA) due to being a suspicious browser, the action cannot be forced to allow in the iRule

Conditions:
This occurs when a bot defense action is triggered on a suspicious browser and you wish to allow the request through anyway, without sending an RST.

Impact:
The bot defense action cannot be forced to "allow"; the RST is still sent.


596433-2 : Virtual with lasthop configured rejects request with no route to client.

Component: Local Traffic Manager

Symptoms:
A virtual server with a lasthop pool configured rejects requests sourced from a MAC address that is not configured in the lasthop pool.

Conditions:
This issue occurs when the following conditions are met:

- Virtual server with a lasthop pool.
- Connection sourced from a MAC address that is not configured in the lasthop pool.
- Lasthop pool member is local to TMM.
- The tm.lhpnomemberaction db key is set to 2.

Impact:
The connection is erroneously reset with "no route to client".

Workaround:
- Change the tm.lhpnomemberaction db key to 0 or 1 (this is a behavior change).
- Add the IP address of the lasthop member the client is originating from to the lasthop pool.


596278 : ILX workspace created by iApp made from template not deleted when iApp deleted

Component: Local Traffic Manager

Symptoms:
Any ILX workspace created by an iApp from a template (and possibly otherwise) remains even after the iApp is deleted.

You can check for them under tmsh's ltm/ilx/workspace, on the file system in /var/ilx/workspaces, or in the GUI at Local Traffic :: iRules : LX Workspace.

Conditions:
This occurs when using iApps which create ILX workspaces.

Impact:
Configuration that was supposed to be deleted stays on the system.

Workaround:
Delete the leftover workspace manually.


596242-1 : [zxfrd] Improperly configured master name server for one zone makes DNS Express respond with previous record

Component: Local Traffic Manager

Symptoms:
An improperly configured master name server for one zone prevents updates to other, properly configured zones from propagating to tmm, so DNS Express responds with the previous record.

Conditions:
A wrongly configured DNS zone that cannot be updated correctly.

Impact:
DNS Express returns incorrect answers.

Workaround:
Fix the wrongly configured DNS zone.


596116-3 : LDAP Query does not resolve group membership when required attribute(s) are specified

Component: Access Policy Manager

Symptoms:
The corresponding session variable session.ldap.last.memberOf contains only the groups the user directly belongs to.

Conditions:
The LDAP Query is configured with the option "Fetch groups to which the user or group belong" set to "All" and the required attribute set to "memberOf". Only direct groups are populated into the session variable.

Impact:
Group mapping fails.

Workaround:
Add one more attribute to the "required attributes" list: "objectClass".

When the backend is Microsoft Active Directory, you may also want to add primaryGroupID to the list, to get all groups including the primary group.


596104-3 : HA trunk unavailable for VCMP guest

Component: TMOS

Symptoms:
If a vCMP guest is configured with an HA trunk with a threshold value greater than 0, the HA trunk configuration fails with a message similar to the following:

err mcpd[5926]: 01071569:3: Ha group ha_group threshold for trunk _your_trunk_name_here_ 1 is greater than the maximum number of members 0.

Conditions:
This occurs when an HA trunk is configured on a vCMP guest with a threshold value greater than 0. This may occur by any of the following means:
1) Attempting to upgrade a guest to an affected version of BIG-IP, with an HA trunk configured with a threshold value greater than 0. The upgrade will fail with the indicated error message.
2) Attempting to load a UCS from a guest with an HA trunk configured with a threshold value greater than 0. The UCS load will fail with the indicated error message.
3) Creating an HA group and then attempting to modify the threshold value for the HA trunk. The modify command will fail with the indicated error message.

Impact:
HA trunks will not work on affected BIG-IP versions.
You will be unable to upgrade to an affected version of BIG-IP or load a configuration with an HA trunk configured with a threshold value greater than 0.

Workaround:
Configuring the HA trunk threshold to 0 will allow the upgrade to succeed or the configuration to load.
However, this disables the HA trunk feature.


596067-2 : GUI on VIPRION hangs on secondary blade reboot

Component: TMOS

Symptoms:
After rebooting a VIPRION chassis, the GUI suddenly becomes unresponsive several minutes after the reboot.

Conditions:
It is not known exactly what triggers this, as it is a race condition that occurs on system start, but it is believed that Enterprise Manager making queries against the VIPRION for non-chunked statistics while the blade(s) have not fully started triggers this condition.

Impact:
GUI becomes unresponsive

Workaround:
Running bigstart restart httpd clears this condition if it occurs.


595773-8 : Cancellation requests for chunked stats queries do not propagate to secondary blades

Component: TMOS

Symptoms:
Canceling a request for a chunked stats query (e.g. hitting ctrl-c during "tmsh show sys connection") does not stop data flowing from secondary blades.

Conditions:
A chassis-based system with multiple blades. Users must execute a chunked stats query (e.g. "tmsh show sys connection") and then cancel it before it finishes (e.g. with ctrl-c in tmsh).

Impact:
Unnecessary data will be sent from TMM to secondary mcpd instances, as well as from secondary mcpd instances to the primary mcpd instance. This could cause mcpd to restart unexpectedly.


595712-2 : Not able to add remote user locally

Component: TMOS

Symptoms:
When a user has logged in remotely, using tmsh to add a user with the same name will fail:

01020066:3: The requested user role partition (raduser TestPartition) already exists in partition Common.

Conditions:
Remote authentication is configured and a remote user has logged in.

Impact:
Changing a remote user to a local user fails.

Workaround:
Use "replace-all-with" for partition access:

create auth user raduser password raduser1 partition-access replace-all-with { TestPartition {role manager }}


595617-1 : Modifying an IPsec tunnel and IPsec plus IKE SA does not remove the remote SA.

Component: TMOS

Symptoms:
When modifying the ipsec-tunnel-profile, the BIG-IP system deletes the IKEv1 phase 2 SAs locally, but does not inform the remote IPsec peer.

Conditions:
- Configuration uses both IPsec 'interface' mode tunnel(s) and IKEv1.
- A user modifies ipsec-tunnel-profile, found at:
  -- web UI 'Network : Tunnels : Profiles : IPsec Interface : ipsec-tunnel-profile'.
  -- tmsh 'net tunnels ipsec ipsec-tunnel-profile'.

Impact:
A traffic outage on one tunnel when the remote IPsec peer generally plays the role of Initiator. The remote system will not attempt to establish a new tunnel because it believes that a valid SA exists.

Workaround:
Delete the defunct IPsec SA from the remote peer. If the remote IPsec peer is also a BIG-IP system, then restarting tmipsecd can be employed, however this will cause all IPsec tunnels to restart.


595317-4 : Forwarding address for Type 7 in ospfv3 is not updated in the database

Component: TMOS

Symptoms:
The OSPF nssa-external database is not updated when the global address on an interface that is used as a forwarding address is changed.

Conditions:
The global address on the forwarding interface is removed.

Impact:
Packets are sent to an incorrect interface.

Workaround:
Run 'clear ipv6 ospf process'.


595293-4 : Deleting GTM links could cause gtm_add to fail on new devices.

Component: Global Traffic Manager

Symptoms:
Once links are auto-discovered, if auto discovery is disabled and the links are deleted, they could become stuck in the Server > Virtual Server list, preventing new devices from joining the sync group. If gtm_add is run from a new device, the add will appear to succeed, but no GTM objects will show up on the unit.

Conditions:
Links are auto-discovered
Auto discovery is disabled
The links are deleted

Impact:
If gtm_add is run from a new device, the add will appear to succeed, but no GTM objects will show up on the unit.

Workaround:
None


595281-1 : TCP Analytics reports huge goodput numbers

Component: Local Traffic Manager

Symptoms:
TCP Analytics reports that 2^32 bytes have been delivered, rather than 0.

Conditions:
The server-side connection attempt fails.

Impact:
TCP Analytics stats are inaccurate.


595272-1 : Edge Client may show a window displaying plain text in some cases

Component: Access Policy Manager

Symptoms:
In a captive portal environment, Edge Client may sometimes show a window with plain text content.

Conditions:
Edge Client is launched while the user's machine is inside a captive portal network.

Impact:
The user may not be able to establish the VPN.

Workaround:
Authenticate to the captive portal using a browser and launch Edge Client again.


595227-1 : SWG Custom Category: unable to have a URL in multiple custom categories

Component: Access Policy Manager

Symptoms:
When configuring a url in multiple categories you receive a validation error message:
May 19 16:13:44 bigip12 err mcpd[8992]: 010717f3:3: Custom category (/Common/category_allow_group2) has invalid URL (http://172.16.20.1/*). Reason: You cannot have the same URL in two or more custom categories. URL used in category (/Common/category_allow_group1).

Conditions:
Configuring the same URL in multiple custom categories.

Impact:
Unable to have the same URL in multiple custom categories, and therefore cannot configure the system to have a URL allowed for one group but not for another.

Workaround:
None


594869-4 : AFM can log DoS attack against the internal mpi interface and not the actual interface

Component: Advanced Firewall Manager

Symptoms:
While under an attack that matches a DoS profile, BIG-IP may indicate that the interface is the internal mpi interface and not the interface that the attack is happening on.

Conditions:
This can occur in CMP-enabled systems.

Impact:
A valid DoS attack is misreported.


594426-4 : Audit forwarding RADIUS packets may be rejected by the RADIUS server

Component: TMOS

Symptoms:
The Accounting-Request packets are missing two required AVPs (attribute-value pairs), Acct-Session-Id and Acct-Status-Type. Some RADIUS servers drop Accounting-Requests that are missing these AVPs.

Conditions:
The system is configured to use audit forwarding with RADIUS, and audit messages are not logged on the RADIUS server.

Impact:
Unable to log audit messages from BIG-IP using audit forwarding.
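
Added example (not F5 code) that serves both the RADIUS::avp signed-integer issue earlier on this page and ID 594426-4: it parses RADIUS attribute-value pairs including Vendor-Specific (26) sub-attributes, decodes a 4-octet integer as the unsigned value RFC 2865 specifies (and shows the '& 0xFFFFFFFF' recovery from a signed reading), and builds and checks an Accounting-Request for the RFC 2866 Request Authenticator and for the Acct-Status-Type and Acct-Session-Id AVPs that a strict RADIUS server requires. The vendor ID, shared secret, session ID and packets are constructed for the example.

```python
import hashlib
import struct

# RADIUS packet code and attribute types (RFC 2865, RFC 2866).
ACCOUNTING_REQUEST = 4
VENDOR_SPECIFIC = 26
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44
REQUIRED_ACCT_AVPS = {ACCT_STATUS_TYPE: "Acct-Status-Type",
                      ACCT_SESSION_ID: "Acct-Session-Id"}


def parse_avps(data):
    """Split a RADIUS attribute list into (type, value) pairs.

    Each AVP is Type(1) Length(1) Value(Length-2); Length includes the header.
    """
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated AVP header at offset %d" % i)
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad AVP length %d at offset %d" % (alen, i))
        avps.append((atype, data[i + 2:i + alen]))
        i += alen
    return avps


def parse_vsa(value):
    """Decode a Vendor-Specific (26) value: Vendor-Id(4) then vendor AVPs."""
    if len(value) < 4:
        raise ValueError("VSA shorter than Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    return vendor_id, parse_avps(value[4:])


def avp_integer(value, signed=False):
    """Decode a 4-octet 'integer' AVP. RFC 2865 defines it as unsigned 32-bit;
    signed=True reproduces the wrong (signed) reading the RADIUS::avp issue describes."""
    if len(value) != 4:
        raise ValueError("integer AVP must be 4 octets, got %d" % len(value))
    return struct.unpack("!i" if signed else "!I", value)[0]


def to_unsigned32(n):
    """Recover the unsigned value from an integer decoded as signed
    (the same operation as the iRule workaround's '& 0xFFFFFFFF')."""
    return n & 0xFFFFFFFF


def build_accounting_request(identifier, avps, secret):
    """Build an Accounting-Request. The Request Authenticator (RFC 2866 s3) is
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    attrs = b"".join(bytes([atype, len(v) + 2]) + v for atype, v in avps)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def check_accounting_request(packet, secret):
    """Return the reasons a strict RADIUS server would drop this packet."""
    if len(packet) < 20:
        return ["packet shorter than the 20-octet RADIUS header"]
    problems = []
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        problems.append("code %d is not Accounting-Request" % code)
    if length != len(packet):
        problems.append("Length %d != %d octets received" % (length, len(packet)))
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    if expected != packet[4:20]:
        problems.append("Request Authenticator mismatch (wrong shared secret?)")
    try:
        present = {atype for atype, _ in parse_avps(attrs)}
    except ValueError as exc:
        return problems + ["malformed attribute list: %s" % exc]
    for atype, name in REQUIRED_ACCT_AVPS.items():
        if atype not in present:
            problems.append("missing required AVP " + name)
    return problems


# Constructed sample data, not captured from a BIG-IP: a hypothetical vendor
# (Vendor-Id 10794) whose vendor-type 1 carries the integer 0xFFFFFFFE.
SECRET = b"example-shared-secret"
SAMPLE_VSA = struct.pack("!I", 10794) + bytes([1, 6]) + b"\xff\xff\xff\xfe"
# An Accounting-Request missing both AVPs, as described in ID 594426-4 ...
INCOMPLETE = build_accounting_request(7, [(VENDOR_SPECIFIC, SAMPLE_VSA)], SECRET)
# ... and the same request with Acct-Status-Type=Start(1) and an Acct-Session-Id.
COMPLETE = build_accounting_request(8, [
    (ACCT_STATUS_TYPE, struct.pack("!I", 1)),
    (ACCT_SESSION_ID, b"bigip-audit-0001"),
    (VENDOR_SPECIFIC, SAMPLE_VSA)], SECRET)

if __name__ == "__main__":
    vendor_id, vendor_avps = parse_vsa(SAMPLE_VSA)
    raw = vendor_avps[0][1]
    print("vendor", vendor_id, "signed:", avp_integer(raw, signed=True),
          "unsigned:", avp_integer(raw),
          "recovered:", to_unsigned32(avp_integer(raw, signed=True)))
    print("incomplete:", check_accounting_request(INCOMPLETE, SECRET))
    print("complete:", check_accounting_request(COMPLETE, SECRET))
```

Running check_accounting_request against a capture of the BIG-IP's audit-forwarding traffic (with the real shared secret) shows directly whether the two required AVPs are present, which is the quickest way to confirm this issue before changing the RADIUS server's policy.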


594288-1 : Access profile configured with SWG Transparent results in memory leak.

Component: Access Policy Manager

Symptoms:
Access profile configured with SWG Transparent results in memory leak.

Conditions:
Create an access profile of type SWG Transparent, assign it to a virtual server, and run traffic through that virtual server.

Impact:
TMM leaks memory.

Workaround:
None


594075-3 : Sometimes when modifying the firewall rules, the blob does not compile and pccd restarts periodically

Component: Advanced Firewall Manager

Symptoms:
With pccd.alwaysfromscratch set to true, the blob doesn't compile and pccd restarts periodically when firewall rules are modified.

Conditions:
1. pccd.alwaysfromscratch is set to true (the default value is false).
2. Modify some firewall rules.

Impact:
The blob does not compile and pccd keeps restarting without loading the new rules.

Workaround:
Remove saved blob files in /var/pktclass/ (rm -f /var/pktclass/*) and restart pccd.


593530-4 : In rare cases, connections may fail to expire

Component: Local Traffic Manager

Symptoms:
Connections have an idle timeout of 4294967295 seconds (0xFFFFFFFF, the maximum 32-bit value), so they effectively never expire.

Conditions:
An IP Other (ipother) profile is assigned to the virtual server.

Impact:
Connections may linger.

Workaround:
None.


593390-4 : Profile lookup when selected via iRule ('SSL::profile') might cause memory issues.

Component: Local Traffic Manager

Symptoms:
If an iRule selects a profile using just its name, not the full path, the internal lookup might fail. This might cause a new version of the profile to be instantiated, leading to memory issues.

Conditions:
An iRule calls SSL::profile but does not supply the complete path (e.g., /Common/clientssl); rather, the iRule uses only the profile name.

Impact:
Higher memory usage than necessary.

Workaround:
Always have iRules select profiles using the complete path.


593361-1 : Inner packet with a dummy MAC address in NSH over VXLAN-GPE is treated as malformed

Component: TMOS

Symptoms:
The target platform's VXLAN-GPE/NSH implementation must be up to date with the draft and tested against other open-source and commercial implementations before it can be considered stable. If it is not a stable, production-quality implementation, as in the case below, the sender's packets may carry a dummy inner MAC address that BIG-IP does not recognize.

Conditions:
Target platforms whose VXLAN-GPE implementation may be unstable and untested.

Impact:
BIG-IP drops the packets because it does not recognize the inner packet MAC address.

Workaround:
Ensure the target platform's VXLAN-GPE and NSH implementation is stable, tested, and of production quality.


593070-6 : TMM may crash with multiple IP addresses per session

Component: Policy Enforcement Manager

Symptoms:
TMM crash

Conditions:
A session with multiple IP addresses and PCRF communication for dynamic policy management may crash due to a race condition.

Impact:
Traffic disrupted while tmm restarts.


592870-2 : Fast successive MTU changes to IPsec tunnel interface crashes TMM

Component: TMOS

Symptoms:
Changing the IPsec tunnel interface MTU attribute repeatedly in quick succession causes TMM to core. This can occur whether or not traffic has flowed through the tunnel.

Conditions:
This occurs when quickly changing the IPsec tunnel interface MTU.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Change IPsec tunnel interface attributes at a rate of speed that allows each configuration modification to complete.


592868-6 : Rewrite may crash processing HTML tag with HTML entity in attribute value

Component: Access Policy Manager

Symptoms:
If an HTML page contains HTML entities in attribute values, rewrite may crash while processing the page.

Conditions:
HTML tag like this:
<script src="&#10;" type="text/javascript"></script>

Impact:
Web application may not work correctly.

Workaround:
In most cases, the HTML entities can be replaced by the appropriate characters using an iRule.


592784-2 : Compression stalls, does not recover, and compression facilities cease.

Component: Local Traffic Manager

Symptoms:
Compression stalls, does not recover, and compression facilities may cease.

Conditions:
A device error of any kind, or requests that result in the device reporting an error (for example, attempting to decompress an invalid compression stream).

Impact:
In general, compression stops altogether. Under some circumstances, compression requests may end up routed to zlib (software compression), but generally the SSL hardware accelerator card does not correctly report that it is unavailable when it stalls.

Workaround:
Select the softwareonly compression provider by running the following tmsh command: tmsh modify sys db compression.strategy value softwareonly.


592497-1 : Idle timeout ineffective for FIN_WAIT_2 when server-side expired and HTTP in fallback state.

Component: Local Traffic Manager

Symptoms:
While passing normal traffic, CPU utilization of one or more tmms suddenly goes to 100% as viewed by top and remains there indefinitely.

Conditions:
Idle timeout for tcp flows in FIN_WAIT_2.

Impact:
In rare cases, tmm may become 100% CPU busy.

Workaround:
None.


592414-5 : IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed

Component: Access Policy Manager

Symptoms:
IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed from dynamically generated child.

Conditions:
Browsers: IE11 and Chrome
When: After document.write() into its parent has been performed from dynamically generated child.

Impact:
Web application malfunction.

Workaround:
None.


592320-1 : ePVA does not offload UDP when pva-offload-state set to establish in BIG-IP 12.1.0 and 12.1.1

Component: TMOS

Symptoms:
When a fastL4 profile's pva-offload-state is set to establish (the default is embryonic), UDP virtual servers using that profile do not offload UDP traffic, which causes performance degradation.

Conditions:
This issue is introduced during v12.0.0 development and only impacts v12.1.0 and v12.1.1 releases.
A fastL4 UDP virtual server is using a fastL4 profile that has pva-offload-state set to establish.

Impact:
Performance degradation.

Workaround:
Use default setting for pva-offload-state of embryonic for fastL4 profile.


592113-3 : tmm core on the standby unit with dos vectors configured

Component: Advanced Firewall Manager

Symptoms:
On the standby unit with mirrored connections configured, uninitialized DoS vectors may cause a core dump.

Conditions:
HA setup, mirroring enabled on a virtual that has dos vectors configured

Impact:
Traffic disrupted while tmm restarts.


592070-5 : DHCP server connFlow when created based on the DHCP client connFlow does not have the traffic group ID copied

Component: Policy Enforcement Manager

Symptoms:
Variables in the flow context when stored in the sessionDB cannot be shared since the traffic groups of the server and client flows are different.

Conditions:
DHCP virtual created in a non-local traffic group.

Impact:
Variable sharing in the Tcl context does not work.

Workaround:
Modify SysDb variable "Tmm.SessionDB.match_ha_unit" to disable the use of traffic-group ID while accessing the sessionDB.


591840-1 : encryption_key in access config is NULL in whitelist

Component: Access Policy Manager

Symptoms:
encryption_key in the access config is sometimes NULL when the 404 whitelist action is applied, resulting in a TMM crash.

Conditions:
All the following must be true:
- Access policy action resulted in a "not found".
- The session corresponding to above action must be expired.
- FIPS platform.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


591659-9 : Server shutdown is propagated to client after X-Cnection: close transformation.

Component: Local Traffic Manager

Symptoms:
Server shutdown is propagated to client after X-Cnection: close transformation.

Conditions:
In OneConnect configurations, when a server's maximum number of keep-alives is exceeded, the server closes the connection between itself and the BIG-IP system. This Connection: Close is transformed to an X-Cnection: close and sent to the Client along with a TCP FIN.

Impact:
Client side connections are closed by the BIG-IP system too early, causing subsequent requests to be dropped.

Workaround:
None.


591590-1 : APM policy sync results are not persisted on target devices

Component: Access Policy Manager

Symptoms:
Policy sync results, including the profile, sync folder, new partition, statuses, and history, are not persisted on target devices after sync when there is no LSO resolution.

Conditions:
- Create an APM policy with no LSO to resolve, or have an APM policy that has LSO resolved by previous sync

- Start a policy sync

Impact:
Sync results, including the policy profiles, are not persisted, so when the BIG-IP restarts, all the sync data is lost.

Workaround:
Run tmsh command to save config:

tmsh save sys config


591495-1 : VCMP guests sflow agent can crash due to duplicate vlan interface indices

Component: TMOS

Symptoms:
When a VCMP guest uses sflow, the sflow agent will crash when it tries to add a row to its internal data structure and finds the key already exists for some other entry.

Conditions:
The problem is specific to BIG-IP i-Series platforms (i5200, i7200, i10200) with vCMP guests of 4 or more cores; 8 cores triggers it every time.

Impact:
sflow agent will crash.


591476-9 : Stuck nitrox crypto queue can erroneously be reported

Component: Local Traffic Manager

Symptoms:
In some cases, a stuck crypto queue can be erroneously detected on Nitrox systems (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The message "Device error: crypto codec cn-crypto-0 queue is stuck." will appear in the ltm log file.

Conditions:
Nitrox based system performing SSL under heavy load.

Impact:
Device errors reported in logs and crypto HA action is taken, possibly resulting in failing over.


591343-5 : SSL::sessionid output is not consistent with the sessionid field of ServerHello message.

Component: Local Traffic Manager

Symptoms:
SSL::sessionid output is not consistent with the sessionid field of ServerHello message. This is mostly cosmetic, but if an iRule depends upon the outcome, the result can be unexpected.

Conditions:
This occurs when using an iRule to inspect the session ID on server-side SSL.

Impact:
The values do not match. SSL::sessionid outputs the wrong sessionid.

Workaround:
None.


591305 : Audit log messages with "user unknown" appear on install

Component: TMOS

Symptoms:
Multiple log entries in /var/log/audit similar to

May 4 11:37:35 localhost notice mcpd[5488]: 01070417:5: AUDIT - client Unknown, user Unknown - transaction #33-1 - object 0 - create_if { db_variable { db_variable_name "version.edition" db_variable_value "<none>" db_variable_sync_type "private_internal" db_variable_data_type "string" db_variable_display_name "Version.Edition" } } [Status=Command OK]

Conditions:
This happens on initial install; it is not yet known what triggers it.

Impact:
This is the result of a daemon on the system not properly identifying itself to mcpd. The log messages can be safely ignored.


591268-4 : VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions

Component: Access Policy Manager

Symptoms:
The VS hostname is not resolvable when the DNS Relay Proxy is installed and running; whether this occurs depends on the client machine configuration. Symptom: a negative record in the Windows DNS cache, which can be verified by running ipconfig /displaydns.

Conditions:
Specific client machine configuration

Impact:
VS hostname is not resolvable:
- 'Refresh' of webtop causes unavailable webtop
- Recurring check report may fail due to DNS resolve issue

Workaround:
* Clean windows DNS cache: ipconfig /flushdns
or
* Disable DNS Relay proxy service


591246-1 : Unable to launch View HTML5 connections in non-zero route domain virtual servers

Component: Access Policy Manager

Symptoms:
Currently, APM always attempts to use route domain 0 when the VMware View HTML5 client is launched.

This doesn't work with the virtual servers in non-zero route domains.

Conditions:
APM configured as a PCoIP proxy on a VS in non-zero route domain.

Impact:
Customers cannot use virtuals in non-zero route domains if they need VMware View HTML5 client functionality


591117-3 : APM ACL construction may cause TMM to core if TMM is out of memory

Component: Access Policy Manager

Symptoms:
During ACL construction, TMM sends queries for the assigned ACL information. If the reply contains an out-of-memory error, TMM does not handle the error properly and cores.

Conditions:
BIG-IP is extremely loaded and out of memory.

Impact:
Traffic disrupted while tmm restarts.


591104-1 : ospfd cores due to an incorrect debug statement.

Component: TMOS

Symptoms:
ospfd cores due to an incorrect debug statement.

Conditions:
This occurs in NSSA configurations when ASE OSPF debugging is enabled in imish (for example, by running the command: debug ospf route ase). The affected configuration commands (in imish) are:
- debug ospf all
- debug ospf route
- debug ospf route ase

Impact:
ospfd might crash, interrupting dynamic routing.

Workaround:
Do not enable debugging in ospf that includes 'route ase'.


590938-3 : The CMI rsync daemon may fail to start

Component: TMOS

Symptoms:
CMI starts an instance of the rsync daemon used for synchronizing file objects. If this daemon is not running, but left its PID file, then it will not restart.

Conditions:
The rsync daemon failed unexpectedly.

Impact:
Sync of file objects will fail with an error like this:

01070712:3: Caught configuration exception (0), Failed to sync files...

Workaround:
Delete the PID file, "/var/run/rsyncd-cmi.pid". Then look up the configsync-ip of the local device and run "rsync-cmi start 1.2.3.4", replacing 1.2.3.4 with the current device's configsync-ip.


590851-4 : "never log" IPs are still reported to AVR

Component: Application Security Manager

Symptoms:
IP addresses marked as "never log" are reported to AVR regardless of the flag

Conditions:
Always

Impact:
Extra, unwanted logging for IP addresses flagged as "never log"

Workaround:
N/A


590820-4 : Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.

Component: Access Policy Manager

Symptoms:
Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.

Conditions:
Intense usage of JavaScript methods such as: appendChild(), insertBefore(), and other, similar JavaScript methods, in a customer's web application code.

Impact:
Very low web application performance when using Microsoft Internet Explorer.

Workaround:
None.


590805-1 : Active Rules page displays a different time zone.

Component: Advanced Firewall Manager

Symptoms:
Active Rules page displays a different time zone.

Conditions:
When Active Rules page is loaded after the BIG-IP system timezone has changed.

Impact:
GUI shows incorrect timezone.

Workaround:
Run the following command after changing BIG-IP timezone: bigstart restart tomcat.


590122-1 : Standard TLS version rollback detection for TLSv1 or earlier might need to be relaxed to interoperate with clients that violate TLS specification.

Component: Local Traffic Manager

Symptoms:
Standard TLS version rollback detection for TLSv1 or earlier might be too strict for clients that do not comply with RFC 2246 and later. These clients may require the 'tls-rollback-bug' option to be set.

Conditions:
The standard behaviour of TLS clients is to place ClientHello.client_version in the pre-master secret (PMS).

Some clients incorrectly use the negotiated version in the PMS instead.

Impact:
Failed TLS handshake.

Workaround:
Configure the BIG-IP client SSL profile to include tls-rollback-bug, using a command similar to the following:

create /ltm profile client-ssl xxx ciphers DEFAULT options { tls-rollback-bug }.
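
Added example (not F5 code) of the check ID 590122-1 describes, written in Python: a client builds the RSA pre-master secret either correctly (with ClientHello.client_version) or with the rollback bug (with the negotiated version), and the server-side check accepts the buggy form only when a tls-rollback-bug tolerance is enabled. On mismatch the server follows RFC 5246 7.4.7.1 and substitutes a random secret rather than sending an alert. The versions and the downgrade scenario are constructed for the example.

```python
import os
import struct

# TLS ProtocolVersion values as (major, minor).
SSL3_0, TLS1_0, TLS1_1, TLS1_2 = (3, 0), (3, 1), (3, 2), (3, 3)


def build_rsa_premaster(client_hello_version, negotiated_version, buggy=False):
    """Client side of the RSA key exchange (RFC 5246 7.4.7.1): the 48-byte
    pre-master secret is a 2-byte version followed by 46 random bytes.
    A conforming client writes ClientHello.client_version; a client with the
    'rollback bug' writes the negotiated version instead."""
    version = negotiated_version if buggy else client_hello_version
    return struct.pack("!BB", *version) + os.urandom(46)


def check_premaster_version(pms, client_hello_version, negotiated_version,
                            tls_rollback_bug=False):
    """Server-side version check. Returns (accepted, reason).

    The strict rule compares the PMS version with the version the client
    offered, which detects a downgrade of the ClientHello in transit.
    With tls_rollback_bug set, the negotiated version is also accepted,
    which is what the non-compliant clients need."""
    if len(pms) != 48:
        return False, "pre-master secret must be 48 bytes"
    pms_version = (pms[0], pms[1])
    if pms_version == client_hello_version:
        return True, "matches ClientHello.client_version"
    if tls_rollback_bug and pms_version == negotiated_version:
        return True, "matches negotiated version (tls-rollback-bug tolerance)"
    return False, "PMS version %r is neither ClientHello %r nor negotiated %r" % (
        pms_version, client_hello_version, negotiated_version)


def server_premaster(pms, client_hello_version, negotiated_version,
                     tls_rollback_bug=False):
    """The secret the server should actually continue with. On mismatch do
    not send an alert (that would hand an attacker a version/padding oracle);
    substitute a random 48-byte secret so the handshake fails only at
    Finished, as RFC 5246 7.4.7.1 requires."""
    accepted, _ = check_premaster_version(pms, client_hello_version,
                                          negotiated_version, tls_rollback_bug)
    return pms if accepted else os.urandom(48)


if __name__ == "__main__":
    # Constructed scenario: the client offers TLS 1.2, the server only speaks TLS 1.0.
    good = build_rsa_premaster(TLS1_2, TLS1_0)
    bug = build_rsa_premaster(TLS1_2, TLS1_0, buggy=True)
    print("conforming client:", check_premaster_version(good, TLS1_2, TLS1_0))
    print("buggy client, strict:", check_premaster_version(bug, TLS1_2, TLS1_0))
    print("buggy client, relaxed:",
          check_premaster_version(bug, TLS1_2, TLS1_0, tls_rollback_bug=True))
```

Enabling tls-rollback-bug trades away the downgrade detection for the affected client SSL profile, so scope it to a profile used only by the non-compliant clients rather than to the default profile.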


589400-1 : With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.

Component: Local Traffic Manager

Symptoms:
With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.

Conditions:
The congestion window is small relative to the message size and ABC is enabled; it might also manifest when the server-side MTU is greater than the client-side MTU.

Impact:
Additional connection latency.

Workaround:
Enabling proxy-mss on the serverside TCP profile significantly reduces incidence of this problem in observed cases.

If init-cwnd is low, raising it might also help.

Disabling abc can also reduce the problem, but might have other negative network implications.


589256-1 : DNSSEC NSEC3 records with different type bitmap for same name.

Component: Global Traffic Manager

Symptoms:
For a delegation from a secure zone to an insecure zone, BIG-IP returns different type bitmaps in the NSEC3 record depending on the query type. This causes BIND9's validator to reject the secure delegation to the insecure zone.

Conditions:
For insecure delegations, the BIG-IP DNSSEC implementation does not support the DS record. Those queries are forwarded to the back end (BIND, if it is selected as the fallback). Because there is no ZSK/KSK for an insecure child zone, BIND responds with the SOA, which BIG-IP then signs dynamically.

Impact:
DNS lookups may fail if BIND9's validator rejects the delegation.

Workaround:
None.
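
The validator's complaint is that the NSEC3 type bitmap for one owner name differs between queries. As an added example (not BIG-IP or BIND code), the Python below encodes and decodes the RR type bitmap format that NSEC and NSEC3 share (RFC 4034 section 4.1.2, reused by RFC 5155) and flags owner names whose bitmap changes with query type. The hashed owner names and bitmaps in sample_answers() are constructed for illustration, not captured from a BIG-IP.

```python
# RR type numbers used in the sample (RFC 4034 / RFC 5155)
NS, SOA, RRSIG, NSEC3PARAM = 2, 6, 46, 51


def encode_type_bitmap(types):
    """Encode a set of RR type numbers in the NSEC/NSEC3 'Type Bit Maps' wire
    format: per 256-type window, a window number, a length octet and a bitmap
    with trailing zero octets removed. Bit 0 of each octet is its high bit."""
    out = b""
    for window in sorted({t >> 8 for t in types}):
        bits = bytearray(32)
        for t in types:
            if t >> 8 == window:
                low = t & 0xFF
                bits[low >> 3] |= 0x80 >> (low & 7)
        while bits and bits[-1] == 0:
            bits.pop()
        out += bytes([window, len(bits)]) + bytes(bits)
    return out


def decode_type_bitmap(data):
    """Inverse of encode_type_bitmap; returns the set of RR type numbers and
    rejects blocks whose length octet is 0, over 32, or past the end of data."""
    types, i = set(), 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated type bitmap block")
        window, length = data[i], data[i + 1]
        bitmap = data[i + 2:i + 2 + length]
        if length == 0 or length > 32 or len(bitmap) != length:
            raise ValueError("malformed type bitmap block")
        for byte_index, octet in enumerate(bitmap):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.add((window << 8) | (byte_index << 3) | bit)
        i += 2 + length
    return types


def inconsistent_nsec3_owners(answers):
    """answers maps (hashed_owner, qtype) to the type bitmap of the NSEC3 record
    returned for that query. Returns owners whose bitmap depends on qtype; a
    validator treats such disagreement as an invalid proof."""
    seen, bad = {}, set()
    for (owner, _qtype), bitmap in answers.items():
        types = frozenset(decode_type_bitmap(bitmap))
        if owner in seen and seen[owner] != types:
            bad.add(owner)
        seen.setdefault(owner, types)
    return sorted(bad)


def sample_answers():
    """Constructed bitmaps standing in for the reported symptom: the zone apex
    answers identically for every qtype, while the insecure delegation's NSEC3
    lists only NS for one query type but extra types for another."""
    apex = {NS, SOA, RRSIG, NSEC3PARAM}
    return {
        ("apexhash.example.", "A"): encode_type_bitmap(apex),
        ("apexhash.example.", "MX"): encode_type_bitmap(apex),
        ("childhash.example.", "A"): encode_type_bitmap({NS}),
        ("childhash.example.", "DS"): encode_type_bitmap({NS, SOA, RRSIG}),
    }
```

To apply this to a live server, query the same name for A and DS, take the type list from the NSEC3 record in each response, and compare; any owner in the result of inconsistent_nsec3_owners() is one a validating resolver will refuse.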


589223-1 : TMM crash and core dump when processing SSL protocol alert.

Component: Local Traffic Manager

Symptoms:
TMM crash and core dump when processing SSL protocol alert.

Conditions:
During the SSL handshake, if the server sends a protocol Alert to the BIG-IP system, TMM might crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


589083-3 : TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors.

Component: TMOS

Symptoms:
When a remotely authenticated user who has the admin role uses TMSH or iControl to save the configuration, the operation fails because of permission errors.

Using iControl, the system posts an error similar to the following: Error processing request for URI:http://localhost:8110/mgmt/tm/sys/config
{code:400,message: Can't create tmsh temp directory \"/config/.config.backup\" Permission denied, errorStack:[]}.

Using TMSH (e.g., running the command: tmsh save sys config), the system posts an error similar to the following:

Can't create tmsh temp directory "/config/.config.backup" Permission denied

Conditions:
This occurs when the following conditions are met:
-- Remote Authentication is configured.
-- User is logged in as a remote user who has the admin role.
-- Using TMSH or iControl for remotely authenticated user operations.

Impact:
Cannot save the configuration.

Workaround:
Use one of the following workarounds:
-- Use the GUI to save the configuration.
-- Have a locally authenticated user with admin role save the configuration.


588959-5 : Standby box may crash or behave abnormally

Component: Local Traffic Manager

Symptoms:
TMM crashes on the standby unit

Conditions:
The conditions that cause this are not known; it has been seen very rarely.

Impact:
Tmm on the standby device crashes. Memory utilization before the crash can appear to be unusually high.


588888-3 : Empty URI rewriting is not done as required by browser.

Component: Access Policy Manager

Symptoms:
An empty URI must be rewritten the same way by the server-side and client-side rewriters, that is, left as an empty URI, because all browsers treat this type of URI in a specific way. The rewriters currently do not do this.

Conditions:
A tag with an empty 'src' or 'href' attribute.

Impact:
Web application malfunction, such as incorrect or unexpected behavior or error messages.

Workaround:
Use an application-specific iRule that modifies the empty URI.
-- For example, for JavaScript methods such as setAttribute(), an iRule should change this:
'F5_Invoke_setAttribute(o, "src", uri)'
to this:
'(uri=="")?o.setAttribute("src", uri):F5_Invoke_setAttribute(o, "src", uri)'.

-- As another example, for JavaScript methods such as write(str), writeln(str), innerHTML=str, outerHTML=str, and similar methods, if str contains <img src="" ... >, the iRule must remove the src attribute.


588686-4 : High-speed logging to remote logging node stops sending logs after all logging nodes go down

Component: TMOS

Symptoms:
All logging to external logging nodes (such as BIG-IQ) suddenly stops.

Conditions:
This occurs when all of the configured logging nodes go down. Even after they are brought back up, tmm does not send logs to the remote servers.

Impact:
Remote logging stops and will only resume if tmm is restarted.


588626 : Analytics alerts: Metric "Maximum TPS" can only be used with Virtual Servers (but not with a Pool Member).

Component: Application Visibility and Reporting

Symptoms:
While configuring an alert for Maximum TPS on an Analytics profile, you get an error: Metric "Maximum TPS" can only be used with Virtual Servers (but not with a Pool Member)

Conditions:
This occurs when attempting to add an Analytics alert that triggers on Max TPS, and the alert is configured to run against a pool member or an application (the default is Virtual Server, not pool member or application).

Impact:
You cannot configure Max TPS alerts at the pool member level. The GUI appears to allow you to do this, but validation rules will prevent you from adding the alert.

The full list of alerts that cannot be configured at the pool or application level includes all rules with the word Maximum in them:

- Maximum TPS
- Maximum Server Latency
- Maximum Page Load Time
- Maximum Request Throughput
- Maximum Response Throughput


588456-3 : PEM deletes existing PEM Subscriber Session after lease time expires (DHCP renewal not processed).

Component: Policy Enforcement Manager

Symptoms:
When the BIG-IP system is in DHCP forwarding mode and the giaddr field of a unicast DHCP renewal packet is set to the DHCP relay agent's IP address, the DHCP server sends the ACK for the renewal to the relay agent address (giaddr) instead of to ciaddr. The BIG-IP DHCP module does not process that ACK and so does not update the lease time, which causes the PEM subscriber session to be aged out.

Conditions:
-- BIG-IP is in DHCP forwarding mode.
-- The giaddr field in the unicast DHCP renewal packet is set to the IP address of the relay agent (typically a DHCP client sets it to 0).

Impact:
PEM Subscriber Session will age out
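
An added example, not part of the original article or of BIG-IP: a Python model of the packets involved. It builds a unicast DHCPREQUEST renewal, parses it, and applies the RFC 2131 section 4.1 rules for where a server addresses its reply, so you can see that a non-zero giaddr diverts the ACK to the relay agent rather than to ciaddr. The addresses and MAC address are constructed; the functions are ours and not a BIG-IP API.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCPREQUEST = 3
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr (RFC 2131 section 2)
HEADER = struct.Struct("!BBBBIHH4s4s4s4s")


def _ip(text):
    return ipaddress.IPv4Address(text).packed


def build_dhcp_message(msg_type, xid, ciaddr, giaddr, chaddr, yiaddr="0.0.0.0"):
    """Minimal DHCP message: 28-octet fixed header, 16-octet chaddr, zeroed
    sname/file, magic cookie, option 53 (message type) and the end option."""
    op = 1 if msg_type in (1, 3, 4, 7, 8) else 2      # BOOTREQUEST for client-originated types
    header = HEADER.pack(op, 1, 6, 0, xid, 0, 0,
                         _ip(ciaddr), _ip(yiaddr), _ip("0.0.0.0"), _ip(giaddr))
    return (header + chaddr.ljust(16, b"\0") + bytes(64 + 128)
            + MAGIC_COOKIE + bytes([53, 1, msg_type, 255]))


def parse_dhcp_message(packet):
    """Parse the fixed header and the TLV option area; returns the fields that
    decide how the server addresses its reply."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    (op, _htype, hlen, _hops, xid, _secs, flags,
     ciaddr, yiaddr, _siaddr, giaddr) = HEADER.unpack(packet[:28])
    options, i = {}, 240
    while i < len(packet) and packet[i] != 255:          # 255 = end option
        if packet[i] == 0:                                # 0 = pad, carries no length octet
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op,
        "xid": xid,
        "flags": flags,
        "ciaddr": str(ipaddress.IPv4Address(ciaddr)),
        "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
        "giaddr": str(ipaddress.IPv4Address(giaddr)),
        "chaddr": packet[28:28 + hlen],
        "msg_type": options.get(53, b"\0")[0],
    }


def server_reply_destination(request):
    """Where a server addresses DHCPOFFER/DHCPACK/DHCPNAK for this request, in the
    order RFC 2131 section 4.1 prescribes."""
    if request["giaddr"] != "0.0.0.0":
        return request["giaddr"], 67        # relay agent's server port, not the client
    if request["ciaddr"] != "0.0.0.0":
        return request["ciaddr"], 68        # unicast straight to the renewing client
    if request["flags"] & 0x8000:
        return "255.255.255.255", 68        # client set the broadcast bit
    return "yiaddr", 68                     # unicast to chaddr at the address being offered


def example_renewal(giaddr):
    """Constructed unicast DHCPREQUEST renewal from 10.1.1.50 (not a captured packet).
    giaddr is 0.0.0.0 for a compliant client, or the relay's address in the failing case."""
    return parse_dhcp_message(build_dhcp_message(
        DHCPREQUEST, 0x2A2A2A2A, "10.1.1.50", giaddr, bytes.fromhex("001122334455")))


def ack_reaches_client_directly(giaddr):
    """True when the ACK for the renewal is addressed to ciaddr, the path the DHCP
    forwarder tracks; False when giaddr diverts it to the relay agent."""
    request = example_renewal(giaddr)
    destination, _port = server_reply_destination(request)
    return destination == request["ciaddr"]
```

A capture taken on the BIG-IP during a failing renewal should show the DHCPACK addressed to the relay agent's address on port 67; if it does, the client is the party setting giaddr and the session will age out as described.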


588351-4 : IPv6 fragments are dropped when packet filtering is enabled.

Component: Local Traffic Manager

Symptoms:
IPv6 fragments are dropped when packet filtering is enabled.

Conditions:
Packet filtering is enabled and the system is processing IPv6 fragments.

Impact:
IPv6 fragments with a non-zero offset are lost.

Workaround:
Disable packet filtering.


588289-1 : GTM is Re-ordering pools when adding pool including order designation

Component: Global Traffic Manager

Symptoms:
GTM re-orders the existing pools, including the pool at order "0", when a pool is added with a specific order designation.

Conditions:
This occurs when adding pools with a specified order.

Impact:
This changes the pool order unexpectedly, which affects load balancing that uses the global-availability method.


588115-1 : TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, TMM may crash in some specific scenarios if there is an overlapping, more specific route covering the floating self-IP range configured on the unit.

Conditions:
-- Unit configured with a floating self-IP and allow-service set to something other than none.
-- A more specific route to the self-IP range exists via a gateway.
-- The configured gateway for the overlapping route is unreachable.
-- Ingress traffic to the floating self-IP.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid the use of routes overlapping with configured floating self-IPs.


588089-3 : SSL resumed connections may fail during mirroring

Component: Local Traffic Manager

Symptoms:
SSL resumed connections may fail when SSL mirroring is in use. This can result in SSL connections being unable to recover after failover.

Conditions:
Mirroring enabled on virtual with an associated client-ssl profile.

Impact:
SSL connections unable to recover after failover.

Workaround:
Disable session cache to prevent connections from resuming.


588087-1 : Attack prevention isn't escalating under some conditions in session opening mitigation

Component: Application Security Manager

Symptoms:
An attack is detected, but mitigation does not escalate in session-opening mode.

Conditions:
A session-opening attack in which the attacker answers the challenges.

Impact:
The attack continues.

Workaround:
Configure the attack prevention as rate limit.


588028-1 : Clearing alerts from the LCD while the host is down will re-display the alerts on the LCD when the host comes up

Component: TMOS

Symptoms:
If the LCD alerts are cleared using the LCD menu while the host is down, then when the host is brought back up the LCD re-displays any alerts that were generated after the host went down.

Alerts generated while the host is down are persistent; when the host comes up it harvests those alerts and re-displays them on the LCD. The alarm LED may also be re-initialized to an unexpected state.

Conditions:
Alerts generated while the host is down and alerts are cleared using the LCD menu interface.

Impact:
Alerts are re-displayed on the LCD when the host comes back up. And the alarm LED may indicate an alarm that was thought previously cleared.

Workaround:
Do not clear the alerts from the LCD interface while the host is down.


587966-7 : LTM fastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port

Component: Local Traffic Manager

Symptoms:
LTM fastL4 DNS virtual server or SNAT: first A query dropped when A and AAAA requested at the same time with same source IP:port.

Conditions:
A and AAAA DNS Query requested at the same time with the same source IP and Port.

Impact:
A Type DNS Query dropped intermittently.

Workaround:
Configure a standard virtual server with UDP profile for the traffic instead of using fastl4 or snat.


587705-5 : Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools.

Component: Local Traffic Manager

Symptoms:
Persist lookups fail for source_addr with match-across-virtual servers when multiple entries exist for the client, but pointing to different pools.

Conditions:
'Match_across_virtual' enabled. Multiple persistence entries for a client address exist, and some of these persistence entries point to poolmembers from different pools. Some of these poolmembers do not belong to any of the current virtual server's pools.

Impact:
Source address persistence fails for this client, even though there is a valid persistence entry that can be used.

Workaround:
None.


587698-3 : bgpd crashes when ip extcommunity-list standard with route target(rt) and Site-of-origin (soo) parameters are configured

Component: TMOS

Symptoms:
bgpd daemon crashes

Conditions:
bgp extended-asn-cap is configured before configuring ip extcommunity-list standard with rt and soo fields.

Impact:
bgpd daemon crashes leading to route loss and traffic loss.


587656-2 : gtm auto discovery problem with ehf for ID574052

Component: Global Traffic Manager

Symptoms:
After applying EHF9-685.88-ENG to CRCGTMCS101, many WideIPs such as CRT-LEGAL-SERVICE.gslb.global or OneEvent.gslb.global are unexpectedly status Checking instead of Available.

Conditions:
After applying EHF9-685.88-ENG

Impact:
Many WideIPs such as CRT-LEGAL-SERVICE.gslb.global or OneEvent.gslb.global are unexpectedly status Checking instead of Available.

Workaround:
Skip to the next Eng HF
v11.4.1-hf10/hotfix/HF10-690.10-ENG


587629-2 : IP exceptions may have issues with route domain

Component: Application Security Manager

Symptoms:
The IP exception feature doesn't work as expected.

Conditions:
The same IP address is defined multiple times, each in a different route domain, and the exception properties of those IP addresses were changed.

Impact:
An IP address that should be ignored is not ignored, or similar mismatches.

Workaround:
bigstart restart asm


587617-1 : While adding GTM server, failure to configure new IP on existing server leads to gtmd core

Component: Global Traffic Manager

Symptoms:
gtmd core with SIGSEGV in selfip_needs_xlation.

Conditions:
No GTM server object is configured with an existing self IP address.

Impact:
gtmd cores. GTM unable to respond to DNS queries. DNS traffic disrupted while gtmd restarts.

Workaround:
Configure the GTM server object with an existing self IP address. For more information, see SOL15671: The BIG-IP GTM system must use a local self IP address to define a server to represent the BIG-IP GTM system at https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15671.html


587106-1 : Inbound connections are reset prematurely when zombie timeout is configured.

Component: Carrier-Grade NAT

Symptoms:
When an LSN pool is configured in PBA mode with a non-zero zombie timeout, inbound connections are killed and reset prematurely, often in a matter of seconds.

Conditions:
PBA mode configured on the pool, and zombie_timeout set to a non-zero value.

Impact:
Inbound connections to PBA pools with a zombie timeout configured may not be usable.

Workaround:
None.


587016-2 : SIP monitor in TLS mode marks pool member down after positive response.

Component: Local Traffic Manager

Symptoms:
A SIP monitor in TLS mode marks the pool member down even after a positive response; the member is constantly marked down.

Conditions:
SIP monitor configured in TLS mode.
Server does not send close_notify alert in response to the monitor's close_notify request.

Impact:
Unable to monitor the status of the TLS SIP server.

Workaround:
None.


586878-5 : During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.

Component: TMOS

Symptoms:
During upgrade, configuration fails to load due to invalid clientssl profile cert/key configuration. The validation to verify whether at least one valid key/cert pair exists in clientssl profiles was enforced in software versions through 11.5.0. This validation was not in effect in versions 11.5.1, 11.5.2, and 11.5.3.

The lack of validation resulted in invalid clientssl profiles (those containing empty key/certs or a cert/key of 'default'). When you upgrade such a configuration to 11.5.4 or later, you will receive a validation error, and the configuration will fail to load after upgrade.

Conditions:
The issue occurs when all the below conditions are met.
1. You have a clientssl profile in a configuration from a version without validation (that is, 11.5.1, 11.5.2, or 11.5.3).
2. The clientssl profile in the configuration has an empty cert/key, or a cert/key of 'default'.
3. You upgrade to a version that has the cert/key validation (specifically, 11.5.4, 11.6.0, 11.6.1, and versions 12.1.0 and later).

Impact:
Configuration fails to load. The system posts an error message that might appear similar to one of the following:
-- 01070315:3: profile /Common/my_client_ssl requires a key Unexpected Error: Loading configuration process failed.
-- 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file.
Unexpected Error: Loading configuration process failed.

Workaround:
To work around this situation, modify the configuration file before upgrading:
1. Check the config file /config/bigip.conf.
2. Identify the clientssl profile without a cert/key.
    For example, it might look similar to the following:
    ltm profile client-ssl /Common/cssl_no-cert-key2 {
        app-service none
        cert none
        cert-key-chain {
            "" { }
        }
        chain none
        defaults-from /Common/clientssl
        inherit-certkeychain false
        key none
        passphrase none
    }

   Note: The profile might have cert-key-chain name but not the cert/key. In other words, it could also appear similar to the following example:
    ltm profile client-ssl /Common/cssl_no-cert-key2 {
        app-service none
        cert none
        cert-key-chain {
            default { }
        }
        chain none
        defaults-from /Common/clientssl
        inherit-certkeychain false
        key none
        passphrase none
    }
3. Remove the clientssl profile from /config/bigip.conf.
4. Run the command: tmsh load sys conf.
5. Re-create the clientssl profiles you need.
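
Steps 1 through 3 can be automated. The following added Python example (ours, not an F5 tool) parses the one-item-per-line layout of bigip.conf, lists client-ssl profiles that have no usable cert/key pair and do not inherit one, and removes those stanzas so the remaining file can be loaded and the profiles re-created. SAMPLE_BIGIP_CONF is a constructed file modelled on the stanzas above. Two rules are assumptions of this script rather than F5 definitions: a profile with inherit-certkeychain true is exempt, and a profile that omits inherit-certkeychain is treated as true. Run it against a copy and review the output before editing the real /config/bigip.conf.

```python
SAMPLE_BIGIP_CONF = """\
ltm profile client-ssl /Common/app_cssl {
    cert-key-chain {
        app_cssl_0 {
            cert /Common/app.crt
            key /Common/app.key
        }
    }
    defaults-from /Common/clientssl
    inherit-certkeychain false
}
ltm profile client-ssl /Common/cssl_no-cert-key2 {
    app-service none
    cert none
    cert-key-chain {
        "" { }
    }
    chain none
    defaults-from /Common/clientssl
    inherit-certkeychain false
    key none
    passphrase none
}
ltm profile client-ssl /Common/cssl_default_only {
    cert none
    cert-key-chain {
        default { }
    }
    defaults-from /Common/clientssl
    inherit-certkeychain false
    key none
}
ltm profile client-ssl /Common/cssl_inherits {
    defaults-from /Common/clientssl
    inherit-certkeychain true
}
"""


def parse_tmsh_conf(text):
    """Parse tmsh-style config into nested (header, children) tuples; a scalar
    setting has children None. Relies on bigip.conf's one-item-per-line layout."""
    root, stack = [], []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{ }") or line.endswith("{}"):       # empty block such as "" { }
            stack[-1].append((line.rsplit("{", 1)[0].strip(), []))
        elif line.endswith("{"):
            node = (line[:-1].strip(), [])
            stack[-1].append(node)
            stack.append(node[1])
        else:
            stack[-1].append((line, None))
    return root


def scalar(children, key, default=None):
    """Value of the scalar setting 'key value' among children, or default."""
    for header, body in children:
        if body is None and header.split(maxsplit=1)[0] == key:
            parts = header.split(maxsplit=1)
            return parts[1] if len(parts) > 1 else ""
    return default


def broken_clientssl_profiles(text):
    """Names of client-ssl profiles that would fail cert/key validation: they do
    not inherit a cert-key-chain and no chain entry carries both a cert and a key."""
    broken = []
    for header, body in parse_tmsh_conf(text):
        if body is None or not header.startswith("ltm profile client-ssl "):
            continue
        name = header.split()[3]
        if scalar(body, "inherit-certkeychain", "true") == "true":   # assumption: absent means true
            continue
        usable = any(
            scalar(entry, "cert") not in (None, "none") and scalar(entry, "key") not in (None, "none")
            for chain_header, chain in body if chain_header == "cert-key-chain"
            for _entry_name, entry in chain
        )
        if not usable:
            broken.append(name)
    return broken


def strip_profiles(text, names):
    """Return the config with the named top-level client-ssl stanzas removed
    (step 3 of the workaround), counting braces so nested blocks go with them."""
    kept, depth, skipping = [], 0, False
    for raw in text.splitlines(keepends=True):
        line = raw.strip()
        if not skipping and line.startswith("ltm profile client-ssl ") and line.split()[3] in names:
            skipping = True
        if skipping:
            depth += line.count("{") - line.count("}")
            if depth == 0:
                skipping = False
            continue
        kept.append(raw)
    return "".join(kept)
```

Typical use is broken_clientssl_profiles(open("/config/bigip.conf").read()) to get the list, then strip_profiles() on the same text, written to the file only after the removed stanzas have been saved somewhere for step 5.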


586738-4 : The tmm might crash with a segfault.

Component: Local Traffic Manager

Symptoms:
The tmm might crash with a segfault.

Conditions:
Using IPsec with hardware encryption.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


586718-1 : Session variable substitutions are logged

Component: Access Policy Manager

Symptoms:
With the log level set to debug, session variable substitutions are logged, including the encrypted password if you are substituting the password variable. You may see log entries similar to the following, with the encrypted password included:

debug apmd[3531]: 01490000:7: Util.cpp func: "ScanReplaceSessionVar()" line: 608 Msg: data: '%{session.logon.last.password}' start_pos: 0, count: 30 on 'session.logon.last.password'

Conditions:
APM Access Policy log level set to debug, and session variable substitution is performed.

Impact:
Session variable substitutions should not be logged at all, even when the logged value is the encrypted form of the password.

Workaround:
Set log level to informational or notice for normal operations. Logging at debug level is not recommended unless absolutely needed for specific troubleshooting as it adversely affects system performance.
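
If debug logging cannot be avoided for a troubleshooting session, the values should at least be masked before the log leaves the box. The added Python example below (ours, not part of APM) redacts every single-quoted value on a ScanReplaceSessionVar() debug line that names a sensitive session variable, keeping the %{...} template and the variable name so the line stays useful. SAMPLE_LOG is constructed; the exact position of the substituted value in real apmd output is not shown on this page, so the redaction is deliberately position-independent.

```python
import re

# Session variables whose substituted value must never be forwarded; extend for your deployment (assumption)
SENSITIVE_SESSION_VARS = ("session.logon.last.password",)
QUOTED = re.compile(r"'([^']*)'")


def redact_apmd_debug_line(line):
    """Mask every quoted value on a ScanReplaceSessionVar() debug line that names a
    sensitive session variable, except the %{...} template and the variable name
    itself. Returns (possibly rewritten line, True if anything was masked)."""
    if "ScanReplaceSessionVar" not in line:
        return line, False
    named = [v for v in SENSITIVE_SESSION_VARS if f"'{v}'" in line]
    if not named:
        return line, False

    def mask(match):
        value = match.group(1)
        if value.startswith("%{") and value.endswith("}"):
            return match.group(0)            # the substitution template, no secret in it
        if value in named:
            return match.group(0)            # the variable name, needed to read the line
        return "'<redacted>'"

    return QUOTED.sub(mask, line), True


def redact_stream(lines):
    """Apply the redaction to an iterable of syslog lines; returns (cleaned lines, count masked)."""
    cleaned, count = [], 0
    for line in lines:
        new_line, hit = redact_apmd_debug_line(line)
        cleaned.append(new_line)
        count += hit
    return cleaned, count


# Constructed sample, not a real apmd capture. The final quoted value on the first
# line stands in for wherever the substituted, encrypted password would appear.
SAMPLE_LOG = [
    "Jun  1 10:00:00 bigip1 debug apmd[3531]: 01490000:7: Util.cpp func: \"ScanReplaceSessionVar()\" line: 608 "
    "Msg: data: '%{session.logon.last.password}' start_pos: 0, count: 30 on 'session.logon.last.password' "
    "with 'VGhpcyBpcyBub3QgYSByZWFsIHNlY3JldA=='",
    "Jun  1 10:00:00 bigip1 debug apmd[3531]: 01490000:7: Util.cpp func: \"ScanReplaceSessionVar()\" line: 608 "
    "Msg: data: '%{session.logon.last.username}' start_pos: 0, count: 30 on 'session.logon.last.username' "
    "with 'alice'",
    "Jun  1 10:00:01 bigip1 notice apmd[3531]: 01490005:5: /Common/ap:Common:0a1b2c3d: "
    "Following rule 'fallback' from item 'Logon Page' to ending 'Allow'",
]
```

Place the filter wherever the log leaves the device or is first aggregated; masking in the collector is better than nothing, but the qkview or /var/log copy on the box still carries the original line until the log level is lowered again.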


586660-1 : HTTP/ramcache2 and RAM Cache are not compatible.

Component: Local Traffic Manager

Symptoms:
A virtual server fails some requests where the response is served from cache.

Conditions:
If a virtual server has either SPDY or HTTP/2 enabled, it might fail requests that would normally be served from RAM cache.

Also, a normal HTTP virtual server that has an iRule attached that responds to the HTTP_RESPONSE_RELEASE event might give errors to Tcl commands that attempt to access the response headers.

Certain filters and plugins that required access to the response headers might also fail in unexpected ways.

Impact:
Errors in certain TCL commands or failed requests.

Workaround:
None.


586621-5 : SQL monitors 'count' config value does not work as expected.

Component: Local Traffic Manager

Symptoms:
SQL monitors 'count' config value does not work as expected.

Conditions:
SQL monitor in use with the 'count' config value specified. The 'count' value is intended to record the number of times the connection to the back-end database is re-used before it is disconnected. However, the value is not correctly recording the number in this release.

Impact:
SQL monitor might use a 'count' value that is incorrect.

Workaround:
Add 101 to the desired value. For example, if the desired count is '5', use '106' instead.


586587-1 : RatePaceMaxRate functionality does not work for the TCP flows where the round-trip time (RTT) is less than 6ms.

Component: Local Traffic Manager

Symptoms:
RatePaceMaxRate functionality does not work for the TCP flows where the round-trip time (RTT) is less than 6ms. That results in sending data at higher rates than specified Max Rate.

Conditions:
RTT is less than 6ms.

Impact:
Packet loss might happen (queue overflow) due to sending at higher data rate than the specified max rate.

Workaround:
None.


586449-1 : Incorrect error handling in HTTP cookie results in core when TMM runs out of memory

Component: Local Traffic Manager

Symptoms:
If an under-provisioned TMM runs out of memory, memory allocations may fail. Incorrect handling of such allocation failures in the HTTP cookie code results in a TMM core.

Conditions:
Cookie persistence with encryption required is enabled on the virtual server, and an under-provisioned TMM runs out of memory so that allocations fail.

Impact:
Traffic disrupted while tmm restarts.


586070 : 'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings

Component: Advanced Firewall Manager

Symptoms:
'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings

Conditions:
'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings

Impact:
'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings

Workaround:
N/A


586006-1 : Failed to retrieve CRLDP list from client certificate if DirName type is present

Component: Access Policy Manager

Symptoms:
Client certificate revocation checking fails.

Conditions:
Two conditions together trigger this problem:
1. A CRLDP agent is configured in the access policy without the server hostname and port that DirName type processing requires, AND
2. At least one DirName type CRL distribution point is present in the client certificate, and it is the first in the list.

Impact:
Users may fail access policy evaluation when client certificate authentication is used.

Workaround:
Configure an LDAP server for the CRLDP object. It need not return a valid CRL.


585833-1 : Qkview will abort if /shared partition has less than 2GB free space

Component: TMOS

Symptoms:
In order to inform the user that the /shared partition needed to be cleaned up, qkview checked for at least 2 GB of free space. This is not a hard requirement; building a qkview can use much less than 2 GB. Additionally, some F5 VE systems ship with less than 2 GB in /shared, so qkviews cannot be produced on them at all.

Conditions:
The /shared partition is smaller than 2GB or has less than 2GB free.

Impact:
User is unable to create a qkview despite having enough room to build one.

Workaround:
Increase the size of /shared so that it has at least 2GB of free space. See https://support.f5.com/kb/en-us/solutions/public/14000/900/sol14952.html for detailed instructions on resizing volumes.


585823-1 : FW NAT translation fails if the matched FW NAT rule uses source address list and the source translation object in the rule is configured for dynamic-pat (with deterministic mode)

Component: Advanced Firewall Manager

Symptoms:
Firewall NAT translation failures are observed if the pre-translation connection matches a Firewall NAT policy rule that uses source address list to match the incoming source address and the source translation object in the rule is configured to do 'dynamic-pat' with mode = deterministic

Conditions:
Following conditions suffice for the issue:

a) FW NAT rule has source translation object of type 'dynamic-pat' and mode = deterministic

AND

b) FW NAT rule has match source address-list only (and no inline source addresses on the match side)

Impact:
Translation failure occurs as described resulting in the connection failures.

Workaround:
If a FW NAT rule has source translation object with dynamic-pat and deterministic mode, the source address(es) on the match side should be specified as inline address(es) instead of specifying the source address-list with such addresses.


585813-2 : SIP monitor with TLS mode fails to find cert and key files.

Component: Local Traffic Manager

Symptoms:
SIP monitor with TLS enabled fails to find cert and key in filestore.

Conditions:
SIP monitor with TLS mode.

Impact:
Cannot create SIP monitor with TLS mode enabled and have the pool correctly checked.

Workaround:
Create an external monitor script to invoke the SIP monitor. Supply the correct arguments to the script.


585745-2 : sod core during upgrade from 10.x

Component: TMOS

Symptoms:
The failover daemon (sod) may core during an upgrade, when the peer device upgrade completes and rejoins the trust.

Conditions:
Upgrading an HA pair from 10.x to 12.x or later.

Impact:
A corefile is generated, and the system may temporarily go offline.


585562-3 : VMware View HTML5 client shipped with Horizon 7 does not work through BIG-IP APM in Chrome/Safari

Component: Access Policy Manager

Symptoms:
When using Google Chrome or Safari (WebKit-based) browser to launch VMware View HTML5 client for Horizon 7 from APM webtop, this attempt fails with a blank screen in place of remote desktop session.

Conditions:
-- BIG-IP APM configured as PCoIP proxy for Horizon 7.
-- APM webtop in which the HTML5 client is used to launch a remote desktop.

Impact:
Cannot use HTML5 client. Only native client (Horizon View client) is available.

Workaround:
Attach an iRule similar to the following to the virtual server:

when HTTP_REQUEST {
    # Remove the Origin header from every request
    if { [HTTP::header "Origin"] ne "" } {
        HTTP::header remove "Origin"
    }
    # Buffer the broker XML request body so HTTP_REQUEST_DATA can inspect it
    if { [HTTP::method] == "POST" && [HTTP::uri] == "/broker/xml" } {
        set BROKER_REQUEST 1
        HTTP::collect [HTTP::header Content-Length]
    }
}

when HTTP_REQUEST_DATA {
    # Answer the client's SAML have-authentication-types probe directly with a canned broker response
    if { [info exists BROKER_REQUEST] && [regexp {<have-authentication-types[ \t\r\n]*>[ \t\r\n]*<name[ \t\r\n]*>[ \t\r\n]*saml[ \t\r\n]*</name>[ \t\r\n]*</have-authentication-types>} [HTTP::payload]] } {
        HTTP::respond 200 content {<?xml version="1.0" encoding="UTF-8"?><broker version="11.0"><set-locale><result>ok</result></set-locale><configuration><result>ok</result><broker-guid>1</broker-guid><authentication><screen><name>saml</name><params></params></screen></authentication></configuration></broker>} Content-Type text/xml
    }
}

when HTTP_RESPONSE {
    # Only act on responses whose peer address is loopback
    if { ! [IP::addr [IP::remote_addr] equals 127.0.0.0/8] } { return }
    set BROKER_RESPONSE 1
    set content_length 0
    # Collect at most 1 MB of the response body
    if { [HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576 } {
        set content_length [HTTP::header "Content-Length"]
    } else {
        set content_length 1048576
    }
    if { $content_length > 0 } {
        HTTP::collect $content_length
    }
}

when HTTP_RESPONSE_DATA {
    if { ! [info exists BROKER_REQUEST] || ! [info exists BROKER_RESPONSE] } { return }
    # Rewrite the broker protocol version in the response body
    regsub "<broker version=\"9.0\">" [HTTP::payload] "<broker version=\"11.0\">" payload
    HTTP::payload replace 0 [HTTP::payload length] $payload
    HTTP::release
}


585485-5 : Interoperability of "delete IPSEC-SA" between Azure, ASA and BIG-IP

Component: TMOS

Symptoms:
Some IKEv1 IPsec implementations (for example, Cisco ASA) send a delete message for a single IPsec SA SPI and expect the peer to also delete the sibling IPsec SA (the SPI in the other direction).

The BIG-IP system sends, and expects to receive, delete messages that carry both SPIs.

Conditions:
An IPsec tunnel between a BIG-IP system and some other vendor's implementation may experience this. Azure and Cisco ASA are two such peers.

Impact:
An IPsec tunnel goes down and in some situations may not renegotiate while the BIG-IP believes that the outgoing SPI is still active. The tunnel will stay down until the lifetime of the outbound SA expires.

Workaround:
Delete the outbound SA from the BIG-IP system using tmsh, specifying the related SA. The selectors the command accepts are shown in its help output:

(tmos)# delete net ipsec ipsec-sa ?
Properties:
  "{" Optional delimiter
  dst-addr Specifies the destination address of the security associations
  spi Specifies the SPI of the security associations
  src-addr Specifies the source address of the security associations
  traffic-selector Specifies the name of the traffic selector


585412-4 : SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines

Component: Local Traffic Manager

Symptoms:
Connections to a virtual server that uses an SMTPS profile may be reset with a reset cause of 'Out of memory'.

Conditions:
This might occur under the following conditions:
-- A virtual server that uses an SMTPS profile with activation-mode set to allow.
-- A client connection which does not use TLS that sends a DATA section with a text line that is longer than approximately 8192 characters.

8192 characters is an approximation for the maximum line length. The actual problem length can be affected by the MSS value and the particular way that the TCP traffic is segmented.

Impact:
The TCP connection is reset with a reset cause of 'Out of memory', and the email is not delivered.

Workaround:
None.


584948-5 : Safenet HSM integration failing after it completes.

Component: Local Traffic Manager

Symptoms:
tmm cannot load the Safenet library, and the following log entry is found in /var/log/auditd/audit.log:

denied { read } for pid=4936 comm="tmm" name="libCryptoki2_64.so" dev=dm-1 ino=1441838 scontext=system_u:system_r:tmm_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file.

Conditions:
This occurs when there is at least one symlink in the shared/safenet/lunasa/lib/ directory.

The safenet-sync.sh script (used to replicate a functioning Safenet HSM installation to a newly-inserted secondary blade) and csyncd conspire to improperly install/fix permissions on the secondary blade if there are symlinks, which results in the Safenet HSM integration failing after it completes, until the user takes appropriate actions.

Impact:
Upon failover to secondary blade, the BIG-IP system will be unable to communicate with the configured netHSM.

Workaround:
Use chcon and chcon -h to fix any permissions issues. The --reference option can be used on any properly permissioned file in the same directory to do this quickly.

For example: chcon -h --reference=libcklog2.so libCryptoki2_64.so.


584762 : After restarting bcm56xxd, 5.x interface might show as down.

Component: TMOS

Symptoms:
During internal testing, a very rare condition manifests in which the 5.x interfaces are down after a bcm56xxd restart. Signature in the log file is 01010031:4: Device warning: HSBe2 XLMAC initial recovery failed after 11 retries.

Conditions:
This has been seen very rarely and its causes are unknown.

Impact:
The 5.x interfaces connect the blades to the backplane, so the blades cannot pass messages over the backplane.

Workaround:
The command bigstart restart bcm56xxd restarts all interfaces and should bring the 5.x interfaces back up.


584642-1 : Apply Policy Failure

Component: Application Security Manager

Symptoms:
Some Policies cannot be successfully applied/activated

Conditions:
Signature overrides on Content Profiles are configured

Impact:
Policy cannot be applied

Workaround:
None.


584623-2 : Response to -list iRules command gets truncated when dealing with MX type wide IP

Component: Global Traffic Manager

Symptoms:
GTM iRule "members" with the "-list" flag will truncate MX-type WideIP pool members when printed out to a log.

Conditions:
Use the GTM iRule "members" with the "-list" flag to print out the members of an MX WideIP pool during a DNS event.

Impact:
WideIP MX-type pool members are truncated in the log.

Workaround:
None


584583-7 : Timeout error when attempting to retrieve large dataset.

Component: TMOS

Symptoms:
The Rest API can timeout when attempting to retrieve large dataset, such as a large GTM pool list. The error signature when using the Rest API looks like "errorStack":["java.util.concurrent.TimeoutException: remoteSender:127.0.0.1, uri:http://localhost:8110/tm/gtm/pool, method:GET "

Conditions:
Configuration containing a large number of GTM pools and pool members (thousands).

Impact:
If using the Rest API to retrieve the pool list, you may receive timeout errors.


584582-2 : JavaScript: 'baseURI' property may be handled incorrectly

Component: Access Policy Manager

Symptoms:
If generic JavaScript object has 'baseURI' property, it may be handled incorrectly via Portal Access: web application may get 'undefined' value for this property.

Conditions:
User-defined JavaScript object with 'baseURI' property.

Impact:
Web application may work incorrectly.

Workaround:
iRule can be used to remove F5_Deflate_baseURI() calls from rewritten JavaScript code.


584414 : Deleting persistence-records via tmsh may result in persistence being created to different nodes

Component: Local Traffic Manager

Symptoms:
After persistence records are deleted, a client may end up with persistence records pointing to two different nodes, breaking persistence.

Conditions:
Deleting persistence records when there is high concurrency for particular persistence records (e.g., load testing).

Impact:
Client fails to persist to a particular node.

Workaround:
Avoid removing persistence records from tmsh, or use iRules to remove the persistence records instead.


584310-1 : TCP:Collect ignores the 'skip' parameter when used in serverside events

Component: Local Traffic Manager

Symptoms:
When TCP::collect is used with the 'skip' and 'length' arguments in SERVER_CONNECTED, the 'skip' argument does not take effect and is ignored. The collect works, but collects only 'length' bytes from the start.

Conditions:
TCP::collect in server-side events such as SERVER_CONNECTED, used with the 'skip' parameter. This is an intermittent issue that has been seen only with IIS servers.

Impact:
TCP::collect collects bytes without taking the skip into account, so the bytes collected are not the correct ones.

Workaround:
None.


584213-1 : Transparent HTTP profiles cannot have iRules configured

Component: Local Traffic Manager

Symptoms:
When an HTTP profile is configured in transparent mode but has a nonexistent iRule attached to it, tmm crashes.

Conditions:
An iRule such as the following is attached, but the proxy mode is transparent:

when HTTP_PROXY_REQUEST {
   after 1000
}

The configuration is changed from explicit to transparent while the 'after' command is still pending. tmm then attempts to use configuration that no longer exists and crashes.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This is an incorrect configuration. Either detach the iRule or configure the profile in a mode other than transparent.


584103-2 : FPS periodic updates (cron) write errors to log

Component: Application Security Manager

Symptoms:
FPS periodic updates (run via cron) write errors to log when FPS is not provisioned.

Conditions:
FPS is not provisioned.

Impact:
Errors appear in the FPS logs.


584029-5 : Fragmented packets may cause tmm to core under heavy load

Component: Local Traffic Manager

Symptoms:
tmm cores due to an assertion failure.

Conditions:
tmm offloads a fragmented packet via ffwd.

Impact:
Traffic disrupted while tmm restarts.


583957-9 : The TMM may hang handling pipelined HTTP requests with certain iRule commands.

Component: Local Traffic Manager

Symptoms:
Rarely, the TMM may hang during an HTTP::respond or HTTP::redirect iRule command if it is part of a pipelined HTTP request.

Conditions:
An HTTP::respond or HTTP::redirect iRule command is used.
The iRule command is in an event triggered on the client-side.
A pipelined HTTP request is being handled.

Impact:
The TMM will be restarted by SOD.


583936-6 : Removing ECMP route from BGP does not clear route from NSM

Component: TMOS

Symptoms:
When configured to install multiple routes into the routing table, ZebOS does not withdraw BGP routes when a neighbor is shut down and it has more than two routes already installed for the same route prefix.

Conditions:
ECMP routing must be enabled and in-use.

Impact:
ECMP routes are not properly removed from the main routing table.


583754-7 : When TMM is down, executing 'show ltm persist persist-records' results in a blank error message.

Component: TMOS

Symptoms:
Executing 'show ltm persist persist-records' results in a blank error message.

Conditions:
TMM must be down.

Impact:
Non-obvious / unhelpful error message is generated, leading to customer confusion.

Workaround:
N/A


583516-2 : tmm asserts "valid node" on Active after a timer fires

Component: TMOS

Symptoms:
TMM crashes on the assertion "valid node".

Conditions:
The cause is unknown, and this happens rarely.

Impact:
tmm crashes.

Workaround:
None.


583475-1 : The BIG-IP may core while recompiling LTM policies

Component: TMOS

Symptoms:
In some rare and still unknown situations, the BIG-IP mcpd process may core when creating or modifying LTM policies. While the root cause of the crash is not fully understood at this time, one of the symptoms points to a nonexistent or invalid LTM policy.

Conditions:
Creating or modifying LTM policies.

Impact:
The BIG-IP control plane services restart, affecting both control plane and data plane functionality.

Workaround:
A possible workaround is to re-create the LTM policy that produces the crash under a different name. Avoid special characters (or spaces) in the name of the LTM policy.


583355-1 : The TMM may crash when changing profiles associated with plugins

Component: Local Traffic Manager

Symptoms:
The TMM may crash when changing profiles associated with plugins.

Conditions:
There must be a profile associated with a plugin already on a virtual server, and traffic must be running. When the profile is removed or swapped for another, the crash may occur.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
To avoid the crash, stop the plugin before making changes to its profile.


583285-4 : BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.

Component: TMOS

Symptoms:
The BIG-IP system logs INVALID-SPI messages but does not remove the associated Security Associations (SAs) corresponding to the message. This is the second part of a fix provided for this issue. See fixes for bug 569236 for the first part.

Conditions:
This can occur if an IPsec peer deletes a phase2 (IPsec) SA and does not send a 'notify delete' message to the other peer. The INVALID-SPI message is most likely to be seen when the peer deletes an SA before the SA's agreed lifetime.

Impact:
If the BIG-IP is always the Initiator, the Responder will not initiate a new tunnel if the Responder only handles responses to the BIG-IP clients' traffic. The BIG-IP system continues to use the IPsec SA it believes to be still up. When an SA expires prematurely, some IPsec peers will reject an inbound SPI packet with an ISAKMP INVALID-SPI notify message. If the INVALID-SPI message does not cause new SAs to be created, there will be a tunnel outage until the SA lifetime expires on the defunct SA held on the BIG-IP system.

Workaround:
Manually remove the invalid SA on the BIG-IP system.


583113-1 : NTLM Auth cannot be disabled in HTTP_PROXY_REQUEST event

Component: Access Policy Manager

Symptoms:
The following iRule did not work as expected when the access profile had an NTLM auth. The client still received a 407 prompt to enter NTLM credentials.

when HTTP_PROXY_REQUEST {
    if { [HTTP::uri] contains "disable" } {
        ACCESS::disable
    }
}

Conditions:
Access profile of an SWG type, with an NTLM auth profile attached.

Impact:
It was impossible to disable NTLM auth from the HTTP_PROXY_REQUEST event.

Workaround:
The following iRule works from HTTP_REQUEST:

when HTTP_REQUEST {
    if { [HTTP::uri] contains "disable" } {
        ACCESS::disable
        ECA::disable
    }
}


583101-2 : ADAPT::result bypass after continue causes bad state transition

Component: Service Provider

Symptoms:
Tcl command 'ADAPT::result bypass' does not work in ADAPT_REQUEST_RESULT when the ICAP server has previously returned 100-continue.

Conditions:
iRules exist on a VS with an adapt profile, containing:

when ADAPT_REQUEST_RESULT {
    ADAPT::result bypass
}

or

when ADAPT_RESPONSE_RESULT {
    ADAPT::result bypass
}

Impact:
ADAPT logs an unexpected state transition and resets the connection, making it impossible for iRules to replace the ICAP response.

Workaround:
Avoid 'ADAPT::result bypass' commands in cases where there is no preview (either configured for no preview, or after the preview has been dropped due to a 100-continue or 200-ok ICAP response).


583010-4 : Sending a SIP invite with "tel" URI fails with a reset

Component: Service Provider

Symptoms:
Using an "INVITE tel:" URI results in a SIP error (Illegal value).

Conditions:
A SIP "INVITE tel:" request is sent to the BIG-IP system.

Impact:
"INVITE tel:" messages are not accepted by BIG-IP.

Workaround:
None


582752-3 : A macrocall item can be topologically disconnected from the rest of the policy.

Component: Access Policy Manager

Symptoms:
It is possible to create a macrocall access policy item that:

1. Belongs to the policy items list.
2. Is correctly connected to an ending.
3. Has no incoming rules (i.e., no items point to it).

Conditions:
1. Create an access policy with a macrocall item in one of the branches.
2. Remove the item that refers to this macrocall item from the access policy.

As a result, the macrocall item remains.

Impact:
VPE fails to render this access policy.

Workaround:
Delete the macrocall access policy item manually using tmsh commands.


582683-2 : The XPath parser does not reset a namespace hash value between scans

Component: Application Security Manager

Symptoms:
After a while, the iRule event stops firing until the cbrd daemon is restarted.

Conditions:
A virtual server is configured with an XML profile, along with an iRule that triggers on the XML_CONTENT_BASED_ROUTING event.

Impact:
XML content based routing does not work dependably.

Workaround:
N/A


582606-1 : IPv6 downloads stall when NA IPv4&IPv6 is used.

Component: Access Policy Manager

Symptoms:
When downloading large files through network access, downloads can appear to stall for a period of time and then resume.

Conditions:
This occurs when Network Access is configured with an IPv4&IPv6 resource.

Impact:
Downloads occasionally stall with download speed going to 0, and then they resume.

Workaround:
Disabling large receive offload may mitigate the issue. To do so, run the following command:

tmsh modify sys db tm.tcplargereceiveoffload value disable


582526-3 : Unable to display and edit huge policies (more than 4000 elements)

Component: Access Policy Manager

Symptoms:
Displaying huge policies (more than 4000 elements) takes a very long time or is not possible. VPE returns a server timeout error or simply halts.

Conditions:
Huge Access Policy, for example, containing 4000 or more elements.

Impact:
Unable to edit policy because VPE times out.

Workaround:
None.


582465-1 : Cannot generate key after SafeNet HSM is rebooted

Component: Local Traffic Manager

Symptoms:
After the SafeNet Hardware Security Module (HSM) is restarted, users cannot generate a new key.

Conditions:
The BIG-IP system uses the SafeNet HSM.

Impact:
HSM service is not usable even after restarting pkcs11d. Users must re-authenticate.

Workaround:
To generate a new key, after HSM finishes starting up, run the following commands:

# /shared/safenet/toolkit/sautil -v -s 1 -i 10:11 -c
# /shared/safenet/toolkit/sautil -v -s 1 -i 10:11 -o -p <hsm_partition_password>

Or, you can reinstall the SafeNet client.


582440-4 : Linux client does not restore route to the default GW on Ubuntu 15.10

Component: Access Policy Manager

Symptoms:
The default route may be deleted after a network access connection is disconnected on the Ubuntu 15.10 Linux distribution.

Conditions:
Ubuntu 15.10; a network access tunnel is connected and then disconnected.

Impact:
The user will not be able to reach the internet after disconnecting from network access.

Workaround:
If Wi-Fi is in use, turn it off and on again.
If Ethernet is used, unplugging and re-plugging the cable should solve the problem.


582331-1 : Maximum connections is not accurate when TMM load is uneven

Component: Local Traffic Manager

Symptoms:
Maximum connections is not accurate when TMM load is unevenly distributed. Maximum connection statistics report the sum of maximum connections per TMM, not the maximum connections per virtual server.

Conditions:
This occurs when the load disaggregated to available TMMs is uneven.

Impact:
This causes the various TMMs to measure their individual maximum connections at significantly different times, resulting in lower-than-expected maximum connections.

Workaround:
Ensure the configuration matches traffic patterns, so the load of connections is evenly distributed across all TMMs.


582234-6 : When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again.

Component: Local Traffic Manager

Symptoms:
When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again.

Conditions:
A monitored pool member is initially disabled, and a config merge re-enables it.

Impact:
Monitoring does not resume when pool member is re-enabled via config merge.

Workaround:
You can re-enable monitoring by running the following commands:

tmsh save sys config
tmsh load sys config


582207-7 : MSS may exceed MTU when using HW syncookies

Component: Local Traffic Manager

Symptoms:
Packets larger than the interface's MTU can be transmitted.

Conditions:
A SYN packet is received with an MSS that exceeds the interface's MTU.

Impact:
Potential packet loss.

Workaround:
Disable HW syncookie mode.


582133-1 : Policy builder doesn't enable staging after policy change on "*" entities (file types, urls, etc.)

Component: Application Security Manager

Symptoms:
When the conditions of the "Track Site Change" settings are met, the staging flag on "*" entities is supposed to be turned ON in order to learn subsequent site changes without blocking traffic. However, this does not happen; the staging flag stays OFF.

Conditions:
Staging was set to OFF on a "*" entity. After that, the conditions of the "Track Site Change" settings are met.

Impact:
When the protected web application has changed, ASM can block traffic that should not be blocked.

Workaround:
The staging flag can be changed manually via the GUI.


582084-1 : BWC policy in device sync groups.

Component: TMOS

Symptoms:
When a BWC policy is created in the global sync group and also locally, the configuration displays an error.

Conditions:
A BWC policy is created both in global sync and locally.

Impact:
Configuration error; BWC policies are not synced due to the errors.

Workaround:
Ensure that the BWC policy is in global sync only.


581851-2 : mcpd, interleaving of messages / folder contexts from primary to secondary blade

Component: TMOS

Symptoms:
MCPD on secondary blades restarts with a configuration error.

Conditions:
Clustered system (VIPRION or vCMP guest). The issue occurs when the system interleaves commands from different contexts. For example, this might occur when one system requests continual persistence records resets, and another requests continual TCP statistics resets.

Impact:
Secondary blades restart services, resulting in performance degradation or failover.

Workaround:
Issue commands as part of a transaction.


581746-1 : MPTCP traffic handling may cause a BIG-IP outage

Component: Local Traffic Manager

Symptoms:
Occasional BIG-IP outages may occur when MPTCP traffic is being handled by a virtual server.

Conditions:
MPTCP has been enabled on a TCP profile on a virtual server.

Impact:
A system outage may occur.

Workaround:
Do not enable MPTCP on any TCP profile.


581406-1 : SQL Error on Peer Device After Receiving ASM Sync in a Device Group

Component: Application Security Manager

Symptoms:
When:
1) A "Block All" Session Tracking Status exists
and
2) A full sync occurs in an ASM CMI device group (always the case in manual sync device group)

Then, upon loading the full sync on the peer, an SQL error appears during the load:
"Failed on insert to PLC.PL_SESSION_AWARENESS_DATA_POINT (DBD::mysql::db do failed: Duplicate entry '<ID>' for key 'PRIMARY')"

Conditions:
1) A "Block All" Session Tracking Status exists
and
2) A full sync occurs in an ASM CMI device group (always the case in manual sync device group)

Impact:
Benign error which does not affect configuration or enforcement.

Workaround:
None


581315-1 : Selenium detection not blocked

Component: Application Security Manager

Symptoms:
When a Selenium client WebDriver is detected driving the Chrome browser, it is not blocked because the PBD (Suspicious Browsers) mechanism assigns it a low score.

Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled.

Impact:
A bot running the Selenium Chrome WebDriver is not mitigated by the DoSL7 PBD mechanism.

Workaround:
N/A


580893-5 : Support for Single FQDN usage with Citrix Storefront Integration mode

Component: Access Policy Manager

Symptoms:
Adding a new login account to Citrix Receiver enumerates the applications and desktops. However, after logging off, attempts to reconnect to the same account start failing.

Conditions:
Citrix StoreFront integration mode with APM, using the same FQDN both for accessing StoreFront and for the APM virtual server.

Impact:
Clients are unable to connect.

Workaround:
No workaround other than using different FQDNs.


580697 : VIPRION 2200 platform might not pass traffic properly after FPGA firmware switch.

Component: TMOS

Symptoms:
After an FPGA firmware switch on VIPRION 2200 platforms without a system reboot, some internal higig ports might not operate properly.

Conditions:
Using tmsh or GUI to switch FPGA firmware on VIPRION 2200 platforms.

Impact:
This might result in the system not handling traffic properly.

Workaround:
After any FPGA firmware switch, reboot the entire chassis by running the following command:

clsh reboot


580602-1 : Configuration containing LTM nodes with IPv6 link-local addresses fail to load.

Component: TMOS

Symptoms:
As a result of a known issue, a configuration containing LTM nodes with IPv6 link-local addresses may fail to load.

Conditions:
Attempt to load a configuration containing an LTM node with an IPv6 link-local address.

Impact:
Configuration fails to load.

Workaround:
Use IPv6 global addresses instead.


580500-2 : /etc/logrotate.d/sysstat's sadf fails to read /var/log/sa6 or fails to write to /var/log/sa6, and disk space is not reclaimed.

Component: TMOS

Symptoms:
/etc/logrotate.d/sysstat fails to read /var/log/sa6 or fails to write to /var/log/sa6, so /var/log/sa6 is not rotated and its disk space is not reclaimed.

Conditions:
/var/log/sa6 becomes corrupt, or the disk space used by /var/log/sa6 becomes full.

Impact:
Disk space is not reclaimed in /var/log/sa6

Workaround:
Edit /etc/logrotate.d/sysstat and add "exit 0" after the sadf line.


580303-7 : When going from active to offline, tmm might send a GARP for a floating address.

Component: Local Traffic Manager

Symptoms:
When moving from active to offline, tmm might send one final GARP for a floating address from the device that is moving offline.

Conditions:
Using high availability, and switching a device from active to offline.

Impact:
The GARP from the offline device can arrive on upstream devices after the GARP from the newly active device, which might poison the address cache of the upstream device. The result is that failover takes longer, since the upstream devices must rediscover the active device.

Workaround:
Use MAC masquerading along with the floating address; the system sends a GARP for the MAC masqueraded address, which prevents the issue.


580168-3 : Information missing from ASM event logs after a switchboot and switchboot back

Component: Application Security Manager

Symptoms:
Information missing from ASM event logs after a switchboot and switchboot back

Conditions:
1. ASM is provisioned.
2. Event logs are available with violation details.
3. Install/upgrade to another volume and switchboot to it.
4. Wait for ASM to fully come up.
5. Switchboot back.

The event logs are still available, but the violation details are gone.

Impact:
Information missing from ASM event logs after a switchboot and switchboot back

Workaround:
N/A


579926-1 : HTTP starts dropping traffic for a half-closed connection when in passthrough mode

Component: Local Traffic Manager

Symptoms:
HTTP starts dropping traffic for a half-closed connection when in passthrough mode.

Conditions:
HTTP is in passthrough mode. Traffic is flowing for a half-closed connection.

Impact:
Incomplete data transfer to end-point, when the connection is half-closed and HTTP is in passthrough mode.

Workaround:
No workaround.


579917-1 : User-defined signature set cannot be created/updated with Signature Type = "All"

Component: Application Security Manager

Symptoms:
When creating a User-Defined Signature Set the Signature Type cannot be set to "All". After saving the setting, it resets back to Request.

Conditions:
Creating a new signature set with Signature Type set to "All" (the dropdown defaults to "Request" when opening the create page).

Impact:
A custom signature set cannot be created with both Request and Response signatures.

Workaround:
No workaround, but can be mitigated by creating two signature sets, or using manual sets.


579843-1 : tmrouted may not re-announce routes after a specific succession of failover states

Component: Local Traffic Manager

Symptoms:
tmrouted does not re-announce RHI routes after a specific transition of failover states within an HA pair that uses dynamic routing.

Conditions:
- Active/Standby HA pair set up.
- Both units configured with a dynamic routing protocol, and Route Health Injection enabled on one or more virtual addresses.
- The Active unit goes through the following succession of failover states:
  Active->Offline->Online->Standby->Active

Impact:
tmrouted may not announce the virtual addresses when coming back to the Active state after the succession of states described above.

Workaround:
A failover to Standby and back to Active works around the issue.
Restarting tmrouted is also an alternative option.


579495-1 : Error when loading Upgrade UCS

Component: Application Security Manager

Symptoms:
When loading an older-version UCS file while ASM is live, an error may occur when processing the new configuration. You will see the following error in the ASM log:

Mar 9 07:16:06 dut30 err perl[22696]: 01310011:3: ASM configuration error: event code T1499 Failed to update configuration table CONFIG_TYPE_DYNAMIC_TABLES

Conditions:
Loading an older version UCS on a live system.

Impact:
Enforcement of Allowed Methods may be incorrect.

Workaround:
Restart ASM.


579371-4 : BigIP may generate ARPs after transition to standby

Component: Local Traffic Manager

Symptoms:
tmm generates unexpected ARPs after entering standby.

Conditions:
An HA pair with a vlangroup that has bridge-in-standby disabled.
An ARP is received just before the transition to standby.

Impact:
Unexpected ARP requests that may result in packet loops.


579252-3 : Traffic can be directed to a less specific virtual during virtual modification

Component: Local Traffic Manager

Symptoms:
Traffic can be directed to a less specific virtual server during virtual server modification. It could also be dropped if there is no less specific virtual server.

Conditions:
net self external-ipv4 {
    address 10.124.0.19/16
    traffic-group traffic-group-local-only
    vlan external
}
net self internal-ipv4 {
    address 10.125.0.19/16
    traffic-group traffic-group-local-only
    vlan internal
}

ltm pool redirect-echo {
    members { 10.125.0.17:7 }
}
ltm virtual fw {
    description "less-specific virtual"
    destination 10.125.0.0:any
    ip-forward
    mask 255.255.255.0
    profiles { fastL4 }
    translate-address disabled
    translate-port disabled
    vlans-disabled
}
ltm virtual redirect-echo {
    description "enable/disable this one"
    destination 10.125.0.20:echo
    ip-protocol udp
    mask 255.255.255.255
    pool redirect-echo
    profiles { udp }
    vlans { external }
    vlans-enabled
}

Impact:
Traffic can be directed to a less specific virtual server.

Workaround:
No known workaround at this time other than applying configuration changes in a manner that avoids doing them on a unit that is handling the traffic. Applying changes on the standby and then failing over and syncing or utilizing a maintenance window would be common schemes to achieve a separation between production traffic and configuration changes.


579035-3 : Config sync error when a key with passphrase is converted into FIPS.

Component: TMOS

Symptoms:
When a key with passphrase is converted to a FIPS key (that is, imported into the FIPS card) and a config sync is done, sync fails with an error saying that passphrase is specified but the key is not passphrase protected.

Conditions:
Converting a private key with a passphrase to FIPS key and then performing a config-sync.

Impact:
Config sync will fail.

Workaround:
Ensure that you only import FIPS keys that are not encrypted with a passphrase. For more information, see SOL15720: Certain tasks related to the management of SSL certificates do not support encrypted private keys (11.x) at https://support.f5.com/kb/en-us/solutions/public/15000/700/sol15720.html.


578951-2 : TCP Fast Open connection timeout during handshake does not decrement pre_established_connections

Component: Local Traffic Manager

Symptoms:
If a TCP connection is started and contains a valid Fast Open cookie, then times out during the three-way handshake, the failure is not accounted for properly. If this occurs more than a threshold number of times, BIG-IP will stop performing TCP Fast Open.

Conditions:
A TCP connection using TCP Fast Open with a valid Fast Open cookie times out during the three-way handshake.

Impact:
Each connection that times out in this fashion decreases the number of valid pre-established connections that the BIG-IP can support. If the number of connections timed out in this fashion rises above a threshold, BIG-IP will act as if TCP Fast Open is disabled. This threshold cannot be changed.


578564-4 : ICAP: Client RST when HTTP::respond in HTTP_RESPONSE_RELEASE after ICAP REQMOD returned HTTP response

Component: Service Provider

Symptoms:
The connection is aborted with an RST: "ADAPT unexpected state transition (old_state 22 event 7)".

Conditions:
An HTTP virtual has a request-adapt profile.
The ICAP server returns an HTTP response for REQMOD.
An iRule executes HTTP::respond in the HTTP_RESPONSE_RELEASE event.

Impact:
HTTP::respond cannot be used to modify an HTTP response returned by an ICAP server that is modifying an HTTP request.


578551-3 : bgp "network 0.0.0.0/0 route-map Default" configuration is lost after a restart/reboot

Component: TMOS

Symptoms:
"network 0.0.0.0/0 route-map Default" is missing from the bgp configuration after a restart/reboot.

Conditions:
"network 0.0.0.0/0 route-map Default" is configured in bgp

Impact:
The bgp configuration is not the same after a restart/reboot. Persistence of the bgp configuration is not maintained, leading to unexpected bgp behavior.


577863-6 : DHCP relay not forwarding server DHCPOFFER and DHCPACK message after sometime

Component: Policy Enforcement Manager

Symptoms:
If the routing table on the DHCP server is misconfigured so that the DHCP server knows how to send packets to the BIG-IP self IP (used by the BIG-IP DHCP relay) but does not know how to send packets to the DHCP clients, the DHCP client will not receive the DHCP reply to its unicast request and will start to broadcast DHCP renewals. After a while, the BIG-IP system stops relaying DHCPOFFER and DHCPACK messages back to DHCP clients altogether.

Conditions:
The DHCP server's unicast reply to the client is not received by the client, causing the DHCP client to send broadcast DHCP packets (with the client's IP as the source IP).

Impact:
The BIG-IP system stops relaying DHCPOFFER and DHCPACK messages back to DHCP clients.

Workaround:
Fix the DHCP server routing table so that the DHCP server can deliver DHCP reply packets back to the client successfully.


576591-6 : Support for some future credit card number ranges

Component: Application Security Manager

Symptoms:
ASM does not block or mask when a specific credit card number range (planned for the future) appears in the response.

Conditions:
The Data Guard feature is turned on and set to Block, Alarm or Mask. The response contains a credit card number in specific ranges.

Impact:
The traffic passes unmasked or unblocked to the end client.

Workaround:
A custom pattern can be used for these cases, but it must be adjusted for each customer specifically.


576305-9 : Potential MCPd leak in IPSEC SPD stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying IPSEC SPD stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575919-2 : Running concurrent TMSH instances can result in error in access to history file

Component: TMOS

Symptoms:
TMSH writes to the ~/.tmsh-history-username file whenever a command is issued. Running concurrent instances of TMSH can result in a race condition in writing this file.

Conditions:
Running multiple instances can cause one instance of TMSH to lock the history file while the other is trying to access it, resulting in an error.

Impact:
Updating the history file fails, so the file does not reflect the actual history of the commands that have been issued.

Workaround:
Only run a single instance of TMSH.


575649-7 : MCPd might leak memory in IPFIX destination stats query

Component: TMOS

Symptoms:
MCPd might leak memory in IPFIX destination stats query.

Conditions:
In some cases, querying IPFIX destination stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575591-7 : Potential MCPd leak in IKE message stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying IKE message stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575589-6 : Potential MCPd leak in IKE event stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying IKE event stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575587-9 : Potential MCPd leak in BWC policy class stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying BWC policy stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575368-3 : Error is not posted when a UCS file with FIPS keys is loaded after re-initializing the FIPS card

Component: TMOS

Symptoms:
When a UCS with FIPS keys is loaded after re-initializing the FIPS card, errors should be posted indicating that the FIPS keys in the configuration are now invalid. Instead, the configuration loads without any errors, and SSL handshake failures are seen when a clientSSL profile uses the FIPS key.

Conditions:
UCS file with FIPS keys is loaded after re-initializing the FIPS card.

Impact:
SSL handshake failures are seen when a clientSSL profile uses the FIPS key.

Workaround:
You can delete the FIPS keys, re-initialize the FIPS card, then install the needed keys.


575176-1 : SYN cookie cache statistics on ePVA-enabled devices are incremented by UDP traffic

Component: TMOS

Symptoms:
In some scenarios, UDP traffic can cause syncookie statistics to be incremented.

Conditions:
A virtual server with a fastL4 profile with ePVA offload enabled.
The virtual server handles UDP traffic.

Impact:
Statistics might be incorrectly incremented, and can lead to early syncookie activation if used in conjunction with TCP on the same virtual server.


575133-1 : asm_config_server_rpc_handler_async.pl SIGSEGV and core

Component: Application Security Manager

Symptoms:
asm_config_server_rpc_handler_async.pl SIGSEGV and core

Conditions:
Importing an ASM XML security policy.

Impact:
asm_config_server_rpc_handler_async.pl SIGSEGV and core. This occurs after the policy import completes.

Workaround:
N/A


575066-1 : Management DHCP settings do not take effect

Component: TMOS

Symptoms:
Modifications to /sys management-dhcp do not take effect.

Conditions:
Custom management-dhcp settings configured.

Impact:
DHCP for management interface does not function correctly.


575011-1 : Fix memory leak.

Component: Local Traffic Manager

Symptoms:
The system exhausts available memory due to a compression memory leak. Prior to running out of memory, it repeatedly logs "Nitrox3 Hang Detected".

Conditions:
The compression device is unavailable during creation of a new context.

Impact:
System can run out of memory.

Workaround:
Disable hardware compression using tmsh:

% tmsh modify sys db compression.strategy softwareonly


574880-2 : Excessive failures observed when connection rate limit is configured on a fastl4 virtual server.

Component: Local Traffic Manager

Symptoms:
When a connection rate limit is set on a fastL4 virtual server, client connections hang with high probability.

Conditions:
A connection rate limit is set on a fastL4 virtual server.

Impact:
Client connections hang with high probability.

Workaround:
Do rate limiting using iSession.


574318-3 : Unable to resume session when switching to Protected Workspace

Component: Access Policy Manager

Symptoms:
Clients logging into Protected Workspace are unable to view the page. The client's log file may have the following signature: HandlePwsCmd, detoured.dll signature validation error

Conditions:
This occurs infrequently on certain Windows clients logging into Protected Workspace.

Impact:
The client browser cannot render the Protected Workspace.


574153-4 : If an SSL client disconnects during the handshake, the SSL flow may stall.

Component: Local Traffic Manager

Symptoms:
If the TCP connection shuts down while SSL has offloaded a request to the Nitrox, the connection stalls until the flow expires. This can consume excessive memory, causing crashes elsewhere.

Conditions:
SSL must be configured on an interface, and a client must connect, begin the handshake, then disconnect while Nitrox requests are outstanding.

Impact:
Other parts of the TMM might crash causing service disruption.


574113-2 : Block All - Session Tracking Status is not persisted across an auto-sync device group

Component: Application Security Manager

Symptoms:
Users, IP addresses, and Sessions that are meant to be blocked due to their traffic patterns, are not being synchronized to the peer device in an auto-sync device group with ASM sync enabled.

This can lead to bad actors becoming unblocked again after failover, or in an Active-Active configuration.

Conditions:
1) Devices are in an auto-sync device group with ASM sync enabled.
2) Session Tracking is enabled.

Impact:
This can lead to bad actors becoming unblocked again after failover, or in an Active-Active configuration.

Workaround:
Force a full sync to propagate the session tracking information.


574055-4 : TMM crash after changing raccoon log level

Component: TMOS

Symptoms:
TMM crashes after changing the raccoon log level to debug2.

Conditions:
The debug level is set to debug2 while tmm is passing traffic.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Set the debug level to INFO.


574052-3 : GTM autoconf can cause high CPU usage for gtmd

Component: Global Traffic Manager

Symptoms:
The autoconf feature of GTM can cause high CPU utilization (~90%) under certain situations, namely in large configurations of LTM virtual servers whose names contain a "." (dot).

Conditions:
In a large configuration of LTM virtual servers whose names contain ".", the name is converted ("." is replaced by "_") and the converted LTM VS name is saved to the config.

This causes the matching algorithm in autoconf to spend many CPU cycles walking the list of virtual servers to find a match.

The problem is caused by large numbers of virtual servers on a single GTM Server object (10k VSes spread across 10k Server objects is less of an issue than 10k VSes on 1 GTM Server).

Impact:
CPU usage is high, which may impact monitoring and LB decisions.

Workaround:
There are some mitigations. The preferable ones (for performance and stability) are listed first.

1. Rename the virtual servers on the LTM to remove the ".". This would require deleting the GTM configuration, rediscovering it and recreating pools.

2. Turn off autoconf. Run autoconf once to populate the config, then turn it off.

3. Reduce the frequency of autoconf. It will still cause a high CPU usage scenario, but it will be less frequent.

Versions 12.0.0 and higher do not convert the "." to "_", so the problem is eliminated for new configurations.
If a customer upgrades to 12.0.0 and the config still contains VS names that were previously converted, they may still run into high CPU usage.
Upgrading to 12.0.0 alone does not fix this issue; a reconfiguration is necessary.


573643-3 : flash.utils.Proxy functionality is not negotiated

Component: Access Policy Manager

Symptoms:
Access to some field names of classes inherited from flash.utils.Proxy is broken.

Conditions:
Presence of flash.utils.Proxy descendants.

Impact:
Customer application malfunction.

Workaround:
None.


573075-4 : ADAPT recursive loop when handling successive iRule events

Component: Service Provider

Symptoms:
After the first iRule resumes from being parked, ADAPT attempts to process the second iRule event repeatedly.
The connection is aborted with RST cause "ADAPT unexpected state transition".
The adapt profile statistic "records adapted" reaches a very high number as it counts every attempt.

Conditions:
A requestadapt or responseadapt profile is configured.
An iRule that parks is triggered on the ADAPT_REQUEST_RESULT or ADAPT_RESPONSE_RESULT event.
The modified headers (from an ICAP server) arrive at the ADAPT filter while the first event is parked.
Any iRule on the ADAPT_REQUEST_HEADERS or ADAPT_RESPONSE_HEADERS event does not park.

Impact:
The connection is aborted with RST cause "ADAPT unexpected state transition".
The statistic "records adapted" reaches a very high number.
Eventually the TMM crashes and the Big-IP fails over.

Workaround:
If possible, arrange the iRules to avoid the conditions above.
In particular, if there is no better way, the problem can be avoided by having an iRule on the ADAPT_REQUEST_HEADERS or ADAPT_RESPONSE_HEADERS event that parks.


572680-5 : Standby TMM might overflow send buffer if out of sync with Active TMM

Component: Local Traffic Manager

Symptoms:
Send buffer size is unlimited on a standby TMM. If sync is lost with the active TMM while a TCP client is advertising a zero receive buffer, the standby TMM might continue to use a zero send buffer indefinitely. This eventually leads to the send buffer overflowing on the standby TMM.

Conditions:
Standby TMM loses sync with active TMM while a TCP client's advertised receive window is zero.

Impact:
Standby TMM can accumulate too much data in the send buffer and overflow.

Workaround:
This issue is less likely with a low zero-window-timeout value in the TCP profile.


572558-1 : Internet Explorer: incorrect handling of document.write() to closed document

Component: Access Policy Manager

Symptoms:
An HTML page with document.write() operations inside event handlers may not be processed correctly. Internet Explorer may show an error on this page.

Conditions:
An HTML page with document.write() calls inside event handlers or in other scripts executed after the document has loaded.
The strings passed to document.write() contain HTML tags with URLs or other rewritable content in their attributes.

Impact:
HTML page is not shown at all or works incorrectly in Internet Explorer.

Workaround:
No workaround known


572519-1 : More than one header name/value pair not accepted by ACCESS::respond

Component: Access Policy Manager

Symptoms:
An error is seen when ACCESS::respond command is used, for example, in an iRule with multiple header name/value pairs.

Conditions:
When ACCESS::respond command is used with multiple header name/value pairs.

Impact:
An error is generated when the command is used.

Workaround:
Pass only one header name/value pair per ACCESS::respond command.


572281-5 : Variable value in the nested script of a foreach command gets reset when there is a parking command in the script

Component: Local Traffic Manager

Symptoms:
When there is something like the following script:

foreach a [list 1 2 3 4] {
   set a 10
   after 100
}

The script contains a parking command, after, which runs after "set a 10". When the after command returns, the value of a goes back to the value assigned by the foreach iteration; the value of 10 is lost.

Conditions:
There is a parking command in the nested script of a foreach. For more information on commands that park, see SOL12962: Some iRule commands temporarily suspend iRule processing at https://support.f5.com/kb/en-us/solutions/public/12000/900/sol12962.html

Impact:
Variable values get reset.

Workaround:
Set (or set again) the variable value after the parking command.


571333-5 : fastL4 tcp handshake timeout not honored for offloaded flows

Component: TMOS

Symptoms:
When a virtual server is configured with a fastL4 profile that enables full acceleration with the offload state set to embryonic, and a flow is offloaded for hardware acceleration, the connection idle timeout during the TCP handshake is set to the "idle timeout" value of the fastL4 profile, whereas it should be set to the "tcp handshake timeout" instead.

Conditions:
1. Configure fastl4 profile with ePVA=full, offload state=SYN, apply to network VS
2. Ensure ARP entry exists for server node (static arp, ping, etc.) to satisfy requirements for offloading initial SYN
3. Send over SYN packet from client to server via VS

Impact:
The connection may remain in the half-open state longer than what is set in the TCP handshake timeout value.

Workaround:
Set the offload state to "established".


570818-4 : Address lease-pool in IKEv2 might interfere with IKEv2 negotiations.

Component: TMOS

Symptoms:
LTM IPsec IKEv2 does not support the dynamic remote-address CONFIG option, but might still process that information when it is sent by third-party devices. The configuration changes resulting from this option can affect traffic-selector selection in IKEv2 negotiations, leading to wrong matching results and failure to establish the IPsec SA.

Conditions:
Certain third-party vendor devices are the remote IKEv2 peer, for example, a CISCO APIC device.

Impact:
Failure in establishing IPsec SA.

Workaround:
None.


569968 : snmpd core during startup

Component: TMOS

Symptoms:
sod reanimates (with core dump) snmpd due to heartbeat timeout during BIG-IP system startup and configuration load.

Conditions:
During startup and configuration load, snmpd sometimes blocks while waiting for certain system resources to become available. If snmpd blocks longer than its configured heartbeat timeout, sod reanimates it (with a core dump).

Impact:
The only impact is the generation of a core file.

Workaround:
Increase the snmpd heartbeat timeout to 300 seconds or more.

The 11.5.1 default timeout of 60 seconds might be too short for certain platforms and configurations. The default timeout for later releases is 300 seconds.


569563-2 : Sockets resource leak after loading complex policy

Component: Access Policy Manager

Symptoms:
File descriptors used by apmd remain unclosed (TCP and UDP) after loading a complex access policy.

After some time, the APM process file descriptor table is exhausted and no more access policies are processed.

The following error messages may be observed in the logs:

err apmd[16013]: 01490000:3: HTTPParser.cpp func: "readFromSocket()" line: 86 Msg: epoll_create() failed [Too many open files].

Conditions:
This can happen at the initial stage after apmd starts, or later when policies are reloaded. Although this is not directly related to log-level, this problem is easier to observe when the access control log-level is Warning or lower (Notice, Info, Debug).

File descriptors leak (remain unclosed) after loading complex policies that contain many agents.

Impact:
The APM process is unable to create new sessions, leading to an inability to process access policy operations.

Workaround:
This can happen at the initial stage after apmd starts, or later when policies are reloaded.

The current preferred workaround is to set the log level to ERROR or higher and restart apmd.

When a large number of file descriptors has already been observed, the only way to close them other than disabling logging is to raise log levels to ERROR or above, and then issue the following command:

bigstart restart apmd

Note 1: Do not use sys db variables to change log level for versions 12.0.0 and later.

Note 2: Double-check log levels using the following command: tmsh list apm log-setting all-properties

Note 3: Opened file descriptors do not close until apmd is restarted.

Note 4: When in doubt (about whether file descriptors are leaking), run the following command on the BIG-IP system:

lsof -p `pidof apmd` | grep TCP; lsof -p `pidof apmd` | grep UDP

This lists apmd's open TCP and UDP sockets; the number of lines is the number of open socket descriptors.

- Detailed steps to change logging-level to ERROR:

Step 1. Modify access control log level using the following command: tmsh modify apm log-setting all access modify { all { log-level { access-control err } } }

Step 2. Check the log levels using the following command: tmsh list apm log-setting all-properties

Step 3. Manually restart apmd using the following command: bigstart restart apmd


569331-1 : Recovery from Amazon Network Failure may associate some virtual addresses to the standby BIG-IP

Component: TMOS

Symptoms:
Traffic will not pass to the virtual servers of a traffic group.

Conditions:
BIG-IP AWS
High Availability
AWS network outage

Impact:
Some virtual addresses end up associated with the standby BIG-IP; traffic will not pass to their virtual servers.

Workaround:
If the desired BIG-IP is standby, failover to the BIG-IP.
If the desired BIG-IP is already active, failover from this BIG-IP and then failover back to this BIG-IP.


569316-1 : Core occurs on standby in MRF when routing to a route using a transport config

Component: Service Provider

Symptoms:
If routing a message to a route that uses a transport-config to define how to create an outgoing connection, the standby device will core.

Conditions:
Routing a message to a route that uses a transport-config to define how to create an outgoing connection.

Impact:
The standby device will core.

Workaround:
N/A


569309-3 : Clientside HTML parser does not recognize HTML event attributes without value

Component: Access Policy Manager

Symptoms:
Assignment of specific HTML content to tag.innerHTML could lead to a JavaScript error. This happens when one or more tags in the HTML text contain HTML event attributes without a value (such as <div onclick />).

The following or a similar error is logged in the browser JavaScript console:
Unable to get property 'charAt' of undefined or null reference

Impact:
Web application does not work when accessed through Portal Access.

Workaround:
An iRule could be provided for the specific application.


569288-6 : Different LACP key may be used in different blades in a chassis system causing trunking failures

Component: Local Traffic Manager

Symptoms:
In rare conditions, different blades in a chassis system may use different LACP keys for the same trunk in the LACP control frames. This prevents some of the LACP trunk members from aggregating successfully with the peer switch.

Conditions:
This only happens in a chassis-based system when a race condition causes the trunk ID to be modified after initial trunk creation.

Impact:
Non-aggregated trunk members cannot pass traffic.

Workaround:
Restart lacpd on all the blades in the chassis by running the command "clsh bigstart restart lacpd".


568672-1 : Down IPsec traffic-selector shows as 'up' in 'show net ipsec traffic-selector' and in GUI

Component: TMOS

Symptoms:
After an SA goes down, 'show net ipsec traffic-selector' may report that the traffic-selector is up. The Web UI also reports up.

Conditions:
This occurs if a tunnel times out and goes to the down state.

Impact:
Confusion on the true state of the tunnel.

Workaround:
None needed.


568543-4 : Syncookie mode is activated on wildcard virtuals

Component: Local Traffic Manager

Symptoms:
Syncookie mode can be activated with a wildcard virtual, even in the case where there is no SYN flood.

Conditions:
The default number of connections per second before activating syncookie mode is 1993. This value can be increased to a max of 4093. After this threshold is reached, then syncookie mode is activated. This is an insufficient maximum for wildcard virtuals, since they can have 30k+ connections per second.

Impact:
Syncookie mode is activated with high connection rates to a wildcard virtual.

Workaround:
Break up the wildcard virtual into multiple virtuals to reduce the number of connections per virtual.


567503-2 : ACCESS::remove can result in confusing ERR_NOT_FOUND logs

Component: Access Policy Manager

Symptoms:
When using the iRule command ACCESS::remove, ERR_NOT_FOUND messages may appear in /var/log/apm. These are not real errors. ACCESS is trying to insert a session variable, but it is not able to find the session because the iRule already deleted the session.

The logs in /var/log/apm look something like this:
Dec 22 14:35:44 v11-6-02 err tmm1[15932]: 01490514:3: 00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: access_save_init_req_to_sessiondb, Line: 14823

Conditions:
An iRule using the command ACCESS::remove, and the end-user does a POST.

Impact:
No functional impact, the iRule correctly deletes the session, and BIG-IP does not send a reset. But the log messages can be alarming or confusing.


567457-2 : TMM may crash when changing the IKE peer config.

Component: TMOS

Symptoms:
TMM might crash when changing the IKE peer config. It can happen with either IKEv1 or IKEv2 (TMM config crash).

Conditions:
This occurs when making changes to IPsec tunnels that cause the configuration to become invalid. For example, changing ISAKMP phase 1 from SHA-1 to MD5 results in an invalid configuration.

Note: This occurs in the GUI only. The tmsh 'create' command does not cause this core.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use tmsh to make the affected configuration changes. This occurs in the GUI only; the tmsh 'create' command does not cause this core.


566576-6 : ICAP/OneConnect reuses connection while previous response is in progress

Component: Service Provider

Symptoms:
ICAP with OneConnect sometimes initiates a new ICAP request (REQMOD or RESPMOD) on the server connection while a previous response on the same connection is still being streamed from the ICAP server. This can cause the server to append the new response after the end of the previous response, in the same packet.

Conditions:
There is a 'oneconnect' profile on the internal virtual server along with the 'icap' profile.
Triggered by a disconnection of the IVS by the parent HTTP virtual server, before the ICAP transaction is complete.
This can happen for a number of reasons, such as an error detected on the HTTP virtual server, or an HTTP::respond iRule that replaces an IVS response in progress.

Impact:
The connection used by the interrupted transaction is returned to the pool for reuse, potentially resulting in a new ICAP transaction beginning before the end of the interrupted one, and its response may be concatenated to the incomplete tail of the first one. OneConnect is unable to separate the contiguous ICAP responses whose boundary is within a packet. All the packet payload goes to the first ICAP transaction, and any payload after the terminating chunk is discarded. Thus the beginning of the second response is lost and its header parser gets confused. It keeps waiting for more data and rescanning the entire response, resulting in increasing CPU use up to 100% until the connection is aborted.

Workaround:
Remove OneConnect.
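The failure described above comes from handing an entire segment to the first ICAP transaction. As an added example (not F5 code), the following Python splitter separates back-to-back ICAP responses that share one segment by honouring the Encapsulated header and the chunked-body terminator; the two RESPMOD responses it frames are constructed inline.

```python
"""Frame consecutive ICAP responses (RFC 3507) that arrive in one buffer."""


class NeedMoreData(Exception):
    """The buffer ends before the current response is complete."""


def encapsulated_offsets(icap_headers: bytes) -> dict:
    """Parse the Encapsulated header into {entity-name: byte-offset}.
    Offsets count from the first byte after the ICAP header block."""
    for line in icap_headers.split(b"\r\n"):
        if line.lower().startswith(b"encapsulated:"):
            value = line.split(b":", 1)[1].decode("ascii")
            pairs = (item.strip().split("=") for item in value.split(","))
            return {name: int(offset) for name, offset in pairs}
    raise ValueError("ICAP response has no Encapsulated header")


def chunked_body_end(buf: bytes, start: int) -> int:
    """Return the index just past the zero-size chunk (and any trailer) of the
    chunked body beginning at buf[start]; raise NeedMoreData if truncated."""
    pos = start
    while True:
        crlf = buf.find(b"\r\n", pos)
        if crlf < 0:
            raise NeedMoreData
        # chunk-size line; ignore any ";ext=value" chunk extensions
        size = int(buf[pos:crlf].split(b";", 1)[0].strip(), 16)
        pos = crlf + 2
        if size == 0:
            if buf.startswith(b"\r\n", pos):  # no trailers: empty line ends body
                return pos + 2
            trailer_end = buf.find(b"\r\n\r\n", pos)
            if trailer_end < 0:
                raise NeedMoreData
            return trailer_end + 4
        if len(buf) < pos + size + 2:
            raise NeedMoreData
        if buf[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += size + 2


def frame_icap_responses(buf: bytes):
    """Split buf into complete ICAP responses.
    Returns (responses, leftover); leftover is an incomplete tail, if any."""
    responses = []
    pos = 0
    while pos < len(buf):
        hdr_end = buf.find(b"\r\n\r\n", pos)
        if hdr_end < 0:
            break  # ICAP header block not yet complete
        offsets = encapsulated_offsets(buf[pos:hdr_end])
        encap_start = hdr_end + 4
        try:
            if "null-body" in offsets:
                end = encap_start + offsets["null-body"]
            else:
                body_key = next((k for k in offsets if k.endswith("-body")), None)
                if body_key is None:
                    raise ValueError("Encapsulated header names no body")
                end = chunked_body_end(buf, encap_start + offsets[body_key])
        except NeedMoreData:
            break
        responses.append(buf[pos:end])
        pos = end  # the next response starts exactly where this one ended
    return responses, buf[pos:]


def build_respmod(istag: bytes, http_headers: bytes, body: bytes) -> bytes:
    """Construct a sample ICAP 200 RESPMOD response with a chunked body."""
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    icap = (b"ICAP/1.0 200 OK\r\nISTag: " + istag +
            b"\r\nEncapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(http_headers))
    return icap + http_headers + chunked


# Constructed sample: two responses concatenated in a single segment.
HTTP_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
FIRST = build_respmod(b'"tag-1"', HTTP_HDR, b"hello")
SECOND = build_respmod(b'"tag-2"', HTTP_HDR, b"world")
NO_CONTENT = b'ICAP/1.0 204 No Content\r\nISTag: "tag-3"\r\nEncapsulated: null-body=0\r\n\r\n'

if __name__ == "__main__":
    framed, rest = frame_icap_responses(FIRST + SECOND)
    print(len(framed), "responses framed,", len(rest), "bytes left over")
```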


566507-4 : Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment

Component: TMOS

Symptoms:
The advertised next-hop is a floating-IP of the active traffic-group on a peer BIG-IP system, although it should be the floating-IP of the traffic-group active on the current BIG-IP system.

Conditions:
-- In a BIG-IP high availability (HA) configuration.
-- The HA configuration is Active-Active topology.
-- There are multiple traffic-groups, in which each device is active for one traffic-group.

Impact:
An incorrect next-hop in BGP is advertised for a traffic group in Active-Active deployment. Traffic for relevant advertised routes might go to a standby device.

Workaround:
Configure the floating address of a traffic group as the next-hop in its route-map.


565799-6 : CPU Usage increases when using masquerade addresses

Component: Local Traffic Manager

Symptoms:
When using masquerade addresses, CPU usage increases. This can ultimately lead to a reduction in device capacity.

Conditions:
This can occur if one or more of your traffic groups is configured to use a MAC Masquerade address.

Impact:
Possible performance degradation or reduction in capacity


563933-4 : [DNS] dns64-additional-section-rewrite v4-only does not rewrite v4 RRs

Component: Local Traffic Manager

Symptoms:
A and AAAA RRsets in the additional section are dropped.

Conditions:
When dns64-additional-section-rewrite is 'v4-only' or 'v6-only'.

Impact:
Failure to include the additional RRs results in additional lookups by the client which could be glue records for a resolver.

Workaround:
Set dns64-additional-section-rewrite to 'any'.


562928-2 : Curl connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled

Component: TMOS

Symptoms:
Certain curl connections with the '--local-port' option sometimes fail over IPsec tunnels when the connection.vlankeyed db variable is disabled, with the error 'curl: (7) couldn't connect to host'.

Conditions:
Using the curl command with the '--local-port' option causes the connections to fail on the BIG-IP system.

Impact:
TCP connections do not complete the three way handshake and traffic does not pass.

Workaround:
Disabling the 'cmp' option on the virtual server allows the traffic to pass over IPsec tunnels.


562636-3 : Possible memory exhaustion in access end-user interface pages for transparent proxy/SWG cases.

Component: Access Policy Manager

Symptoms:
When certain end user interface pages (e.g. 401 response) are served by the APM, these include a unique parameter in the URL. This results in the leak of objects representing caches for these pages, because their unique parameter renders caching ineffective.

Conditions:
This occurs when the following conditions are met:
-- Use of SWG in Transparent mode.
-- One of the following:
+ Use a logon page agent, an external logon page agent, or a 401 agent in the access policy.
+ Trigger an access policy evaluation when one is already in progress or when accessing a page that requires an established session.

Impact:
A memory leak in the TMM.

Workaround:
None (when the triggering conditions are encountered).


562267-2 : FQDN nodes do not support monitor alias destinations.

Component: Local Traffic Manager

Symptoms:
FQDN nodes do not support monitor alias destinations.

Conditions:
Configure a monitor with an alias address or port. The system will either prevent you from configuring, or the monitor will only be directed to the node address or port.

Impact:
The BIG-IP system does not send health checks to the configured monitor alias port. Monitor doesn't work as expected.

Workaround:
Depending on the functionality needed, you might be able to work around this by using an alternative configuration.


561348-6 : krb5.conf file is not synchronized between blades and not backed up

Component: Access Policy Manager

Symptoms:
The krb5.conf file is not in sync across all blades.
This may cause a feature (Kerberos SSO / Kerberos Auth) not to work as expected.

Conditions:
When an administrator makes changes to the krb5.conf file manually, the configuration file is not synchronized to all blades or is lost upon upgrade.

Impact:
Kerberos Auth / Kerberos SSO does not work properly on all blades


560601-1 : HTML5 File API and MediaSource URLs are blocked in Portal Access

Component: Access Policy Manager

Symptoms:
The web application does not work and a message similar to the following is logged to the developer tools console in the browser:
"Refused to load media from 'blob:https://...' because it violates the following Content Security Policy directive: ..."

Conditions:
This occurs on web applications that use the HTML5 File API.

Impact:
Applications with usage of HTML5 File API could stop working when accessed via APM Portal Access.

Workaround:
when HTTP_RESPONSE_RELEASE {
    if { [HTTP::header exists Content-Security-Policy] } {
        HTTP::header replace Content-Security-Policy \
            [string map {"data:" "data: blob: mediasource: mediastream:"} [HTTP::header Content-Security-Policy]]
    }
}


560114-5 : Monpd is being affected by an I/O issue which makes some of its threads freeze

Component: Application Visibility and Reporting

Symptoms:
When monpd is restarted, it starts printing non-stop error messages to the logs. Analytics statistics may be lost, and new data cannot be loaded. The ltm log contains this error signature:

err stat_bridge_thread[8278]: monpd`ERR`date`11285` [stat_bridge_thread::validateCorrectNumberOfPartitions, ] Too many partitions (44) defined for DB table AVR_STAT_DISK_T

Conditions:
A system I/O issue (possibly caused by /var/log being full).

Impact:
AVR statistics are lost.
Monpd thread cannot load new data, and it prints non-stop error messages to the logs.

Workaround:
Run the following:

find /var/avr/loader/ -mindepth 1 -name "*" -print0 | xargs -0 rm
touch /var/avr/init_avrdb
bigstart restart monpd


559080-5 : High Speed Logging to specific destinations stops from individual TMMs

Component: TMOS

Symptoms:
High Speed Logging to specific destinations stops from individual TMMs. The flows appear to have very large idle times. Attempts to delete the flows set the idle time to zero but do not kill the flow.

Conditions:
This appears to be the result of a failure on the part of the log destination (for example, a log server) wherein the server's TCP stack ACKs a FIN request from the TMM, but does not follow through with a matching FIN or RST. The logging code expects another timeout (essentially a FIN-WAIT2 timeout), but never receives one because the flow has already been marked as expired. As a result, the flow goes into a state in which it appears to be viable but is not actually delivering.

Impact:
Logs are silently lost.

Workaround:
Create an additional virtual server to act as a proxy for the log server, and send the logs to this virtual server. This essentially uses the TMM itself as a sanitizing proxy.


559030-1 : TMM may core during ILX RPC activity if a connflow closes before the RPC returns

Component: Local Traffic Manager

Symptoms:
TMM core with plugin context refcount error.

Conditions:
Using ILX RPC calls. Most likely to occur on a low-end platform or a virtual edition.

Impact:
Traffic disrupted while tmm restarts.


557680-3 : Fast successive MTU changes to IPsec tunnel interface crashes TMM

Component: TMOS

Symptoms:
When the IPsec tunnel interface MTU attribute is changed repeatedly in quick succession, TMM cores. This can occur whether or not traffic has flowed through the tunnel.

Conditions:
The issue occurs when the IPsec tunnel interface attributes are modified quickly and repeatedly.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Change IPsec tunnel interface attributes at a rate that allows each configuration modification to complete.


557471-2 : LTM Policy statistics showing zeros in graphical UI

Component: TMOS

Symptoms:
Statistics for LTM Policies, i.e. the total count of policy action invocations and number of successful policy action invocations, are not being updated in the graphical UI. The graphical UI shows zeros for both of these stats for every LTM Policy.

Conditions:
Occurs under all conditions.

Impact:
Through the GUI, Administrators cannot see invocation counts for general troubleshooting or to determine which policies are being used.

Workaround:
Accurate stats can be obtained from the command line using tmsh.

Stats for all policies can be obtained by the following:
# tmsh show ltm policy

Stats for a specific policy can be obtained by specifying the policy name.
# tmsh show ltm policy <policy-name>


557358-2 : TMM SIGSEGV and crash when memory allocation fails.

Component: Local Traffic Manager

Symptoms:
TMM SIGSEGV and crash when memory allocation fails.

Conditions:
Although the specific conditions under which this occurs are not well understood, it appears that the issue occurs when the SSL operation detects an error and processes the connection for removal from the SSL queue. Before the connection is removed, another command attempts to remove the connection a second time, which causes the issue to occur.

Impact:
TMM SIGSEGV and crash. Traffic disrupted while tmm restarts.

Workaround:
None known at this time.


554504 : Client OS version not logged in Browser/OS Reports for iOS client devices

Component: Access Policy Manager

Symptoms:
When an iOS device is used to log in with APM, the client OS version is not logged and is not correctly reported in the Browser/OS Report.

Conditions:
Client device must run iOS.

Impact:
Devices running different versions of iOS are not differentiated in the Browser/OS Report.

Workaround:
None.


553795-7 : Differing certificate/key after successful config-sync

Component: TMOS

Symptoms:
1) If you change a client-ssl profile to a different certificate/key, delete the original certificate/key, create a new certificate/key with the same name as the original one, associate the new certificate/key with the original client-ssl profile, then do a config-sync, the peer system(s)' FIPS chip will retain a copy of the original key.

2) If you change a client-ssl profile to a different certificate/key, delete the original certificate/key, create a new certificate/key with a different name from the original one, associate the new certificate/key with the original client-ssl profile, then do a config-sync, the peer's client-ssl profile will still use the original certificate/key instead of the new one.

Conditions:
1) High Availability failover systems with FIPS configured with Manual Sync.

2) High Availability failover systems configured with Manual Sync.

Impact:
1) An abandoned FIPS key is left behind.

2) The systems claim to be synced, but one system's client-ssl profile uses one certificate/key pair, while the other system(s)' same client-ssl profile uses a different certificate/key pair.

Workaround:
1) Workaround #1: Run an extra config-sync before the second change of the client-ssl profile.
   Workaround #2: Delete the FIPS key by-handle on the peer system(s).

2) Workaround #1: Run an extra config-sync before the second change of the client-ssl profile.
   Workaround #2: Manually update the client-ssl profile then delete the old certificate/key on the peer system(s).


553063-3 : Epsec version rolls back to previous version on a reboot

Component: Access Policy Manager

Symptoms:
If the administrator has installed multiple EPSEC packages, the EPSEC version rolls back to the previously installed version after a reboot.

Conditions:
The BIG-IP system needs to be rebooted for this issue to be seen, and multiple EPSEC packages must have been installed on the system before the reboot.

Impact:
The OPSWAT version rolls back without prompting or logging. This might re-expose the endpoint security issues that are supposed to be fixed by the latest installed OPSWAT package.

Workaround:
The workaround is to upload a dummy file in Sandbox.
1. Go to Access Policy :: Hosted Content :: Manage Files.
2. Upload any dummy file, even a 0 byte file. Change the security level to 'session'.

After this change, even if you reboot or shutdown-restart, the EPSEC version does not revert.


552444-1 : Dynamic drive mapping in network access may not work if path is received via session variable from LDAP/AD

Component: Access Policy Manager

Symptoms:
Dynamic drive mapping in network access may not work if the mapping is configured to use a session variable and the session variable is received from LDAP/AD.

Conditions:
The drive mapping is received from LDAP/AD and contains a double slash in the path, e.g. "\\server\path".

Impact:
Dynamic drive mapping may not function.

Workaround:
For example, when using the session.ad.last.attr.homeDirectory attribute value for the drive mapping, assign the variable and escape the extra backslashes added by APM:

homeDirectory = return [regsub -all {\\\\} [mcget {session.ad.last.attr.homeDirectory}] {\\}]


551208-6 : Nokia alarms are not deleted due to the outdated alert_nokia.conf.

Component: Local Traffic Manager

Symptoms:
Some of the log messages watched by alertd changed between BIG-IP software versions 10.x and versions 11.x/12.x. However, the /etc/alertd/alert_nokia.conf file has not been updated accordingly.

Conditions:
Running versions 11.x/12.x and receiving targeted messages that match the 10.x regex key fields. This occurs when the Nokia snmp alarms are enabled. See solution 15435 at https://support.f5.com/kb/en-us/solutions/public/15000/400/sol15435.html

Impact:
Matching the specific fields in the log message fails, so the corresponding alarm is not deleted from the nokia_alarm table. This might cause SNMP alerts to not be broadcast in Nokia-specific environments.

Workaround:
None.


550161-5 : Networking devices might block a packet that has a TTL value higher than 230.

Component: Local Traffic Manager

Symptoms:
Some networking devices block a packet that has a TTL value higher than 230. The TTL value for the BIG-IP system is set to 255 internally and cannot be changed.

Conditions:
The issue occurs when traffic originates from the BIG-IP system (as a client).

Impact:
No access to the resources.

Workaround:
None.


549329-5 : L7 mirrored ACK from standby to active box can cause tmm core on active

Component: Local Traffic Manager

Symptoms:
A spurious ACK sent to the standby unit will be mirrored over to the active unit for processing. If a matching connection on the active has not been fully initialized, tmm will crash.

Conditions:
HA active-standby pair setup for L7 packet mirroring.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


547479-4 : Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted

Component: TMOS

Symptoms:
TMM crashes with a subkey that has master_record field set to true.

Conditions:
Unknown.

Impact:
Traffic disrupted while tmm restarts.


546145-5 : Creating local user for previously remote user results in incomplete user definition.

Component: TMOS

Symptoms:
Creating a local user for a user who previously authenticated using a remote mechanism (e.g. LDAP, RADIUS) results in a user who has no partition-access. Additionally, the user cannot be modified via web UI.

Conditions:
Configure remote system authentication. Create a local user for remotely authenticated user.

Impact:
User cannot authenticate. User name does not appear in User List.

Workaround:
After initial creation, modify local user via tmsh to include appropriate partition-access.


545810-3 : ASSERT in CSP in packet_reuse

Component: Local Traffic Manager

Symptoms:
Causes TMM to crash

Conditions:
This crash will happen on LTM virtuals that meet the following two configuration criteria:
- the virtual is configured with fasthttp profile.
- the virtual's enabled VLAN is mapped to the _loopback interface.

Impact:
Crash and restart of TMM

Workaround:
None


545796-4 : [iRule] [Stats] iRule is not generating any stats for executed iRules.

Component: Local Traffic Manager

Symptoms:
iRule is not generating any stats for executed iRules when the rule is removed/edited and then re-added to the virtual server.

Conditions:
This occurs when the following steps are taken:
1. Move/edit an iRule that is attached to a virtual server.
2. Pass traffic to the virtual server.
3. Add the iRule back to the virtual server.

Impact:
No iRule usage stats available.

Workaround:
None.


545450-6 : Log activation/deactivation of TM.TCPMemoryPressure

Component: Local Traffic Manager

Symptoms:
The TCP memory pressure feature allows packets to be randomly dropped when the TMM is running low on available memory. The issue is that these packets are dropped silently.

Conditions:
TM.TCPMemoryPressure set to "enable".

Impact:
Packets are dropped, where the cause of the drop cannot be easily determined.


543344-3 : ACCESS iRule commands do not work reliably in HTTP_PROXY_REQUEST event

Component: Access Policy Manager

Symptoms:
When a BIG-IP system is configured as an explicit HTTP proxy, ACCESS iRule commands do not work reliably in HTTP_PROXY_REQUEST. An ACCESS iRule command can find the session ID associated with the connection only when the session ID is embedded in the request or the connection has already been processed by ACCESS; when neither condition holds, the command cannot find the associated session ID.

Conditions:
ACCESS iRule commands such as ACCESS::session data get/set or ACCESS::session exists are called without a session ID, and the caller expects the session ID to be resolved internally.

Impact:
Whenever ACCESS iRule commands cannot find the associated session ID, they are processed as if the caller had provided an empty session ID in the arguments. As a result, the ACCESS iRule commands return an empty result.

Workaround:
If possible, use ACCESS_ACL_ALLOWED as the event for the iRule, when the session ID is known. This would work for a BIG-IP system configured for reverse proxy or forward proxy.


542104-2 : In rare circumstances, it is possible for the TCP timestamps sent by the BIG-IP system to be inconsistent between blades.

Component: Local Traffic Manager

Symptoms:
In rare circumstances, it is possible for the TCP timestamps sent by the BIG-IP system to be inconsistent between blades.

TCP monitors may fail because the server fails to respond to the initial TCP SYN.

TCP traffic that utilizes a SNAT may fail because the server fails to respond to the initial TCP SYN.

Conditions:
A server with tcp_tw_recycle enabled.

A multi-blade BIG-IP chassis.

Impact:
Monitor failures or traffic disruption.

Workaround:
After confirming that the time is properly synchronized across the chassis, reboot the chassis.

Alternatively, if your servers do not require tcp_tw_recycle to be enabled, it is recommended that you disable this setting on your servers.
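Why the tcp_tw_recycle condition above matters, as an added Python model (this is not BIG-IP or Linux code): with net.ipv4.tcp_tw_recycle=1, a Linux server remembers the newest TCP timestamp seen from each peer address and silently drops a fresh SYN whose timestamp is older than that value while the record is recent. Behind a SNAT, all blades share one source address, so blades whose timestamp clocks are not aligned look like a single host whose clock runs backwards, and the SYNs from the "slow" blade get no SYN/ACK. The per-peer window, the blade clock bases, the SNAT address and the SYN schedule are constructed values for the model.

```python
"""Model of a tcp_tw_recycle server seeing SYNs from several blades behind one SNAT.

Added example, not Linux or BIG-IP code. PEER_WINDOW, the blade timestamp
bases, the SNAT address and the schedule are constructed values.
"""
PEER_WINDOW = 60.0      # seconds a per-peer timestamp record is trusted (model value)


class TwRecycleServer:
    """Server with tcp_tw_recycle: drops a SYN whose TSval is older than the
    newest TSval recently seen from the same peer address."""

    def __init__(self, window=PEER_WINDOW):
        self.window = window
        self._peers = {}    # peer_ip -> (last_tsval, time_seen)

    def accept_syn(self, peer_ip, tsval, now):
        record = self._peers.get(peer_ip)
        if record is not None:
            last_tsval, seen_at = record
            if now - seen_at < self.window and tsval < last_tsval:
                return False     # treated as an old segment: no SYN/ACK, record unchanged
        self._peers[peer_ip] = (tsval, now)
        return True


class Blade:
    """One blade/TMM whose TSval is its own clock base plus elapsed milliseconds."""

    def __init__(self, ts_base_ms):
        self.ts_base_ms = ts_base_ms

    def tsval(self, now):
        return self.ts_base_ms + int(now * 1000)


def run(snat_ip, blades, schedule, window=PEER_WINDOW):
    """Replay (time, blade_index) SYN attempts that all leave from snat_ip.
    Returns one bool per SYN: True if the server answered it."""
    server = TwRecycleServer(window)
    return [server.accept_syn(snat_ip, blades[i].tsval(t), t) for t, i in schedule]


# Constructed schedule: the two blades alternate one SYN per second.
SCHEDULE = [(0.0, 0), (1.0, 1), (2.0, 0), (3.0, 1)]


def aligned_blades():
    """Both blades share a timestamp base: every SYN is answered."""
    return run("10.0.0.5", [Blade(1_000_000), Blade(1_000_000)], SCHEDULE)


def skewed_blades():
    """Blade 1 runs 500 s behind blade 0: each of its SYNs is dropped."""
    return run("10.0.0.5", [Blade(1_000_000), Blade(500_000)], SCHEDULE)


if __name__ == "__main__":
    print(aligned_blades())   # [True, True, True, True]
    print(skewed_blades())    # [True, False, True, False]
```

The model also shows why the failure is intermittent rather than total: once the server's per-peer record ages past the window, the skewed blade's next SYN is accepted again, which is what makes the symptom look like random monitor or SNAT connection failures.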


540928-1 : Memory leak due to unnecessary logging profile configuration updates.

Component: Application Security Manager

Symptoms:
There is a memory leak in ASM control plane daemons after processing many calls in a long-lived process.

Conditions:
A) Pool member state changes frequently.
or
B) Manual learning is enabled (versions 12.x)

Impact:
Memory consumption by ASM control plane daemons increases.

Workaround:
Restart ASM, which causes a failover and downtime.

Alternatively, kill only asm_config_server:
-----------------------
pkill -f asm_config_server
-----------------------
The ASM process watchdog restarts it within about 15 seconds, which should cause neither failover nor downtime.


540872-1 : Config sync fails after creating a partition.

Component: TMOS

Symptoms:
Config sync fails after creating a partition. A config sync error similar to the following occurs:

Configuration error: Can't associate (/P1/pool1) with folder (/P1) folder does not exist

Conditions:
This error occurs when a folder is created in the same transaction that an object is also created in that folder.

This can be done either by explicitly using tmsh or iControl transaction mechanisms or through incremental sync of APM where folders get created.

Impact:
A transaction will fail or incremental sync on APM will fail on a peer.

Workaround:
In the case of transactions, create partitions and folders in a separate transaction from any object creation.

For incremental sync of APM, force a full sync by using the 'Overwrite Configuration' option in the UI.


537553-7 : tmm might crash after modifying virtual server SSL profiles in SNI configuration under load

Component: Local Traffic Manager

Symptoms:
Making configuration changes to SSL profiles for the virtual server configured for SSL SNI might crash tmm under load.

The BIG-IP system may generate an assertion failure panic string in the /var/log/tmm file that appears similar to the following example:
  panic: Assertion "valid type" failed.

Conditions:
1. LTM virtual server is configured with multiple SSL profiles, one of which is the default SNI profile.
2. The BIG-IP system is under traffic load.
3. A change is made to any of the SSL profiles configured on the virtual server, or SSL profiles are added or removed from the virtual server profile list.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


537209-5 : Fastl4 profile sends RST packet when idle timeout value set to 'immediate'

Component: Local Traffic Manager

Symptoms:
When a virtual server is configured with a FastL4 profile and the idle timeout value is set to 'immediate', traffic is handled improperly and an RST is issued.

Conditions:
A virtual server with a FastL4 profile whose idle timeout is set to 'immediate' is processing traffic.

Impact:
Traffic is Reset on a virtual where it should properly handle the traffic.

Workaround:
Avoid using the 'immediate' setting for the idle timeout value on a Fastl4 profile.


536563-3 : Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' on subsequent packets.

Component: Local Traffic Manager

Symptoms:
Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' on subsequent packets.

Conditions:
This occurs when the existing connection is closing while waiting on an ACK to the last FIN.

Impact:
Unexpected RSTs (Clientside).

Workaround:
None.


535119-1 : APM log tables initial rotation in MySQL may be wrong

Component: Access Policy Manager

Symptoms:
APM stores logs in a local MySQL database and automatically rotates the log tables when a table exceeds its size limit: the oldest log table is removed to make room for a new current log table.

However, right after the installation that initially creates the log tables, their creation timestamps may be very close, or identical at the 1-second granularity of MySQL timestamps. Because of that granularity, APM may choose the wrong table as the oldest in the first round of rotation, removing log data that is not actually the oldest.

After the first rotation, the log table rotation should work as normal.

Conditions:
The first round of log table rotation after installation

Impact:
Log data that are not the oldest may be removed at the first round of log table rotation.


534457-6 : Dynamically discovered routes might fail to remirror connections.

Component: Local Traffic Manager

Symptoms:
When using dynamic routing, it's possible that L4 connections fail to remirror after a restart on the standby device. Initial mirroring works as expected, but remirroring might not work.

Conditions:
Using dynamic routes and mirroring, and either the active or standby restarts. If the active restarts, failover completes correctly, but connections might not remirror to the previously active device after it comes back online.

Impact:
Dynamically discovered routes might fail to remirror connections. One-way failover, similar to L7 virtual servers. Initial failover works as expected; subsequent failovers might drop connections.

Workaround:
Provide a static route instead of dynamic routes.


530266-4 : Rate limit configured on a node can be exceeded

Component: Local Traffic Manager

Symptoms:
Rate limit configured on a node is not honored and is exceeded. The excess per second can be as much as 10 (100%) when the limit is configured as 10.

Conditions:
More than one TMM is running, and a rate limit is configured on the node.

Impact:
Node rate limit feature does not work as intended.

Workaround:
Configure the rate limit on the pool member instead of the node; there it is honored.


530109-4 : OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.

Component: Access Policy Manager

Symptoms:
OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.

Conditions:
-- User certificate has AIA configured.
-- Option 'Ignore AIA' is unchecked.
-- APM is configured.

Impact:
OCSP auth might fail as wrong URL is used.

Workaround:
1. Clear the URL field.
2. Uncheck the 'Ignore AIA' option.


530092-2 : AD/LDAP groupmapping is overencoding group names with backslashes

Component: Access Policy Manager

Symptoms:
Adding a group value that contains space(s) manually in AD/LDAP Group Resource Assign actions will result in the space(s) being escaped and thus invalidating match attempts. For example, adding group 'Foo Bar' (without the quotes) will result in an expression found in bigip.conf as follows:

expression "expr { [mcget -decode {session.ldap.last.attr.memberOf}] contains \"CN=Foo\\\\ Bar\" }"

The value '\"CN=Foo\\\\ Bar\"' will not match a memberOf group returned that contains 'CN=Foo Bar,...'.

Conditions:
Spaces are encoded with backslashes.

Impact:
Matching for the memberOf group will not work.

Workaround:
N/A


527206-1 : Management interface may flap due to LOP sync error

Component: TMOS

Symptoms:
An error that occurs while reading the management interface registers might cause incorrect interpretation of the management interface state, which might cause the management interface to flap.
Example error sequence:
-- warning chmand[7018]: 012a0004:4: getLopReg exception: No LopCmd reply match found for action=0x1 obj_id=0x67 subobj=0x0 slot=0xff.
-- err chmand[7018]: 012a0003:3: GET_MEDIA failure (status=0xffffffff) page=0x%1 reg=0x0 : File mgmtif/BourneMgmtIfSvc.cpp Line 357.
-- warning chmand[7018]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x5 expected=0x7.
-- warning chmand[7018]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x7 expected=0x5.
...
notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is DOWN.
...
notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is UP.

Conditions:
This problem might occur rarely on BIG-IP 2000-/4000-series, 5000-/7000-series, and 10000-/12000-series appliances and on VIPRION 2100, 2150, 2250 blades.

Impact:
The management interface on the affected blade or appliance might be down for several seconds, 15 seconds being a typical interval.

Workaround:
None.


527119-4 : Iframe document body could be null after iframe creation in rewritten document.

Component: Access Policy Manager

Symptoms:
End users report being unable to use certain page elements in Chrome (such as the Portal Access menu), and it appears that JavaScript has not properly initialized.

Conditions:
The body of a dynamically created iframe document could be initialized asynchronously after APM rewriting. The issue is specific to Chrome browser and results in JavaScript errors on the following kind of code:
    iframe.contentDocument.write(html);
    iframe.contentDocument.close();
    <any operation with iframe.contentDocument.body>

One application known to contain such code and to fail after APM rewriting is the TinyMCE editor.

Impact:
Some JavaScript applications might not work correctly when accessed through Portal Access.

Workaround:
Revert rewriting of the document.write call with a post-processing iRule.
The workaround iRule will be unique for each affected application.


526519-1 : APM sessiondump command can produce binary data

Component: Access Policy Manager

Symptoms:
New session variable "session.access.scope" includes a null character after the value. This will result in piped grep commands from sessiondump such as:
sessiondump <args> | grep <search value>

returning the text:
Binary file (standard input) matches

instead of the expected output.

Note that this problem exists in APM version 12.

Conditions:
Using sessiondump command with pipe to grep.

Impact:
Administrator cannot use "grep" command with sessiondump.

Workaround:
Use "-a" option with grep. For example:
sessiondump <args> | grep -a <search value>


525429-1 : DTLS renegotiation sequence number compatibility

Component: Access Policy Manager

Symptoms:
The OpenSSL library was modified to keep it compatible with the RFC 6347 compliant DTLS server renegotiation sequence number implementation.

Conditions:
The old OpenSSL library is not compatible with RFC 6347; the new OpenSSL library is modified to be compatible with RFC 6347.
The current APM client is compatible with the old OpenSSL library, not the new one.

Impact:
The current APM client is not compatible with the new OpenSSL library.


525378 : iRule commands do not validate session scope

Component: Access Policy Manager

Symptoms:
Assume that a user establishes a session on one virtual server. If the user learns his session ID, he may attempt to reuse that session ID to gain access to resources guarded by a different virtual server. When this happens, the iRule access session commands like [ACCESS::session sid] and [ACCESS::session exists] do not validate the scope of the session. The iRules consider sessions from other virtual servers to be valid, which can cause unintended results and potentially lead to end-users gaining higher privileges than administrators intended.

Conditions:
There may be multiple access profiles assigned to multiple virtual servers, but the iRule session commands will treat all sessions the same.

Impact:
If the administrator is not careful with how the iRule session commands are used, it can result in a user bypassing the access policy and receiving higher privileges than the administrator intended.

Workaround:
Care must be taken to ensure that iRules using the session commands do not result in unintended behavior. An iRule similar to the one below can be used to restrict a session to the virtual server on which it was created:

when ACCESS_ACL_ALLOWED {
  set sessionlistener [ACCESS::session data get "session.server.listener.name"]
  set virtualname [virtual name]
  
  if { [HTTP::cookie MRHSession] != "" } {
    if { not ($sessionlistener equals $virtualname) } {
      # enter whatever command you wish to use to prevent the connection
      reject
    }
  }
}
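A Python model of the scope check that the workaround iRule above performs, added here as an illustration (it is not APM or F5 code): each session record carries the listener it was created on, lookup_unscoped reproduces the behavior this issue describes (any valid session ID is accepted on any virtual server), lookup_scoped is the hardened form, and check_request reproduces the iRule's decision from the MRHSession cookie. The session IDs, virtual server names and Cookie headers are constructed inputs.

```python
"""Model of APM session-scope validation.

Added example, not F5/APM code. A session record carries the name of the
virtual server (listener) it was created on. lookup_unscoped reproduces
the behaviour described in this issue: the session ID alone decides
validity. check_request reproduces the decision made by the workaround
iRule: a request carrying an MRHSession cookie whose session was created
on a different virtual server is rejected. Session IDs, virtual server
names and cookie headers below are constructed inputs.
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    sid: str
    listener: str                  # corresponds to session.server.listener.name
    data: dict = field(default_factory=dict)


class SessionTable:
    def __init__(self):
        self._sessions = {}

    def create(self, sid, listener, **data):
        self._sessions[sid] = Session(sid, listener, dict(data))
        return self._sessions[sid]

    def lookup_unscoped(self, sid):
        """Behaviour in this issue: any valid SID is accepted on any virtual."""
        return self._sessions.get(sid)

    def lookup_scoped(self, sid, virtual_name):
        """Hardened lookup: the SID must belong to the presenting virtual."""
        sess = self._sessions.get(sid)
        if sess is None or sess.listener != virtual_name:
            return None
        return sess


def session_id_from_cookie(cookie_header):
    """Return the MRHSession value from a Cookie request header, or None."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "MRHSession" and value:
            return value
    return None


def check_request(table, cookie_header, virtual_name):
    """Decision equivalent to the workaround iRule in ACCESS_ACL_ALLOWED.

    Returns "allow", "reject" (session bound to another virtual server) or
    "no-session" (no usable MRHSession cookie; the access policy would run).
    """
    sid = session_id_from_cookie(cookie_header)
    if sid is None or table.lookup_unscoped(sid) is None:
        return "no-session"
    if table.lookup_scoped(sid, virtual_name) is None:
        return "reject"
    return "allow"


def replay_demo():
    """alice's guest-portal SID replayed against the admin virtual server.

    Returns (accepted_by_unscoped_lookup, accepted_by_scoped_lookup)."""
    table = SessionTable()
    table.create("a1b2c3d4", "/Common/vs_guest", user="alice", groups={"guests"})
    unscoped = table.lookup_unscoped("a1b2c3d4") is not None
    scoped = table.lookup_scoped("a1b2c3d4", "/Common/vs_admin") is not None
    return unscoped, scoped


if __name__ == "__main__":
    print(replay_demo())     # (True, False)
```

The point the model makes explicit is that a session ID is a bearer token only within the listener that issued it; any iRule that turns [ACCESS::session exists] into an authorization decision needs the listener comparison, not just the existence check.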


524123-1 : iRule ISTATS::remove does not work

Component: TMOS

Symptoms:
When an iRule invokes ISTATS::remove to remove an iStat, the iStat is not removed.

Conditions:
Invoking the ISTATS::remove command from an iRule.

Impact:
The value of the iStat remains defined.

Workaround:
Use istats-triggers and iCall scripts to invoke the iStats command line tool indirectly.


521204-2 : Include default values in XML Policy Export

Component: Application Security Manager

Symptoms:
XML Policy Export does not include some entities, unless their values are different from the system's default settings

Conditions:
ASM provisioned
export security policy in XML format

Impact:
XML Policy Export does not include some entities, unless their values are different from the system's default settings

Workaround:
n/a


520877-1 : Alerts sent by the lcdwarn utility are not shown in tmsh

Component: TMOS

Symptoms:
Beginning in BIG-IP version 12.1.0, the 'tmsh show sys alert lcd' command displays the list of alerts sent to the LCD front panel display.

The command-line utility lcdwarn can be used to send alert messages to the LCD front panel display.

Alert messages sent to the LCD front panel display by the lcdwarn utility are not included in the list of alerts shown by the 'tmsh show sys alert lcd' command.

Conditions:
This occurs when using the lcdwarn utility to send alert messages to the LCD front panel display. Such messages are typically sent for testing purposes.

This problem occurs on affected BIG-IP software versions running on all BIG-IP and VIPRION hardware platforms.

Impact:
The 'tmsh show sys alert lcd' command may not include all alert messages sent to the LCD front panel display. Messages sent by the lcdwarn utility are not shown.

Workaround:
None. This is a cosmetic issue.


513310-1 : TMM might core when a profile is changed.

Component: Local Traffic Manager

Symptoms:
TMM might core when a profile is changed.

Conditions:
TCP Proxy configured with the TCP/Persist/Auth/SCTP profile. This issue might occur in either of the following scenarios:
-- Change profile on the active device.
-- Change profile on the standby device and perform a config sync to the active one.

Impact:
TMM might core.

Workaround:
None.


510631-1 : B4450 L4 No ePVA or L7 throughput lower than expected

Component: Performance

Symptoms:
L4 (no ePVA) and L7 performance was limited to as little as 146 Gbps under some traffic conditions, instead of the advertised capability of 160 Gbps.

Conditions:
This occurs on the B4450 blade.

Impact:
Performance lower than expected


509596-1 : iFrames with 'javascript:' scheme in SRC may not work

Component: Access Policy Manager

Symptoms:
Some applications do not work with Portal Access, resulting in an error 'F5_Invoke_write is not defined' on JavaScript Console.

Conditions:
Web application that uses IFrames with 'javascript:' scheme in SRC attribute runs through Portal Access.

Impact:
Web application does not work through Portal Access.

Workaround:
There is no workaround at this time.


506543-3 : Disabled ephemeral pool members continue to receive new connections

Component: Local Traffic Manager

Symptoms:
Disabled ephemeral pool members continue to be selected for new connections.

Conditions:
FQDN parent node is disabled causing its derived ephemeral pool members to be marked disabled.

Impact:
Unexpected traffic load balanced to disabled pool members

Workaround:
None.


503842-4 : MS WebService html component doesn't work after rewriting

Component: Access Policy Manager

Symptoms:
The Microsoft webservice.htc component provides a JavaScript interface to SOAP services for Internet Explorer. It stops working after being rewritten through the reverse proxy.

Conditions:
The component works when rewriting is bypassed with F5CH=I, and other HTML components work through APM, so the issue is with something rewriting changes in this file.

Impact:
MS WebService component stops working.

Workaround:
---
when HTTP_REQUEST {
  # Downgrade IE compatibility mode
  set downgrade_ie_compat 0
  if { [HTTP::path] contains "PreviewQualitySheet.aspx" } {
    set UAString [string tolower [HTTP::header User-Agent]]
    if { ! ($UAString contains "msie 8.") and ! ($UAString contains "msie 7.")} {
      set downgrade_ie_compat 8
    }
  }
  # do not rewrite WebService HTML Component
  # because IE ignores it after rewriting.
  # patching a few things manually instead
  set ms_webservice_fix 0
  if { [HTTP::uri] ends_with "webservice.htc"} {
    set ms_webservice_fix 1
    HTTP::uri "[HTTP::uri]?F5CH=I"
    if { [HTTP::version] eq "1.1" } {
      if { [HTTP::header is_keepalive] } {
        HTTP::header replace "Connection" "Keep-Alive"
      }
      HTTP::version "1.0"
    }
  }
}
when HTTP_RESPONSE {
  if { $downgrade_ie_compat > 0 && ! [HTTP::header exists X-UA-Compatible] } {
    HTTP::header replace "X-UA-Compatible" "IE=$downgrade_ie_compat"
  }
  if { $ms_webservice_fix == 1 } {
    if { [HTTP::header exists "Content-Length"] and \
        [HTTP::header "Content-Length"] > 0 and \
        [HTTP::header "Content-Length"] <= 1048576 } {
      HTTP::collect [HTTP::header Content-Length]
    } else {
      HTTP::collect 1048576
    }
  }
}
when HTTP_RESPONSE_DATA {
  if { $ms_webservice_fix == 1 } {
    set location [string first \
        {if (co.userName == null)} \
        [HTTP::payload]]
    if { $location > 0 } {
      HTTP::payload replace $location 0 {loc=F5_WrapURL(loc);}
    }
  }
  HTTP::release
}


501892-1 : Selenium is not detected by headless mechanism when using client version without server

Component: Advanced Firewall Manager

Symptoms:
DoSL7 Proactive Bot Defense (Block requests from suspicious browsers) detects Selenium only when the Selenium server is running and a listener is open on one of the specific ports.

Conditions:
This occurs when ASM is provisioned with Proactive Bot Defense enabled and the page is accessed for the first time.

Impact:
A bot that runs only the Selenium client package is not blocked by the DoSL7 Proactive Bot Defense mechanism.

Workaround:
N/A


499404-5 : FastL4 does not honor the MSS override value in the FastL4 profile with syncookies

Component: Local Traffic Manager

Symptoms:
FastL4 does not honor the MSS override value in the FastL4 profile when syncookies are in use. This can lead to cases where the advertised MSS value in the SYN/ACK is larger than the MSS override value.

Conditions:
The FastL4 profile specifies a non-zero MSS override value and syncookies mode is active.

Impact:
The wrong MSS value is advertised during 3WHS.

Workaround:
None.


494135-1 : HTML Event handlers may not work if 'eval' is redefined

Component: Access Policy Manager

Symptoms:
If the JavaScript 'eval' function is redefined in an HTML page, event handlers may not work correctly.

Conditions:
There may be many ways to re-define 'eval'. For example:

<form>
<button name=eval onclick="someFunction();">Button</button>
</form>

In this case 'onclick' event handler will not work through Portal Access.

Impact:
Web application may not work correctly. In the worst case scenario, the browser (Internet Explorer 9 or later) may crash.

Workaround:
There is no workaround at this time.


486735-5 : Maximum connections is not accurate when TMM load is uneven

Component: Local Traffic Manager

Symptoms:
Maximum connections is not accurate when TMM load is unevenly distributed. The maximum connection statistic reports the sum of the per-TMM maximums, not the maximum concurrent connections of the virtual server.

Conditions:
This occurs when the load disaggregated to available TMMs is uneven.

Impact:
This causes the various TMMs to measure their individual maximum connections at significantly different times, resulting in higher-than-expected maximum connections.

Workaround:
Ensure the configuration matches traffic patterns, so the load of connections is evenly distributed across all TMMs.


483953-1 : Cached route MTUs may be set to the value of TM.MinPathMTU even if the path MTU is lower than that value.

Component: Local Traffic Manager

Symptoms:
ICMP type 3 code 4 (needsfrag) messages are elicited when TMM transmits packets at the TM.MinPathMTU size if the path MTU is lower than that value.

Conditions:
Path MTU discovery results are cached by default. If a client responds to an IP datagram with an ICMP needsfrag message with a very small MTU (smaller than the value of the TM.MinPathMTU database variable), the cached path MTU value will be set to the TM.MinPathMTU value even though this still isn't able to traverse the path.

This can affect multiple endpoints when a low MTU is advertised by an endpoint (misconfigured or malicious) behind a shared NAT address.

Impact:
TMM may use and enforce a low path MTU for clients capable of handling a higher path MTU, but may use an MTU too high to reach clients whose path MTU is lower than TM.MinPathMTU.

This metric will live for 10 minutes by default.

Workaround:
This issue has no workaround at this time.
The lifetime of the cached route metric can be lowered using the route.metrics.timeout db key.
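A Python model of the caching behavior this issue describes, added as an illustration (it is not TMM code): a needsfrag message advertising an MTU below the floor is recorded as the floor itself, so the cached size still cannot traverse the path, and because the cache is keyed by destination address every client behind a shared NAT address inherits the clamped value until the entry expires. MIN_PATH_MTU and TIMEOUT stand in for TM.MinPathMTU and route.metrics.timeout; their values here are assumptions for the model, not BIG-IP defaults, and the addresses are constructed.

```python
"""Model of the cached-route MTU clamp described in this issue.

Added example, not TMM code. MIN_PATH_MTU and TIMEOUT stand in for the
TM.MinPathMTU and route.metrics.timeout settings; their values here are
assumptions for the model, not BIG-IP defaults. Addresses are constructed.
"""
LINK_MTU = 1500          # size used when nothing is cached for a destination
MIN_PATH_MTU = 576       # assumed floor (stand-in for TM.MinPathMTU)
TIMEOUT = 600            # assumed cache lifetime in seconds (route.metrics.timeout)


class PathMtuCache:
    def __init__(self, min_path_mtu=MIN_PATH_MTU, timeout=TIMEOUT):
        self.min_path_mtu = min_path_mtu
        self.timeout = timeout
        self._cache = {}     # destination -> (cached_mtu, expiry_time)

    def on_needsfrag(self, dst, advertised_mtu, now):
        """ICMP type 3 code 4 received for dst: record the advertised MTU,
        but never below the floor, which is the behaviour this issue describes."""
        self._cache[dst] = (max(advertised_mtu, self.min_path_mtu), now + self.timeout)

    def mtu_for(self, dst, now):
        """Packet size TMM would use towards dst at time now."""
        entry = self._cache.get(dst)
        if entry is None:
            return LINK_MTU
        cached_mtu, expiry = entry
        if now >= expiry:
            del self._cache[dst]
            return LINK_MTU
        return cached_mtu


def still_needs_frag(cache, dst, now, real_path_mtu):
    """True when the size TMM will send exceeds what the path can carry,
    i.e. the endpoint will answer with yet another needsfrag message."""
    return cache.mtu_for(dst, now) > real_path_mtu


def shared_nat_demo():
    """Two clients behind one NAT address: one handles 1500 fine, the other
    (misconfigured or malicious) advertises 300. Returns (mtu now used for
    both clients, whether the 300 client still elicits needsfrag, mtu after
    the cached entry expires)."""
    nat = "203.0.113.9"
    cache = PathMtuCache()
    cache.on_needsfrag(nat, 300, now=0)
    return (cache.mtu_for(nat, 1),
            still_needs_frag(cache, nat, 1, 300),
            cache.mtu_for(nat, TIMEOUT + 1))


if __name__ == "__main__":
    print(shared_nat_demo())   # (576, True, 1500)
```

The demo makes the two halves of the impact concrete: the capable client is penalised down to the floor for the lifetime of the entry, while the client that advertised the tiny MTU still cannot be reached, because the floor, not the advertised value, was cached.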


482625-1 : Pages with utf-8 Content-Type and utf-16 META tag do not render

Component: Access Policy Manager

Symptoms:
Some pages cannot be displayed. A page has a Content-type header with charset utf-8. The payload has a META tag with charset utf-16. Actual data appears to be utf-8. Rewriting the page inserts a utf-16 BOM in the response, causing the page to not load.

Conditions:
Pages that contain utf-8 Content-Type headers but utf-16 META tags

Impact:
Web-application cannot display some pages.

Workaround:
An iRule can be used to fix the META charset and allow the page to load.


472860-5 : RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented.

Component: Policy Enforcement Manager

Symptoms:
The RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented.

Conditions:
Session created via iRule running on the RADIUS virtual server.

Impact:
RADIUS session statistics are not incremented.

Workaround:
None.


472571-7 : Memory leak with multiple client SSL profiles.

Component: Local Traffic Manager

Symptoms:
If multiple client SSL profiles are attached to a virtual server, memory will leak each time any profile is changed.

Conditions:
Multiple client SSL profiles are attached to a virtual server.

Impact:
A small amount of memory leaks each time a profile is changed.

Workaround:
None.


471029-2 : If the configuration contains a filename with the $ character, then saving the UCS through TMSH fails.

Component: TMOS

Symptoms:
If the configuration contains a filename with the $ character, then saving the UCS through TMSH fails. Filenames in the user configuration can contain the $ character; examples include cm cert cache-path and cm key cache-path.

tmsh save sys ucs <ucs-id> fails for such configuration.

The error displayed appears similar to the following.:
Fatal: executing: md5sum /var/tmp/filestore_temp/files_d/Common_d/certificate_d/:Common:?><.crt_53783_1
Operation aborted.
/var/tmp/configsync.spec: Error creating package.

Conditions:
Filenames in configuration contain $ character in cm cert cache-path or cm key cache-path, for example.

Impact:
tmsh save sys ucs <ucs-id> fails.

Workaround:
Do not use the $ character as part of the filenames in the configuration.


469366-3 : ConfigSync might fail with modified system-supplied profiles

Component: TMOS

Symptoms:
A config sync operation might fail with a parent-profile-not-found error message, despite the fact that the parent profile is present in the running configuration of both systems.

Conditions:
On the sync target (the system receiving the configuration, and the one that reports a sync failure), a system-supplied profile (e.g. /Common/serverssl) has been modified, and is present in /config/bigip.conf.

Impact:
An administrator is unable to synchronize system configurations. The system might post messages similar to the following example: '01020036:3: The requested parent profile (/Common/serverssl) was not found.'

Workaround:
One of the following:
1. Manually replicate the changes to the base profile on the system that is sourcing the config sync.
2. Undo the changes to the base profile on the system that is receiving the config sync (to do so, save the configuration, manually remove the base profile from /config/bigip.conf, and then re-load the configuration), and then perform a force sync operation.
3. Perform a sync in the other direction.
Important: Performing a sync in this direction overrides any unsynchronized changes on the other system.


464801-3 : Intermittent tmm core

Component: Local Traffic Manager

Symptoms:
tmm intermittently cores. Stack trace signature indicates "packet is locked by a driver"

Impact:
Traffic disrupted while tmm restarts.


460833-9 : MCPD sync errors and restart after multiple modifications to file object in chassis

Component: TMOS

Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:

1. Errors are logged to /var/log/ltm similar to the following:

err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..

2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.

Conditions:
This symptom may occur under the following conditions:

1. Two or more VIPRION chassis are configured in a device sync group.
2. File objects (such as SSL certificates) are added/modified/deleted on one chassis in the group.
3. These changes are synchronized to other members of the device sync group.
4. While the previous changes are still being synchronized to all blades in all chassis in the device sync group, an overlapping set of file objects are added/modified/deleted on a chassis in the group (typically the same chassis as in step 2).
5. While the previous sync operation is still in progress, these subsequent changes are synchronized to other members of the device sync group.

Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.

Workaround:
After performing one set of file-object modifications and synchronizing those changes to the HA group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing additional file-object changes.


459671-5 : iRules source different procs from different partitions and execute the incorrect proc.

Component: Local Traffic Manager

Symptoms:
iRules source different procs from different partitions and execute the incorrect proc.

Conditions:
Multiple iRule procs defined in multiple admin partitions.

Impact:
iRules "proc" lookup algorithm is not deterministic, or Virtual Servers are improperly caching and sharing the lookup results.

Workaround:
To work around this issue, ensure all iRule proc names defined in the BIG-IP configuration are unique.


455975-1 : Separate MIBS needed for tracking Access Sessions and Connectivity Sessions

Component: Access Policy Manager

Symptoms:
Using MIB F5-BIGIP-APM-MIB::apmGlobalConnectivityStatCurConns displays incorrect information and description.

Conditions:
Using SNMP MIB F5-BIGIP-APM-MIB::apmGlobalConnectivityStatCurConns.

Impact:
Using MIB F5-BIGIP-APM-MIB::apmGlobalConnectivityStatCurConns displays incorrect information and description.

Workaround:
This issue has no workaround at this time.


450136-3 : Occasionally customers see chunk boundaries as part of HTTP response

Component: Access Policy Manager

Symptoms:
Occasionally, users see chunk boundaries as part of the HTTP response if the virtual server is configured with a rewrite profile variant together with certain other profiles.

Conditions:
A virtual server with a rewrite profile variant and other profiles such as OneConnect and NTLM can cause the HTTP response to be double-chunked.

Impact:
End users may see random characters displayed on their web pages, or the page may fail to render because it contains invalid HTML markup.

Workaround:
To work around this problem, use an iRule that always rechunks the HTTP response.
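An added example of the rechunking iRule this workaround describes (not code from the release note itself); it assumes the HTTP::payload rechunk command is available on the running version:

```tcl
# Added example, not from the release note. Attach to the affected virtual
# server so TMM normalizes the double-chunked response body described in
# 450136-3 before it reaches the client. Assumes HTTP::payload rechunk is
# available on this version.
when HTTP_RESPONSE {
    # Re-chunk unconditionally, as the workaround recommends; a response
    # that was not chunked is passed through unchanged.
    HTTP::payload rechunk
}
```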


442231-4 : Pendsect log entries have an unexpected severity

Component: TMOS

Symptoms:
Pendsect logs non-errors with a 'warning' severity.

Conditions:
This occurs when pendsect is executed.

Impact:
Unexpected log entries. When pendsect is executed and does not find any disk errors, it logs the following at the warning level: warning pendsect[21788]: pendsect: /dev/sdb no Pending Sectors detected. This is not an error. The message is posted at the incorrect severity level and does not indicate a problem with the BIG-IP system.

Workaround:
None needed. This is cosmetic.


441079-3 : BIG-IP 2000/4000: Source port on NAT connections is modified when it should be preserved

Component: Local Traffic Manager

Symptoms:
The BIG-IP system is modifying the source port on NAT connections.

Conditions:
This occurs when NAT is configured on the BIG-IP system. This occurs on BIG-IP 2000/4000 hardware platforms.

Impact:
This impacts any applications where the source port is expected to be preserved.

Workaround:
None.


433572-4 : DTLS does not work with rfcdtls cipher on the B2250 blade

Component: Local Traffic Manager

Symptoms:
DTLS does not work with rfcdtls cipher on the B2250 blade.

Conditions:
This occurs as a result of hardware acceleration offload on the B2250 blade when using DTLS on vCMP.

Impact:
DTLS does not work with rfcdtls cipher on the B2250 blade.

Workaround:
None.


431480-1 : Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message

Component: Local Traffic Manager

Symptoms:
Occasionally, you might encounter a situation in which tmm dumps a core, and the system writes to the logs a message similar to the following: notice panic: ../base/listener.c:1116: Assertion 'laddr is not NULL' failed.

Conditions:
The exact conditions that result in this error are unknown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time, but the system recovers without any user action.


424542-5 : tmsh modify net interface with invalid interface name or attributes will create an interface in cluster or VE environments

Component: TMOS

Symptoms:
tmsh modify net interface commands with either invalid interface names or invalid attribute names appear to create new interfaces.
The invalid interface then shows up in "show net interfaces".

Conditions:
Only happens on clustered or virtual environments, not on appliances.

Impact:
Cosmetic only - extraneous interfaces show up in tmsh show net interface.

Workaround:
guishell -c "delete from interface where name='12345/is_this_correct'"


423392-8 : tcl_platform is no longer in the static:: namespace

Component: Local Traffic Manager

Symptoms:
In previous versions of iRules, the variable tcl_platform was readable as: 'set myvar static::tcl_platform'. However with recent changes, the variable is in the global, not static namespace and should be accessed as '::tcl_platform'.

Conditions:
This occurs on pre-11.4.0 iRules that use the variable 'static::tcl_platform'.

Impact:
iRules that worked properly under earlier versions can result in runtime Tcl exceptions (disrupting traffic) after an upgrade to v11.4.0 or later, if those iRules reference static::tcl_platform.

Workaround:
To map tcl_platform into the static namespace in an iRule, use the following: when RULE_INIT { upvar #0 tcl_platform static::tcl_platform }. Or you can use ::tcl_platform instead of static::tcl_platform. Note: The latter workaround might demote a virtual server from CMP. For more information, see SOL14544: The tcl_platform iRules variable is not in the static:: namespace, available here: http://support.f5.com/kb/en-us/solutions/public/14000/500/sol14544.html.


412817-2 : BIG-IP system unreachable for IPv6 traffic via PCI pass-through interfaces as current ixgbevf drivers do not support multicast receive.

Component: TMOS

Symptoms:
The BIG-IP system is unreachable for IPv6 traffic via PCI pass-through interfaces, because current ixgbevf drivers do not support multicast receive.

Conditions:
When configured to see IPv6 traffic on a PCI pass-through interface, the BIG-IP guest is not able to see this traffic.

Impact:
PCI pass-through interfaces are unable to see IPv6 traffic.

Workaround:
None.


405898-2 : If the OSPF derived MTU is different from the path MTU, OSPF may not function as expected

Component: Local Traffic Manager

Symptoms:
If the maximum transmission unit (MTU) in use for a network running OSPF differs from the interface MTU that ZebOS, or its neighbor router, has configured for the interface, OSPF adjacencies may not form, or some datagrams may be rejected.

Conditions:
TMM has cached a reduced path MTU for a network that is smaller than the configured MTU of the interface, and OSPF is running on that interface.

Impact:
OSPF adjacencies never fully form and routes are not exchanged.

Workaround:
Restarting TMM clears the cached maximum transmission unit (MTU), and allowing all interface MTUs to function with default values should prevent a mismatch.


401815-1 : IP ToS not passing through with SIP LB

Component: Service Provider

Symptoms:
The egress flow does not carry the ToS value even though the ingress flow has it set.

Conditions:
Non-zero ToS value in the ingress flow.

Impact:
The ingress flow ToS value is not propagated to the egress flow.

Workaround:
when CLIENT_ACCEPTED {
    # Save the ToS value from the client-side (ingress) flow.
    set client_tos [IP::tos]
}
when SERVER_CONNECTED {
    # Apply the saved value to the server-side (egress) flow.
    IP::tos $client_tos
}


393270-1 : Configuration utility may become non-responsive or fail to load.

Component: TMOS

Symptoms:
While doing normal operations via the configuration utility, the status indicators may become non-responsive or fail to load, the GUI could become very sluggish, and you could be unable to load the GUI, or you could be taken to the license activation screen.

Conditions:
This has been reported most frequently when deleting local users (Access Policy :: Local User DB : Manage Users), but has been encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.

Impact:
Unable to log into the GUI, or the GUI shows a blank page.

Workaround:
Run the command 'bigstart restart tomcat' or reboot the BIG-IP system.


386517-1 : Multidomain SSO requires a default pool be configured

Component: Access Policy Manager

Symptoms:
When configuring multidomain SSO, a pool must be assigned to the virtual, even if one is not being used. A typical symptom of not assigning the pool is that after logon, the user will be redirected back to another logon page.

Conditions:
Any use case of multidomain SSO where there is no pool configured on the virtual servers, and there is not a webtop assigned.

Impact:
There are two known use cases where this is commonly encountered:

1. LTM + Secure Connectivity virtuals do not usually have a default pool configured.
2. The pool is being configured through an iRule.

Workaround:
When configuring multidomain SSO, always assign a default pool to the virtual server.


375434-6 : HSB lockup might occur when TMM tries unsuccessfully to reset HSB.

Component: TMOS

Symptoms:
An HSB lockup might occur when the TMM driver tries to reset HSB and the effort is not successful. After several failed attempts, a bad DMA packet causes tmm to crash. This failure can also result in a "DMA lockup on transmitter failure" reported in the TMM log files.

Conditions:
This occurs on HSB platforms that have AMD processors, which include the BIG-IP 6900, 8900, 8950, 11000, and 11050N platforms, and the VIPRION B4200 and B4200N blades.

Impact:
The HSB is non-functional and requires reinitialization. This occurs after the BIG-IP is rebooted, which is automatically triggered when this condition occurs.

Workaround:
None.


374067-7 : Using CLIENT_ACCEPTED iRule to set SNAT pool on OneConnect virtual server interferes with keepalive connections

Component: Local Traffic Manager

Symptoms:
Using the 'snatpool' command in the CLIENT_ACCEPTED iRule event causes keepalive requests to originate from the self-IP of the BIG-IP system.

Conditions:
An iRule using the 'snatpool' command in CLIENT_ACCEPTED.

Impact:
Keepalive connections occasionally source from the BIG-IP system's self-IP address.

Workaround:
Use the HTTP_REQUEST event to set the SNAT pool.


371164-1 : BIG-IP sends ND probes for all masquerading MAC addresses on all VLANs, so a MAC might be associated with multiple VLANs.

Component: Local Traffic Manager

Symptoms:
Neighbor Discovery (ND) probes for link-local addresses go out on all VLANs. This occurs because traffic groups are not bound to any particular VLAN or interface; since the masquerade MAC is bound to the traffic group, it is not bound to a particular VLAN either.

Conditions:
Using MAC masquerade addresses on VLANs. TMM creates a new link-local address for each masquerading MAC. Thus, the same link-local address might be used on all interfaces, which means that the system might use the same MAC on different VLANs.

For example, in the following configuration, you might expect that traffic-group-1 and MAC 02:23:e9:74:e2:c4 are bound only to VLAN Internal. However, you can create another self IP address, assign it to different VLANs or route domains, and have them be part of the same traffic group. A traffic group is about availability and not about routing or partitioning.


Configuration
===========
net self 10.10.10.10%1 {
    address 10.10.10.10%1/23
    allow-service {
        default
    }
    floating enabled
    traffic-group traffic-group-1
    unit 1
    vlan Internal
}

Impact:
Although this is intended functionality, some users might not expect the behavior. BIG-IP sends ND probes for all masquerading addresses on all VLANs. Although switches typically build up forwarding tables per VLAN, some switches might not do so correctly, which results in failure to forward packets as expected. That might impact other traffic, including IPv4.

Workaround:
Set the db variable tm.macmasqaddr_per_vlan to True. This ensures that a single source MAC is associated with a single VLAN ID, and is guaranteed to be unique per VLAN.


370131-4 : Loading UCS with low GTM Autoconf Delay drops pool Members from config

Component: Global Traffic Manager

Symptoms:
Pool members loaded from the UCS are not in the configuration. If there are objects dependent on them, this may prevent the GTM config from loading completely.

Conditions:
GTM and LTM are enabled, Autoconf Delay is very low, there are GTM autoconfigured pool members from LTM virtual servers, and subsequently a UCS is loaded.

Impact:
GTM config loaded from the UCS might be overwritten and Pool Members might be lost from it.

Workaround:
Run 'bigstart stop gtmd' during the UCS load, or set the autoconf delay to be much higher than the time required to load the UCS.


369407-3 : Access policy objects are created inconsistently depending on whether created using wizard or manually.

Component: Access Policy Manager

Symptoms:
Network Access (NA) wizard policy incorrectly labels 'Advanced Resource Assign' as 'Resource Assign' in VPE.

Conditions:
This is evident when viewing the label following completion of the NA wizard.

Impact:
The label in the VPE is 'Resource Assign', where it should be 'Advanced Resource Assign'.

Workaround:
None.


367226-2 : Outgoing RIP advertisements may have incorrect source port

Component: Local Traffic Manager

Symptoms:
TMM may change the source port of RIP packets sent by ripd to something other than 520. Neighbor routers will not accept these packets and RIP routing will not work.

If the TMM instance handling the outgoing packet would not be selected to handle return traffic by the hashing algorithm in use, the source port of the traffic will be modified so the hashing algorithm returns the same TMM instance.

Conditions:
Multiple TMM instances, RIP routing configured.

Impact:
Dynamic routing using RIP will not work if the traffic hash of the packets does not match the TMM handling the outgoing traffic.


246726-1 : System continues to process virtual server traffic after disabling virtual address

Component: Local Traffic Manager

Symptoms:
A virtual address is defined as the IP address with which you associate one or more virtual servers. A virtual server is represented by an IP address and a service. The BIG-IP system continues to process traffic for virtual servers after disabling the related virtual address.

Conditions:
When a virtual address is disabled in LTM, TMM still processes traffic for the virtual IP addresses on that virtual address. For example, if you define virtual servers of 10.10.10.2:80, and 10.10.10.2:443 on the BIG-IP system, then 10.10.10.2 is the virtual address. If you disable the virtual address of 10.10.10.2, the BIG-IP system continues to process traffic for the virtual servers.

Impact:
Traffic is still processed.

Workaround:
Disable virtual servers instead. For more information, see SOL8940: The BIG-IP system processes traffic for virtual servers after disabling the virtual address, available here: https://support.f5.com/kb/en-us/solutions/public/8000/900/sol8940.html


238444-3 : An L4 ACL has no effect when a layered virtual server is used.

Component: Access Policy Manager

Symptoms:
A layer 4 ACL is not applied to the network access tunnel. As a result of this issue, you may encounter the following symptoms:

-- Unexpected network traffic may be allowed to pass.
-- Expected network traffic may be blocked.

Conditions:
This issue occurs when the following conditions are met:

-- The APM virtual server is targeting a layered virtual server, such as an SSO layered virtual server.
-- The referenced BIG-IP APM access policy is configured with a layer 4 ACL.
-- When an ACL is applied to a BIG-IP APM access policy, the access policy dynamically creates an internal layered virtual server that is used to apply the ACL. However, if the BIG-IP APM virtual server targets a layered virtual server, such as an SSO layered virtual server, traffic bypasses the dynamically-created internal layered virtual server and the ACL is not applied.

Impact:
Access control using a layer 4 ACL will not work. This may allow unwanted traffic to pass, or can block valid traffic.

Workaround:
None. However, a layer 7 ACL may be implemented if the network traffic is HTTP.


225634-1 : The rate class feature does not honor the Burst Size setting.

Component: Local Traffic Manager

Symptoms:
The rate class feature does not honor a Burst Size setting other than the default of 0 (zero).

The Burst Size setting is intended to specify the maximum number of bytes that traffic is allowed to burst beyond the base rate configured for the rate class. When the burst rate is set to zero, no bursting is allowed.

Conditions:
When using a non-default Burst Size setting for a single rate class, the setting does not have the intended effect of allowing traffic to burst beyond the base rate configured for the rate class. When using a non-default Burst Size setting for a rate class referencing a hierarchical rate class (a child class referencing a parent class), traffic processed by the rate class may cause TMM to panic and generate a core file.

Impact:
Traffic does not burst beyond the base rate configured for the rate class. In the case of hierarchical rate classes, the BIG-IP may temporarily fail to process traffic.

Workaround:
To work around this issue, you can disable the Burst Size setting by changing the value to zero. To do so, perform the following procedure:

1. Log in to the Configuration utility.
2. Click Network.
3. Click Rate Shaping.
4. Click the appropriate rate class.
5. Change the Burst Size to 0.
6. Click Update.

Impact of workaround: None.




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade


*********************** NOTICE ***********************

For additional support resources and technical documentation, see:
******************************************************
Generated: Mon Nov 7 14:37:29 2016 EST
Copyright F5 Networks (2016) - All Rights Reserved
