
Supplemental Document: Release Information: Hotfixes: BIG-IP 11.2.1

Original Publication Date: 09/28/2016

BIG-IP Hotfix Release Information

Version: BIGIP-11.2.1
Build: 1328.0
Hotfix Rollup: 16

Cumulative fixes from BIG-IP v11.2.1 Hotfix 15 that are included in this release
Cumulative fixes from BIG-IP v11.2.1 Hotfix 14 that are included in this release
Cumulative fixes from BIG-IP v11.2.1 Hotfix 13 that are included in this release
Cumulative fixes from BIG-IP v11.2.1 Hotfix 12 that are included in this release
Cumulative fixes from BIG-IP v11.2.1 Hotfix 11 that are included in this release
Cumulative fixes from BIG-IP v11.2.1 Hotfix 10 that are included in this release
Cumulative fixes from BIG-IP v11.2.1 Hotfix 9 that are included in this release
Cumulative fixes from BIG-IP v11.2.1 Hotfix 8 that are included in this release
Cumulative fixes from BIG-IP v11.2.1 Hotfix 7 that are included in this release
Cumulative fixes from BIG-IP v11.2.1 Hotfix 6 that are included in this release
Cumulative fixes from BIG-IP v11.2.1 Hotfix 5 that are included in this release
Cumulative fixes from BIG-IP v11.2.1 Hotfix 4 that are included in this release
Cumulative fixes from BIG-IP v11.2.1 Hotfix 3 that are included in this release
Cumulative fixes from BIG-IP v11.2.1 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v11.2.1 Hotfix 1 that are included in this release
Known Issues in BIG-IP v11.2.x

Vulnerability Fixes

ID Number CVE Solution Article(s) Description
536481-4 CVE-2015-8240 SOL06223540 F5 TCP vulnerability CVE-2015-8240
600662-8 CVE-2016-5745 SOL64743453 CGNAT: NAT64 vulnerability CVE-2016-5745
596488-7 CVE-2016-5118 SOL82747025 GraphicsMagick vulnerability CVE-2016-5118.
591806-6 CVE-2016-3714 SOL03151140 ImageMagick vulnerability CVE-2016-3714
570716-7 CVE-2016-5736 SOL10133477 BIG-IP IPsec IKE peer listener vulnerability CVE-2016-5736
580596-8 CVE-2013-0169 CVE-2016-6907 SOL14190 SOL39508724 TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907
577826-5 CVE-2016-1286 SOL62012529 BIND vulnerability CVE-2016-1286
573124-3 CVE-2016-5022 SOL06045217 TMM vulnerability CVE-2016-5022
572495-8 CVE-2016-5023 SOL19784568 TMM may crash if it receives a malformed packet CVE-2016-5023
567475-2 CVE-2015-8704 SOL53445000 BIND vulnerability CVE-2015-8704
560180-5 CVE-2015-8000 SOL34250741 BIND Vulnerability CVE-2015-8000
540849-1 CVE-2015-5986 SOL17227 BIND vulnerability CVE-2015-5986
540846-1 CVE-2015-5722 SOL17181 BIND vulnerability CVE-2015-5722
540767-5 CVE-2015-5621 SOL17378 SNMP vulnerability CVE-2015-5621
539923-4 CVE-2016-1497 SOL31925518 BIG-IP APM access logs vulnerability CVE-2016-1497
472093-5 CVE-2015-8022 SOL12401251 APM TMUI Vulnerability CVE-2015-8022
452318-3 CVE-2014-0050 SOL15189 Apache Commons FileUpload vulnerability CVE-2014-0050
591918-9 CVE-2016-3718 SOL61974123 ImageMagick vulnerability CVE-2016-3718
591908-8 CVE-2016-3717 SOL29154575 ImageMagick vulnerability CVE-2016-3717
591894-9 CVE-2016-3715 SOL10550253 ImageMagick vulnerability CVE-2016-3715
591881-8 CVE-2016-3716 SOL25102203 ImageMagick vulnerability CVE-2016-3716
577828-2 CVE-2016-2088 SOL59692558 BIND vulnerability CVE-2016-2088
577823-5 CVE-2016-1285 SOL46264120 BIND vulnerability CVE-2016-1285
437285-5 CVE-2013-3571 CVE-2012-0219 CVE-2010-2799 SOL14919 Multiple socat vulnerabilities
567484-2 CVE-2015-8705 SOL86533083 BIND Vulnerability CVE-2015-8705


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Description
428735-1 1-Blocking TACACS+ system auth and file descriptors leak
505071-6 2-Critical Delete and create of the same object can cause secondary blades' mcpd processes to restart.
386589-2 2-Critical During failover, mirrored hardware acceleration connection might be dropped
365219-5 2-Critical Trust upgrade fails when upgrading from version 10.x to version 11.x.
559939-5 3-Major Changing hostname on host sometimes causes blade to go RED / HA TABLE offline
553649-2 3-Major The SNMP daemon might lock up and fail to respond to SNMP requests.
533826-3 3-Major SNMP Memory Leak on a VIPRION system.
526817-1 3-Major snmpd core due to mcpd message timer thread not exiting
485833-2 3-Major The mcpd process may leak memory when using tmsh to modify user attributes
470756-3 3-Major snmpd cores or crashes with no logging when restarted by sod
433466-7 3-Major Disabling bundled interfaces affects first member of associated unbundled interfaces
410465-2 3-Major Using config sync with partition default route-domains.
407056-2 3-Major GNU tar doesn't support backslash in filename, breaking UCS process
405399-2 3-Major AOM software package is not automatically updated to the latest version.
405053-1 3-Major Intermittent getLopCpldInfo read CPLD register errors
395171-1 3-Major The BIG-IP system may monitor a gateway fail-safe pool configured for a peer BIG-IP system
386032 3-Major Modifying the BIG-IP management interface media type to any value other than auto or 1000baseT full disables Auto-MDIX.
384002-1 3-Major freetype security update
355661-4 3-Major sod logs error 010c003b:3: bind fails on recv_sock_fd, Cannot assign requested address
473163-5 4-Minor RAID disk failure and alert.conf log message mismatch results in no trap


Local Traffic Manager Fixes

ID Number Severity Description
402976-1 1-Blocking tmm core on out of memory
394895-1 1-Blocking tmm crash after installation before configuration/provision
538255-4 2-Critical SSL handshakes on 4200/2200 can cause TMM cores.
530963-1 2-Critical BIG-IP TLS doesn't correctly verify Finished.verify_data on non-Cavium platforms
528739-4 2-Critical DNS Cache might use cached data from ADDITIONAL sections in ANSWER responses.
451003-4 2-Critical SSL/TLS client certificate verification may fail due to SHA algorithms that are advertised but not supported
450814-3 2-Critical Early HTTP response might cause rare 'server drained' assertion
449052-1 2-Critical WOM failover in chassis
424816 2-Critical TMM crash in pfp_process_ingress
415814-2 2-Critical ICMP error pkt handled incorrectly by not decrementing the TTL when forwarding the pkt
407353-2 2-Critical TMM might fail under heavy load when using cmp.
570617-1 3-Major HTTP parses fragmented response versions incorrectly
557645-7 3-Major Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.
553830-1 3-Major Use of OneConnect may result in stalled flows
542031 3-Major CMP messages may be lost leading to inconsistent behaviors
525958-2 3-Major TMM may crash if loadbalancing to node's IP in iRule routed towards an unreachable nexthop.
511537-1 3-Major In an intra-cluster environment, if persist is used, tmm might crash occasionally.
473759-3 3-Major Unrecognized DNS records can cause mcpd to core during a DNS cache query
452643-9 3-Major Pool member's lb_value is not updated when transitioning from disabled to enabled
449848-7 3-Major Diameter Monitor not waiting for all fragments
447424-3 3-Major SSL session resumption can mistakenly use software path
437627-9 3-Major TMM may crash if fastl4 vs has fragmented pkt
435993-5 3-Major Tunnel recipient drops encapsulated traffic instead of forwarding
425420-3 3-Major Server-side SSL can reuse expired session IDs
416250-1 3-Major HTTPS monitor hangs when SSL handshake not completed
400325-1 3-Major Valid SSL handshakes can sometimes fail on 2xxx/4xxx
395901-1 3-Major Persisted connections will not bump pool member out of slowramp
394126-1 3-Major Intrachassis mirrored connections with ratio lb might not take poolmember out of slowramp.
520413-5 4-Minor Aberrant behavior with woodside TCP congestion control
515995-1 4-Minor Monitor fails to update Node state when Mcpd also updates Node state
446835-2 4-Minor fastl4 tcp-handshake-timeout
424931-3 4-Minor Creating or copying large files may cause the csyncd service to spike CPU utilization.


Global Traffic Manager Fixes

ID Number Severity Description
471467-3 2-Critical gtmparse segfaults when loading wideip.conf because of duplicate virtual server names
487808-4 3-Major End of Life announcement for inbound and outbound cost-based link load balancing and inbound link path-based load balancing.


WebAccelerator Fixes

ID Number Severity Description
467633-7 3-Major WAM CSS minification can add spaces to the output, potentially coring TMM (in rare cases)


Service Provider Fixes

ID Number Severity Description
430117-2 3-Major DIAMETER can double-free data leading to unpredictable behavior

 

Cumulative fix details for BIG-IP v11.2.1 Hotfix 16 that are included in this release

600662-8 : CGNAT: NAT64 vulnerability CVE-2016-5745

Vulnerability Solution Article: SOL64743453


596488-7 : GraphicsMagick vulnerability CVE-2016-5118.

Vulnerability Solution Article: SOL82747025


591918-9 : ImageMagick vulnerability CVE-2016-3718

Vulnerability Solution Article: SOL61974123


591908-8 : ImageMagick vulnerability CVE-2016-3717

Vulnerability Solution Article: SOL29154575


591894-9 : ImageMagick vulnerability CVE-2016-3715

Vulnerability Solution Article: SOL10550253


591881-8 : ImageMagick vulnerability CVE-2016-3716

Vulnerability Solution Article: SOL25102203


591806-6 : ImageMagick vulnerability CVE-2016-3714

Vulnerability Solution Article: SOL03151140


580596-8 : TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907

Vulnerability Solution Article: SOL14190 SOL39508724


577828-2 : BIND vulnerability CVE-2016-2088

Vulnerability Solution Article: SOL59692558


577826-5 : BIND vulnerability CVE-2016-1286

Vulnerability Solution Article: SOL62012529


577823-5 : BIND vulnerability CVE-2016-1285

Vulnerability Solution Article: SOL46264120


573124-3 : TMM vulnerability CVE-2016-5022

Vulnerability Solution Article: SOL06045217


572495-8 : TMM may crash if it receives a malformed packet CVE-2016-5023

Vulnerability Solution Article: SOL19784568


570716-7 : BIG-IP IPsec IKE peer listener vulnerability CVE-2016-5736

Vulnerability Solution Article: SOL10133477


570617-1 : HTTP parses fragmented response versions incorrectly

Component: Local Traffic Manager

Symptoms:
When a fragmented response is parsed by HTTP, the version field may be incorrectly bounded. HTTP correctly determines the version of the response. However, other filters that re-scan the version field might see a truncated value. The filters then misparse the HTTP version.

Conditions:
A fragmented response where the HTTP version field appears in multiple packets. Another filter, for example VDI, re-scans the HTTP version field.

Impact:
The detected version of HTTP may be incorrect. Typically, the response is detected as a HTTP/0.9 response rather than the 1.0 or 1.1 response it actually uses.

Workaround:
None.

Fix:
HTTP correctly bounds the response version for other filters to parse.


567484-2 : BIND Vulnerability CVE-2015-8705

Vulnerability Solution Article: SOL86533083


567475-2 : BIND vulnerability CVE-2015-8704

Vulnerability Solution Article: SOL53445000


560180-5 : BIND Vulnerability CVE-2015-8000

Vulnerability Solution Article: SOL34250741


559939-5 : Changing hostname on host sometimes causes blade to go RED / HA TABLE offline

Component: TMOS

Symptoms:
If the UI System::Platform screen is used to change the hostname on a Standalone VIPRION, the non-primary blades in the chassis may temporarily report an offline state.

Conditions:
This affects only multi-blade chassis systems in Standalone mode.

Impact:
If the system is hosting vCMP guests, it may cause unexpected failovers, and interruption of traffic.

Workaround:
To change the hostname on the VIPRION, use the tmsh command:
'modify sys global-settings hostname new-host-name'.

Fix:
Changing hostname on Standalone VIPRION no longer causes the non-primary blade to go RED / HA TABLE offline.


557645-7 : Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.

Component: Local Traffic Manager

Symptoms:
Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.

Conditions:
VIPRION 2200 and 2400 platforms with more than one blade.

Multiple devices in an HA configuration.

TMM incorrectly identifies which TMM should handle host connections from an HA peer.

The host connection will be reset after the SYN retransmits are exceeded between TMM and the host process.

Impact:
Periodic reported failures in host-to-host communication. This could affect config sync, and other HA related communication.

Workaround:
None.

Fix:
Host communication on VIPRION 2200 and 2400 platforms behaves the same as host communication on non-VIPRION 2200 and 2400 platforms, as expected.


553830-1 : Use of OneConnect may result in stalled flows

Component: Local Traffic Manager

Symptoms:
Stuck serverside flows that do not expire

Conditions:
Serverside flow expires while clientside is closing while OneConnect is being used.

Impact:
Excessive memory usage, tmm can crash.

Workaround:
Disable OneConnect. This can also be mitigated by ensuring the server-side idle timeout is not set lower than the client profile's fin-wait timeout while using OneConnect.

Fix:
Connections utilizing OneConnect will be forcibly shut down upon expiration.


553649-2 : The SNMP daemon might lock up and fail to respond to SNMP requests.

Component: TMOS

Symptoms:
The SNMP daemon might lock up and fail to respond to SNMP requests.

Conditions:
If the SNMP configuration on the BIG-IP changes and the SNMP daemon restarts. This is a timing issue that might appear intermittently.

Impact:
The BIG-IP system stops responding to SNMP requests. You then cannot monitor the BIG-IP system via SNMP.

Workaround:
If the SNMP daemon is locked up, restart it by issuing the following command: bigstart restart snmpd.

Fix:
The SNMP daemon no longer locks up and becomes unresponsive when it is restarted.


542031 : CMP messages may be lost leading to inconsistent behaviors

Component: Local Traffic Manager

Symptoms:
Features that utilize CMP messages may exhibit inconsistent behavior.

Conditions:
Upon receiving a CMP message, the tmm processes an internal event that sends a CMP message that overwrites the incoming message.

Impact:
Some examples: ARP failures, persistence failures, and connection stalling.

Workaround:
None.

Fix:
Incoming CMP messages are no longer overwritten before they have been processed.


540849-1 : BIND vulnerability CVE-2015-5986

Vulnerability Solution Article: SOL17227


540846-1 : BIND vulnerability CVE-2015-5722

Vulnerability Solution Article: SOL17181


540767-5 : SNMP vulnerability CVE-2015-5621

Vulnerability Solution Article: SOL17378


539923-4 : BIG-IP APM access logs vulnerability CVE-2016-1497

Vulnerability Solution Article: SOL31925518


538255-4 : SSL handshakes on 4200/2200 can cause TMM cores.

Component: Local Traffic Manager

Symptoms:
When processing SSL handshakes in the crypto acceleration hardware, a BIG-IP 2000 or 4000 platform might experience a TMM core.

Conditions:
This can occur when processing SSL handshakes in the crypto acceleration hardware. The issue is very unlikely to be seen other than on BIG-IP version 11.6.0 HF5 or on version 12.0.0 base install.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.

Fix:
The crypto acceleration hardware driver for the 2200/4200 has been fixed to avoid memory corruption.


536481-4 : F5 TCP vulnerability CVE-2015-8240

Vulnerability Solution Article: SOL06223540


533826-3 : SNMP Memory Leak on a VIPRION system.

Component: TMOS

Symptoms:
The snmpd image increases in size on a VIPRION system.

Conditions:
Run continuous snmpbulkwalk operations.

Impact:
The snmpd image increases, and might eventually result in a crash. The ltm log might contain an error message similar to the following: err mcpd[7061]: 01071087:3: Killed process for snmpd as current count of messages (965505855) keeps building.

Workaround:
To reset the memory usage and stop the snmpd daemon from coring, run the following command: bigstart restart snmpd.

Fix:
The snmpd image no longer increases in size on a VIPRION system processor.


530963-1 : BIG-IP TLS doesn't correctly verify Finished.verify_data on non-Cavium platforms

Component: Local Traffic Manager

Symptoms:
The BIG-IP does not verify every byte in the Finished message of a TLS handshake but does properly validate the MAC of the Finished message.

Conditions:
* The BIG-IP platform contains a Cavium SSL accelerator card, but the affected TLS connection is not accelerated by the Cavium SSL accelerator card.

The following lists some examples of when a TLS connection is not accelerated by the Cavium card:

* The ciphers used by the TLS connection are not fully accelerated in the Cavium card. For more information about ciphers that are fully hardware accelerated, refer to SOL13213: SSL ciphers that are fully hardware accelerated on BIG-IP platforms (11.x).

* The BIG-IP platform does not contain a Cavium SSL accelerator card. The following lists the BIG-IP platforms that do not contain a Cavium SSL accelerator card:
  * BIG-IP 2000 platforms
  * BIG-IP 4000 platforms
  * BIG-IP Virtual Edition

Impact:
F5 believes the reported behavior does not have security implications at this time.

Workaround:
None.

Fix:
BIG-IP TLS doesn't correctly verify Finished.verify_data on non-Cavium platforms. F5 does not consider this behavior a vulnerability.


528739-4 : DNS Cache might use cached data from ADDITIONAL sections in ANSWER responses.

Component: Local Traffic Manager

Symptoms:
DNS Caching might use cached data from ADDITIONAL sections of previous lookups in the ANSWER section of responses.

Conditions:
This occurs when using DNS Caching.

Impact:
The data from the ADDITIONAL section might be used in the ANSWER section of DNS responses. The data might be stale or incorrect.

Workaround:
None.

Fix:
The DNS Cache now correctly ignores data from the ADDITIONAL section when constructing the ANSWER section.


526817-1 : snmpd core due to mcpd message timer thread not exiting

Component: TMOS

Symptoms:
snmpd might occasionally experience a thread deadlock condition and would be restarted (with a core dump) by sod.

Conditions:
This can occur during an SNMP configuration change.

Impact:
snmpd occasionally becomes unresponsive for the duration of the configured snmpd heartbeat timeout.

Workaround:
After an SNMP configuration change on the BIG-IP system, the deadlock timing issue can be avoided by manually restarting snmpd.

Fix:
snmpd no longer becomes unresponsive for the duration of the configured snmpd heartbeat timeout during configuration changes.


525958-2 : TMM may crash if loadbalancing to node's IP in iRule routed towards an unreachable nexthop.

Component: Local Traffic Manager

Symptoms:
In a specific combination of events TMM may core.

Conditions:
This occurs when the following conditions are met:
  - Load balancing a flow to an ip_tuple (e.g., the Tcl 'node' command).
  - That address is not directly connected.
  - The matched route is a gateway pool that contains a pool member that is not reachable.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure correct routing to all destinations with reachable next hops.

Fix:
TMM no longer cores when load balancing to a node's IP address in iRule, routed towards an unreachable nexthop.


520413-5 : Aberrant behavior with woodside TCP congestion control

Component: Local Traffic Manager

Symptoms:
Potential tmm core.

Conditions:
Woodside congestion control along with multiple profile options enabled and certain traffic may cause an issue where tmm may core.

Impact:
With woodside and the other necessary options, TMM may core. Running without woodside, or without the other necessary options, has negative performance implications and might trigger other unexpected behaviors.

Workaround:
Switching from woodside to illinois congestion control avoids the issue.

Fix:
Woodside congestion control along with multiple profile options enabled and certain traffic no longer causes an issue where tmm may core.


515995-1 : Monitor fails to update Node state when Mcpd also updates Node state

Component: Local Traffic Manager

Symptoms:
Monitor fails to update Node state when Mcpd also updates Node state

Conditions:
This is an intermittent issue that might occur as a result of a timing issue between the monitor and the Mcpd process.

Impact:
Node fails to change state.

Workaround:
bigstart restart bigd.

Fix:
This release fixes a timing issue in which a monitor failed to update Node state when Mcpd also updated Node state.


511537-1 : In an intra-cluster environment, if persist is used, tmm might crash occasionally.

Component: Local Traffic Manager

Symptoms:
In an intra-cluster environment, if persist is used, tmm might crash occasionally.

Conditions:
This is a rare crash related to persistence in a clustered configuration. It can be aggravated by using iRules containing commands that park the iRule, such as the after command.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm no longer crashes occasionally when using persist in intra-cluster environments.


505071-6 : Delete and create of the same object can cause secondary blades' mcpd processes to restart.

Component: TMOS

Symptoms:
A single transaction containing both a delete and a create of the same object can, for certain types of objects, cause the secondary blades' mcpd processes to restart because of validation failure. The validation error appears similar to the following: 01020036:3: The requested object type (object name) was not found.

Conditions:
This has been seen to occur when an APM policy agent logon page is modified, and the error reports that its customization group cannot be found.

In BIG-IP v11.6.0 HF6 and BIG-IP v11.5.4 and BIG-IP v11.5.4 HF1, this can also occur when an iApp creates a virtual server.

Impact:
mcpd restarts on every secondary blade, causing most other system services to restart as well. This might result in a temporary loss of traffic on all secondary blades. After mcpd restarts, the new configuration is accepted and the system returns to normal operation.

Workaround:
None.

Fix:
For certain types of objects, an incorrect message was sent to the secondary blades' mcpd processes if an object of that type was deleted and then recreated within a single transaction. This caused mcpd to restart on every secondary blade. The correct message is now sent, even for this type of object.


487808-4 : End of Life announcement for inbound and outbound cost-based link load balancing and inbound link path-based load balancing.

Component: Global Traffic Manager

Symptoms:
The BIG-IP Link Controller and BIG-IP GTM link cost-based and inbound link path-based load balancing features have reached End of Life (EoL).

Conditions:
BIG-IP Link Controller and BIG-IP GTM link cost-based and inbound link path-based load balancing features.

Impact:
Cannot use these features.

Workaround:
None.

Fix:
Link cost and inbound link path load balancing software support has reached EOL. For more information, see SOL15834: End of Life announcement for inbound and outbound cost-based link load balancing and inbound link path-based load balancing, available here: https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15834.html.


485833-2 : The mcpd process may leak memory when using tmsh to modify user attributes

Component: TMOS

Symptoms:
The Master Control Program Daemon (mcpd) may leak memory when you use the Traffic Management Shell (tmsh) to modify user attributes.

Note: The mcpd process is the messenger process that allows userland processes to communicate with the Traffic Management Microkernel (TMM), and the other way around.

As a result of this issue, you may encounter one or more of the following symptoms:

-- You are unable to configure the BIG-IP system.
-- You are unable to obtain statistics, or statistics may not be accurate.
-- In the /var/log/ltm file, you may observe an error message similar to the following example:
02001018:system library:fopen:Too many open files

Conditions:
This issue occurs when the following condition is met:

-- You are using the tmsh modify auth <user> command options to modify local user accounts. Some of the options include the following:
   description       User description.
   partition-access  The administrative partition to which the user has access.
   password          Set or modify the user password.
   role              Specifies the user role for the user account.
   shell             Specifies the shell to which the user has access.

Impact:
-- You cannot obtain or update the system status.
-- You cannot configure the BIG-IP system.
-- Userland processes may not be functional.

Workaround:
There is no workaround for this issue. To restore mcpd functionality, you can restart mcpd from the command line. To do so, perform the following procedure:

Impact of procedure: Restarting the mcpd process interrupts all traffic processing on the BIG-IP system. You should perform this procedure during a maintenance window.

Log in to the Traffic Management Shell (tmsh) by typing the following command:
tmsh

To restart the mcpd process, type the following command:
restart sys service mcpd

Fix:
Ensure all user directory file descriptors are closed.


473759-3 : Unrecognized DNS records can cause mcpd to core during a DNS cache query

Component: Local Traffic Manager

Symptoms:
mcpd cores during a DNS cache record query if a DNS record with an unknown type is in the cache. mcpd attempts to translate the record's type into a text string, but ends up with a NULL pointer instead.

Conditions:
A DNS record with a type unknown by mcpd must exist in the DNS cache during the query.

Impact:
mcpd cores, causing either a failover (if there is a standby unit) or an outage while mcpd restarts (if there is no standby unit).

Fix:
Unrecognized DNS records no longer cause mcpd to core during a DNS cache query.


473163-5 : RAID disk failure and alert.conf log message mismatch results in no trap

Component: TMOS

Symptoms:
Due to a mismatch between the definition of an alert for RAID disk failure in alert.conf, and the actual log message syntax, the appropriate SNMP traps are not issued when a disk is failing.

Conditions:
This happens when there is a RAID disk failure and the definition of RAID disk failure in alert.conf is similar to the following:

alert BIGIP_RAID_DISK_FAILURE "raid[0-9]: Disk failure .*?" {
   snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.96";
   lcdwarn description="RAID disk failure." priority="3"
}

Impact:
Actual log message syntax matches the following: 'alert kernel: md/raid1:md12: Disk failure on dm-29, disabling device.' As a result, no SNMP trap is issued for a failing disk, and the LCD message is not displayed.

Workaround:
For information about configuring custom traps, see SOL3727: Configuring custom SNMP traps, available here: https://support.f5.com/kb/en-us/solutions/public/3000/700/sol3727.html.

Fix:
RAID disk failure and alert.conf log message now match, so appropriate SNMP traps are now issued when a disk is failing.
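
The mismatch described in 473163-5 can be reproduced offline. The following is an added example, not F5 code: it parses alert.conf-style stanzas and replays log lines against them to find failure messages that raise no trap. Assumptions: Python's `re` module stands in for the alert daemon's pattern matching (treated as an unanchored search), the candidate pattern is hypothetical and is not the definition shipped in the hotfix, and the log lines other than the one quoted above are constructed.

```python
import re

# Pre-fix definition, as quoted in the release note.
SHIPPED_CONF = r'''
alert BIGIP_RAID_DISK_FAILURE "raid[0-9]: Disk failure .*?" {
   snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.96";
   lcdwarn description="RAID disk failure." priority="3"
}
'''

# Hypothetical corrected pattern (assumption, not F5's shipped definition):
# it accounts for the ":mdNN" device name between "raidN" and ": Disk failure".
CANDIDATE_CONF = r'''
alert BIGIP_RAID_DISK_FAILURE "md/raid[0-9]+:md[0-9]+: Disk failure .*" {
   snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.96";
   lcdwarn description="RAID disk failure." priority="3"
}
'''

# Sample log lines. The first is the message quoted in the release note;
# the other two are constructed for this example.
SAMPLE_LOG = [
    "alert kernel: md/raid1:md12: Disk failure on dm-29, disabling device.",
    "info kernel: md/raid1:md12: active with 2 out of 2 mirrors",
    "alert kernel: md/raid1:md4: Disk failure on dm-3, disabling device.",
]

# alert NAME "regex" { ...actions... }
STANZA_RE = re.compile(
    r'alert\s+(?P<name>\w+)\s+"(?P<pattern>(?:[^"\\]|\\.)*)"\s*\{(?P<body>[^}]*)\}',
    re.S,
)
OID_RE = re.compile(r'snmptrap\s+OID="(?P<oid>[^"]+)"')


def parse_alerts(conf_text):
    """Parse alert stanzas into dicts with a name, compiled regex and trap OID."""
    alerts = []
    for m in STANZA_RE.finditer(conf_text):
        oid = OID_RE.search(m.group("body"))
        alerts.append({
            "name": m.group("name"),
            "regex": re.compile(m.group("pattern")),
            "oid": oid.group("oid") if oid else None,
        })
    return alerts


def traps_for(alerts, log_lines):
    """Return (line, alert name, OID) for every log line that would raise a trap."""
    fired = []
    for line in log_lines:
        for alert in alerts:
            if alert["oid"] and alert["regex"].search(line):
                fired.append((line, alert["name"], alert["oid"]))
    return fired


def silent_failures(alerts, log_lines, keyword="Disk failure"):
    """Return lines that mention the failure keyword but raise no trap."""
    fired_lines = {line for line, _, _ in traps_for(alerts, log_lines)}
    return [l for l in log_lines if keyword in l and l not in fired_lines]


if __name__ == "__main__":
    for label, conf in (("shipped", SHIPPED_CONF), ("candidate", CANDIDATE_CONF)):
        alerts = parse_alerts(conf)
        print(label, "traps:", len(traps_for(alerts, SAMPLE_LOG)),
              "silent failures:", len(silent_failures(alerts, SAMPLE_LOG)))
```

Replaying real /var/log messages through a check like this after editing alert definitions shows whether a failure message would go unreported before a disk actually fails.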


472093-5 : APM TMUI Vulnerability CVE-2015-8022

Vulnerability Solution Article: SOL12401251


471467-3 : gtmparse segfaults when loading wideip.conf because of duplicate virtual server names

Component: Global Traffic Manager

Symptoms:
gtmparse segfaults when loading a wideip.conf that contains duplicate virtual server names, or names that differ only by spaces.

Conditions:
wideip.conf contains duplicate virtual server name definitions, or the virtual server names are unique only because of leading or trailing spaces.

Impact:
gtmparse segfaults during a wideip.conf load, causing GTM configuration load to fail.

Workaround:
Change virtual server definitions so that there are no duplicate named virtual servers. Note that adding only leading or trailing spaces does not result in a unique virtual server name.

Fix:
gtmparse will now throw descriptive errors when encountering duplicate vs names in wideip.conf, for example:

./gtm/wideip.conf:61: "opt_vs_long_def: vs set name vs_1 on vs 10.221.43.28:1545 failed, duplicate name exists" at character '1545' in line:

      name "vs_1"
      address 10.221.43.28:1545


470756-3 : snmpd cores or crashes with no logging when restarted by sod

Component: TMOS

Symptoms:
Prior to sod restarting snmpd following a heartbeat timeout, there are often no snmpd warning/error logs leading up to the restart condition that might indicate root-cause.

Conditions:
snmpd can be blocked waiting for mcpd responses to its database queries. This is typically experienced when CPU utilization is very high.

Impact:
sod continues restarting snmpd (and generating a core dump) as long as the blocking conditions continue for longer than the configured snmpd heartbeat interval. During this time, external MIB queries might timeout/fail.

Workaround:
Address CPU utilization issues.

Fix:
The snmpd daemon now periodically logs warning messages regarding slow query responses from mcpd. snmpd also attempts to maintain heart-beat communication with sod under these conditions.


467633-7 : WAM CSS minification can add spaces to the output, potentially coring TMM (in rare cases)

Component: WebAccelerator

Symptoms:
TMM coring, or exhibiting strange behavior. Checking the WAM stats reveals an underflow for bytes_minified in wam_css_stat, for example:

active parses bytes_parsed bytes_queued partial_parses partial_parse_bytes
------ ------ ------------ ------------ -------------- -------------------
     0      4          612            0              4                 586

annotations resets parser_errors bytes_minified       images_inlined
----------- ------ ------------- -------------------- --------------
          5      0             0 18446744073709551564              0

images_bytes_inlined images_uninlined images_uninlined_expiry
-------------------- ---------------- -----------------------
                   0                0                       0

Conditions:
The CSS data that is being minified must already be minified and contain no extraneous whitespace.

Impact:
TMM may core or behave unexpectedly. The wam_css_stat stat's bytes_minified will be incorrect.

Workaround:
Disable CSS minification.

Fix:
Extra spaces are no longer added to the minified CSS.


452643-9 : Pool member's lb_value is not updated when transitioning from disabled to enabled

Component: Local Traffic Manager

Symptoms:
Some members may not receive traffic when the pool's load balancing method is set to one of the following:
 - Least Connections
 - Fastest
 - Least Sessions

Conditions:
Member's lb_value is non-zero when transitioned to disabled.

Impact:
Member does not receive traffic

Workaround:
Enable pool member and change load balancing method from original to Ratio and back.

Fix:
A member's lb_value is updated upon transitioning from disabled to enabled states when using one of the following load balancing methods:
 - Least Connections
 - Fastest
 - Least Sessions


452318-3 : Apache Commons FileUpload vulnerability CVE-2014-0050

Vulnerability Solution Article: SOL15189


451003-4 : SSL/TLS client certificate verification may fail due to SHA algorithms that are advertised but not supported

Component: Local Traffic Manager

Symptoms:
When using ClientSSL, client certificate authentication may fail, if client certificate authentication is set to 'request' or 'require'.

Conditions:
This occurs when the following conditions are met:
-- A ClientSSL profile exists on the virtual server.
-- The ClientSSL profile is configured with client certificate authentication set to 'request' or 'require.'
-- The client responds with a certificate signed by one of the following affected signature algorithms: SHA256-RSA(0x0401), SHA384-RSA(0x0501), or SHA512-RSA(0x0601).

Impact:
SSL/TLS connections fail to establish for some clients on virtual servers that request or require client certificates.

Fix:
Unsupported SHA algorithms have been removed, so SSL/TLS client certificate verification completes successfully.
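
As an added illustration (not F5 code), the following Python parses a TLS 1.2 CertificateRequest handshake message, as it could be extracted from a packet capture of a failing handshake, and reports whether the server advertises any of the three affected signature algorithms listed in the conditions. Both sample messages are constructed, the "after" sample is only an assumption of what an advertisement without those algorithms could look like, and all function names are hypothetical.

```python
"""Check a TLS 1.2 CertificateRequest for the algorithms named in 451003."""

# (hash << 8 | signature) values the release note lists as affected.
AFFECTED = {0x0401: "SHA256-RSA", 0x0501: "SHA384-RSA", 0x0601: "SHA512-RSA"}

# SignatureAndHashAlgorithm code points from RFC 5246, section 7.4.1.4.1.
HASHES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
          4: "sha256", 5: "sha384", 6: "sha512"}
SIGNATURES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}

CERTIFICATE_REQUEST = 13  # HandshakeType.certificate_request


class ParseError(ValueError):
    """Raised when the message is truncated or is not a CertificateRequest."""


def _vector(buf, offset, length_bytes):
    """Read one length-prefixed TLS vector; return (payload, next_offset)."""
    start = offset + length_bytes
    if start > len(buf):
        raise ParseError("truncated vector length")
    end = start + int.from_bytes(buf[offset:start], "big")
    if end > len(buf):
        raise ParseError("vector runs past end of message")
    return buf[start:end], end


def parse_certificate_request(msg):
    """Parse a handshake message (4-byte header included) into its fields."""
    if len(msg) < 4:
        raise ParseError("truncated handshake header")
    msg_type, length = msg[0], int.from_bytes(msg[1:4], "big")
    if msg_type != CERTIFICATE_REQUEST:
        raise ParseError(f"handshake type {msg_type} is not certificate_request")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ParseError("truncated handshake body")

    # certificate_types<1..2^8-1>, supported_signature_algorithms<2^16-1>,
    # certificate_authorities<0..2^16-1>, in that order.
    cert_types, off = _vector(body, 0, 1)
    algorithms, off = _vector(body, off, 2)
    authorities, off = _vector(body, off, 2)
    if off != len(body):
        raise ParseError("trailing bytes after certificate_authorities")
    if len(algorithms) % 2:
        raise ParseError("odd-length signature algorithm list")

    pairs = [int.from_bytes(algorithms[i:i + 2], "big")
             for i in range(0, len(algorithms), 2)]
    return {"certificate_types": list(cert_types),
            "signature_algorithms": pairs,
            "authorities_length": len(authorities)}


def describe(pair):
    """Render a code point as, for example, 'sha256-rsa(0x0401)'."""
    hash_id, sig_id = pair >> 8, pair & 0xFF
    return "{}-{}(0x{:04x})".format(HASHES.get(hash_id, f"hash{hash_id}"),
                                    SIGNATURES.get(sig_id, f"sig{sig_id}"),
                                    pair)


def advertised_algorithms(msg):
    """All advertised algorithms, in the server's preference order."""
    return [describe(p)
            for p in parse_certificate_request(msg)["signature_algorithms"]]


def affected_advertised(msg):
    """Names of advertised algorithms that the release note lists as affected."""
    return [AFFECTED[p]
            for p in parse_certificate_request(msg)["signature_algorithms"]
            if p in AFFECTED]


# Constructed sample: advertises SHA512/384/256 with RSA plus two SHA-1 pairs.
SAMPLE_BEFORE = bytes.fromhex(
    "0d000012"               # certificate_request, body length 18
    "03010240"               # 3 certificate types: rsa_sign, dss_sign, ecdsa_sign
    "000a06010501040102010202"  # 5 signature algorithm pairs
    "0000"                   # empty certificate_authorities
)

# Constructed sample (assumption): the same message with only the SHA-1 pairs.
SAMPLE_AFTER = bytes.fromhex("0d00000c" "03010240" "000402010202" "0000")

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, "advertised:", ", ".join(advertised_algorithms(sample)))
        print(label, "affected:  ", affected_advertised(sample) or "none")
```
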


450814-3 : Early HTTP response might cause rare 'server drained' assertion

Component: Local Traffic Manager

Symptoms:
Early HTTP response from the server might cause 'server drained' assertion and traffic disruption.

Conditions:
This occurs when the server sends an early response, which might occur if the server responded before the system completed processing the entire incoming HTTP request data from the client.

A filter other than HTTP is also required on the chain.

Impact:
The system posts a 'server drained' assertion and traffic is disrupted.

Workaround:
None. However, this issue occurs very rarely.

Fix:
HTTP will not cause a "server drained" assertion if a server ends a connection in an early server response.


449848-7 : Diameter Monitor not waiting for all fragments

Component: Local Traffic Manager

Symptoms:
When the server returns a response in two fragments, the Diameter monitor sends an ACK for the first fragment followed by a FIN and then a reset.

Conditions:
The server returns a response in two fragments.

Impact:
Pool member is marked down.

Workaround:
None.

Fix:
Diameter Monitor now handles fragments as expected.


449052-1 : WOM failover in chassis

Component: Local Traffic Manager

Symptoms:
After a failover on VIPRION chassis, the WOM tunnel fails to pass traffic.

Conditions:
HA configured in multi-bladed VIPRION chassis
WOM tunnel configured, with MAC Masquerading in use

Impact:
WOM will not pass traffic after failover occurs.

Fix:
Fixed an issue with passing traffic via WOM after a failover event.


447424-3 : SSL session resumption can mistakenly use software path

Component: Local Traffic Manager

Symptoms:
Resumed SSL server-side sessions can be routed to the software encryption path because the key-size structure is not properly initialized. This causes a performance degradation when encryption hardware is available.

Conditions:
Server SSL profile and SSL resumption in play for a connection using a cipher that is allowed to be encrypted in hardware.

Impact:
Slower rate and more CPU usage due to SSL session being encrypted/decrypted in software when it is a valid hardware cipher.

Fix:
Resumed SSL server-side sessions are now correctly using hardware encryption when it is applicable, instead of always defaulting to software.


446835-2 : fastl4 tcp-handshake-timeout

Component: Local Traffic Manager

Symptoms:
The fastl4 tcp-handshake-timeout value does not change to become the idle timeout value after the TCP 3-way handshake completes.

Conditions:
This issue is transient and occurs when using a fastl4 profile. After the system returns to the TCP_CLOSED state, it will be OK.

Impact:
Instead of switching to the idle timeout value after the 3-way handshake completes, a connection can retain the tcp-handshake-timeout value, which could cause it to time out early.

Fix:
Fixed an issue with fastl4 profile tcp-handshake-timeout setting.


437627-9 : TMM may crash if fastl4 vs has fragmented pkt

Component: Local Traffic Manager

Symptoms:
TMM may crash if a virtual server with a fast L4 profile receives a fragmented packet.

Conditions:
-- A fastl4 profile is configured.
-- Fragmented packets arrive.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
In the fast L4 profile, enable the option "Reassemble IP Fragments".

Fix:
Improved handling of a fragmented packet that could cause a crash if using a fastL4 profile.


437285-5 : Multiple socat vulnerabilities

Vulnerability Solution Article: SOL14919


435993-5 : Tunnel recipient drops encapsulated traffic instead of forwarding

Component: Local Traffic Manager

Symptoms:
It is possible for the GRE tunnel to decapsulate SYN packets to the wrong tmm, causing intermittent failures when accessing the local virtual server on CMP systems.

Conditions:
This occurs on CMP systems.

Impact:
TMM suffers packet/xfrag leakage over time and eventually cores due to out of memory.

Workaround:
None.

Fix:
Establishment of CMP-redirected flows no longer erroneously expires/replaces NOEXPIRE flows, so this probably no longer occurs.


433466-7 : Disabling bundled interfaces affects first member of associated unbundled interfaces

Component: TMOS

Symptoms:
When the bundled interface (e.g., 2.1) is disabled, it might result in link issues observed with the first member of the associated unbundled interfaces (e.g., 1.1).

Conditions:
Disabling bundled interfaces affects first member of associated unbundled interfaces.

Impact:
Traffic unable to pass due to ports 'Down' status.

Workaround:
Do not disable the associated bundled interface (e.g., 2.1) when intending to use the first member of the associated unbundled interfaces (e.g., 1.1). The same applies to the interface bundle/unbundle relationships for 2.2/1.5, 2.3/1.9, vice-versa, etc.

Fix:
Disabling bundled interfaces no longer affects the first member of associated unbundled interfaces.


430117-2 : DIAMETER can double-free data leading to unpredictable behavior

Component: Service Provider

Symptoms:
Resets on the server side of a hudchain; Unpredictable behavior. Different stack trace of core dumps.

Conditions:
Persistence was enabled and server initiate message was sent.

Impact:
V11.0.0, v11.1.0, v11.2.0-hfn

Workaround:
N/A

Fix:
A double-free condition in the Diameter profile has been fixed.


428735-1 : TACACS+ system auth and file descriptors leak

Component: TMOS

Symptoms:
Administrative access to the system with remote authenticated accounts fails, and the following is seen in the security log (/var/log/secure):

httpd[###]: PAM [error: /lib/security/pam_bigip_authz.so: cannot open shared object file: Too many open files]

This can eventually lead to lack of access to the BIG-IP system from all but the root account.

Conditions:
Remote system authentication is configured to use TACACS+. Administrative access to the BIG-IP system using any HTTP-based method results in leaked file descriptors. Relevant access methods include Web UI, iControl and iControl-REST. Repeated automated access using iControl is the fastest route.

Impact:
If the leak is allowed to accumulate to the point that no file descriptors are available, administrative access using remote authenticated accounts is no longer possible. This also includes access from SSH and console. The root account, which always uses local authentication, is not affected.

Workaround:
Several workaround options:
1. Use a system auth method other than TACACS+.
2. Use only SSH for administrative access.
3. Restart httpd as needed.

Fix:
A TACACS+ system auth and file descriptors leak has been corrected.


425420-3 : Server-side SSL can reuse expired session IDs

Component: Local Traffic Manager

Symptoms:
Server side SSL might send a session ID that should have expired to the SSL server.

Conditions:
Expiring SSL sessions

Impact:
Very minimal. This is only a problem when the cache timeout set on the server ssl profile is less than the timeout set on the SSL server.

Workaround:
None.

Fix:
Server side SSL will no longer send expired session IDs to the server.


424931-3 : Creating or copying large files may cause the csyncd service to spike CPU utilization.

Component: Local Traffic Manager

Symptoms:
Creating or copying large files may cause the csyncd service to spike CPU utilization.

As a result of this issue, you may encounter one or more of the following symptoms:

-- BIG-IP iHealth lists Heuristic H484968 on the Diagnostics > Identified > High screen.
-- CPU utilization may spike to 90-100 percent.
-- Using the Linux command line utility top to view the csyncd service CPU utilization shows the csyncd service using a high percentage of CPU right after you have created a large file.

For example, type the following command:

top | egrep '%CPU|csyncd'

You see output similar to the following example:

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND

7179 root 20 0 32028 17m 10m S 1.7 0.2 8:45.50 csyncd
7179 root 20 0 32028 17m 10m S 1.7 0.2 8:45.55 csyncd
7179 root 20 0 32028 17m 10m S 1.7 0.2 8:45.60 csyncd
7179 root 20 0 32028 17m 10m R 20.9 0.2 8:46.23 csyncd
7179 root 20 0 32028 17m 10m R 96.9 0.2 8:49.15 csyncd
7179 root 20 0 32028 17m 10m R 96.6 0.2 8:52.06 csyncd
7179 root 20 0 32028 17m 10m R 96.6 0.2 8:54.97 csyncd
7179 root 20 0 32028 17m 10m R 97.3 0.2 8:57.90 csyncd
7179 root 20 0 32028 17m 10m R 97.3 0.2 9:00.83 csyncd
7179 root 20 0 32028 17m 10m R 96.6 0.2 9:03.74 csyncd
7179 root 20 0 32028 17m 10m R 97.0 0.2 9:06.66 csyncd
7179 root 20 0 32028 17m 10m R 97.3 0.2 9:09.59 csyncd
7179 root 20 0 32028 17m 10m R 97.0 0.2 9:12.51 csyncd
7179 root 20 0 32028 17m 10m R 96.9 0.2 9:15.43 csyncd
7179 root 20 0 32028 17m 10m S 15.9 0.2 9:15.91 csyncd
7179 root 20 0 32028 17m 10m S 1.3 0.2 9:15.95 csyncd
7179 root 20 0 32028 17m 10m S 2.0 0.2 9:16.01 csyncd
7179 root 20 0 32028 17m 10m S 1.3 0.2 9:16.05 csyncd

Conditions:
This issue occurs when the following condition is met:

You have created or copied a large file to a directory monitored by the csyncd service.

Note: The CPU utilization spike length correlates directly to the large file size and the capacity of the BIG-IP system.

Impact:
Extended high CPU utilization can degrade performance, and the system may eventually become unresponsive or reboot.

Workaround:
None.

Fix:
Creation of a large file, such as a UCS archive, is now handled correctly, and the csyncd process no longer causes high CPU utilization.


424816 : TMM crash in pfp_process_ingress

Component: Local Traffic Manager

Symptoms:
TMM crashes in pfp_process_ingress when there are no available pool members.

Conditions:
There are no available pool members for a flow, and multiple frames arrive.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes in pfp_process_ingress when there are no available pool members.


416250-1 : HTTPS monitor hangs when SSL handshake not completed

Component: Local Traffic Manager

Symptoms:
After a TCP connection is established, and the monitor sends a CLIENT HELLO, if the server does not respond with SERVER HELLO, the monitor stays in this state, never re-sending the request.

Conditions:
SSL handshake stalls and does not complete (e.g., if server does not ACK Client Hello, does not send Server Hello, etc).

Impact:
Cannot LB to down nodes.

Workaround:
Disable bigd.reusesocket.

Fix:
Added a timeout to cancel incomplete SSL handshakes and retry, so HTTPS monitors do not hang when the SSL handshake is not completed.


415814-2 : ICMP error pkt handled incorrectly by not decrementing the TTL when forwarding the pkt

Component: Local Traffic Manager

Symptoms:
The TTL value of an ICMP error pkt is always set to 255 when it is forwarded instead of decrementing it. So the system always reports a TTL value of 255.

Conditions:
This occurs when the system forwards an ICMP error pkt.

Impact:
When the system forwards the error packet, there are cases where the packet could forward forever and never expire.

Workaround:
None.

Fix:
BIG-IP decrements the TTL when forwarding an ICMP error packet instead of setting the TTL to 255.


410465-2 : Using config sync with partition default route-domains.

Component: TMOS

Symptoms:
The config sync operation might fail with an error similar to the following:
Virtual address /P/12.0.0.69%0 encodes IP address 13.0.0.69 which differs from supplied address field 12.0.0.69%1

Conditions:
Creating a virtual/virtual-address, whose address is in route-domain 0 (zero), in a partition that has a default route-domain set.

Impact:
Config Sync fails.

Workaround:
None.

Fix:
If you create a virtual/virtual-address in a partition which has a default route-domain set whose address is in route-domain 0, the config sync operation now succeeds.


407353-2 : TMM might fail under heavy load when using cmp.

Component: Local Traffic Manager

Symptoms:
TMM might crash under heavy load when clustered multi-processing (CMP) forwarding is triggered, resulting in TMM core.

Conditions:
Heavy TMM load, CMP forward triggered.

Impact:
TMM crashes. Traffic might be disrupted.

Workaround:
None.

Fix:
TMM no longer crashes under heavy load when clustered multi-processing (CMP) forwarding is triggered.


407056-2 : GNU tar doesn't support backslash in filename, breaking UCS process

Component: TMOS

Symptoms:
GNU tar can't handle files with a backslash in the filename when the '--files-from' option is used. The "im" process on BIG-IP uses '--files-from' to tar files to a package. If there is a backslash in any filename, the process will fail.

Conditions:
Creating UCS files, and files in the file system contain a backslash. This can occur with TACACS remotely authenticated BIG-IP users, and there could be other scenarios that cause this.

Impact:
The UCS process will fail.

Fix:
BIG-IP's tar command now supports files that contain backslashes in the file name.


405399-2 : AOM software package is not automatically updated to the latest version.

Component: TMOS

Symptoms:
AOM software package is not automatically updated to the latest version.

Conditions:
If AOM software (aomctld) is already running.

Impact:
Not updated to the latest version.

Workaround:
None.

Fix:
AOM software is now always updated when there is a newer version available.


405053-1 : Intermittent getLopCpldInfo read CPLD register errors

Component: TMOS

Symptoms:
At non-deterministic intervals, messages similar to the following may be logged in the /var/log/ltm file of a BIG-IP system:

warning chmand[8522]: 012a0004:4: getLopCpldInfo read CPLD register 0x## error: LopDev: sendLopCmd: Lopd status: 1 packet: action=1 obj_id=e sub_obj=## slot_id=ff result=e len=0 crc=#### payload= (error code:0xe)

Such messages will typically be followed by messages similar to:

notice chmand[8522]: 012a0005:5: reinitialize LOP CPLD sensors

These messages indicate errors reading one of the CPLD (Complex Programmable Logic Device) registers which are polled periodically to provide information about the internal status of BIG-IP hardware. These errors are typically intermittent, and the CPLD register reads typically succeed during the next polling interval.

Conditions:
This symptom may occur at non-deterministic intervals on the following F5 hardware platforms:
VIPRION B2100 blades
BIG-IP 2000-series appliances
BIG-IP 4000-series appliances
BIG-IP 5000-series appliances
BIG-IP 7000-series appliances
BIG-IP 10000-series appliances

Impact:
This problem will result in log messages reporting errors reading CPLD registers.
Information obtained from CPLD registers is read periodically and reported by various BIG-IP utilities. CPLD register read errors will result in temporarily incorrect or missing hardware details. If the CPLD register is read successfully during the next polling period (typically every 30 seconds), the correct information will be displayed.

Workaround:
If these errors occur intermittently and infrequently, they can be safely ignored.
If these errors occur frequently and persistently, further hardware diagnostics should be considered.

Fix:
Reduced error rate reading LOP CPLD sensors.


402976-1 : tmm core on out of memory

Component: Local Traffic Manager

Symptoms:
Tmm can crash on an out-of-memory condition.

Conditions:
Normal operation, but tmm is heavily loaded and there is memory pressure.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
If this is a vCMP or VE instance, consider increasing the available memory for the instance.

Fix:
Fixed a tmm crash related to handling out of memory conditions.


400325-1 : Valid SSL handshakes can sometimes fail on 2xxx/4xxx

Component: Local Traffic Manager

Symptoms:
Sometimes, valid SSL handshakes can fail on BIG-IP 2000, 2200, 4000, and 4200 appliances.

Conditions:
Performing SSL.

Impact:
Valid SSL handshakes can fail.

Fix:
Valid SSL handshakes should not fail.


395901-1 : Persisted connections will not bump pool member out of slowramp

Component: Local Traffic Manager

Symptoms:
A pool member that is getting only persisted connections might inadvertently stay in slowramp. Slowramp is removed once a connection comes in and the system determines the slowramp period has expired.

Conditions:
A pool member that is getting only persisted connections during slowramp time.

Impact:
Poolmember stays in slowramp and might reject a new connection, causing the connection to go to another pool member. Once a new connection is sent to the pool member past the slowramp period, that should bump the poolmember out of slowramp and subsequent connections should be fine.

Workaround:
None.

Fix:
The system now removes slowramp as expected for a pool member that is getting only persisted connections.


395171-1 : The BIG-IP system may monitor a gateway fail-safe pool configured for a peer BIG-IP system

Component: TMOS

Symptoms:
The BIG-IP system may monitor a gateway fail-safe pool configured for a peer BIG-IP system.

As a result of this issue, you may encounter the following symptom:

After receiving a ConfigSync operation, the BIG-IP system status will be green (available) or red (unavailable) for a gateway fail-safe pool configured to be monitored by a peer BIG-IP system.

Note: Prior to a ConfigSync operation, the BIG-IP system status will be blue (unknown) for a gateway fail-safe pool configured to be monitored by a peer BIG-IP system.

Conditions:
This issue occurs when all of the following conditions are met:

-- The BIG-IP system is a member of a high availability device group.
-- Each BIG-IP system in the device group is configured to monitor a unique gateway failsafe pool.
-- The BIG-IP system receives a ConfigSync operation.

When the BIG-IP system receives a ConfigSync operation from a peer BIG-IP system, the bigd process will begin monitoring all gateway fail-safe pools, even if the BIG-IP system is configured to be monitored by a peer BIG-IP system.

For example:

A pair of BIG-IP systems are configured with two gateway fail-safe pools (GWPool1 and GWPool2).
-- GWPool1 is configured to be monitored by BIG-IP-1, and GWPool2 is configured to be monitored by BIG-IP-2.
-- BIG-IP-1 performs a ConfigSync operation to BIG-IP-2.
-- BIG-IP-2 begins monitoring both pools.

Impact:
The BIG-IP system erroneously monitors a gateway fail-safe pool configured for a peer system.

Workaround:
To work around this issue, reload the configuration on the affected BIG-IP system. To do so, perform the following procedure:

Impact of workaround: None

Log in to the Traffic Management Shell (tmsh) by typing the following command:

tmsh

Note: If you are currently logged in to the tmsh shell, you can skip this step.

Reload the configuration by typing the following command:

load sys config

Fix:
Gateway Failsafe pool members are no longer incorrectly updated for devices that they do not belong to.


394895-1 : tmm crash after installation before configuration/provision

Component: Local Traffic Manager

Symptoms:
tmm crash after installation before configuration/provision

Conditions:
Booting the BIG-IP after installation, but before Configuring/Provisioning.

Impact:
TMM cores. Since BIG-IP is not provisioned yet, this has no impact to traffic.

Fix:
TMM no longer cores due to a TCL assert prior to provisioning.


394126-1 : Intrachassis mirrored connections with ratio lb might not take poolmember out of slowramp.

Component: Local Traffic Manager

Symptoms:
Poolmember stays in slowramp on a particular blade.

Conditions:
Intrachassis mirroring is enabled along with ratio lb being in effect.

Impact:
Poolmember stays in slowramp on a particular blade as the intrachassis mirroring connections count against the ratio, and thus connections are sent to other pool members.

Workaround:
None.

Fix:
Intrachassis mirrored connections with ratio lb now take the poolmember out of slowramp as expected.


386589-2 : During failover, mirrored hardware acceleration connection might be dropped

Component: TMOS

Symptoms:
If there is an existing accelerated connection on an active unit, upon failover, that connection might be dropped. This applies to hardware acceleration at SYN time, not 3WHS - established time.

Conditions:
This occurs when the following conditions are met:
-- Connection is offloaded in hardware and remains in hardware.
-- Connection was originally offloaded at TCP SYN time.
-- Upon failover to the standby unit, server side traffic arrives first, and no client traffic arrives before the default handshake timeout expires.

Impact:
After failing over, the mirrored hardware acceleration connection might be dropped if no client traffic arrives before the timeout.

Workaround:
Use 3WHS establishment time offload instead.

Fix:
The first server packet after failover no longer triggers pva mirror connection to handshake timeout, so the connection is retained as expected.


386032 : Modifying the BIG-IP management interface media type to any value other than auto or 1000baseT full disables Auto-MDIX.

Component: TMOS

Symptoms:
Auto-MDIX stays enabled even when the management port settings are forced.

Conditions:
Modifying the BIG-IP management interface media type to any value other than auto or 1000baseT full.

Impact:
Disables Auto-MDIX.

Workaround:
None.

Fix:
Modifying the BIG-IP management interface media type to any value other than auto or 1000baseT full no longer disables Auto-MDIX.


384002-1 : freetype security update

Component: TMOS

Symptoms:
Multiple flaws were found in the way FreeType handled TrueType Font (TTF), Glyph Bitmap Distribution Format (BDF), Windows .fnt and .fon, and PostScript Type 1 fonts.

Multiple flaws were found in the way FreeType handled fonts in various formats.

Conditions:
N/A

Impact:
If a specially-crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2012-1134, CVE-2012-1136, CVE-2012-1142, CVE-2012-1144)

If a specially-crafted font file was loaded by an application linked against FreeType, it could cause the application to crash. (CVE-2012-1126, CVE-2012-1127, CVE-2012-1130, CVE-2012-1131, CVE-2012-1132, CVE-2012-1137, CVE-2012-1139, CVE-2012-1140, CVE-2012-1141, CVE-2012-1143)

Workaround:
Install the hotfix.


365219-5 : Trust upgrade fails when upgrading from version 10.x to version 11.x.

Component: TMOS

Symptoms:
Trust upgrade fails when upgrading from version 10.x to version 11.x. The upgrade fails without apparent error, but there will be one of the two following error messages in /var/log/ltm log:

-- com.f5.devmgmt.certmgmt.TrustConfigUpdateForHAPairTask.run(TrustConfigUpdateForHAPairTask.java:425): Trust configuration update for HA Pair has failed: [STACK TRACE: {java.lang.Exception: Config sync password is invalid.}{ at com.f5.devmgmt.certmgmt.TrustConfigUpdateForHAPairTask.run(TrustConfigUpdateForHAPairTask.java:200)}.

-- devmgmtd[7983]: 015a0000:3: Trust Config Update: [TrustConfigUpdateForHAPair.cpp:521 ] Skipping already-completed trust.

Conditions:
Upgrading high availability version 10.x configurations that use the factory default admin password.

Impact:
Trust upgrade for version 10.x high availability configuration fails.

Workaround:
Change the default admin password in the 10.x configuration before upgrading to 11.0.0.

Fix:
Upgrades of high availability configurations from version 10.x to version 11.x or later now succeed, even if the 10.x system was still using the factory default admin password. It is recommended that you change the default admin password before deployment.


355661-4 : sod logs error 010c003b:3: bind fails on recv_sock_fd, Cannot assign requested address

Component: TMOS

Symptoms:
During system startup, particularly after an upgrade or 'load sys config', the sod daemon will repeatedly log errors failing to bind() to the appliance management address to listen for network failover packets. This is caused by a race condition between the chassis management daemon programming the management port address and the failover daemon attempting to access that address.

Conditions:
The management address is configured as a device unicast address.

Impact:
Excessive logging traffic at error level for a valid configuration.

Workaround:
None.

Fix:
The sod daemon has been modified to validate the unicast addresses against the configured management addresses and non-floating self-IPs, and retries the bind() without logging an error if a race condition occurs. The daemon now reports when it is successfully listening on each of the configured unicast addresses, and only logs bind() errors if the configured address is invalid, which is correct behavior.




Cumulative fixes from BIG-IP v11.2.1 Hotfix 15 that are included in this release

Note: F5 has recently changed the bug numbering scheme in our bug tracking database. Now all bugs have a single version assigned to them and so bugs can now have sub bugs denoted by a '-' and then the sub bug number, i.e. 404716-4 with 404716 being the parent bug. The release notes for previous rollups will also reflect this change so some bugs may now contain a sub bug prefix.

TMOS Fixes

ID Number Description
534630-2 Upgrade BIND to address CVE 2015-5477
530744-1 kernel.ntp: livelock in leapsecond insertion :: watchdog reboots
529509-2 CVE 2015-4620 BIND vulnerability
527630-7 CVE-2015-1788 : OpenSSL Vulnerability
523863-3 istats help not clear for negative increment
523032-2 qemu-kvm VENOM vulnerability CVE-2015-3456
519877-5 External pluggable module interfaces not disabled correctly.
517578-4 statsd crash when failed to open stats files
513916-2 String iStat rollup not consistent with multiple blades
513454-4 An snmpwalk with a large configuration can take too long
513382-8 Resolution of multiple OpenSSL vulnerabilities
513341-3 CVE-2015-0292 : OpenSSL Vulnerability
507327-8 Programs that read stats can leak memory on errors reading files
483683-5 MCP continues running after "Unexpected exception caught in MCPProcessor::rm_DBLowHighWide" error
477281-7 Improved XML Parsing
476157-9 Fix for CVE-2014-4341, CVE-2014-4342, and CVE-2014-4343.
475647-5 VIPRION Host PIC firmware version 7.02 update
467022-6 11050 platform will not go active citing error 01071335:3: Invalid logical_disk (0) for application volume (mysqldb_.2).
466486-3 CVE-2014-0224: CCS vulnerability
465803-8 CVE-2014-0221 CVE-2014-0195: DTLS flaws
465009-4 VIPRION B2100-series LOP firmware version 2.10 update
464043-6 Integration of Firmware for the 2000 Series Blades
460444-5 VIPRION B4300 BIOS version 2.03.052.0 update
460428-5 BIG-IP 2000-/4000-series BIOS version 2.02.171.0 update
460406-5 VIPRION B2100-series BIOS version 1.06.043.0 update
451424-6 SNMP subagent/snmpd might restart under certain conditions
447075-7 CuSFP module plugged in during links-down state will cause remote link-up
436682-2 SFP modules shows a higher optical power output for disabled switch ports
429122-2 istatsd has high CPU usage when segment files get corrupted
428724-3 VIPRION Chassis Fantray PIC firmware version 4.00 update
428721-3 VIPRION Chassis Annunciator PIC firmware version 3.00 update
428718-3 VIPRION SPR PIC firmware version 3.00 update
426332-2 Load common partition, rule_event objects in other partitions are removed
421772-3 TMM cores when certain types of IPSec traffic(initiator) has to be moved between TMMs by CMP.
418329-1 Diskmonitor calculates incorrect alert and warning values
416292-7 MCPD can core as a result of another component shutting down prematurely
415616-1 qkview may generate error messages for very long file names
411838-1 TMSH list/show doesn't label vCMP and virtual-disks objects appropriately
410563-2 BIG-IP 2000-/4000-series CPLD version 0xA update
405752-4 Monitors sourced from specific source ports can fail
405067-3 System applies active bonus value when the HA score is zero
404716-2 Packet filtering and dropped decapsulated tunnel packets
399327-2 VIPRION B4200 HSB bitstream version 2.1.48.1 update
396818-2 Mezzanine HSB Bitstream v1.3.19.1 release for BIG-IP 8950 and 11050 appliances
388985-1 HSB v2.1.43.1 Bitstream release for BIG-IP 8900 and 8950 appliances
369460-2 Ability to delete SNMP configuration
364556-2 SNMP OID generation mechanism can cause premature OID truncation


Local Traffic Manager Fixes

ID Number Description
530829-4 UDP traffic sent to the host may leak memory under certain conditions.
523079-4 Merged may crash when file descriptors exhausted
518020-3 Improved handling of certain HTTP types.
508716-1 DNS cache resolver drops chunked TCP responses
504538 OneConnect and Least connections (member) lb mode does not balance load as expected
504306-5 https monitors might fail to re-use SSL sessions.
491030-9 Nitrox crypto accelerator can sometimes hang when encrypting SSL records
486066-4 TMM cored with Assertion "listener unbound" failed
478617-2 Don't include maximum TCP options length in calculating MSS on ICMP PMTU.
478439-2 Unnecessary re-transmission of packets on higher ICMP PMTU.
478257-2 Unnecessary re-transmission of packets on ICMP notifications even when MTU is not changed
474002-7 Server SSL profile unable to complete SSL handshake when server selects DHE-based key exchange, and is configured with 2048-bit or larger DH keys
472148-2 Highly fragmented SSL records can result in bad record errors on Nitrox based systems
470715 Excessive IP fragmentation on tmm_bp vlan causes ftp data loss when long vlan name is used
465908-6 CVE-2014-0224: behavior change
460197-4 BIG-IP Stratos 2200s and 4200v LTM xdata memory leak
457934 SSL Persistence Profile Causing High CPU Usage
455553-6 ICMP PMTU handling causes multiple retransmissions
454476-6 sometimes ssl sends an incorrect version in the alert
452516-9 Excessive memory consumption after extended use
451059-4 SSL server does not check and validate Change Cipher Spec payload.
449920-6 Memory leak using compression on BIG-IP 2000-series and 4000-series appliances
448606-4 tmm cores with panic string %slistener ref non-zero%s
443157-2 zxfrd might crash when the zone file (zxfrd.bin) is deleted from the directory /var/db
443098-8 Memory leakage when Proxy SSL feature enabled
439773-5 "Request for segment from middle of queue" condition converted to reset that particular flow instead of causing tmm core
437866-1 2000/4000 platform firmware error, number of active requests not decremented
437448-5 Rate limited pool member might stop accepting traffic under certain conditions
429952-2 tmm will loop in error handling with plugins
426600-3 tmm may loop with priority group and rate limit enabled
424379-7 TMM may reset when loading many FIPS keys
422314-2 Multicast IPv4 or IPv6 packets can erroneously be looped back to the transmitting SFP interface on 2000, 2200, 4000, 4200 platforms.
420330-2 TMM crash in SSL module with large amount of traffic
416536-1 Remote link status remains up after disabling blade connected via CuSFP
416443-2 TMM memory reaping can lead to crash
413236-2 SSL session ID reuse may fail if the Client SSL profile name is 32 characters or more
408958-3 Malformed SSL packet causes lockup
406224-1 TMM may crash on standby with mirroring enabled
384111-1 iRule nexthop cmd not compatible with other load balancing pick commands
383853-2 Added argument "eom" as valid for TCP::notify
381512 Bringing system down with active tcpdump causes tmm to core
374339-12 HTTP::respond/redirect might crash TMM under low-memory conditions
342013-3 TCP filter doesn't send keepalives in FIN_WAIT_2
336255-3 OneConnect Connection Limits with Narrow Source Address Masks
226892-10 Packet filter enabled, default action discard/reject and IP fragment drop


Global Traffic Manager Fixes

ID Number Description
420440-9 Multi-line TXT records truncated by ZoneRunner file import
225443-3 gtmparse fails to load if you add unsupported SIP monitor parameters to the config


Access Policy Manager Fixes

ID Number Description
477278-7 CVE-2014-6032 and CVE-2014-6033
477274-3 Buffer Overflow in MCPQ
441830-12 VPN driver installer was modified to support Windows 8.1
439280-3 Blue Screen error when installing VPN driver on Windows 8.1
436183-1 Fixed crash of PWS caused by incorrect usage
436180-2 Improved security around webcontrol installation
436177-1 Improved security around Endpoint security modules
429362-5 BIG-IP EDGE client for Windows creates new session when connectivity to server restored
428820-12 Blank gateway network access with two or more NICs.
421446-1 Fixed bug in APM which doesn't allow InstallerService to update.
394826-1 When using Active Directory module, password change may fail if UDP port 464 is unavailable


WebAccelerator Fixes

ID Number Description
522231-6 TMM may crash when a client resets a connection
511534-7 A large number of regular expressions in match rules on path-segments may cause an AAM policy to take too long to load,
439904-3 Wamd crashed after command 'tmsh restart sys service mcpd'
412089-1 WAM policy matching error when multiple regex rules match
400671-1 Issue with wamd when it cannot connect to MySQL
388751-1 With the wrong calculation of iov buffers from xbuf, TMM can crash.


Service Provider Fixes

ID Number Description
503676-7 SIP REFER, INFO, and UPDATE request do not trigger SIP_REQUEST or SIP_REQUEST_SEND iRule events
499701-2 SIP Filter drops UDP flow when ingressq len limit is reached.
482436-4 Inefficient handling of invalid SIP request
466761-1 Heartbeat, UDP packet with only double CRLF, on existing SIP flow results in connection loss.
455006-3 Invalid data is merged with next valid SIP message causing SIP connection failures



Cumulative fix details for BIG-IP v11.2.1 Hotfix 15 that are included in this release

534630-2 : Upgrade BIND to address CVE 2015-5477

Component: TMOS

Symptoms:
See SOL https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16909.html for complete information. BIND will issue a REQUIRE assert and exit under certain conditions. It will automatically be restarted by bigstart.

Conditions:
A deliberately constructed packet can exploit an error in the handling of queries for TKEY records, permitting denial of service.

Impact:
DNS resolutions that are answered by the on-box BIND server may be interrupted.

Workaround:
Please see F5 Solution SOL16909.

Fix:
BIND was upgraded, which addresses this vulnerability. F5 is less vulnerable than the industry rating due to system design.


530829-4 : UDP traffic sent to the host may leak memory under certain conditions.

Component: Local Traffic Manager

Symptoms:
Possible memory leak with UDP traffic.

Conditions:
When UDP traffic is sent to the host.

Impact:
If memory leak becomes large enough over time, there could be a reboot.

Workaround:
Block UDP traffic to the host.

Fix:
Memory no longer leaks when UDP traffic is sent to the host.


530744-1 : kernel.ntp: livelock in leapsecond insertion :: watchdog reboots

Component: TMOS

Symptoms:
On rare occasions systems hang due to leap-second livelock. As a result of this issue, you may encounter one or more of the following symptoms:
-- The BIG-IP system fails to process traffic for a brief period of time.
-- The BIG-IP system fails over to another host in the device group.
-- Error messages similar to the following example may appear in the /var/log/daemon.log file:
   notice ntpd[6789]: kernel time sync enabled
Error messages similar to the following example appear in the /var/log/ltm file:
   notice boot_marker : ---===[ MD1.2 - BIG-IP 11.3.0 Build 3158.21 ]===---
   chmand[6586]: 012a0005:5: CPLD indicates prior Host CPU subsystem reset
   chmand[6587]: 012a0005:5: Host CPU subsystem reset - PCI reset asserted
   chmand[6588]: 012a0005:5: Host CPU subsystem reset caused by a Southbridge system reset
   chmand[6589]: 012a0004:4: Host CPU subsystem reset caused by *** Super I/O watchdog timeout ***

Conditions:
During the 24-hour window leading up to a leap second event, a Red Hat kernel livelock condition may occur. As a result, the BIG-IP hardware watchdog will trigger a reboot to allow the system to recover. This occurs due to the Red Hat kernel-based livelock condition referenced by the following link: https://rhn.redhat.com/errata/RHBA-2012-1198.html

Impact:
BIG-IP system will restart.

Workaround:
Once affected, running this command resets the clock and eliminates the issue: date -s "$( date )". You can read more about this issue in SOL16839: The BIG-IP system may reboot when configured to synchronize its clock with an NTP server, available here: https://support.f5.com/kb/en-us/solutions/public/16000/800/sol16839.html, and on the Red Hat site, here: https://access.redhat.com/solutions/154713.

Fix:
The issue resulting from NTP inserting the leap second has been resolved.


529509-2 : CVE 2015-4620 BIND vulnerability

Component: TMOS

Symptoms:
A flaw was found in the way BIND performed DNSSEC validation.

Conditions:
Red Hat Product Security has rated this update as having Important security impact. Due to F5 architecture and design, this has restricted impact: it can only impact GTM, and only in a non-default configuration.

Impact:
An attacker able to make BIND (functioning as a DNS resolver with DNSSEC validation enabled) resolve a name in an attacker-controlled domain could cause named to exit unexpectedly with an assertion failure. (CVE-2015-4620)

Workaround:

Fix:
Upgrade to the latest version.


527630-7 : CVE-2015-1788 : OpenSSL Vulnerability

Component: TMOS

Symptoms:
https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16938.html

Conditions:
See F5 Solution for complete information. https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16938.html

Impact:
A potential denial-of-service (DoS) by way of a session that uses an Elliptic Curve algorithm against a server that supports client authentication.

Workaround:


523863-3 : istats help not clear for negative increment

Component: TMOS

Symptoms:
The help for the istats command line tool was not clear on how to specify a negative increment for a gauge iStat.

Conditions:
Try to increment a gauge iStat by a negative amount using the istats command line tool.

Impact:
The Bash shell would print a cryptic error, and the help did not clarify how to make it work.

Workaround:
Research bash shell options for the cryptic error.

Fix:
The help for the istats command line was augmented to clearly state that the double-dash option should be specified before the negative number.


523079-4 : Merged may crash when file descriptors exhausted

Component: Local Traffic Manager

Symptoms:
The merged daemon crashes.

Conditions:
The limit on file descriptors is exceeded.

Impact:
Merged crashes leaving a core file. The collection of system stats and merging of blade stats will not work until merged restarts.

Workaround:
Monitor the system file descriptor use and avoid exceeding the limit.

Fix:
Fixed a crash bug in Merged.


523032-2 : qemu-kvm VENOM vulnerability CVE-2015-3456

Component: TMOS

Symptoms:
A vCMP hosted guest may be able to execute code in the context of the vCMP host hypervisor.

Conditions:
An attacker with root access on a vCMP guest may be able to crash the guest instance and/or execute code in the context of the vCMP hypervisor.

Impact:
An attacker in a vCMP guest can crash the guest system and/or execute code in the context of the hypervisor.

Workaround:
None.

Fix:
Integrated fixes to resolve CVE-2015-3456.


522231-6 : TMM may crash when a client resets a connection

Component: WebAccelerator

Symptoms:
When a client resets a connection while AAM is preparing to serve a response from cache, TMM may crash, causing failover and restart of AAM. A profile on a virtual from another BIG-IP module (other than AAM and LTM) may contribute to the issue.

Conditions:
1) AAM must be provisioned. 2) A response to the requested URL must be cached and fresh. 3) Client resets a connection immediately after the request is done and the response has not started to serve.

Impact:
TMM crashes when the issue occurs causing failover for a high availability group or service disruption on a standalone device or temporary load increase if the device is a member of a cluster (AAM farm, for example).

Workaround:
Install the fix.

Fix:
Fix removes the condition when AAM starts to serve the response to the already aborting connection.


519877-5 : External pluggable module interfaces not disabled correctly.

Component: TMOS

Symptoms:
External pluggable module interface may show link UP status, when administratively disabled.

Conditions:
Disable any external pluggable module interface that is connected to an enabled peer interface.

Impact:
Disabled external pluggable module interface may link UP and potentially pass traffic.

Workaround:

Fix:
Software fix prevents disabled external pluggable module interface from being re-enabled, as a result of periodic linkscan operations.


518020-3 : Improved handling of certain HTTP types.

Component: Local Traffic Manager

Symptoms:
Improperly formatted HTTP connection through BIG-IP may cause the connection to hang and eventually timeout.

Conditions:
If the HTTP version token in the request is improperly crafted, BIG-IP ends up treating the request as HTTP 0.9. Hence any data after the first CRLF is held back by BIG-IP due to pipeline handling, and is not passed to the backend server. If the backend server is Apache or IIS, this improperly crafted HTTP request line causes the request to be treated as 1.1, and both the servers wait for the Host header and CRLFs. Since no data is forthcoming, the connection hangs and the backend servers timeout the connection a few seconds later. F5 Networks would like to acknowledge Eitan Caspi, Security Researcher of Liacom Systems, Israel for bringing this to our attention.

Impact:
This has the potential to exhaust the number of connections at the backend.

Workaround:
Mitigations:
1) iRule that can drop the connections after a specified amount of idle time.
2) iRule to validate the request line and fix it.
3) Tuning of profile timeouts.
4) ASM prevents this issue.

Fix:
This release has improved handling of certain HTTP types, so that an HTTP request with a version token that is not properly crafted is no longer treated as HTTP 0.9. This has the effect of all of the request data being forwarded to the backend.


517578-4 : statsd crash when failed to open stats files

Component: TMOS

Symptoms:
When certain errors occur trying to open stats files, the statsd daemon could crash calling tmidx_free.

Conditions:
Something like permissions, file descriptor exhaustion, etc. that could lead to an error opening stats files.

Impact:
The statsd daemon crashes leaving a core file and a gap in collecting systems stats and historical stats.

Workaround:
none

Fix:
A logic error on an error path was fixed.


513916-2 : String iStat rollup not consistent with multiple blades

Component: TMOS

Symptoms:
An iStat of type string does not merge consistently in a multi-bladed chassis, so the value read on different blades at the same time may differ.

Conditions:
The iStat must be of type string, and the chassis must have multiple blades.

Impact:
The value of the iStat after the merge differs on different blades.

Workaround:
Use clsh to write the string iStat value to all blades together.

Fix:
The rollup of strings is based on a timestamp of the last update, but this value was not preserved through the first level of merge so the second level done on each blade was arbitrary. Now, the value is preserved, so the iStat value for multiple blades is correct.


513454-4 : An snmpwalk with a large configuration can take too long

Component: TMOS

Symptoms:
The snmpwalk will fail and the mcpd daemon could be restarted.

Conditions:
The configuration must be large so that the number of configured items related to the snmpwalk are in the tens of thousands.

Impact:
Failure to read SNMP data, mcpd restart and temporary loss of service.

Workaround:
Spread the configuration among more BIG-IPs or avoid running snmpwalks.

Fix:
Cache internal query data to optimize statistical queries.


513382-8 : Resolution of multiple OpenSSL vulnerabilities

Component: TMOS

Symptoms:
Resolved multiple vulnerabilities in OpenSSL. CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, CVE-2015-0293, CVE-2015-0209, CVE-2015-0288

Conditions:
None.

Impact:
Update of OpenSSL to resolve multiple vulnerabilities.

Workaround:

Fix:
Resolved multiple vulnerabilities in OpenSSL. CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, CVE-2015-0293, CVE-2015-0209, CVE-2015-0288


513341-3 : CVE-2015-0292 : OpenSSL Vulnerability

Component: TMOS

Symptoms:
Low rated vulnerability. See SOL4602 for vulnerability response.

Conditions:
Requires reading a specifically crafted PEM file. It doesn't affect external functionality.

Impact:
This issue affects OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

Workaround:


511534-7 : A large number of regular expressions in match rules on path-segments may cause an AAM policy to take too long to load,

Component: WebAccelerator

Symptoms:
When loading an AAM policy, the tmm compiles the rules to an internal structure that is efficient for execution. Some conditions however may cause this process to take too long and the tmm gets halted before the system has finished compiling the policy.

Conditions:
The compilation time increases dramatically when regular expressions are used on more than one or two operands. Since you can have conditions on many different path-segments (e.g., the 1st, 2nd, 3rd, etc.), using regular expressions on path-segments is a likely way to trigger this condition.

Impact:
The compilation time increases dramatically when regular expressions are used on more than one or two operands. Since conditions might exist on many different path-segments (e.g., the 1st, 2nd, 3rd, etc.), using regular expression on path-segments is a likely way to trigger this condition.

Workaround:
None.

Fix:
Now, you can prevent AAM policy compilation from taking too long by turning the regular expression into plain matches using the '\' character to escape those symbols that turn a string into a regular expression. For example, previously, 'favicon.ico' was treated as a regular expression because '.' means 'any character'. Now the user can specify 'favicon\\.ico' (double '\' required by tmsh), which causes the '.' to mean the period character, thus avoiding the (unintended) regular expression.


508716-1 : DNS cache resolver drops chunked TCP responses

Component: Local Traffic Manager

Symptoms:
DNS cache resolver drops chunked TCP responses

Conditions:
If the cache resolver uses TCP to resolve a query, and a nameserver does not include the complete reply in the first TCP segment.

Impact:
The response will be discarded, the connection dropped, and the query retried

Workaround:

Fix:
DNS cache resolver no longer drops chunked TCP responses


507327-8 : Programs that read stats can leak memory on errors reading files

Component: TMOS

Symptoms:
Daemons that read statistics might leak memory over time so the amount of memory they use continues to grow.

Conditions:
There is an error reading a statistics file. For example, permissions on the file or directory prohibit access.

Impact:
Eventually the daemon or system might run out of memory.

Workaround:
Remove anything causing an error reading a stats file such as deleting unneeded files or fixing permissions.

Fix:
A memory leak reading stats has been fixed.


504538 : OneConnect and Least connections (member) lb mode does not balance load as expected

Component: Local Traffic Manager

Symptoms:
OneConnect and Least connections (member) lb mode does not balance load as expected.

Conditions:
OneConnect and Least connections (member) lb mode.

Impact:
Connection distribution is skewed.

Workaround:
Disable OneConnect.

Fix:
OneConnect and Least connections (member) lb mode now distributes connections equally.


504306-5 : https monitors might fail to re-use SSL sessions.

Component: Local Traffic Manager

Symptoms:
SSL handshakes for https monitors might fail to correctly re-use SSL session IDs.

Conditions:
A configuration that utilizes https monitors to servers that implement an SSL session cache. More servers utilizing the same https monitor make the problem more likely to occur. For the monitor flapping or false negative symptom in 11.5.0 or higher, a monitor must be configured for a combination of TLS 1.0 and TLS 1.2 servers.

Impact:
The bigd process might consume more CPU than necessary because it might always be performing complete SSL handshakes with monitored servers. BIG-IP version 11.5.0 or higher in environments with both TLS 1.0 and TLS 1.2 servers that perform SSL session caching may experience monitor flapping or servers that are marked down unexpectedly.

Workaround:
None.

Fix:
https monitors now properly perform SSL session re-use.


503676-7 : SIP REFER, INFO, and UPDATE request do not trigger SIP_REQUEST or SIP_REQUEST_SEND iRule events

Component: Service Provider

Symptoms:
SIP REFER, INFO, and UPDATE requests do not trigger iRule events.

Conditions:
This occurs when the following conditions are met:
-- Virtual server has a SIP profile.
-- Virtual server has iRule(s) containing SIP_REQUEST or SIP_REQUEST_SEND events.
-- SIP REFER, INFO, or UPDATE request is received on the virtual server.

Impact:
iRule event is not executed.

Workaround:
none

Fix:
SIP REFER, INFO, and UPDATE requests now trigger the SIP_REQUEST and SIP_REQUEST_SEND iRule events. This is the correct behavior.


499701-2 : SIP Filter drops UDP flow when ingressq len limit is reached.

Component: Service Provider

Symptoms:
UDP stats shows increase in the number of flows and valid SIP messages are dropped.

Conditions:
This occurs when an iRule processing delay occurs (session db operations) combined with increase in the SIP incoming flow.

Impact:
SIP UDP flows are dropped.

Workaround:
None.

Fix:
The SIP UDP flow now remains when the ingress len limit is reached.


491030-9 : Nitrox crypto accelerator can sometimes hang when encrypting SSL records

Component: Local Traffic Manager

Symptoms:
Sometimes when encrypting certain SSL records, the Cavium Nitrox crypto accelerator can hang with the LTM log message "request queue stuck".

Conditions:
Certain SSL records on a system with a Cavium Nitrox card.

Impact:
Nitrox crypto accelerator can hang.

Workaround:
This issue has no workaround at this time.

Fix:
The Nitrox crypto accelerator will no longer hang with certain SSL records.


486066-4 : TMM cored with Assertion "listener unbound" failed

Component: Local Traffic Manager

Symptoms:
TMM CORE panic: ../base/listener.c:303:Assertion "listener unbound" failed

Conditions:
LTM has virtual servers configured with clone-pools.

Impact:
TMM restarting, traffic affected.

Workaround:
This issue has no workaround at this time.

Fix:
TMM does not core


483683-5 : MCP continues running after "Unexpected exception caught in MCPProcessor::rm_DBLowHighWide" error

Component: TMOS

Symptoms:
"Unexpected exception caught in MCPProcessor::rm_DBLowHighWide" error on secondary blades when starting up. When this happens, MCP is left in a bad state and several issues (not obviously related to this error) can occur.

Conditions:
Only occurs on a chassis system, and only on secondary blades.

Impact:
This error is the precursor to bad behavior on the system. The exact issues seen are hard to quantify, as they vary depending on what state MCP's database is in when the exception is thrown.

Workaround:

Fix:
Added code to catch exceptions in rm_DBLowHighWide. We now delete the binary MCP database when an exception is caught, and restart MCP. This restart without a binary database bypasses rm_DBLowHighWide and allows the secondary MCP to receive its configuration from the primary MCP.


482436-4 : Inefficient handling of invalid SIP request

Component: Service Provider

Symptoms:
Potentially CPU impacting.

Conditions:
Invalid SIP request may require more CPU than necessary.

Impact:
High CPU usage.

Workaround:
None.

Fix:
Improved security of invalid SIP messages.


478617-2 : Don't include maximum TCP options length in calculating MSS on ICMP PMTU.

Component: Local Traffic Manager

Symptoms:
TCP segment size is 40 bytes less.

Conditions:
ICMP implementation using Path MTU (PMTU)

Impact:
The impact of this issue is less data per TCP segment.

Workaround:
Disable Path MTU Discovery by doing the following, "tmsh modify sys db tm.enforcepathmtu value disable"

Fix:
Don't include maximum TCP options length in calculating MSS on ICMP PMTU.


478439-2 : Unnecessary re-transmission of packets on higher ICMP PMTU.

Component: Local Traffic Manager

Symptoms:
LTM re-transmits TCP segments even when ICMP Path maximum transmission unit (PMTU) is higher than existing MTU.

Conditions:
ICMP PMTU is higher than existing MTU.

Impact:
Burst traffic generated.

Workaround:
Disable Path MTU Discovery by entering the command: tmsh modify sys db tm.enforcepathmtu value disable.

Fix:
Fixed unnecessary re-transmission of packets on higher ICMP Path maximum transmission unit (PMTU).


478257-2 : Unnecessary re-transmission of packets on ICMP notifications even when MTU is not changed

Component: Local Traffic Manager

Symptoms:
Re-transmission of fragment needed packets.

Conditions:
Multiple ICMP Destination Unreachable with Fragmentation needed code messages.

Impact:
Burst traffic generated.

Workaround:
Disable Path MTU Discovery by doing the following, "tmsh modify sys db tm.enforcepathmtu value disable"

Fix:
Don't re-transmit packets if the MTU is not changed.


477281-7 : Improved XML Parsing

Component: TMOS

Symptoms:
With certain requests, XML parsing improperly returns the incorrect document.

Conditions:
A certain set of parameters are sent to pages which utilize DocumentBuilderFactory to process and return XML documents.

Impact:
The document that was requested is not returned. Another document is returned instead.

Workaround:
None.

Fix:
XML Parser configuration was changed to ensure only correct documents are returned to all requests.


477278-7 : CVE-2014-6032 and CVE-2014-6033

Component: Access Policy Manager

Symptoms:
This release fixes CVE-2014-6032 and CVE-2014-6033.

Conditions:

Impact:
Potential base OS vulnerability; with the fix, the system is no longer susceptible.

Workaround:
None.

Fix:
This release fixes CVE-2014-6032 and CVE-2014-6033.


477274-3 : Buffer Overflow in MCPQ

Component: Access Policy Manager

Symptoms:
MCPQ crashes with core shown in "dmesg" or /var/log/kern.log, when user sends POST query with invalid parameters in several places, and with large POST body.

Conditions:
supply "func=stat&obj1=<large text>" Or "function=<large text>"

Impact:
MCPQ becomes unavailable and cannot serve XUI pages while it is down (before it is restarted)

Workaround:
None

Fix:
Issue Fixed. A crash in mcpq from bad user input is now prevented.


476157-9 : Fix for CVE-2014-4341, CVE-2014-4342, and CVE-2014-4343.

Component: TMOS

Symptoms:
Vulnerabilities from upstream vendor that need to be fixed.

Conditions:

Impact:
Potential attack vectors on the base OS that could be utilized by an attacker.

Workaround:

Fix:
This release fixes CVE-2014-4341, CVE-2014-4342, and CVE-2014-4343.


475647-5 : VIPRION Host PIC firmware version 7.02 update

Component: TMOS

Symptoms:
Correctly report part numbers of current-manufacture VIPRION B4300 series blades (part numbers 400-0076-00 and 400-0077-00).

Conditions:
Affects VIPRION B4300 series blades.

Impact:
Features of current-manufacture VIPRION B4300 series blades (part numbers 400-0076-00 and 400-0077-00) may not be properly supported by the BIG-IP software.

Workaround:
None.

Fix:
VIPRION Host PIC firmware version 7.02 update now supports all expected BIG-IP software features on VIPRION B4300 blades.


474002-7 : Server SSL profile unable to complete SSL handshake when server selects DHE-based key exchange, and is configured with 2048-bit or larger DH keys

Component: Local Traffic Manager

Symptoms:
If a BIG-IP virtual server is configured with a Server SSL profile, and a pool member or server selects a DHE-based ciphersuite (e.g. DHE-RSA-AES128-SHA), the BIG-IP system might not successfully complete an SSL handshake with the server.

Conditions:
This occurs when the following conditions exist: - HTTPS Pool member or server. - Virtual server with Server SSL profile. - Server is configured with 2048-bit or larger Diffie-Hellman keys.

Impact:
Traffic to affected pool members fails, although the pool members are marked up by HTTPS monitors.

Workaround:
Either disable the use of ephemeral Diffie-Hellman (DHE) key exchange on the backend servers, select a smaller set of DH parameters on the backend servers, or disable DHE ciphersuites in affected virtual servers' Server SSL profiles.

Fix:
BIG-IP system now successfully completes an SSL handshake with a server that is using Diffie-Hellman parameters that are 2048-bits or larger.


472148-2 : Highly fragmented SSL records can result in bad record errors on Nitrox based systems

Component: Local Traffic Manager

Symptoms:
If a highly fragmented SSL record is decrypted by a system with a Cavium Nitrox card, the system will incorrectly respond with a bad SSL record error.

Conditions:
Highly fragmented SSL records and a system with a Cavium Nitrox card.

Impact:
Lost SSL connections.

Workaround:
This issue has no workaround at this time.

Fix:
The Nitrox driver was updated to properly handle highly fragmented SSL records.


470715 : Excessive IP fragmentation on tmm_bp vlan causes ftp data loss when long vlan name is used

Component: Local Traffic Manager

Symptoms:
When a very long vlan name (>= 16 characters including the /Common/ folder name prefix) is used, the maximum-size packet on the tmm_bp vlan exceeds the configured MTU size of 1582 if the packet is forwarded through the MPI channel. This causes excessive IP fragmentation on the tmm_bp vlan and high CPU usage. In some cases it also causes packet loss.

Conditions:
Long vlan names (16 characters or longer) are being used.

Impact:
This can cause excessive IP fragmentation on tmm_bp vlan and high cpu usage. In some cases it would also cause packet loss.

Workaround:
Use shorter vlan names.

Fix:
A new db variable, vlan.backplane.mtu, was added to configure the tmm_bp vlan MTU size; it defaults to 1640.


467022-6 : 11050 platform will not go active citing error 01071335:3: Invalid logical_disk (0) for application volume (mysqldb_.2).

Component: TMOS

Symptoms:
When booting an affected release, the system will not go active and mcpd will not come up. In /var/log/ltm, an error similar to the following will be seen. err mcpd[1234]: 01071335:3: Invalid logical_disk (0) for application volume (mysqldb_.2). This causes the system to have an inconsistent view of the disks and subsequent steps in the boot process fail to complete.

Conditions:
This only happens on the 11050 platform running an affected release. It occurs on boot into TMOS.

Impact:
The system will not go active.

Workaround:
If there is a duplicate platform name in /etc/hal/platform-capabilities.xml, the xml file is loaded improperly, which causes problems. Specifically, the software raid capability of the 11050 is not detected properly. The fix is to manually edit the /etc/hal/platform-capabilities.xml file, resolve this conflict, and then reboot. Changing the 11050 NEBS platform name to "BIG-IP 11050N" works around the issue.

/etc/hal/platform-capabilities.xml:

---BEFORE---
    <platform name="BIG-IP 11050" pid="E102" > <!-- Turbo Apollo -->
        <raid type="software" />
    </platform>
    <platform name="BIG-IP 11050" pid="E103" > <!-- Turbo Apollo NEBS -->    <------ Duplicate entry
        <raid type="software" />
        <nebs value="true" />
    </platform>

---AFTER---
    <platform name="BIG-IP 11050" pid="E102" > <!-- Turbo Apollo -->
        <raid type="software" />
    </platform>
    <platform name="BIG-IP 11050N" pid="E103" > <!-- Turbo Apollo NEBS -->    <------ fixed entry
        <raid type="software" />
        <nebs value="true" />
    </platform>

All you need to do is add an "N", changing the platform name for Turbo Apollo NEBS to "BIG-IP 11050N", which resolves the conflict. After making the change, save the file, reboot the box, and it should come up normally.

Fix:
The platform capabilities file which was causing this issue has been modified to allow the system to go active normally.
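
A check for the duplicate-name condition described in the 467022-6 workaround, as an added example that is not F5's code: it lists every platform name used by more than one <platform> entry. The <platforms> wrapper element in the constructed samples is an assumption; the page shows only the <platform> entries.

```python
import sys
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample modelled on the BEFORE excerpt in the workaround.
# The <platforms> root element is an assumption (the page shows only the
# <platform> entries); the "<------" annotations are left out because they
# are not part of the XML.
SAMPLE_BEFORE = """\
<platforms>
  <platform name="BIG-IP 11050" pid="E102" > <!-- Turbo Apollo -->
    <raid type="software" />
  </platform>
  <platform name="BIG-IP 11050" pid="E103" > <!-- Turbo Apollo NEBS -->
    <raid type="software" />
    <nebs value="true" />
  </platform>
</platforms>
"""

# The same sample after the edit the workaround describes (add an "N").
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    'name="BIG-IP 11050" pid="E103"', 'name="BIG-IP 11050N" pid="E103"'
)


def find_duplicate_platform_names(xml_text):
    """Return {name: [pid, ...]} for each platform name used more than once.

    Names are compared exactly as written, and pids are listed in document
    order so the conflicting entries are easy to locate in the file.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError("not well-formed XML: %s" % exc)

    pids_by_name = defaultdict(list)
    # iter() walks the whole tree, so the check does not depend on how
    # deeply the <platform> elements are nested under the root.
    for platform in root.iter("platform"):
        name = platform.get("name")
        if name is None:
            continue  # an entry without a name cannot collide by name
        pids_by_name[name].append(platform.get("pid"))

    return {name: pids for name, pids in pids_by_name.items() if len(pids) > 1}


def report(xml_text):
    """Return one human-readable line per conflicting platform name."""
    lines = []
    for name, pids in sorted(find_duplicate_platform_names(xml_text).items()):
        shown = ", ".join(pid if pid is not None else "(no pid)" for pid in pids)
        lines.append('duplicate platform name "%s" used by pid %s' % (name, shown))
    return lines


if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "r") as handle:
            findings = report(handle.read())
        print("\n".join(findings) if findings else "no duplicate platform names")
        sys.exit(1 if findings else 0)
    print("BEFORE:", report(SAMPLE_BEFORE))
    print("AFTER: ", report(SAMPLE_AFTER))
```

Run with the path to a copy of platform-capabilities.xml as the only argument; the exit status is 1 when a conflict is found.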


466761-1 : Heartbeat, UDP packet with only double CRLF, on existing SIP flow results in connection loss.

Component: Service Provider

Symptoms:
Heartbeat, UDP packet with only double CRLF, on existing SIP flow might result in connection loss.

Conditions:
SIP heartbeat message, a UDP packet with double CRLF, sent by the client to the server.

Impact:
Connection might be terminated.

Workaround:
None.

Fix:
The heartbeat SIP message, which is a UDP packet with CRLF, is ignored and connection is maintained.


466486-3 : CVE-2014-0224: CCS vulnerability

Component: TMOS

Symptoms:
An early change cipher spec message could result in a man-in-the-middle attack against OpenSSL 0.9.8 servers. The management GUI uses OpenSSL 0.9.8 on 11.4.0 and 11.4.1. This patch fixes OpenSSL so that it is not vulnerable to a MITM. BIG-IP virtual servers doing TLS termination are not vulnerable to the man-in-the-middle attack.

Conditions:
11.4.0 and 11.4.1 are only vulnerable on the management port.

Impact:
Potentially vulnerable to listed CVE.

Workaround:

Fix:
OpenSSL has been upgraded to eliminate the man-in-the-middle attack.


465908-6 : CVE-2014-0224: behavior change

Component: Local Traffic Manager

Symptoms:
BIG-IP virtual servers doing TLS termination are not vulnerable to CVE-2014-0224. OpenSSL has made a change to disallow early change cipher spec messages. This fix imitates that behavior.

Conditions:
CCS (change-cipher-spec) is received before Client key exchange.

Impact:
An incorrect SSL message sequence should not be tolerated. In this case, CCS (change-cipher-spec) is received before Client key exchange.

Workaround:
N/A

Fix:
BIG-IP TLS virtual servers will now reject the connection when an early CCS message is received.


465803-8 : CVE-2014-0221 CVE-2014-0195: DTLS flaws

Component: TMOS

Symptoms:
CVE-2014-0221 CVE-2014-0195 are OpenSSL flaws in the DTLS implementation. BIG-IP does not have any DTLS servers. BIG-IP does not by default have any DTLS clients, but some may be configured by customers. These clients might be vulnerable.

Conditions:
BIG-IP virtual servers doing DTLS termination are vulnerable only with configured COMPAT ciphers.

Impact:
Vulnerable to CVE-2014-0221 CVE-2014-0195.

Workaround:

Fix:
OpenSSL is updated to fix CVE-2014-0221 and CVE-2014-0195.


465009-4 : VIPRION B2100-series LOP firmware version 2.10 update

Component: TMOS

Symptoms:
Booting the blade via PXE results in garbled PXE menu. (ID464614)

Conditions:
VIPRION B2100 and B2150 blades with LOP firmware version 2.09.

Impact:
PXE menu display is garbled, although it responds correctly to correct inputs.

Workaround:


464043-6 : Integration of Firmware for the 2000 Series Blades

Component: TMOS

Symptoms:
Integration of Firmware for the 2000 Series Blades.

Conditions:
When firmware has changes that benefit platforms, it is internally released and updated in the latest version of software.

Impact:
This will improve functioning of the hardware.

Workaround:
None. This is an action item.

Fix:
Integration of Firmware for the 2000 Series Blades.


460444-5 : VIPRION B4300 BIOS version 2.03.052.0 update

Component: TMOS

Symptoms:
1. The Disk Erase operation takes longer than expected, and may time out before completion. The Disk Erase progress bar may show 100% with 1 minute still remaining. 2. Pressing the ESC key at Disk Erase confirmation dialogs results in continuation. Pressing the ESC key in the Disk Erase intermittently causes the highlighted action to be performed. (ID458683-2)

Conditions:
Affects VIPRION B4300 series blades.

Impact:
1. The Disk Erase operation may time out before completion. The Disk Erase progress bar may show 100% completion prematurely. 2. Disk Erase operations may be initiated unintentionally. (ID458683-2)

Workaround:


460428-5 : BIG-IP 2000-/4000-series BIOS version 2.02.171.0 update

Component: TMOS

Symptoms:
1. The Disk Erase operation takes longer than expected, and may time out before completion. The Disk Erase progress bar may show 100% with 1 minute still remaining. 2. Pressing the ESC key at Disk Erase confirmation dialogs results in continuation. Pressing the ESC key in the Disk Erase intermittently causes the highlighted action to be performed. (ID458683-4)

Conditions:
Affects BIG-IP 2000-/4000-series appliances.

Impact:
1. The Disk Erase operation may time out before completion. The Disk Erase progress bar may show 100% completion prematurely. 2. Disk Erase operations may be initiated unintentionally. (ID458683-4)

Workaround:


460406-5 : VIPRION B2100-series BIOS version 1.06.043.0 update

Component: TMOS

Symptoms:
1. The Disk Erase operation takes longer than expected, and may time out before completion. The Disk Erase progress bar may show 100% with 1 minute still remaining. 2. Pressing the ESC key at Disk Erase confirmation dialogs results in continuation. Pressing the ESC key in the Disk Erase intermittently causes the highlighted action to be performed. (ID458683-1)

Conditions:
Affects VIPRION B2100 and B2150 blades.

Impact:
1. The Disk Erase operation may time out before completion. The Disk Erase progress bar may show 100% completion prematurely. 2. Disk Erase operations may be initiated unintentionally. (ID458683-1)

Workaround:


460197-4 : BIG-IP Stratos 2200s and 4200v LTM xdata memory leak

Component: Local Traffic Manager

Symptoms:
This applies only to Stratos 2200s and 4200v platforms. Resetting connections with compressed content might not perform a complete clean-up.

Conditions:
Manifests when there is a reset on the flow. The resets slowly accumulate xfrags and active_requests.

Impact:
The incomplete reset results in orphaned xfrags and active_requests growing without bound. New requests on the affected virtual server will stall.

Workaround:
none

Fix:
active_requests is updated when a flow using hardware acceleration is reset.


457934 : SSL Persistence Profile Causing High CPU Usage

Component: Local Traffic Manager

Symptoms:
Some connections through a virtual server using SSL persistence hang and cause a high CPU condition in tmm.

Conditions:
This occurs only when SSL persistence is configured as the default persistence profile, and there is a fallback profile of either source_addr or dest_addr.

Impact:
Large increase in CPU usage on the box, and a percentage of SSL connections through the virtual server are delayed and eventually reset.

Workaround:
None.

Fix:
SSL Persistence Profile now operates correctly, and does not cause high CPU usage.


455553-6 : ICMP PMTU handling causes multiple retransmissions

Component: Local Traffic Manager

Symptoms:
When an improperly large TCP Maximum Segment Size (MSS) triggers ICMP PMTU messages, TCP responds by resending the entire send queue with the new MSS.

Conditions:
This occurs when you configure a path with an MTU less than 1500 Bytes and attempt a file transfer with initcwnd greater than 1.

Impact:
Large amounts of duplicate retransmission.

Workaround:

Fix:
No multiple retransmission of the entire send queue when the MSS size is improperly large.


455006-3 : Invalid data is merged with next valid SIP message causing SIP connection failures

Component: Service Provider

Symptoms:
SIP phone connections fail.

Conditions:
SIP over UDP.

Impact:
SIP phone connections fail.

Workaround:
Create a packet filter to discard the invalid UDP datagrams.

Fix:
Invalid UDP datagrams that interfered with SIP processing are now dropped.


454476-6 : Sometimes SSL sends an incorrect version in the alert

Component: Local Traffic Manager

Symptoms:
When sending some alerts resulting from problems with the clienthello, the wrong TLS version is set in the header.

Conditions:
An error exists in the clienthello, notably a bad session ID.

Impact:
none

Workaround:

Fix:
In the event of an invalid parameter in the clienthello, the correct TLS version will be set in the alert.


452516-9 : Excessive memory consumption after extended use

Component: Local Traffic Manager

Symptoms:
Certain conditions can lead to excessive memory consumption. Excessive buffering results in performance drop, connections being dropped, and Out-of-memory core errors.

Conditions:
This can occur after a long period of time, such as a month or more.

Impact:
This might result in performance drop, connections being halted, and out-of-memory cores. Performance and stability can be impacted as well as full traffic-outages.

Workaround:
The command 'bigstart restart tmm' on the standby unit will clear up the condition.

Fix:
Memory usage has been improved for certain categories of connections that are not yet fully established.


451424-6 : SNMP subagent/snmpd might restart under certain conditions

Component: TMOS

Symptoms:
When an SNMP request is made to the BIG-IP system, snmpd decodes the request and sends a request to the process that supplies the data to answer the SNMP request.

Conditions:
This occurs when using SNMP.

Impact:
If the SNMP request times out before the process responds, the snmpd or SNMP subagent daemons might generate a core and restart. As a result, some data may be lost.

Workaround:
Restart snmpd using the command: bigstart restart snmpd.

Fix:
This release corrects a condition that could cause snmpd or SNMP subagent daemons to generate a core and restart.


451059-4 : SSL server does not check and validate Change Cipher Spec payload.

Component: Local Traffic Manager

Symptoms:
SSL server does not check and validate Change Cipher Spec payload.

Conditions:
This issue occurs when a clientssl profile is used.

Impact:
This issue has no impact.

Workaround:
This issue has no workaround.

Fix:
The clientssl profile (SSL server) now checks and validates the CCS payload received from the SSL client. It ensures that the CCS payload is a single byte of value '1'.
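
Added example (not F5 code, and not part of the original release note): a minimal Python check of a client's TLS record stream that enforces the two rules described for this fix and for the early-CCS fix above: the CCS payload must be the single byte 1, and in a full handshake CCS must not arrive before ClientKeyExchange. The function names, the resumed flag and the sample byte strings are constructed for illustration.

```python
import struct

CT_CCS, CT_HANDSHAKE = 20, 22                       # TLS record content types
HS_NAMES = {1: "client_hello", 16: "client_key_exchange"}


class HandshakeViolation(Exception):
    """The client's record stream must be rejected."""


def iter_records(stream):
    """Yield (content_type, payload) for each complete TLS record in stream."""
    off = 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise HandshakeViolation("truncated record header")
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        off += 5
        if len(stream) - off < length:
            raise HandshakeViolation("truncated record payload")
        yield ctype, stream[off:off + length]
        off += length


def check_client_records(stream, resumed=False):
    """Return the ordered list of client messages, or raise HandshakeViolation.

    resumed=True models an abbreviated handshake, where the client sends no
    ClientKeyExchange at all (assumption: the caller knows this from its
    session cache).
    """
    seen, hs_buf, ccs_seen = [], b"", False
    for ctype, payload in iter_records(stream):
        if ctype == CT_HANDSHAKE:
            if ccs_seen:
                # After CCS the handshake record (Finished) is encrypted;
                # it cannot be parsed without the keys, so only note it.
                seen.append("encrypted_handshake")
                continue
            hs_buf += payload                        # messages may span records
            while len(hs_buf) >= 4:
                msg_len = int.from_bytes(hs_buf[1:4], "big")
                if len(hs_buf) < 4 + msg_len:
                    break                            # wait for the next fragment
                seen.append(HS_NAMES.get(hs_buf[0], "handshake_%d" % hs_buf[0]))
                hs_buf = hs_buf[4 + msg_len:]
        elif ctype == CT_CCS:
            # Rule 1: the CCS payload is exactly one byte with value 1.
            if payload != b"\x01":
                raise HandshakeViolation(
                    "CCS payload is not a single byte of value 1")
            # Rule 2: in a full handshake, CCS follows ClientKeyExchange.
            if not resumed and "client_key_exchange" not in seen:
                raise HandshakeViolation(
                    "CCS received before ClientKeyExchange")
            ccs_seen = True
            seen.append("change_cipher_spec")
        # Other content types (alert, application data) are ignored here.
    return seen


def verdict(stream, resumed=False):
    """Return 'accept' or 'reject: <reason>' for a client record stream."""
    try:
        check_client_records(stream, resumed)
        return "accept"
    except HandshakeViolation as exc:
        return "reject: %s" % exc


def record(ctype, payload, version=0x0303):
    """Build one TLS record (helper for the constructed samples)."""
    return struct.pack("!BHH", ctype, version, len(payload)) + payload


def handshake(msg_type, body):
    """Build one plaintext handshake message (helper for the samples)."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


# Constructed sample streams; the message bodies are zero-filled placeholders.
HELLO = record(CT_HANDSHAKE, handshake(1, bytes(38)))
KEYX = record(CT_HANDSHAKE, handshake(16, bytes(130)))
FINISHED = record(CT_HANDSHAKE, bytes(40))           # opaque, "encrypted"
IN_ORDER = HELLO + KEYX + record(CT_CCS, b"\x01") + FINISHED
EARLY_CCS = HELLO + record(CT_CCS, b"\x01") + KEYX
BAD_PAYLOAD = HELLO + KEYX + record(CT_CCS, b"\x01\x01")

if __name__ == "__main__":
    for name, sample in (("in order", IN_ORDER), ("early CCS", EARLY_CCS),
                         ("bad CCS payload", BAD_PAYLOAD)):
        print("%-16s %s" % (name, verdict(sample)))
```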


449920-6 : Memory leak using compression on BIG-IP 2000-series and 4000-series appliances

Component: Local Traffic Manager

Symptoms:
While running BIG-IP on 2000-series and 4000-series appliances with compression enabled, xdata memory usage rapidly increases and can result in an out-of-memory condition and subsequent TMM core.

Conditions:
BIG-IP 2000-series and 4000-series appliances with compression enabled in an active profile.

Impact:
Performance degradation followed by out-of-memory condition and traffic outage due to TMM core.

Workaround:
n/a

Fix:
A memory leak using compression on BIG-IP 2000-series and 4000-series appliances was resolved.


448606-4 : tmm cores with panic string %slistener ref non-zero%s

Component: Local Traffic Manager

Symptoms:
The listener ref count might overflow and cause a TMM core and crash.

Conditions:
This intermittent issue occurs when the listener ref count increases and is never released.

Impact:
TMM cores with panic string tmm_panic ... %slistener ref non-zero%s.

Workaround:
None.

Fix:
The listener ref count no longer overflows and causes a TMM core and crash.


447075-7 : CuSFP module plugged in during links-down state will cause remote link-up

Component: TMOS

Symptoms:
If a CuSFP module is plugged into a port that is in a links-down state while connected via a cable to a remote switch or other network connection, the remote switch will report a links-up state. A port on the BIG-IP or VIPRION device may be in a links-down state while BIG-IP is not in a running state, or if the network interface has been administratively disabled.

Conditions:
Issue has been primarily observed with VIPRION B2100 or B2150 blades. However, the problem could potentially occur on other VIPRION blades or BIG-IP appliances which employ a Broadcom hardware switch (i.e., most F5 hardware products). BIG-IP appliances which do NOT employ a Broadcom hardware switch include: BIG-IP 2000-/4000-series appliances.

Impact:
The remote switch may erroneously attempt to direct traffic to what is seen as an active link, which the BIG-IP or VIPRION device will not be able to process.

Workaround:
You may work around this problem by any of the following methods: 1. Unplug the cable connecting the CuSFP (Copper SFP) module to the remote network connection before plugging the CuSFP into the port on the BIG-IP or VIPRION device. 2. Wait until the port on the BIG-IP or VIPRION device is in an enabled/links-up state before plugging in the CuSFP. 3. Enable the port on the BIG-IP or VIPRION device after plugging in the CuSFP.

Fix:
A remote network connection no longer shows as Up/Link when a CuSFP module is plugged into a port on a BIG-IP or VIPRION device that is in a links-down state, while connected via a cable to the remote switch/other network connection.


443157-2 : zxfrd might crash when the zone file (zxfrd.bin) is deleted from the directory /var/db

Component: Local Traffic Manager

Symptoms:
zxfrd might crash when the zone file zxfrd.bin is deleted and zxfrd is restarted.

Conditions:
Manually delete zxfrd.bin and restart zxfrd.

Impact:
The zxfrd daemon might crash.

Workaround:
Never manually delete zxfrd.bin.

Fix:
Manually deleting zxfrd.bin should no longer crash the zxfrd daemon.


443098-8 : Memory leakage when Proxy SSL feature enabled

Component: Local Traffic Manager

Symptoms:
When the ProxySSL feature is enabled, small amounts of memory used during connection handling is leaked. Over a long period of time, this leakage accumulates and causes memory pressure.

Conditions:
This occurs when the Proxy SSL feature is enabled.

Impact:
When this occurs, memory is leaked over time and eventually results in performance degradation and eventual traffic outage.

Workaround:
None.

Fix:
The Proxy SSL feature no longer leaks memory.


441830-12 : VPN driver installer was modified to support Windows 8.1

Component: Access Policy Manager

Symptoms:
If a user has an older VPN driver (older than 7060.2012.0322.2004, e.g. 7050,2011,607,846 10.2.4 HF7) and tries to update components by browser or package, the user gets an error that the modem (or other connecting device) is already in use or is not configured properly, or a BSOD.

Conditions:
This may happen if the user has Windows 8.0 and uses BIG-IP 10.2.4, and then upgrades Windows to 8.1 and at the same time upgrades BIG-IP to 11.5.0.

Impact:
This can cause the user's system to reboot.

Workaround:

Fix:
Incorrect overriding of VPN driver was causing BSOD. Old driver is now uninstalled before new one is installed.


439904-3 : Wamd crashed after command 'tmsh restart sys service mcpd'

Component: WebAccelerator

Symptoms:
Daemon wamd crashes when mcpd is not available.

Conditions:
AAM is provisioned and the mcpd daemon is restarting.

Impact:
Wamd crashes producing a core.

Workaround:
This issue has no workaround at this time.

Fix:
When mcpd goes down with AAM provisioned wamd no longer crashes when it tries to communicate with mcpd.


439773-5 : "Request for segment from middle of queue" condition converted to reset that particular flow instead of causing tmm core

Component: Local Traffic Manager

Symptoms:
TMM will core with panic string "Request for segment from middle of queue."

Conditions:
The conditions are infrequent and not all of them are known fully. TCP is in an invalid state for that particular flow, and this flow cannot continue anymore.

Impact:
Entire tmm will core due to one flow being in this invalid state.

Workaround:
This issue has no workaround at this time.

Fix:
The ASSERTing condition has been converted to RESET that particular flow with the RST cause "Request for segment from middle of queue." This has been decided to be better for product stability as one affected flow does not core the full tmm.


439280-3 : Blue Screen error when installing VPN driver on Windows 8.1

Component: Access Policy Manager

Symptoms:
If client components without BZ430965 fixed are installed and then uninstalled on Windows 8.1, then the F5 Networks VPN Adapter will be uninstalled only partially. A subsequent attempt to install VPN Adapter driver on such client machine may lead to blue screen error.

Conditions:
VPN adapter not completely uninstalled.

Impact:
Difficulty installing F5 VPN software on client system.

Workaround:
In order to completely uninstall VPN Adapter driver: 1) Open Device Manager. 2) In the main menu select View -> Show hidden devices. 3) Expand Network adapters. 4) Right-click on F5 Networks VPN Adapter. 5) In the popup menu select Uninstall. 6) In the next window check Delete the driver software for this device.

Fix:
When installing VPN driver on Windows 8.1 with partially uninstalled VPN driver, BSOD no longer occurs.


437866-1 : 2000/4000 platform firmware error, number of active requests not decremented

Component: Local Traffic Manager

Symptoms:
When 2000/4000 platforms return an error condition to the TMM driver, the number of active requests are not decremented. This can cause hardware compression to stop adding jobs to the hardware queue.

Conditions:
This occurs on 2000/4000 platforms that return an error condition to the TMM driver.

Impact:
When this occurs, the system might show a drop in performance. CPU usage might report as very high, and hardware compression jobs are no longer queued.

Workaround:
None.

Fix:
In this release, the system correctly decrements active jobs counter when this error is detected. CPU no longer runs high, and jobs are assigned to the correct compression queue.


437448-5 : Rate limited pool member might stop accepting traffic under certain conditions

Component: Local Traffic Manager

Symptoms:
Pool members may not be able to accept traffic once the rate limit is exceeded, even if it goes below the threshold.

Conditions:
Rate limit set on the pool member and the rate limit is exceeded. This causes the pool member to no longer accept traffic.

Impact:
Pool member will no longer accept traffic.

Workaround:
Remove the rate limit.

Fix:
Pool members with rate limits now resume accepting traffic when the rate limit is no longer exceeded.


436682-2 : SFP modules show a higher optical power output for disabled switch ports

Component: TMOS

Symptoms:
Some SFP modules show a higher optical power output for disabled switch ports, which can contribute to false link states.

Conditions:
This occurs on SFP modules with disabled switch ports.

Impact:
When this occurs, it produces false link states.

Workaround:
None.

Fix:
Some SFP modules now show the correct optical power output for disabled switch ports, which no longer contributes to false link states.


436183-1 : Fixed crash of PWS caused by incorrect usage

Component: Access Policy Manager

Symptoms:
If PWS is used incorrectly, it may crash.

Conditions:
The PWS page is incorrectly customized, or a phishing site contains malicious code.

Impact:
PWS crashes

Workaround:

Fix:
Check if critical section object was initialized before deleting.


436180-2 : Improved security around webcontrol installation

Component: Access Policy Manager

Symptoms:
Web controls may download a custom file as a result of a sophisticated attack from a phishing site.

Conditions:

Impact:
Custom file download on client machine.

Workaround:

Fix:
Security issue has been resolved.


436177-1 : Improved security around Endpoint security modules

Component: Access Policy Manager

Symptoms:
A sophisticated attack can lead to a Network Access disconnect on the client side.

Conditions:
The user accessed a malicious site with a specially crafted page.

Impact:
Network Access is disconnected after the attack.

Workaround:

Fix:
Endpoint security modules now provide more security for endpoint clients and prevent the issue.


429952-2 : tmm will loop in error handling with plugins

Component: Local Traffic Manager

Symptoms:
tmm will loop with plugin errors.

Conditions:
Some error condition. Plugin enabled.

Impact:
tmm will loop and eventually be killed by sod.

Workaround:
None.

Fix:
tmm no longer loops with plugin errors.


429362-5 : BIG-IP EDGE client for Windows creates new session when connectivity to server restored

Component: Access Policy Manager

Symptoms:
BIG-IP EDGE client for Windows does not reconnect to existing BIG-IP session when connectivity to the server is lost for some period of time. When network connectivity is restored to BIG-IP server, the BIG-IP EDGE client creates a new session.

Conditions:
This occurs when using the BIG-IP EDGE client for Windows when connectivity to server is lost and then restored.

Impact:
Full reconnection is made and the previous session is not removed.

Workaround:

Fix:
EDGE Client properly reconnects when network connectivity is restored. Previously full reconnection was done in this case and the previous session was not removed.


429122-2 : istatsd has high CPU usage when segment files get corrupted

Component: TMOS

Symptoms:
If for some other reason the istats segment files became corrupted, then istatsd could use excessive CPU.

Conditions:
The istats segment file became corrupted by some other problem.

Impact:
The high CPU use by istatsd could diminish resources available to other processes causing poor responsiveness for things like tmsh or web management.

Workaround:
Stop istatsd and remove the istats segment files. Then restart istatsd to recreate the segment files. This will cause all statistics in these files to be reset.

Fix:
Even when there is corruption, istatsd will no longer use an excessive amount of CPU.


428820-12 : Blank gateway network access with two or more NICs.

Component: Access Policy Manager

Symptoms:
Client cannot access network behind second NIC after ending of an APM VPN session; status of network interface shows blank gateway.

Conditions:
Two or more NICs on client machine.

Impact:
User isn't able to use some part of the network.

Workaround:
Re-enable affected Network interface.

Fix:
Clients can now access a network behind a second NIC after ending an APM VPN session.


428724-3 : VIPRION Chassis Fantray PIC firmware version 4.00 update

Component: TMOS

Symptoms:
Chassis backplane CAN bus traffic is filtered to minimize unnecessary traffic processing on devices, which improves reliability of chassis firmware updates and serial console redirection between blades (ID411726).

Conditions:
Affects VIPRION B4100 (PB100), B4200 (PB200), and B4300 series blades installed in VIPRION C4400 or C4480 chassis.

Impact:
Chassis firmware updates may fail, preventing the cluster from going on-line (ID408950). Redirected serial console output may appear incorrect.

Workaround:


428721-3 : VIPRION Chassis Annunciator PIC firmware version 3.00 update

Component: TMOS

Symptoms:
Chassis backplane CAN bus traffic is filtered to minimize unnecessary traffic processing on devices, which improves reliability of chassis firmware updates and serial console redirection between blades (ID411726).

Conditions:
Affects VIPRION B4100 (PB100), B4200 (PB200), and B4300 series blades installed in VIPRION C4400 or C4480 chassis.

Impact:
Chassis firmware updates may fail, preventing the cluster from going on-line (ID408950). Redirected serial console output may appear incorrect.

Workaround:


428718-3 : VIPRION SPR PIC firmware version 3.00 update

Component: TMOS

Symptoms:
1. Chassis backplane CAN bus traffic is filtered to minimize unnecessary traffic processing on devices, which improves reliability of chassis firmware updates and serial console redirection between blades (ID411726). 2. More efficient buffering and packet sizing is used for redirected serial console output (ID411724). 3. Using the AOM menu to power-on a blade which is already powered on will cause the blade to reboot (ID419637).

Conditions:
Affects VIPRION B4100 (PB100), B4200 (PB200), and B4300 series blades.

Impact:
1. Chassis firmware updates may fail, preventing the cluster from going on-line (ID408950). Redirected serial console output may appear incorrect. 2. Chassis firmware updates may fail, preventing the cluster from going on-line (ID408950). Redirected serial console output may appear incorrect. 3. Selecting a blade to power on/off via the AOM menu, then selecting to turn the blade on will cause the blade to reboot. There is no safe choice if the blade was selected by mistake.

Workaround:


426600-3 : tmm may loop with priority group and rate limit enabled

Component: Local Traffic Manager

Symptoms:
TMM may loop and eventually be killed by the SOD service.

Conditions:
Rate limit and priority group enabled.

Impact:
tmm will crash.

Workaround:
None.

Fix:
The tmm loop is fixed.


426332-2 : Load common partition, rule_event objects in other partitions are removed

Component: TMOS

Symptoms:
Internal objects used as part of iRules in non-Common partitions may be removed when only the Common partition is loaded. Sync may also trigger this.

Conditions:
This happens when only the Common partition is loaded ('load sys config' or 'load sys config partitions { Common }'). It does not happen when another partition is loaded individually ('load sys config partitions { p1 }') or when all partitions are loaded simultaneously ('load sys config partitions all').

Impact:
When the system is in this state, the dataplane may not run the relevant snippets.

Workaround:
Loading all partitions, instead of just Common, will work correctly. (That is, 'load sys config partitions all' will cause them to be recreated.)

Fix:
Rules and objects now appear correctly in the new partition.


424379-7 : TMM may reset when loading many FIPS keys

Component: Local Traffic Manager

Symptoms:
If the BIG-IP system is configured with many FIPS keys, TMM will constantly reset.

Conditions:
A system with over 200 FIPS keys configured.

Impact:
BIG-IP system becomes unusable.

Workaround:
None.

Fix:
Configuring BIG-IP with many FIPS keys no longer causes TMM to constantly reset.


422314-2 : Multicast IPv4 or IPv6 packets can erroneously be looped back to the transmitting SFP interface on 2000, 2200, 4000, 4200 platforms.

Component: Local Traffic Manager

Symptoms:
tcpdump will show an inbound echo of some outbound L2 multicast IP traffic on the 2.x interfaces.

Conditions:
This will only occur when transmitting IPv4 or IPv6 packets to Ethernet multicast or broadcast addresses, and only on the 2.x bank of interfaces of a BIG-IP 2000, 2200, 4000, or 4200 platform.

Impact:
This may cause an incorrect or confusing fdb entry to appear for the source MAC address if the multicast IP packet is being bridged through from one interface on the VLAN to another (IPv6 router advertisements for example). For sites using neither IPv6 nor MAC level multicast IPv4 this is unlikely to occur.

Workaround:
The fix is simple, and can be implemented by editing an init script. In /etc/init.d/stratospfinit there is a line that reads:
modprobe ixgbe max_vfs=$vfs,$vfs force_rss_sriov=1,1 lacp_target_queue=1,1 >/dev/null 2>&1
Replacing it with a line that reads:
modprobe ixgbe max_vfs=$vfs,$vfs force_rss_sriov=1,1 lacp_target_queue=1,1 L2LBen=0,0 >/dev/null 2>&1
will fix the problem (a reboot is required after the edit).

Fix:
Correct erroneous loopback of L2 multicast IP traffic on 2.x interfaces of BIG-IP 2000, 2200, 4000, and 4200 platforms.


421772-3 : TMM cores when certain types of IPSec traffic(initiator) has to be moved between TMMs by CMP.

Component: TMOS

Symptoms:
TMM core errors occur.

Conditions:
When traffic going through BIG-IP is to be put into an IPsec tunnel. This happens after the security associations for the tunnel are negotiated.

Impact:
Traffic to be encrypted by IPsec will cause tmm to core on the multi-core platforms.

Workaround:
None


421446-1 : Fixed bug in APM which doesn't allow InstallerService to update.

Component: Access Policy Manager

Symptoms:
Installer service isn't updated if the user accesses a newer APM.

Conditions:
User accesses APM with a special version: 11.4.0, 11.4.1, 11.5.0.

Impact:
User has an old InstallerService.

Workaround:
N/a

Fix:
Added a fix that allows InstallerService to update.


420440-9 : Multi-line TXT records truncated by ZoneRunner file import

Component: Global Traffic Manager

Symptoms:
Checking your TXT record in the web interface causes the system to give an error. Querying for the data against a listener for the record reveals that the TXT rdata is incorrect.

Conditions:
GTM enabled and a zone file with a TXT record that has multi-line rdata has been imported via the GUI into ZoneRunner.

Impact:
Your DNS TXT records will be incorrect.

Workaround:
Enter your multi-line TXT records via the web interface as single line, quote separated lines.

Fix:
Multi-line TXT records are no longer truncated.


420330-2 : TMM crash in SSL module with large amount of traffic

Component: Local Traffic Manager

Symptoms:
When experiencing a large amount of traffic, TMM could crash due to corruption.

Conditions:
The system is under stress and TMM memory is exhausted. SSL profiles are configured.

Impact:
TMM crashes, which causes the system either to fail over to the redundant unit or to interrupt traffic while TMM restarts.

Workaround:
None

Fix:
Fixed an issue on TMM SSL traffic handling to avoid crashing when TMM memory is exhausted.


418329-1 : Diskmonitor calculates incorrect alert and warning values

Component: TMOS

Symptoms:
Sys DB variables 'platform.diskmonitor.limitalert.var_log' and 'platform.diskmonitor.limitwarn.var_log' have values of "0" instead of "10" and "20" respectively.

Conditions:
Observed when displaying sys db variables from TMSH.

Impact:
No alerts or warnings are issued by diskmonitor for the /var/log directory.

Workaround:

Fix:
Correct calculation of limitalert and limitwarn variables in diskmonitor script.


416536-1 : Remote link status remains up after disabling blade connected via CuSFP

Component: Local Traffic Manager

Symptoms:
If a VIPRION blade is connected to a remote device via a Copper Ethernet connection (using a Copper SFP) and the blade is disabled, the remote device may detect that the Copper link remains up.

Conditions:
Affects VIPRION B4100, B4200, B4300, B2100, B2150, B2250 blades. Occurs when blade is connected to remote device via Copper SFP, and cluster member (blade) is Disabled.

Impact:
The remote device may continue to send packets to the disabled blade.

Workaround:
Disable any interfaces corresponding to the Copper SFP connection before disabling the cluster member. For example:
tmsh mod net interface #/#.# disabled (where #/#.# represents blade/interface numbers)
tmsh mod sys cluster default member # disabled (where # is the blade number)


416443-2 : TMM memory reaping can lead to crash

Component: Local Traffic Manager

Symptoms:
The customer sees that their unit had a tmm core with a TMM assertion. The following trace is present in the customer's ltm log file:
Aug 29 02:48:01 tmm2 warning tmm2[6166]: 011e0002:4: sweeper_update: aggressive mode activated. (198492/229376 pages)
Followed by the TMM assertion:
<13> Aug 29 02:48:06 dieg-iam-f5-a notice panic: ../kern/umem.c:976: Assertion "((UINTPTR)buf - (UINTPTR)sp->slab_base) < sp->slab_size" failed.

Conditions:
This issue can occur when the sweeper is in aggressive mode and a memory allocation fails, initiating memory reaping.

Impact:
TMM crashes and restarts.

Workaround:
The customer needs to install an Engineering Hotfix with the fix for this issue.

Fix:
Memory reaping that occurs due to a failed allocation - when the system is under high memory utilization - now succeeds.


416292-7 : MCPD can core as a result of another component shutting down prematurely

Component: TMOS

Symptoms:
During a small window of opportunity, mcpd can core if it is told to restart. This often occurs when another component has failed.

Conditions:
This issue generally occurs when another component has a problem which then initiates an mcpd restart.

Impact:
An mcpd core file is generated during shutdown, and it may initially appear as if mcpd coring was the cause of the restart.

Workaround:

Fix:
Ensured that the active CMI connection is destroyed when mcpd is shutting down.


415616-1 : qkview may generate error messages for very long file names

Component: TMOS

Symptoms:
File names that contain more than 100 characters in the full pathname cannot be added to qkview files. If such filenames are encountered by qkview, they will be discarded. This will be indicated in both the meta.xml file and the qkview_run.data file.

Conditions:
Filenames under paths collected by qkview exceed 100 characters in length.

Impact:
A file containing potentially useful diagnostic information might be omitted.

Workaround:
Run qkview manually, and observe errors output to stderr. Copy these files manually to examine their contents.


413236-2 : SSL session ID reuse may fail if the Client SSL profile name is 32 characters or more

Component: Local Traffic Manager

Symptoms:
SSL session ID reuse may fail if the Client SSL profile name is 32 characters or more.

Conditions:
This occurs with Client SSL profile name containing 32 characters or more.

Impact:
A full SSL handshake is executed rather than an optimized handshake, so that SSL resumption does not work. When this occurs, SSL session IDs might not be reused appropriately, and new SSL session IDs might be presented during the SSL handshake, while the previous session ID is still valid.

Workaround:
Change the SSL profile to one with a name length of fewer than 32 bytes. Note: The 32-character limit includes the profile name and the characters that comprise the folder path (partition and folder). For example, the following profile name is 34 characters in length: /Common/client-ssl-profile-test123. For more information, see SOL14372: SSL session ID reuse may fail if the Client SSL profile name is 32 characters or more.

Fix:
The system now successfully resumes SSL sessions when a Client SSL profile name is 32 characters or more.


412089-1 : WAM policy matching error when multiple regex rules match

Component: WebAccelerator

Symptoms:
If multiple regular-expressions were evaluated in the decision to choose a WAM policy node, the incorrect node (or no node) might be chosen.

Conditions:
Not easy to reproduce.

Impact:
The wrong WAM policy node might be chosen and incorrect cache settings might be used.

Workaround:
Don't use multiple regular expressions in policy matching or upgrade to a fixed version.

Fix:
The correct WAM policy node is now matched in all cases where regular expressions are used multiple times.


411838-1 : TMSH list/show doesn't label vCMP and virtual-disks objects appropriately

Component: TMOS

Symptoms:
TMSH is showing "unknown" labels for vCMP and virtual-disks objects in the list / show error commands related to this feature.

Conditions:
Run any list / show command in TMSH that needs to reference a non-existent vCMP or virtual-disk object (so it will throw an error message).

Impact:
Cosmetic. May cause confusion since the label is not appropriate.

Workaround:
None.

Fix:
Add the right labels in the label list.


410563-2 : BIG-IP 2000-/4000-series CPLD version 0xA update

Component: TMOS

Symptoms:
BIG-IP 2000-/4000-series appliances may occasionally fail to power up successfully. (ID410561)

Conditions:
BIG-IP 2000-/4000-series appliances

Impact:
Appliance may occasionally fail to power up.

Workaround:


408958-3 : Malformed SSL packet causes lockup

Component: Local Traffic Manager

Symptoms:
Certain malformed SSL application data record packets will cause a lock up.

Conditions:

Impact:
TMM will stop processing SSL packets.

Workaround:
No workaround

Fix:
SSL application data no longer stalls when receiving malformed data records.


406224-1 : TMM may crash on standby with mirroring enabled

Component: Local Traffic Manager

Symptoms:
TMM may occasionally crash after switching from standby to active when mirroring is enabled.

Conditions:
HA pair configuration and a virtual with mirroring enabled.

Impact:
TMM may crash.

Workaround:
Disable mirroring.

Fix:
TMM no longer crashes in the rare instance of moving from standby to active.


405752-4 : Monitors sourced from specific source ports can fail

Component: TMOS

Symptoms:
Monitors using TCP transport will fail when sourced from ports 1097 (on some platforms), 1098, 1099, and 3306. Upon receipt of the SYN-ACK from the monitored device, TMOS will filter the packet and respond with ICMP port unreachable.

Conditions:
Use one or more monitors which rely upon TCP as a transport. Port 1097 will be affected on the BIG-IP 800, 1600, 3600, 3900, 6900, 8900 (and derivative), 1100, and 11050 platforms.

Impact:
May result in false monitor failures.

Workaround:
1. Set the bigd.reusesocket database variable to enable and follow F5 Networks' best practices for monitors, specifying a timeout of three times the interval plus 1 second.
2. Modify iptables by removing the affecting iptables rule:
-- /sbin/iptables -D INPUT -p tcp --dport 3306 -j REJECT --reject-with icmp-port-unreachable
-- /sbin/iptables -D INPUT -p tcp -m tcp --dport 3306 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset
-- /sbin/iptables -A INPUT -p tcp -m tcp --dport 3306 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset

Fix:
Monitors using TCP transport sourced from certain ports now handle traffic as expected.


405067-3 : System applies active bonus value when the HA score is zero

Component: TMOS

Symptoms:
Contrary to documentation, release 11.2 and later apply the active bonus to HA group score even when the HA group score is 0 (zero).

Conditions:
This occurs when the HA group score is 0 and there is a value specified in Active Bonus.

Impact:
A minimal HA group configuration can result in a situation in which the active bonus alone is enough to keep an ailing unit active.

Workaround:
For configurations without pool/pool member with HA group, the workaround is to lower the Active Bonus value to a small value (one is sufficient).

Fix:
The system no longer adds the active bonus when the HA group score is 0 (zero). This is correct behavior.


404716-2 : Packet filtering and dropped decapsulated tunnel packets

Component: TMOS

Symptoms:
With the packet filter enabled and its default action set to discard or reject, decapsulated tunnel packets may be dropped.

Conditions:
This occurs with packet filter enabled with a default action of discard or reject.

Impact:
Decapsulated tunnel packets may be dropped even though the system explicitly allows those packets.

Workaround:
None.

Fix:
Decapsulated tunnel packets are correctly handled by packet filter.


400671-1 : Issue with wamd when it cannot connect to MySQL

Component: WebAccelerator

Symptoms:
Wamd crashes when it can't connect to MySQL.

Conditions:
Wamd is starting while MySQL is either down or going down due to harsh running conditions.

Impact:
Wamd crashes producing a core.

Workaround:

Fix:
Wamd restarts when a connection to MySQL cannot be established (default behavior).


399327-2 : VIPRION B4200 HSB bitstream version 2.1.48.1 update

Component: TMOS

Symptoms:
1. HSB lockup may occur when VLAN failsafe is enabled. (ID381848)
2. HSB lockup and possible silent reboot with corrupted packets. (ID375516)
3. HG MAC statistics may be misreported with corrupted packets.
4. IPv6 checksum offload added (supported by BIG-IP versions 11.3.0 and later).

Conditions:
VIPRION B4200 blades

Impact:
1. Possible HSB lockup when VLAN failsafe is enabled.
2. Possible HSB lockup and possible silent reboot.
3. Possible incorrect HG MAC statistics.
4. IPv6 checksum offload available on BIG-IP versions 11.3.0 and later.

Workaround:


396818-2 : Mezzanine HSB Bitstream v1.3.19.1 release for BIG-IP 8950 and 11050 appliances

Component: TMOS

Symptoms:
BIG-IP 8950 and 11050 appliances with Mezzanine HSB bitstream v1.3.17.4 or earlier might encounter the following issues:
- IPv6 packets could be transmitted with checksums of 0, instead of the expected complement (all F's) as per RFC 768.
- HSB lockup and system hang on reboot with rare malformed IPv4 packets.
- Rare HSB lockup due to arbitration issues with datapath sharing between PDEs (Packet DMA Engines).

Conditions:
BIG-IP 8950 and 11050 appliances with Mezzanine HSB bitstream v1.3.17.4 or earlier:
- v1.3.9.20: v10.2.0, v10.2.1
- v1.3.15.1: v10.2.2, v10.2.3, v11.0.0
- v1.3.17.4: v10.2.4, v11.1.0, v11.2.0, v11.2.1

Impact:
Potential impacts include:
- IPv6 packets could be transmitted with checksums of 0, instead of the expected complement (all F's) as per RFC 768.
- HSB lockups and resulting failover.
- HSB lockups followed by hard system hang upon reboot.

Workaround:
NOTE to Tech Writer: Symptoms are same as SOL16290, just different platforms/FPGAs and bitstream versions involved.

Fix:
Mezzanine HSB Bitstream v1.3.19.1 release for BIG-IP 8950 and 11050 appliances contains the following fixes:
- IPv6 packets are no longer transmitted with checksums of 0, and are instead transmitted with the expected complement (all F's) as per RFC 768.
- Prevents HSB lockup and system hang on reboot with rare malformed IPv4 packets.
- Improved arbitration of datapath shared between PDEs (Packet DMA Engines) to prevent rare HSB lockups.


394826-1 : When using Active Directory module, password change may fail if UDP port 464 is unavailable

Component: Access Policy Manager

Symptoms:
If the Access Policy contains an AD Auth/Query agent, the BIG-IP system may ask a user who tries to log in to change their password if the password has expired. The password change operation fails when port 464 is not available over UDP.

Conditions:
-- AD Auth/Query module is configured for Access Policy.
-- User's password has expired.
-- Port 464 is unavailable over UDP at the configured domain controller.

Impact:
Users cannot change their Active Directory password.

Workaround:

Fix:
The BIG-IP system now switches to TCP during the password change operation when UDP port 464 is unavailable. The password can then be changed using TCP port 464.


388985-1 : HSB v2.1.43.1 Bitstream release for BIG-IP 8900 and 8950 appliances

Component: TMOS

Symptoms:
BIG-IP 8900 and 8950 appliances with Mainboard HSB bitstream versions 2.1.41.4 or earlier might encounter the following issues:
- IPv6 packets could be transmitted with checksums of 0, instead of the expected complement (all F's) as per RFC 768.
- HSB lockup and system hang on reboot with rare malformed IPv4 packets.
- Rare HSB lockup due to arbitration issues with datapath sharing between PDEs (Packet DMA Engines).

Conditions:
BIG-IP 8900 and 8950 appliances with Mainboard HSB bitstream versions 2.1.41.4 or earlier:
- v2.1.26.1 (BIG-IP v10.2.0, v10.2.1)
- v2.1.37.1 (BIG-IP v10.2.2, v10.2.3, v11.0.0, v11.1.0)
- v2.1.41.4 (BIG-IP v10.2.4, v11.0.0-hf4, v11.1.0-hf5, v11.2.0, v11.2.1)

Impact:
Potential impacts include:
- IPv6 packets could be transmitted with checksums of 0, instead of the expected complement (all F's) as per RFC 768.
- HSB lockups and resulting failover.
- HSB lockups followed by hard system hang upon reboot.

Workaround:

Fix:
HSB v2.1.43.1 Bitstream release for BIG-IP 8900 and 8950 appliances contains the following fixes:
- IPv6 packets are no longer transmitted with checksums of 0, and are instead transmitted with the expected complement (all F's) as per RFC 768.
- Prevents HSB lockup and system hang on reboot with rare malformed IPv4 packets.
- Improved arbitration of datapath shared between PDEs (Packet DMA Engines) to prevent rare HSB lockups.


388751-1 : With the wrong calculation of iov buffers from xbuf, TMM can crash.

Component: WebAccelerator

Symptoms:
There is a bug in xbuf_xcur_to_iov() where the first call, made to find out how many iovec entries are needed, returns more than necessary. Since the return value is used to allocate the iov array, more entries are allocated than needed. The parser uses the same value to walk through the iovec array. However, in this case, a portion of the iovec array is not used, and thus not properly initialized, which crashes TMM.

Conditions:
When xbuf_xcur_to_iov() is called to get an iov from an xbuf.

Impact:
Possible tmm crash.

Workaround:
N/A
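
The failure pattern described for xbuf_xcur_to_iov(), as an added C example that is not F5's code: a sizing pass that overestimates, a fill pass that writes fewer entries, and a consumer hardened by zeroing the array and walking only the filled count. The frag type and every function name here are hypothetical stand-ins, and the sample fragments are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>

/* Hypothetical chained buffer; stands in for the xbuf the page mentions. */
struct frag {
    const char *data;
    size_t len;
    const struct frag *next;
};

/* Sizing pass with the defect described above: it counts every fragment and
 * ignores the requested range, so it can exceed what the fill pass writes. */
static size_t iov_count_estimate(const struct frag *f)
{
    size_t n = 0;
    for (; f != NULL; f = f->next)
        n++;
    return n;
}

/* Fill pass: writes only the entries that cover `want` bytes starting `off`
 * bytes into the chain, and returns how many entries it actually wrote. */
static size_t iov_fill(const struct frag *f, size_t off, size_t want,
                       struct iovec *iov, size_t cap)
{
    size_t used = 0;
    for (; f != NULL && want > 0 && used < cap; f = f->next) {
        if (off >= f->len) {          /* range starts after this fragment */
            off -= f->len;
            continue;
        }
        size_t take = f->len - off;
        if (take > want)
            take = want;
        iov[used].iov_base = (void *)(f->data + off);
        iov[used].iov_len = take;
        used++;
        want -= take;
        off = 0;
    }
    return used;
}

struct copy_result {
    size_t estimate;   /* entries allocated from the sizing pass */
    size_t used;       /* entries the fill pass initialized */
    size_t copied;     /* bytes copied out, or (size_t)-1 on error */
};

/* Hardened consumer: calloc() so slack entries are {NULL, 0} rather than
 * indeterminate, and walk `used` entries, never the sizing estimate. */
static struct copy_result copy_range(const struct frag *head, size_t off,
                                     size_t want, char *out, size_t out_cap)
{
    struct copy_result r = { iov_count_estimate(head), 0, (size_t)-1 };
    struct iovec *iov = calloc(r.estimate ? r.estimate : 1, sizeof *iov);
    if (iov == NULL)
        return r;
    r.used = iov_fill(head, off, want, iov, r.estimate);
    size_t total = 0;
    for (size_t i = 0; i < r.used; i++) {
        if (iov[i].iov_len > out_cap - total) {   /* output too small */
            free(iov);
            return r;
        }
        memcpy(out + total, iov[i].iov_base, iov[i].iov_len);
        total += iov[i].iov_len;
    }
    free(iov);
    r.copied = total;
    return r;
}

static char demo_out[32];   /* receives the copied range in run_demo() */

/* Constructed sample: four fragments, request 11 bytes starting at offset 4. */
static struct copy_result run_demo(void)
{
    static const struct frag f3 = { "HTTP/1.1", 8, NULL };
    static const struct frag f2 = { ".html ", 6, &f3 };
    static const struct frag f1 = { "/index", 6, &f2 };
    static const struct frag f0 = { "GET ", 4, &f1 };
    memset(demo_out, 0, sizeof demo_out);
    return copy_range(&f0, 4, 11, demo_out, sizeof demo_out - 1);
}

int main(void)
{
    struct copy_result r = run_demo();
    printf("estimate=%zu used=%zu copied=%zu text=%s\n",
           r.estimate, r.used, r.copied, demo_out);
    return 0;
}
```

In the sample, the sizing pass allocates four entries while the fill pass initializes two; a consumer that walked all four entries of a malloc()-backed array would read the two indeterminate ones.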


384111-1 : iRule nexthop cmd not compatible with other load balancing pick commands

Component: Local Traffic Manager

Symptoms:
The BIG-IP system may not apply the nexthop iRule command when used in an iRule with other Layer 3 iRule commands. If an iRule performs the 'nexthop' command, but a destination IP address is chosen by pool or node selection, the destination VLAN and MAC address will be a route to the selected destination IP instead of the requested nexthop.

Conditions:
This issue occurs when all of the following conditions are met:
-- One or more iRules associated with a virtual server uses both the nexthop iRule command and one of the following Layer 3 iRule commands:
- pool
- node
- forward
-- Both the nexthop command and Layer 3 load balancing iRule command are triggered in the same connection.
This issue may also occur when the nexthop and Layer 3 forwarding commands are in separate rules associated with the same virtual server.

Impact:
The connection may be forwarded to the incorrect node or pool. As a result of this issue, it might appear that the nexthop command is ignored, with the other Layer 3 load balancing command taking precedence.

Workaround:
None. For more information, see SOL14196: The BIG-IP system may not apply the nexthop iRule command when used in an iRule with other Layer 3 iRule commands, available here: http://support.f5.com/kb/en-us/solutions/public/14000/100/sol14196.html.

Fix:
The iRule 'nexthop' command now updates only 'nexthop' for the connection, and no longer overwrites the selected remote node's address.


383853-2 : Added argument "eom" as valid for TCP::notify

Component: Local Traffic Manager

Symptoms:
Need to signal end of message to TCP proxy asynchronously in CLIENT_DATA/SERVER_DATA events

Conditions:
All

Impact:
Can now signal TCP::release when done parsing messages in CLIENT_DATA

Workaround:
None

Fix:
Added synchronous event to signal end of message from RCP rule event to prevent performance degradation when traffic is returned to the wrong source port.


381512 : Bringing system down with active tcpdump causes tmm to core

Component: Local Traffic Manager

Symptoms:
If the system is going down while an active tcpdump session is ongoing, it causes tmm to core.

Conditions:
Having an active tcpdump session while the system is going down.

Impact:
tmm cores.

Workaround:
Turn off tcpdump sessions before running any bigstart restart command.


374339-12 : HTTP::respond/redirect might crash TMM under low-memory conditions

Component: Local Traffic Manager

Symptoms:
HTTP::respond/redirect might crash TMM under low-memory conditions.

Conditions:
Under low-memory conditions, if a new HTTP connection triggers an HTTP::respond/redirect event.

Impact:
TMM might crash.

Workaround:
Reduce memory usage

Fix:
HTTP::respond/redirect no longer crashes TMM under low-memory conditions.


369460-2 : Ability to delete SNMP configuration

Component: TMOS

Symptoms:
Before: SNMP default configuration used to be in /defaults/config_base.conf. User can modify it but can't delete it. After: SNMP default configuration is in /config/bigip_base.conf. User can modify and delete it.

Conditions:
If a user deletes the default SNMP access control configuration and runs "tmsh load sys config" or reboots the box, the deleted configuration comes back.

Impact:
User is not able to delete default SNMP access control configuration.

Workaround:

Fix:
After the fix, the SNMP default configuration is in /config/bigip_base.conf. Users can modify and delete it. Loading is consistent with the user's changes.


364556-2 : SNMP OID generation mechanism can cause premature OID truncation

Component: TMOS

Symptoms:
A previously untruncated SNMP OID may now become truncated. For example, the following gtmRegItem OID:
.1.3.6.1.4.1.3375.2.3.7.2.2.1.2.2.23.47.67.111.109.109.111.110.47.83.104.97.110.103.104.97.105.84.101.108.101.99.111.109.0.0.12.53.56.46.51.50.46.48.46.48.47.49.51
can become truncated as:
.1.3.6.1.4.1.3375.2.3.7.2.2.1.2.2.17.47.67.111.109.109.111.110.47.83.104.97.110.103.104.97.105.84.64.1.0.0.12.53.56.46.51.50.46.48.46.48.47.49.51
The following part from the original OID, 101.108.101.99.111.109, is replaced by 64.1 in the truncated OID. During the truncation, 64 (ampersand) is followed by the internally assigned attribute index, which is 1 in the above case.

Conditions:
Configuring long SNMP LongDisplayString objects that are part of the INDEX.

Impact:
The working untruncated SNMP OID that is being monitored may change and become truncated.

Workaround:
Mitigation: configure shorter SNMP LongDisplayString objects that are part of the INDEX, to prevent the premature truncation. For example, ltmPoolMember has the following INDEX: INDEX { ltmPoolMemberPoolName, ltmPoolMemberNodeName, ltmPoolMemberPort }. ltmPoolMemberPoolName and ltmPoolMemberNodeName are of LongDisplayString type, so they should be configured with the shorter length.

Fix:
Improved SNMP OID generation mechanism to prevent premature truncation.


342013-3 : TCP filter doesn't send keepalives in FIN_WAIT_2

Component: Local Traffic Manager

Symptoms:
TCP filter does not send keepalives in FIN_WAIT_2 (half close state). This may cause connections to remain open when they should be closed.

Conditions:
The BIG-IP system stops sending keepalives once the connection enters half close state, while the server continues to send keepalives. As a result, connections stay open indefinitely if the client disappears, a firewall drops its flow entry, etc. The connection is never swept because the server keepalives reset the idle timeout; one customer case has connections open for over 90 days not passing data!

Impact:
Idle connections may remain open indefinitely.

Workaround:

Fix:
This is fixed by sending keepalives even in half close state. Idle connections intentionally left open are still allowed, and clients that disappear are detected.


336255-3 : OneConnect Connection Limits with Narrow Source Address Masks

Component: Local Traffic Manager

Symptoms:
If a OneConnect profile with a narrow source address mask (e.g. 255.255.255.255) is applied to a virtual with a SNAT pool, existing idle server connections cannot be reused (because of the SNATted source address and narrow source address mask). New connections, therefore, will be created. Effectively, the pool member connection limits will be interpreted as applying to active connections, with in-flight (HTTP) requests or responses.

Conditions:
This can happen when OneConnect is used with SNAT pools and narrow OneConnect source address masks.

Impact:
More TCP connections to pool members than expected will occur.

Workaround:
Relax the OneConnect source address mask width.

Fix:
This fix introduces a "limit-type" OneConnect profile option (currently supported only via TMSH and iControl/REST -- GUI and iControl/SOAP support in progress). The limit-type can take on one of three values:
-- none: behaviour is as before; "connections" are counted toward the pool member limit based on whether they have active, in-flight requests or responses.
-- strict: a hard TCP pool member connection limit is enforced. No attempt will be made to find a connection to reuse if at the TCP connection limit, EVEN IF ONE MIGHT BE AVAILABLE. This mode of operation is not recommended (though some customers find it useful with short idle connection timeouts).
-- idle: if a client connection is accepted and we are at or above the TCP connection limit, a random idle connection will be dropped.


226892-10 : Packet filter enabled, default action discard/reject and IP fragment drop

Component: Local Traffic Manager

Symptoms:
With packet filter enabled with a default action of discard/reject, you might encounter the following symptoms:
-- Packet captures show that the BIG-IP system is receiving return traffic for one or more connections, but failing to forward those packets.
-- Some connections may fail. DNS traffic, or traffic with IP fragments, is more likely to fail due to how TMM handles connections.
-- If logging is enabled for the affected packet filter rule, many entries similar to the following example are logged to the /var/log/pktfilter file:
'local/tmm notice tmm[4835]: 01250004:5: test_pf_rule (56687): reject on external, len: 98 [IPv4 84 192.168.1.1 -- 192.168.1.2 ICMP 0:0]'

Conditions:
After configuring packet filters, you may notice that the BIG-IP system is incorrectly dropping the return packets of certain connections. This issue occurs when all of the following conditions are met:
-- The BIG-IP platform and software version support Clustered Microprocessing (CMP).
-- CMP is enabled globally.
-- CMP is enabled for the specific traffic-handling object.
-- Packet filtering is enabled with the Filter established connections option disabled (this is the default setting).

Impact:
The BIG-IP system incorrectly drops return packets, which may cause your applications to fail or work intermittently.

Workaround:
To work around this issue, you can either define additional packet filter rules that explicitly allow return traffic, or disable CMP for the affected traffic-handling object. If the object does not allow CMP to be disabled (for example a SNAT), you can first replace it with a virtual server. For more information, see SOL12831: Using packet filters in conjunction with CMP may cause intermittent drops on return traffic, available here: http://support.f5.com/kb/en-us/solutions/public/12000/800/sol12831.html.

Fix:
Resolved intermittent issue when return packets were dropped after configuring packet filters for DNS traffic or traffic with IP fragments.


225443-3 : gtmparse fails to load if you add unsupported SIP monitor parameters to the config

Component: Global Traffic Manager

Symptoms:
Customers could either manually or via tmsh add unsupported properties to a GTM SIP monitor. Examples of properties that are supported by LTM SIP monitor but not GTM SIP monitor are "headers" and "filter neg". If these are added to a GTM SIP monitor definition in wideip.conf, gtmparse will fail to load the configuration.

Conditions:
Unsupported GTM SIP monitor properties like "headers" and "filter neg" are added either manually or via tmsh to wideip.conf and then customer runs gtmparse to load the config and/or the config is gtm sync'd to another box and fails to load there.

Impact:
Gtmparse will fail to load the configuration.

Workaround:
none

Fix:
Gtmparse will now successfully load a configuration that contains GTM SIP monitors that include the following properties: "headers" and "filter neg". Please note that if a single box in a GTM sync group is upgraded to this hotfix version and the "headers" or "filter neg" gtm sip monitor options are used, all of the boxes in the sync group must be upgraded to this version as well in order for the config to sync successfully between boxes in a sync group.




Cumulative fixes from BIG-IP v11.2.1 Hotfix 14 that are included in this release


TMOS Fixes

ID Number Description

492367-6

CVE-2014-8500.

492368-8

CVE-2014-8602.

497719-6

NTP Vulnerability CVE-2014-9295, CVE-2014-9293, CVE-2014-9294, CVE-2014-9296

503237-2

CVE-2015-0235 : glibc vulnerability known as Ghost.


Cumulative fixes from BIG-IP v11.2.1 Hotfix 13 that are included in this release


TMOS Fixes

ID Number Description

485012-2

CVE-2014-3566: A new command has been added to TMSH that allows the administrator to configure the SSL protocol version that is supported on the management interface. Use this command to enable or disable support for specific protocol versions. For example, the following command will disable SSL protocol versions 2 and 3, leaving TLS versions 1, 1.1 and 1.2 enabled:
tmsh modify sys httpd { ssl-protocol "all -SSLv2 -SSLv3" }

486758

Resolved an installation error in which the management port did not come up, leaving the BIG-IP system inaccessible to the automation system and requiring manual intervention.


Local Traffic Manager Fixes

ID Number Description

450804-6

Improved TLS finish messages.

451218-7

CVE-2014-8730: Corrected Nitrox TLS padding.

454465-5

CVE-2014-8730: Corrected TMM TLS padding

485188-6

When the SSL ClientHello contains the SCSV marker, if the client protocol offered is not the latest that the virtual server supports, a fatal alert will be sent.
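
The check described for 485188-6, as an added C example rather than BIG-IP code: it parses a ClientHello, looks for TLS_FALLBACK_SCSV (0x5600, RFC 7507), and rejects the hello with a fatal inappropriate_fallback alert when the offered version is below the server's highest. The function names are hypothetical and the sample ClientHello is constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS_FALLBACK_SCSV            0x5600u /* RFC 7507 signalling suite */
#define ALERT_INAPPROPRIATE_FALLBACK 86      /* RFC 7507 alert description */

enum verdict { HELLO_MALFORMED = -1, HELLO_OK = 0, HELLO_REJECT_FALLBACK = 1 };

/* Parse a ClientHello handshake message (record header already removed) and
 * reject it when the SCSV is present and the offered version is below the
 * highest version this server supports. */
static enum verdict check_fallback(const uint8_t *m, size_t len,
                                   uint16_t server_max)
{
    if (len < 4 || m[0] != 0x01)              /* handshake type 1 = ClientHello */
        return HELLO_MALFORMED;
    size_t body = ((size_t)m[1] << 16) | ((size_t)m[2] << 8) | m[3];
    if (body > len - 4 || body < 2 + 32 + 1)  /* version, random, sid length */
        return HELLO_MALFORMED;
    const uint8_t *p = m + 4, *end = p + body;
    uint16_t offered = (uint16_t)((p[0] << 8) | p[1]);
    p += 2 + 32;
    size_t sid_len = *p++;
    if (sid_len > 32 || (size_t)(end - p) < sid_len + 2)
        return HELLO_MALFORMED;
    p += sid_len;
    size_t cs_len = ((size_t)p[0] << 8) | p[1];
    p += 2;
    if (cs_len == 0 || (cs_len & 1) || (size_t)(end - p) < cs_len)
        return HELLO_MALFORMED;
    int scsv = 0;
    for (size_t i = 0; i < cs_len; i += 2)
        if ((((unsigned)p[i] << 8) | p[i + 1]) == TLS_FALLBACK_SCSV)
            scsv = 1;
    return (scsv && offered < server_max) ? HELLO_REJECT_FALLBACK : HELLO_OK;
}

/* Fatal alert record for a rejected hello: type 21, level 2, description 86. */
static size_t build_fallback_alert(uint8_t out[7], uint16_t record_version)
{
    const uint8_t rec[7] = { 21, (uint8_t)(record_version >> 8),
                             (uint8_t)record_version, 0, 2, 2,
                             ALERT_INAPPROPRIATE_FALLBACK };
    memcpy(out, rec, sizeof rec);
    return sizeof rec;
}

/* Constructed sample input: a minimal ClientHello with the given suites. */
static size_t build_hello(uint8_t *b, uint16_t version,
                          const uint16_t *suites, size_t n)
{
    size_t o = 4;                              /* handshake header goes in last */
    b[o++] = (uint8_t)(version >> 8);
    b[o++] = (uint8_t)version;
    memset(b + o, 0xAB, 32);                   /* fixed "random" bytes */
    o += 32;
    b[o++] = 0;                                /* empty session id */
    b[o++] = (uint8_t)((2 * n) >> 8);
    b[o++] = (uint8_t)(2 * n);
    for (size_t i = 0; i < n; i++) {
        b[o++] = (uint8_t)(suites[i] >> 8);
        b[o++] = (uint8_t)suites[i];
    }
    b[o++] = 1;                                /* one compression method: null */
    b[o++] = 0;
    b[0] = 0x01;
    b[1] = (uint8_t)((o - 4) >> 16);
    b[2] = (uint8_t)((o - 4) >> 8);
    b[3] = (uint8_t)(o - 4);
    return o;
}

/* Build a sample hello offering `version`, optionally with the SCSV, drop
 * `cut` bytes from the end, and run the check. */
static enum verdict demo(uint16_t version, int with_scsv, uint16_t server_max,
                         size_t cut)
{
    const uint16_t suites[3] = { 0x002F, 0x0035, TLS_FALLBACK_SCSV };
    uint8_t hello[64];
    size_t n = build_hello(hello, version, suites, with_scsv ? 3 : 2);
    return check_fallback(hello, n - cut, server_max);
}

int main(void)
{
    uint8_t alert[7];
    if (demo(0x0301, 1, 0x0303, 0) == HELLO_REJECT_FALLBACK) {
        build_fallback_alert(alert, 0x0301);
        printf("fallback rejected, alert description %u\n", alert[6]);
    }
    return 0;
}
```

A hello that offers the lower version without the SCSV is accepted, which is what keeps genuinely old clients working while retried downgrades are refused.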


Cumulative fixes from BIG-IP v11.2.1 Hotfix 12 that are included in this release


TMOS Fixes

ID Number Description

450058-6

Added changes from RHEL6.4 kernel sources to prevent possible lockup conditions by yielding to other tasks waiting for the swap I/O requests to complete.

461580-2

Resolved an intermittent kernel panic that caused a crash when using telnet with an external monitor.

461646-4

Applied upstream fix to resolve telnet panic CVE-2014-0196.

480931-6

ShellShock bash vulnerability has been fixed with upstream patches for CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187.

481732-1

Address kernel vulnerability: CVE-2012-4461.
Address kernel vulnerability: CVE-2012-6638.
Address kernel vulnerability: CVE-2013-0311.
Address kernel vulnerability: CVE-2013-1767.
Address kernel vulnerability: CVE-2013-2094.


Local Traffic Manager Fixes

ID Number Description

435652-2

The timing differences in the Nitrox crypto accelerator have been eliminated: CVE-2014-4024

435959-5

The system now correctly handles packets output on members of vlangroups where the packets are cached replies for the same vlan on which the request arrived.


Cumulative fixes from BIG-IP v11.2.1 Hotfix 11 that are included in this release


TMOS Fixes

ID Number Description

361095-1

Changes to Certificates and Keys associated with an SSL profile no longer invalidate the SSL profile. The fix is to disallow changes to the cert or key, unless they are in a single transaction.

384846-1

Improved reliability of the BIG-IP system with fixes found by internal F5 testing.

386566-1

The problem in which processing a remote user caused the secondaries to restart has been fixed.

389499-1

tmsh updated to support management-route types: interface/blackhole

411352-2

SNMP traps will be generated for TMM FIPS failures. The SNMP OID .1.3.6.1.4.1.3375.2.4.0.152 has been assigned to the TMM FIPS acceleration device failures.

414210-1

Fixed memory leak when adding and deleting VCMP guests

415864-1

Trunk IDs are no longer duplicated.

418308-1

Prevent TMM from crashing when recreating a deleted VCMP guest.

418339-1

Prevent unnecessary logging when deleting and re-creating vcmp guests

419319-1

Fixed a rare problem when not using the standard configuration that resulted in error message: 01070712:3: Cannot delete tunnel 'r10.10.10.2' in rd65535 - ioctl failed: No such device - net/validation/routing.cpp, line 523 Unexpected Error: Loading configuration process failed.

419664-6

Performing a mibwalk of SNMP-sysIfxStat now returns expected stats.

421210-4

Using Enterprise Manager to manage HA pairs with FIPS no longer causes key handle mismatches.

421886-2

MCPD will no longer crash during configuration synchronization. Steps were taken to ensure that objects were not prematurely deleted.

422471-4

alertd was missing requisite configuration and error map files. Those mappings are now populated and the traps should work.

424143-2

The SNMP configuration is now being saved to the correct file.

429105-1

Prevent restarts in rare circumstances

432826-4

Trunks now work upon reboot if not configured with LACP Active on BIG-IP 2000-/4000-series appliances.

442751-3

With this fix the BIG-IP has been upgraded to the appropriate version of BIND

446549-2

During a config sync, steps were taken to ensure that mcpd objects are not deleted until after they have been fully processed.

447266-4

Took steps to ensure that MCP would not attempt to modify an object that has been both created and deleted in the same transaction.

448787-1

Connection tracking is now correctly disabled in non-default route domains.

450089-4

Add diagnostic code to the request_group to abort when it is being deleted while actively processing.

450129-5

LOP (Lights Out Processor) firmware version 2.08 for VIPRION B2100, B2150 resolves the following issues:
(ID446907) Alarm LED may be Red upon powering up VIPRION B2100, B2150 blades.
(ID439435) AOM Command Menu no longer reports failure when successfully powering up VIPRION B2100 or B2150 blades.

451479-2

Fixed the formatting used in rsync command

451621-3

We now preserve the MCP interface name mapping for VLANs when performing a configuration load operation.

456848-7

LBH firmware v4.08 for BIG-IP 2000-/4000-series appliances resolves the following issues:
ID455728: PSU status/changes reported incorrectly
ID450177: AOM controller resets when it has no IP configured
ID451493: Fan speed higher than expected
ID453493: Change fan control set points for less noise

458676-7

Corrected possible internal Rsync port exposure.

460630-1

 

433985

Fixed bug to improve system quality.

472662

Fixed regression found by internal F5 testing before release.


Local Traffic Manager Fixes

ID Number Description

349680-5

Correct the port number provided in Via header in SIP monitoring connections.

359978-7

Dashboard now presents throughput stats via the same calculation as used by other tools.

367081-1

http(s) monitors updated to support NTLM authentication and chunked responses.

387009-2

Fixed an issue in TMM so it does not crash when memory is exhausted.

387342-1

For a virtual with a TCP profile and using a pool with queue-on-connection-limit enabled, if the client begins to close a queued connection, the BIG-IP system now immediately resets that connection.

389620-1

Resolved potential core from race condition in ssly from timing mis-match of messages.

391039-1

FTP connection now mirrored successfully

392281-1

The Acct-Session-Id (type 44) attribute is present in the RADIUS accounting request packet.

393183-2

The ARL hash table has been rewritten as an open hash table with chained lists, so hash collisions no longer result in ARL entry loss.

394789-1

On a VLAN with VLAN failsafe configured, the system now prevents the currently active vCMP guest from sending itself a probe to which it responds (which might have prevented the VLAN failsafe from triggering).

395460-1

The Address Resolution Lookup (ARL) table is no longer susceptible to collisions.

399889-1

Updated code to prevent the config load from failing with "Can't load default profile" errors if certs have changed.

402510-8

Pool members are properly counted when using TCP connection queueing and OneConnect together.

402801-1

This issue has been fixed to handle packets with an MTU size larger than 1500 to avoid unnecessary fragmentation that may lead to data corruption.

404116-1

A newly enabled pool member is now immediately used when the pool has queued connections to the other pool members.

404840-1

TCP connections that are queued due to unavailable pool members now complete successfully once pool member availability/capacity is restored.

405232-1

Fixed bug to improve system quality.

405237-6

pfmand daemon now generates the appropriate messages.

406666-2

Corrected TCP simultaneous close response to match RFC793.

407576-1

Fixed bug to improve system quality.

411101-1

Resolved an issue found in F5 testing for ability to tcpdump mgmt_bp_* and loopback. Also added vm_tap_* for guests.

411408-2

Fixed a potential TMM crash when the OneConnect profile is enabled.

414211-1

TMM will no longer send ARP or neighbor advertisements for proxied hosts to the same child VLAN that a request was received on.

417553-1

Fixed bug to improve system quality.

421145-3

Systems with many hundreds of active server-side flows on the affected thread no longer result in port exhaustion.

421768-3

Fixed a TMM SIGSEGV crash that can occur on BIG-IP 4000-series or 2000-series platforms that are low on memory and processing heavy amounts of compression and/or encrypted traffic.

421964-1

BIG-IP system now correctly aggregates an LACP-enabled link.

422897-4

FTP now works when port translation is needed.

423705-2

The SIP monitor will now internally retransmit a request after 0.5, 1, 2, and 4 seconds.

430746-2

iRule crash bug fixed.

436634-1

tmm no longer crashes if the profile changes and the virtual server is deleted immediately afterward.

437398-1

When datagram-load-balance mode is enabled on the UDP profile, the client's max udp payload size is "remembered" for the responses. If the BIG-IP system alters the response (e.g., DNSSEC signing) and increases its size beyond the max, before sending the response to the client, the response will be properly truncated (per the RFC).

438081-1

Bug fixed in zxfrd to continue large response processing.

439036-1

Multiple unnecessary restarts of zxfrd on startup prevented with use of swallow tag not found error for zxfrd.

439712-3

Single SSL transfers will perform much better on 4200/2200.

440786-4

When a bad configuration occurs in a virtual server, tmm no longer crashes; instead, that virtual server is not responsive.

441048-1

The DNS Express Zone Resource Record counts now display accurate numbers when an AXFR answer is returned for an IXFR query.

444710-1

Out-of-order segments received before 3WHS is completed are no longer dropped.

447091-4

Ensured that packet filters with orders greater than 32767 are able to be deleted.

448327-2

Prevent memory leak when an iRule suspends or aborts a DNS command.

448846-3

A crash bug related to HSM and memory exhaustion has been fixed.

450713-6

Out-of-order segments received after FIN will be forwarded as expected.

452232-1

iRule no longer uses stale qname.

454018-1

The nexthop ref-count is thoroughly examined and corrected.

454463-6

A memory leak when executing a suspended DNS iRule many times has been fixed.

456942-3

After the fix, if the domain name in the iRule is invalid or memory allocation failure happens when modifying the RR owner name using the DNS:name iRule, TMM will not crash.

458597-1

There is no longer a memory leak when transferring a zone to zxfrd.

465866-1

The current tag file only indexes the sources for tmm. This makes it difficult to debug customer issues that reference code within libraries, primarily tmjail (xbuf/xfrags) and tmm_tcl. The fix is simple: index libraries that are commonly used, along with tmm.

428864

Lowering the virtual server connection limit now works, even when traffic is already being processed

450087

Unacknowledged TCP segments are re-transmitted upon re-opening of window.

452317

ARP entries reported as resolved will be removed upon expiration if they cannot be refreshed (i.e. resolved).

452482

Cookie persistence records are ignored when the connection limit of the persisted pool member has been reached. This results in incoming connections being offloaded to another pool member (if available).

454646

Fixed bug to improve system quality.

472680

Fixed regression found by internal F5 testing before release.


Global Traffic Manager Fixes

ID Number Description

387999-1

Fixed a code defect which causes TMM memory usage growth over time in a GTM box if the GTM is configured with persistence and/or an LB method that uses LDNS path metrics.

390086-1

The ZoneRunner GUI View moving functionality had a bug in that the View pulldown menu was empty. This bug has been resolved.

423317-3

Link status for GTM server and virtual server IPs should work properly now after a config load.

430200-1

When an explicit link is changed by a user on a server or virtual server configuration, the updated links should apply immediately.

437025-1

Very large configs will no longer cause big3d to be Aborted.

442980-1

All pool members returned now have their statistics increased.


Application Security Manager Fixes

ID Number Description

225123-1

Non-latin characters in requests that were always presented correctly in the Configuration utility are now also presented correctly in the exported requests PDF document.

421452-3

We improved the Policy Builder's performance of processing a long list of Extraction URLs.

433407-2

Allow Base64 Import/Export of Policies and Signature files.

436924-4

We added the internal parameter "dont_norm_high_ascii". If the value is set to 0 (the default value), the system removes high ASCII bytes as part of the normalization process. If the value is set to 1, the system leaves high ASCII bytes in place. Consider setting this parameter to 1 if your web application uses non-English encoding where high ASCII bytes are legal. Removing these bytes may lead to false positive detection of attack signatures when the remaining bytes exactly compose an attack signature.

438809-3

To improve brute force mitigation, we made the following changes:
- We added a new internal parameter: bf_num_sec_per_value. This defines how many seconds make up a single measurement unit for failed logins. For example, if you want to configure 7 failed logins per 5 seconds, in the Configuration utility configure "7" as the threshold value (the "Failed Login Attempts Rate reached" setting in the Detection Criteria area of the Brute Force Protection Configuration screen), and from the command line configure "5" as the value of this internal parameter. If this value is configured, the system will detect an attack only by the threshold (and not by the increase). If this value is configured, all traffic from suspicious IP addresses is blocked. The default value for the internal parameter is 1 second.
- In the Configuration utility, we removed the validation for all the threshold and minimal values. You can now enter very low values such as 1 or 2 in the detection and suspicious criteria.

445508-5

We optimized how memory is used for long requests, taking the various platforms into account. We introduced a new internal parameter: long_request_mem_percentage. This parameter defines the memory percentage for long requests. The default is 10%. Upon upgrading to version 11.6, we discard the old internal parameter 'max_concurrent_long_request' in favor of the new internal parameter 'long_request_mem_percentage'.

447319-1

Due to the fact that our PDF generating mechanism does not support all character encodings, you now have the option of exporting Requests and Event Correlation as an HTML file, or as a PDF file.

447331-1

Improved handling of potential memory issues found in F5 testing in multiple locations when working with umem.

447489-1

Resolved potential crash found by F5 internal testing.

464371

On the Charts screen, selecting to view statistics from "Last Month" will now only display data from the last 30 days.


Access Policy Manager Fixes

ID Number Description

390462-4

Visual policy editor now supports Internet Explorer 10 and 11.

397958-1

These logs (referer_log and agent_log) under the path /var/log/httpd/ are now being rotated periodically under the control of logrotate.

400433-6

Daemons (apd/apmd) are more robust.

416076-2

Applying Access Policy completes two steps now.

417751-2

Hex-encoded HTML entities are decoded on the client side before URL rewriting.

420736-2

[Mac][Linux] Set PPPD speed to 100 Mbps instead of 9.60 Kbps.

423430-1

Valid host characters from the 'Host:' header, up to the first invalid character, are now used.

424253-5

BIG-IP APM changes required for Windows 8.1 support.

424357-3

Resolved a rare case in which URIs were not properly percent-decoded.

424587-7

A SharePoint 2013 homepage can now successfully render in Internet Explorer 11 when it runs through APM content rewrite.

429286-4

Added test for History object into F5_Invoke_go(obj,url).

430330-2

Swap functionality is restored

430833-2

Now Network Access client proxy settings are correctly applied on Windows German with IE10.

432784-13

Clean up the memory buffers that store sensitive information immediately after usage.

433605-4

At the end of an APM network access session, the route is now restored for an interface that has a gateway and IP address on different subnets, provided that the gateway and IP address have not changed during the session.

433982-3

Detection of Internet Explorer is improved in APM Portal Access.

435329-2

Layered virtual servers are now assigned the correct IP addresses, and no longer conflict or interfere with each other.

435552-1

Now Java applets correctly work when client proxy is configured for Network Access connection.

437731-1

Optimized tunnel no longer crashes Internet Explorer.

437952-3

VPN installation now launches under Protected Workspace (PWS) on Windows 8.1.

438190-4

DSCP marking for client traffic control is now passed through APM VPN tunnel.

438248-2

Fixed an issue in which users could not log in to OWA2010 using the Firefox or Chrome browser through Portal Access Webtop.

438292-3

Resolved issue of Web AppTunnel re-using wrong existing loopback for different backend server IP.

438433-4

Uploading an image without proper message ID is now ignored.

438436-3

Security improvements resulting from F5 internal testing were made.

438696-5

Now Java RDP and Java App Tunnels work without showing a security warning.

440792-1

Client proxy settings specified in a Network Access resource are applied without an occasional miss now.

443139-5

Session variables have been made available during the ACCESS_SESSION_CLOSED event. As a side effect, session variables are still available even after issuing the "ACCESS::session remove" command, because the actual removal is deferred until after the current iRule completes. However, it is considered an error to access that data outside of the ACCESS_SESSION_CLOSED event.

445970-6

[Java][Mac][NA][EPS] NA and EPS auto installation is now working with Java 7 update 51

450845-6

Under logging stress, logd no longer writes duplicate fd errors in the log.

453164-1

Routes are restored after disconnecting from the Network Access connection.

454550-1

Proxy auto configuration now works with Internet Explorer when a URL cannot be resolved on a client.

458211-7

The EAM module now continues to function correctly when the size of a cookie in the HTTP request is greater than 4095.

449793

Force restarting edge client when new epsec build is installed on BIG-IP.


Service Provider Fixes

ID Number Description

409675-1

Set error code appropriately when checking for SIP/1.0

420588-1

SIP ingress queue length was 16 and is now 512. TMOS v11.3 and later uses the larger buffer size.

421270-2

Made the parameter (shutdown-timeout) configurable. Default value is 5 seconds. Command: tmsh list ltm profile mblb all-properties

429773-2

The mblb profile's egress settings can control the egress pending queue size and prevent it from growing to a size that impacts the performance of other connections.

431635-1

SIP connections with MBLB+OneConnect are no longer being terminated upon failure to send/connect to the client.

433665-1

The reference counting is shared between the proxy and the filter. This prevents the message from being released by the filter since the proxy holds the reference to the SIP message.

450001-1

Flow control in the SIPP filter no longer blocks flow improperly.

450019-1

When you use the LB::prime pool command, the system tries to flush the queue, but if there is a server side congestion the messages do not get processed. However, if there is no LB::prime, the queue is not flushed.


Global Traffic Manager Fixes

ID Number Description

386747-1

The search should now function properly


Cumulative fixes from BIG-IP v11.2.1 Hotfix 10 that are included in this release


TMOS Fixes

ID Number Description

388282-1

A timing issue that caused occasional failures to update the Host PIC and/or Serial PIC firmware on VIPRION PB100, PB200 or B4300 blades on pre-release versions of BIG-IP v11.4.0 was resolved.

392794-1

Read pluggable module media ability at module detect time. This fixes the behaviour where this info was incorrectly read and cached prior to module probing and caused CuSFP to fail auto-negotiating to 10/100 speeds.

429172-1

LBH firmware version 3.02 for BIG-IP 2000-/4000-series appliances corrects intermittent power supply fan failure and bad status error logs.

386679

Host based traffic is now egressed out of the same tmm instance that it will ingress when destination IP address cmp hash algorithm is enabled for a vlan.

387679

Disk monitor now correctly monitors the root filesystem.

409991

An internal process to handle firmware installation into Engineering hotfixes was improved.

412642

When the configuration of the floating management is handled internally, wipe out all other mgmt ip addresses and reprogram the floating ip as primary.

416659

Device sync has been fixed in TMOS 11.4.0 to appropriately fix FIPS key handles after each sync operation.

420188

This release corrects the issue in which mcpd failed to synchronize a device group and logged the message indicating that the sync for the device group was already in progress to a different device. In this release, the system does not block a load when another load is already in progress.

424173

Network device configuration no longer causes some of the directories under /sys/class/net to become unreadable.

427071

Resolved issue preventing GUI from displaying traffic selector list.

427342

If you filter by the Status column under Local Traffic > DNS Express Zones > DNS Express Zone List, the page now correctly renders without error.

428706

False positive messages warning of 100% CPU use have been corrected.

431160

Fixed divide by zero kernel panic.

437739

TMOS now monitors all tmms for looping/locked on a Centaur/Victoria2 BIGIP.


Local Traffic Manager Fixes

ID Number Description

374792-2

Added the global DB variable ARP.ReapTimeout, analogous to IPv6.Nbr.ReapTimeout, to control expiration of ARP table entries. Note the default value remains the current 20 seconds, which is substantially smaller than the IPv6 default of 3600 seconds.

377421-3

Fixed an issue whereby persistence records that are subject to matching across virtual servers could cause tmm to reset the traffic.

422800-4

F5 OPT-0011-00 1Gb LX fiber SFPs are now enabled successfully when inserted into an SFP port in a BIG-IP 2000-/4000-series appliance.

374553

Proxy SSL now supports TLS 1.1 and TLS 1.2 handshakes.

382682

Mid-stream SSL renegotiation now functions correctly for Virtual Servers with clientssl and serverssl profiles that have Proxy SSL enabled.

391440

FIPS certificates can now be viewed correctly on a sync'ed pair device.

410051

This issue is not a memory leak, but an error in how the memory stats are incremented/decremented. There are two different mechanisms that can be used for allocating/freeing memory, one which increments/decrements the stats and another which doesn't. This type of memory (magazine cache) used both mechanisms, which caused the stats to be incremented on an allocation and not decremented when freed. It is only safe to choose one mechanism and always use that same mechanism for allocating/freeing memory, which was the fix for this issue.

410368

This fix allows all 1.x ports on the 2x00 and 4x00 platforms to be enabled and disabled separately without impacting other ports.

410680

The DNSSEC hash algorithm will be changed from SHA-256 to SHA-1.

413213

CPU usage is no longer adversely affected when HTTP cookie encryption is used.

418781

The TMM has been fixed to delay linking child route-domains until all the RD's are loaded.

420200

More types of DNS messages are now passed through the BIG-IP system, so that, for example, the DNS_UPDATE response (which is a valid header-only DNS message) is correctly passed through without processing.

420941

A potential TMM crash in low-resource situations with persistence cookies no longer occurs.

424040

TMM no longer restarts on assertion "tunnel is on different tmm".

425580

By setting the confg.allow.rfc3927 database variable to "enable," addresses in the 169.254.0.0/16 range can be configured on a BIG-IP.

425921

Compression on the 4200v platforms now behaves properly in these cases.

425953

The commit ID is now synchronized to secondary blades of a chassis; a sync will not be required if a different blade becomes primary.

427012

BIGIP no longer truncates DNS over TCP; nor does it send more than 512 bytes over UDP when edns0 is not present.

427607

The fix is to modify the polling behavior in the quickassist driver to allow more efficient handling of hardware compression requests.

427972

Unrecognized or non-standard types are ignored for the purpose of stats collection.

428150

The fix is to include the latest version of the quickassist SDK to resolve dependencies between the quickassist driver and quickassist libraries.

431602

TMM now switches over gracefully during failover when there is a rate shaper profile in use.

431914

The v1.1 cave creek firmware allows for compressed streams greater than 4 gigabytes. This addresses the issue where requests for file download (with compression) resulted in a reset when the compressed stream exceeded 4G in size.

434336

Resolved a rare condition found in F5 testing that could cause a core.


Global Traffic Manager Fixes

ID Number Description

384629

GTM configuration synchronization will now exit gracefully upon failure.

390576

Fixed a code defect which causes GTM to mark certain GTM virtuals hosted on LTM servers DOWN although they are actually UP.

412112

GTM no longer incorrectly adds Self IP addresses that correspond to gateway pool members.

424997

Big3d no longer restarts in certain circumstances when retrying a connection to mcpd, and no longer produces a segmentation fault.

426957

Attempting to create a zone using the ZoneRunner GUI using the "Transfer From Server" option now works correctly.

429127

Changes in the DNS Zone Files are now properly synchronized between peer GTM group members.

431157

GTM now correctly includes all information necessary for the monitor to make the correct determination of status.

433358

The Active member of the HA Link Controller pair will now display the correct stats and will apply the correct traffic-based limits.


Application Security Manager Fixes

ID Number Description

433418-4

After updating the GeoIP database (see SOL11176) and restarting the ASM bd daemon, the bd daemon no longer fails to read the system's GeoIP files (/shared/GeoIP/).

366861

We fixed an issue that sometimes caused the Enforcer's XML parser to crash.

405316

We introduced two internal parameters in order to enable users to control the time it takes for the remote logger to try and re-establish a connection to the external syslog server. This is in order to prevent the remote logger from delaying client requests if the external Syslog server is unreachable. The new parameters are the following:
- remote_logger_reconnect_timeout (default is 5 seconds)
- remote_logger_reconnect_max_failed_messages (default is 3 messages)

423009

The Enforcer no longer crashes upon startup if remote logging for ASM is assigned to hundreds of virtual servers.

426425

We fixed a scenario where under certain circumstances, part of a request that is blocked by ASM appeared in the response to a subsequent non-blocked response.

427147

We fixed an issue that sometimes caused the Enforcer's XML parser to crash.

428327

We fixed an issue that happened rarely, where the Enforcer crashed after connecting and disconnecting VIPRION blades due to memory corruption.


Access Policy Manager Fixes

ID Number Description

424244-1

Client initiated form based SSO no longer fails to replace password token in rare cases when using Internet Explorer.

429661-1

Fixed an issue in which a window.XMLHttpRequest overridden by web-application code was used for the internal needs of portal access instead of the real XMLHttpRequest.

381486

Information about session length, connection timeout and idle time is added to BIG-IP Edge Client. Information about used tunnel type, session length, idle time and session timeout is added to web browsers.

382166

A session timeout issue with the internal F5_ST cookie was fixed: if a proxy was used and the proxy followed RFC 6265, the F5_ST cookie was corrupted.

384311

Previously, after establishing and closing a Network Access connection with the option Force all traffic through tunnel enabled and the option Allow Local Subnet disabled, the client machine became unreachable from other hosts. Now the client machine remains reachable.

384391

Now one Network Access resource can be launched automatically right after user login.

385460

Now the rules for determining when a request with a hostname should be sent via proxy configured in Network Access resource are as follows: 1) if the hostname matches DNS Address Space the request is sent via proxy, 2) if any IP address of the resolved hostname matches IP LAN Address Space the request is sent via proxy. Also added special handling for IPv4 prefix "0.0.0.0/0" and IPv6 prefix "::/0" which are not recognized by isInNetEx.

388299

Now apm log shows error message if Citrix Web Interface is incorrectly configured as "Gateway Direct" instead of "Direct".

395719

Validate resourcename parameter as used by network access and app tunnel.

398018

APM now supports Citrix Receiver for Windows 8 and Windows Runtime (WinRT) clients.

401658

APM now hides network access, remote desktop, and application tunnel resources from APM webtops on Windows 8 ARM.

416347

Replace feature check that blocks this functionality with apm license check.

416583

Now client proxy settings are correctly applied on Network Access connections on Windows with Internet Explorer 10 installed.

421259

Secure session variable now decrypts correctly and is the correct length.

421499

BIG-IP Edge Client for MAC OS X code now handles network access over a third party PPTP VPN connection.

422516

A notification displays when reboot is required after the Cred Mgr has been updated.

423897

BIG-IP Edge Client for MAC OS X handles ending redirect correctly.

424067

Proper Windows 8.1 and Internet Explorer 11 detection implemented for BIG-IP APM.

424199

Initial access to cookies on a page from a dynamically loaded script no longer causes intermittent Firefox browser halt.

424371

Protected Workspace code was changed to allow Internet Explorer 11 and Windows Explorer to start on Protected Workspace Desktop (on Windows 8.1).

424577

Support for Windows 8.1 Inbox F5 VPN detection is available in APM visual policy editor; an additional branch was implemented for the Client Type Access Policy action.

424762

With APM Standalone license, it is now possible to configure gateway fail-safe.

424969

Fixed a rewrite plugin crash that could occur when sending POST requests with specific XML data through portal access.

425166

Fixed a BIG-IP Edge Client crash caused by an incorrect memory copying routine during the disconnect process.

425359

Improved APM reliability for clients

425853

Launch Application for MAC OS X now works if the string contains an ampersand.

427076

An error no longer occurs during logon to a web application using client initiated form-based SSO.

427804

The IE 11 on Windows 7 user agent is now detected correctly.

427819

Network access restores proxy settings when a user signs out from a Windows-based session and schedules proxy cleanup operations to start on the next Windows user sign in.

428306

When using the svpn plugin proxy service on a Mac system, the plugin works correctly when it probes 127.0.0.1:44444.

428417

Support for Windows 8.1 platform detection implemented in Windows client code.

428450

The rewrite process no longer loops when working with malformed Flash files.

429617

Windows RT users can now access webtop links and portal access resources on APM webtop.

429741

A Windows RT branch is added to the "Client OS" action in APM Access Policy.

430404

Fixed issue where Firefox can freeze at cookies transport between client and APM.

430565

Manifest file version updated for Google Chrome plugins.

430669

The issue where Internet Explorer 11 did not always allow access to "window.opener" is fixed.

430965

Resolved issue where Windows 8.1 SetupDiGetDeviceRegistryProperty function returned hardware IDs with spaces replaced with underscores, to allow VPN driver to be uninstalled. This addresses issues with the VPN driver update.

431076

Driver installer fixed to re-install client stonewall driver independently from VPN driver.

431134

Allow connection for large expression.

431144

After fail-over (only applies to chassis), when users try to connect to the virtual server they might see the "Access Policy configuration has changed on gateway" message. This issue has been fixed.

431216

IE11 does not recognize PAC files specified with the "file://" prefix. To work around this issue Network Access automatically enables "Client Proxy Uses HTTP for Proxy Autoconfig Script" for Internet Explorer 11 clients.

431776

This temporary fix disables Protected Workspace on Windows 8.1. Windows 8.1 users are directed to the fallback branch in APM Access Policy until ID 424371 is resolved.

431834

When using the Oracle ASDK API to obtain the Redirect URL during the authentication process, APM handles exceptions gracefully.

431915

Cannot edit VPE. Shows blank page. This is now fixed.

432049

Sessions from BIG-IP Edge Client on iOS now can be filtered by CPU type in visual policy editor.

432636

Citrix, VMware View, JavaPatcher, MobileSDK connections now always update session statistics and inactivity timeout.


WebAccelerator Fixes

ID Number Description

417883

Improved handling of image optimization CPU quota.


Wan Optimization Fixes

ID Number Description

435957

Fixed the communication problem between local and remote endpoints in a WAN optimization setup. The problem exists only when a multiblade chassis is present on both sides of the WAN communication. The problem may not be visible without an HA setup (Active/Standby boxes).


Cumulative fixes from BIG-IP v11.2.1 Hotfix 9 that are included in this release


TMOS Fixes

ID Number Description

426341

BIND has been updated to address CVE-2013-4854.


Cumulative fixes from BIG-IP v11.2.1 Hotfix 8 that are included in this release


TMOS Fixes

ID Number Description

391843-8

Deleting and re-creating File Objects (keys, certificates, iFiles, etc) with the same name no longer causes the new version of the file to fail to synchronize to peers during config-sync operations.

406929-2

We now capture alerts and the new primary sends the alerts upon going to primary.

411151-2

1) Detect tunnel loops due to misconfiguration and abort transmission if detected. 2) Set EtherIP tunnel overhead to zero. This will allow encapsulation of packets with lengths less than or equal to the MTU size of the underlying interface.

424293-1

LBH firmware version 3.01 for BIG-IP 2000-/4000-series appliances corrects intermittent "read error" messages when getting information about installed power supplies.

352630

Fixed bug to improve system quality.

359477

Fixed corner-case of file objects where the contents were not updated appropriately.

362619

A memory leak in real-time statistics (rtstats) has been fixed.

387361

The system now correctly syncs status after device reboot.

391584

This Machine Check Exception is resolved by HSB bitstream v1.4.3.0, which is included in the following BIG-IP versions and later: BIG-IP v11.2.1 HF8, BIG-IP v11.3.0.

396261

Syncing is now more robust in the case of specific monitor instances that match the pool monitor rule.

397939

When a 4200v box is powered up, the system no longer posts a false negative, power-on event message. Also, messages reporting a system power-supply event now correctly identify the appropriate power supply as the source of the report.

399293

This fix populates the SNMP Management Information Base (MIB) with the correct OID for BIG-IP 4000-series platforms.

    # snmpwalk -v2c -c public localhost sysObjectID.0
    SNMPv2-MIB::sysObjectID.0 = OID: F5-BIGIP-SYSTEM-MIB::bigip4000
    # snmpget -c public localhost .1.3.6.1.2.1.1.2.0
    SNMPv2-MIB::sysObjectID.0 = OID: F5-BIGIP-SYSTEM-MIB::bigip4000

399323

This problem occurs infrequently on VIPRION B4300 blades. It is possible that this problem may also occur on VIPRION B4100 and B4200 blades. The problem may occur when BIG-IP installs a newer Host PIC firmware version than is currently installed on the VIPRION blade. This firmware update is typically performed when BIG-IP boots and determines that the firmware installed on the Host PICs is older than the Host PIC firmware version included in BIG-IP. This issue is resolved in BIG-IP versions 11.2.1 HF8, 11.3.0 and later.

399464

Copper 1Gbps SFP interfaces configured for requested speeds of 10Mbps or 100Mbps no longer cause configuration load errors.

402394

The BIG-IP configuration will have correct failover traffic group assignment for the "/", "/Common" and other non-default system folders.

405195

Fixed bug to improve system quality.

405839

Improvements in hard drive error detection and correction have been made.

407674

Devices in a data group should no longer fail to sync with the following error message after an upgrade from earlier 11.x releases: Sync error: "Caught configuration exception (0), file(/config/filestore/.snapshots_d/data_group_d/fileobjectname ) expected to exist.

411064

The fix drops a packet whenever the misconfiguration conditions are detected.

415028

Fixed bug to improve system quality.

416007

Changed log messaging to distinguish between recoverable and unrecoverable sector problems

416803

The connection service now ignores excessive concurrent connection requests to the same address.

417557

You can now provision both APM and ASM when both modules are licensed.

419698

This fix populates the SNMP Management Information Base (MIB) with the correct OID for BIG-IP 2000-series platforms.

    # snmpwalk -v2c -c public localhost sysObjectID.0
    SNMPv2-MIB::sysObjectID.0 = OID: F5-BIGIP-SYSTEM-MIB::bigip2000
    # snmpget -c public localhost .1.3.6.1.2.1.1.2.0
    SNMPv2-MIB::sysObjectID.0 = OID: F5-BIGIP-SYSTEM-MIB::bigip2000

421349

Using Enterprise Manager to manage HA pairs with FIPS no longer causes key handle mismatches.


Local Traffic Manager Fixes

ID Number Description

227368

Connections no longer stall indefinitely beyond their timeout when clients send pipelined HTTP requests to virtual servers with fallback hosts configured, half-closing their connections and triggering a load balancing failure.

374976

A traffic handling issue that can core TMM has been fixed.

381333

Packets handled by mirrored Standard (L7) virtual servers during a failover event are now processed in a more timely fashion by the newly-Active system.

386991

DHCPv6 pool members are no longer required to have a persistent route to prevent a tmm crash.

391242

Fixed a defect which could cause TMM to core and restart while handling access policy traffic.

393297

The TMM could crash under load in some circumstances. The issue has been corrected.

401718

TMM no longer has the potential to crash when handling certain iRule commands that suspend execution ('after', 'session', etc) in SERVER_CLOSED events.

403111

HSB tx watchdog failsafe has been increased to a reasonable value that avoids triggering the failsafe in circumstances where the HSB is not locked up, just consistently utilized.

412586

Fixed a rare condition where the ARP table for one TMM may get out of sync with the others for a period of time, causing connectivity failures. This can happen more frequently when VLAN failsafe is configured.

413477

The BIG-IP system now load-balances to pool members when a pool is chosen from an iRule, fallback persistence is configured, and the virtual server has no default pool. Multiple iRule persist commands also now work as expected when the persist record exists on a remote TMM.

415714

DNS Cache now correctly truncates responses (for non-EDNS0 queries) to 512 bytes.

415991

Active FTP works when there is no route back to the client.

417554

Fixed a DNS-Express memory leak in the zxfrd process.

420131

Fixed a TMM core that could occur while processing certain connection teardown scenarios for virtual servers with a DNS profile. The following log message could indicate that this was encountered: 'Assertion "valid pcb" failed'.

420498

If a query that does not have the RD bit set is answered by a virtual server with transparent cache enabled, a subsequent query for the same query name with RD bit set will get a correct answer.

420585

An occasional TMM crash when using a DNS cache resolver or validating resolver has been corrected.

422105

Transparent DNS Cache no longer inserts a truncated response into the cache.


Global Traffic Manager Fixes

ID Number Description

406176

Fixed a code defect which causes high memory usage by the big3d agent in certain configurations.


Application Security Manager Fixes

ID Number Description

398699-1

The Enforcer now correctly injects JavaScript when tags generated by JavaScript are split between quotation marks, like: 'ht' + 'ml'.

397551

We improved the way we implement the web scraping feature's client-side challenge so that when web scraping triggers a client-side challenge to a page of the web application, the user can click on a link in that page and click the "BACK" button on the browser without the browser displaying an error message.

401957

We created a new internal parameter, "cs_embedded_script" whose value the Enforcer inserts into the client-side's check challenge response. This was done to improve how Google analytics learns direct links.

405001

We fixed a crash that rarely occurred during regular-expression signature matching on excluded headers. Currently, we perform better verification on PCRE functionality.

407927

Apply policy no longer fails due to invalid URL Content Profile records.

408074

We added the internal parameter "FTP_access_error" that controls the response code and string sent by the system after it blocks an FTP command. The default response code and string the system sends for a blocked FTP command is "550 Requested command not allowed".

To add the parameter, from the command line, type:

    ./add_del_internal add FTP_access_error "[response code] [String message]"

To delete the parameter, from the command line, type:

    ./add_del_internal del FTP_access_error "[response code] [String message]"

410800

Older learning suggestions are always removed before newer ones, even if ASM is restarted. This was sometimes an issue in previous releases.

412201

We fixed the way the Enforcer handles cases of invoking a client-side challenge, where reconstructing a POST request to a GET request is needed. The system no longer blocks these requests with the "HTTP protocol compliance failed: Unparsable request content" violation.

415008

There is no longer a JavaScript error when there are multiple injections of AJAX or CSRF code in the response (for example, if the AJAX Blocking page or CSRF feature is enabled).

418396

You can now have the risk and accuracy of each signature logged in the remote logger appended to the signature names. To do this, from the command line, set the new internal configuration boolean variable "remote_logger_include_sig_risk_accuracy" to 1 (enabled). Its default value is 0 (disabled).

419396

Improved APM reliability for clients

419884

If the system performs an automatic attack signature update, it also now honors the "Auto Apply New Signatures Configuration After Update" setting when it is enabled.

420108

Policy export in XML format now includes all attack signature settings, even if attack signatures were deleted from the system.

420315

The system now reports brute force drops even from the last seconds of an attack.

420376

The Enforcer internal encoding table is no longer corrupted when all of these conditions are met:
- A security policy has an encoding language that has many secondary encoding languages (such as the Chinese encoding).
- The Enforcer receives transactions at a high rate with parameters or URLs in different secondary encoding languages.
- At the same time the user reconfigures the security policy and changes the encoding to one of the secondary encoding languages.

421250

The Enforcer no longer crashes when the remote logger is enabled, and FTP or SMTP traffic has a security violation that should be logged, and the connection is then closed (on the server side or the client side).

421438

Methods in WSDL files that contain non-alphanumeric characters (such as period) are now enforced correctly.

421450

We fixed an issue that sometimes caused the Enforcer to incorrectly parse multipart data.

421451

The Automatic Policy Builder no longer crashes when processing thousands of URLs in the Extraction list.

423797

We added the following internal parameters that you can add to headers and URLs in order to avoid requests receiving a client-side challenge:
cs_excluded_headers - Contains one or more headers, separated by a comma [,]. When one of these headers is present in the transaction, the client-side challenge is not injected in the transaction. (The URL qualification will still work in this case, as it is expected that the same URL may appear with or without these headers.) The default value is an empty string.
cs_excluded_urls - Contains one or more explicit URLs, separated by a comma [,]. These URLs will never be qualified for a client-side challenge. The default value is an empty string.


Application Visibility and Reporting Fixes

ID Number Description

421437-1

Devices no longer report as unsynchronized due to scheduled report transmission.


Access Policy Manager Fixes

ID Number Description

354474-1

Improved APM reliability for clients

416238-2

Improved APM reliability for clients

357882

Improved APM reliability for clients

359227

Improved APM reliability for clients

361822

Improved APM reliability for clients

369886

APM webtop no longer shows the Citrix client detection dialog on mobile devices.

376000

Uploading files when accessing a web application using APM portal access mode now works correctly. This includes sending an email message with an attached file using OWA.

378969

Now a captive portal is properly detected in the Force all traffic through tunnel mode.

385982

Improved APM reliability for clients

388014

WEBSSO works when you select a BASIC SSO configuration using the WEBSSO::select iRule command, even in the following situation: the default configuration in the ACCESS profile (or resource) is FORM BASED and uses session variables (for example, in Hidden Form parameters).

396078

WebSSO did not fully reset the SSO configuration context on new requests on the same flow. With this fix, when multiple SSO objects are behind one virtual LTM with a reused client/browser flow, the SSO configuration state is reset between requests.

402070

Improved APM reliability for clients

402092

Improved APM reliability for clients

402324

Improved APM reliability for clients

402556

Improved APM reliability for clients

402699

For BIG-IP Edge Client on Windows systems, when APM network access is configured to close idle connections, a notification about the idle connection displays ahead of time.

403832

Fixed a memory leak when accessing some flash files through APM Portal Access

405242

Improved APM reliability for clients

405365

An ActiveSync device may fail to finish a request for various reasons, such as a bad signal, and the connection is then reset. Rarely, if this request was the one trying to establish a session, it left stale state in APM, which prevented the device from recovering for a certain period of time, until the stale state was automatically deleted. This fix allows the device to recover early.

406603

Improved protection for CSRF.

406844

Improved system reliability with fixes for bugs found by internal F5 testing.

406969

Improved system reliability with fixes for bugs found by internal F5 testing.

407148

APM now works with ActiveSync on Windows Phone 8, Windows Phone 7, and Windows RT devices.

407747

Improved APM reliability for clients

408138

Improved APM reliability for clients

408426

TMM crashed when a legacy standalone client connected a second time. This is now fixed.

408695

Split domain now works consistently with the HTTP 401 Response action.

409887

APM can now display up to 100 resources (maximum 20 characters length) on a webtop.

410179

Import is now working for both encodings

411422

Improved APM reliability for clients

412041

PWS starts on Windows XP even when the browser uses a large amount of memory.

412138

You can now import an access policy when a new ACL is order 0 and an ACL with that order already exists.

412435

Fixed an issue where two clients were assigned the same IP address from the same lease pool when establishing a Network Access connection channel.

412493

This release fixes a memory leak that occurred when APM cached many /vdesk/my.acl URIs for tunnel traffic.

412665

Fixed an issue where new network access tunnels failed to establish on the new active device during a failover when using LDAP for authentication.

412797

JavaScript source conversion to UTF-16 has been fixed.

413415

Improved APM reliability for clients

413661

Access policies that were copied from other policies no longer lose their images when the original policy is deleted.

414354

ACCESS no longer sends multiple HUDCTL_REPSONSE_DONE messages, so HTTP no longer logs lots of errors.

414475

A cross-site scripting vulnerability has been fixed.

414555

ZIP files are now processed correctly when the Java patching feature is enabled.

415251

SSO plugin now caches the load balancing decision made during the first request/response and reuses the same load balancing policy to send the type 1 message.

415392

iRules are now visible even if APM is unlicensed.

416042

Improved Firepass client and server support for better system behavior.

416339

After an authorization failure, APM webgate redirect behavior is now similar to Oracle webgate redirect behavior and obssocookie is no longer reset to loggedoutcontinue.

416574

Improved Firepass client and server support for better system behavior.

416658

Improved security through access policy for multidomain SSO.

417908

Now accounts in Citrix Receiver for Windows can be registered by entering only the domain name of APM virtual server.

418610

Various APM related cookies are now set to a secure option.

419295

An ACCESS session can no longer be shared inadvertently by a Citrix Receiver that connects to different virtual servers on the same BIG-IP system.

419773

 

419780

APM now encodes URLs for the prevention of XSS attacks using a less aggressive mechanism.

419955

CPU usage by Kerberos library during some error conditions is acceptable now.

421315

A TMM core for network access scenarios no longer occurs.

421356

A rewrite plugin crash that could happen when accessing some HTML pages through APM portal access no longer occurs.

421522

APM now handles an empty AVP-24 ("state") in a RADIUS Access-Challenge request.

421566

The logd service could core due to an unsafe localtime() call. The root cause of the logd core has been corrected with a thread-safe call to localtime_r().

421711

Improved APM reliability for clients

422331

The access policy Deny ending agent displays the correct error message now for some additional cases: Your session could not be established.

422488

Improved APM reliability for clients

422830

Improved APM reliability for clients

423417

Improved APM reliability for clients

424007

Properly restore connections after reconnecting.

424113

Resolved bug so the "add new entry" button works with newly created Variable Assign action.

424117

APM supports Windows Citrix Receiver 4.0

424196

Improved APM reliability for clients

425095

Improved APM reliability for clients


WebAccelerator Fixes

ID Number Description

387559

Fixed a defect which could cause the wamd process to core and restart.


Wan Optimization Manager Fixes

ID Number Description

393941

The assertion, "valid isession pcb", no longer occurs when application or optimized tunnels are terminated.

395974

APM: a TMM crash bug has been fixed.


Cumulative fixes from BIG-IP v11.2.1 Hotfix 7 that are included in this release


TMOS Fixes

ID Number Description

421718

 


Local Traffic Manager Fixes

ID Number Description

409219

IPv6 packet reassembly now succeeds.

421614

Handling of qnames in DNS requests has been made more robust.


Access Policy Manager Fixes

ID Number Description

420103-1

CVE-2013-0150 is closed now.


Cumulative fixes from BIG-IP v11.2.1 Hotfix 6 that are included in this release


TMOS Fixes

ID Number Description

408085-1

Integrate Victoria LOP firmware v1.18 into Victoria TOS

410168-1

Support new hardware platforms.

410169-1

Support new hardware platforms.

412078-1

Integrate Victoria LOP firmware v1.19 into Victoria to BIG-IP.

327024

A routing issue with the management address of chassis platforms has been corrected.

373068

A link routing issue with the management interface on cluster primary for chassis based platforms has been corrected.

387640

syslog-ng has been updated to version 2.1.4.9.el5.

388277

Starting with hostpic firmware version 5.02, the fan speed set messages were incorrectly filtered for Puma1 and Puma2 blades and, as a result, not forwarded to the fan controller. As a built-in safeguard, when the fan controller does not receive fan speed set messages, the fans operate at 100% duty cycle. The hostpic firmware has been fixed to allow processing of fan speed control messages from BIG-IP.

396064

Fixed a defect that could cause previously in-sync device groups to become out of sync when one device is rebooted.

404255

Fixed an issue where, when setting Sync Leader, the packet-filter-trusted settings were incorrectly cleared.

405400

mcpd no longer loops waiting on input from background processes, avoiding a situation where it could drop a core file after receiving a heartbeat timeout.

405638

GTM/big3d now correctly identifies LTM virtuals in traffic group 'none' and 'traffic-group-local-only' as HA active.

409218

TCP traffic from the TMOS host (e.g., health monitors) is no longer blocked for the following destination ports: 1028, 6123, 6124, 6125, 6126, 6127, 6128, 6698, 6699, 9090, 9781, and 10001.

410605

Fixed an issue where software images might not be detected on a blade after it is moved to a new slot in the chassis. The resulting status for the image during this condition is: "waiting for product image".

413217

The ability to boot BIG-IP Virtual Edition or vCMP guests with less memory than they had previously been allocated has been made more robust.


Local Traffic Manager Fixes

ID Number Description

365766

We have significantly mitigated the possibility of a TMM core and failover event that manifests with the following panic log message in /var/log/tmm: - Assertion "rt_entry ref valid" failed.

372295

LACP no longer gets in a state where ports in a trunk that have been moved or re-ordered do not fully function as a reference port when there is another real functioning port in the trunk. LACP would stay in this state without a timeout until the reference port recovered. Now, LACP detects the state and moves the reference port to the real functioning port.

383867

Fixed a TMM core caused by connection RSTs when iRule commands have temporarily suspended execution in CLIENT_ACCEPTED events.

387124

Fixed a TMM memory leak that can occur when ramcache is enabled on a virtual server that issues an HTTP::disable command in an iRule.

388869

There is a new option for a DNS Express zone which allows one to disable TSIG verification for NOTIFY messages it receives from the Master DNS server. To accomplish this, issue the following command: tmsh modify /sys db dnsexpress.verifynotifytsig value false

394484

This release fixes a bug where LTM sometimes returned an ETAG header with a 'NUL' (or 0) in the header.

396475

Fixed a TMM SIGSEGV core caused by improper handling of serverside ICMP Destination Unreachable messages.

397152

Fixed a TMM crash that occurred when a failover happened for FTP while a lasthop pool was configured for the FTP virtual server and the failover action was reselect.

397637

Fixed an issue where lasthop pool failover does not work for FTP uploads or downloads when fail-over involves two different networks and connection.vlankeyed is set to disabled.

398059

Fixed a TMM core which could be triggered by, among other things, FastL4 and persistence profiles on a virtual server.

398414

Certificate Revocation List verification now functions correctly when the client certificate being verified and the CRL are signed by different Certificate Authorities.

398593

Fixed a problem where route pool failover did not work for FTP.

399825

Passive FTP now works when a no-translate virtual server and a gateway pool are configured. Previously, the client received a RST with cause "NO ROUTE to host".

404706

Fixed a timing issue where, in some rare circumstances, not all blades in a chassis system will become active when the chassis comes from standby to active.

405652

Default routes are now correctly propagated via IS-IS to peer devices when "metric-style wide" is configured.

407145

BIG-IP no longer drops tunnel packets when the traffic group has an HA MAC masquerade configuration.

417057

When DNS cache is enabled, TMM no longer crashes when processing a malformed DNS query with name compression, because the malformed DNS query is not sent to the DNS cache. It is processed according to the "Unhandled Query Actions" configured in the profile.

419412

 


Global Traffic Manager Fixes

ID Number Description

391991

This fixes a regression from v10.x, introduced in v11.0, which caused different GTMs in a sync group to auto-discover virtuals inconsistently when synchronization is disabled for the sync group.

403125

GTM virtual server auto-discovery now works correctly when the GTM is v11.x and an LTM is upgraded from v10.x to v11.x.


Application Security Manager Fixes

ID Number Description

366011

An empty Accept-Encoding header no longer triggers the HTTP Protocol Compliance sub-violation "Header name with no header value". This complies with the RFC.

377191

An Enforcer core was fixed that happened on a blocked request that had some specific matched attack signatures and had the signature names ("sig_names") field in the remote logger.

394960

We improved the way the system handles evasion techniques.

394980

Security Policies built using the third party vulnerability assessment tool output scenario are now not case sensitive, by default.

401538

Learning suggestions are presented with full request data even in the case where one type of violation already exists in the Learning database and is then triggered repeatedly.

407871

We fixed an issue that sometimes caused a problem with the attack signature configuration after rolling forward a system configuration.

407937

The system's XML parser now recognizes "0" and "1" as valid xsi:nil boolean values, so that XML elements that contain the attribute xsi:nil="1" no longer incorrectly trigger an XML violation.

408846

The JavaScript code that ASM inserts when the CSRF feature is enabled now conforms to the W3C standard.

409405

When a NULL character appears in a header or a request payload, the system now continues to enforce the rest of the request.

409423

We fixed an issue where ASM sometimes injected client side JavaScript in responses when it should not have.

409752

We eliminated a large growth in memory usage on the system (causing an out-of-memory error) that sometimes occurred while the system reported Web scraping attacks.

409787

We fixed an issue where the Enforcer might crash if a malformed JSON request is sent.

411202

To allow for backward compatibility with previously archived logs, and multiple versions of ASM, remote logging profiles have the fields "http_class_name" and "web_application_name". Both these fields report the name of the HTTP Class.

417604

The system no longer crashes when there is remote logging for an FTP or SMTP security profile.


Access Policy Manager Fixes

ID Number Description

394363-7

BIG-IP Edge Client and client components were unable to install due to an expired certificate. This problem no longer occurs.

372070

APM tmm crashes related to Network Access (NA) tunnel usage (iClient) have been corrected.

394056

Multi Domain SSO primary authentication URI can use a custom port number.

394363

BIG-IP Edge Client and client components were unable to install due to an expired certificate. This problem no longer occurs.

405956

A transient interruption in communication with a KDC resulted in a 10-minute lockout if no alternate KDC was available. The lockout interval could save time by preventing repeated attempts to use an unavailable KDC. However, if no alternate KDC is available and the interruption is actually brief, the lockout is excessive. The lockout value is now configurable. For more information, see SOL14319 on www.F5.com.

406444

Improved Firepass client and server support for better system behavior.

407273

Improved system reliability with fixes for bugs found by internal F5 testing.

407603

Possible XSS via cookie tampering on APM logout pages has been fixed.

409252

Improved Firepass client and server support for better system behavior.

409773

Added special handling for non-IE browsers to resolve client issues.

409912

Support for Chrome 25 has been added.

409946

Support for Firefox 19 has been added.

411792

If you use the iRule "ACCESS::session data set" with an invalid SID, TMM no longer crashes.

412084

The network access client now supports TLS1.2.

413467

TMM now handles ACLs correctly.

413921

Now the rewrite plugin correctly handles Visual Basic event handlers attached to HTML tags for HTML portal access resources.

418613

 


WebAccelerator Fixes

ID Number Description

394536

Fixed a defect which could cause TMM to core and restart when Access Policy Manager or WebAccelerator handles certain poorly formatted HTML href attributes.


Cumulative fixes from BIG-IP v11.2.1 Hotfix 5 that are included in this release


TMOS Fixes

ID Number Description

416636

BIND has been updated to address CVE-2013-2266.


Cumulative fixes from BIG-IP v11.2.1 Hotfix 4 that are included in this release


TMOS Fixes

ID Number Description

394417

IPsec SHA1 authentication now works on VADC.

394432

Secondary blades now bring their interfaces up when booting for the first time from a new install when VCMP is provisioned.

397825

CVE-2012-4929 CVE-2012-4930: protect against the CRIME attack.

401193

A self IP can be created within a partition which has a default route domain set.

403928

mcpd no longer cores when upgrading configurations with APM rules.

405366

IPsec no longer stops handling incoming ESP packets after rekey.

406904

Improved system reliability with fixes for bugs found by internal F5 testing.

407028

A Linux kernel bug causing unpredictable errors up to and including crashes after 208.5 days of uptime has been fixed.

409303

Upgrading configurations with iApp templates no longer causes configuration loads to fail with an error like the following: "01070734:3: Configuration error: The object (folder /Common/foldername.app) is owned by a non-existent application (/Common/foldername.app/foldername)."

410001

iControl calls no longer fail with the following error message resulting on the BIG-IP: "01180009:3: get_ff_present feature flag 310 out of range."


Local Traffic Manager Fixes

ID Number Description

385579

A condition that could lead to a TMM core during persistence-record mirroring when the standby device comes online has been corrected.

398102

Fixed an issue which could cause traffic disruptions when running v11.2.0 or later vCMP guests on vCMP 11.1.0 or earlier host.

405418

Fixed a TMM core which could happen while running ASM or other plugin modules.

407706

BIG-IP is no longer susceptible to the attacks described in CVE-2013-0169.

408753

TMM no longer cores when enabling the dns-cache feature.


Global Traffic Manager Fixes

ID Number Description

224131-1

New gtm global setting send-wildcard-rrs was introduced in 11.0.0. It is disabled by default. When enabled, it is supposed to trigger resource record auto-creation in BIND when creating wildcard wide IPs. But this functionality never worked. It is fixed in this release.

224131

New gtm global setting send-wildcard-rrs was introduced in 11.0.0. It is disabled by default. When enabled, it is supposed to trigger resource record auto-creation in BIND when creating wildcard wide IPs. But this functionality never worked. It is fixed in this release.

406751

This fix corrects a defect whereby a GTM using topology load balancing can intermittently experience TMM crashes shortly after topology records are added or removed from the configuration.

407256

GTM is now able to collect the right hop count for LDNSs.


Application Security Manager Fixes

ID Number Description

406792

We improved the PSM SMTP code in order to prevent system cores.

407867

We fixed an issue that sometimes caused the Enforcer to crash when it updated the statistics counters of SMTP violations.

407908

We fixed a scenario where some bad JSON requests sometimes caused the Enforcer to crash.

408412

Configuration synchronization will now be sent asynchronously to prevent the relay listener from blocking on trying to send a second configuration to a device before the first configuration finished.


Application Visibility and Reporting Fixes

ID Number Description

398370

We added the field "rechunk=1" to /etc/bigstart/scripts/md. Changing it to "rechunk=0" and restarting the MD daemon ensures that the system does not rechunk server responses. We recommend you set "rechunk=0" in the following cases:
1. The server response is not chunked and not compressed.
2. The server response is not chunked and the virtual server is configured with an HTTP Compression Profile.

407688

mcpd daemon file descriptor leaks no longer occur when email notifications (alerts) are configured for analytics profiles.


Access Policy Manager Fixes

ID Number Description

398724-4

[win8] Sometimes the client did not apply client proxy settings from the Autoconfig Script. This is now fixed.

405659-1

Improved Firepass client and server support for better system behavior.

406280-1

Resolved error that prevented input on the login window when accessing RDP server through TS resources defined under: GUI: Application Access -> Terminal Servers -> Resources (Java RDP) with a Mac OS X 10.8 client with screen resolution set to "Full Screen".

410613-1

CVE-2013-0169: Lucky 13 SSL/TLS.

390095

Maximum item length was increased to 123 characters

398051

Now APM supports HTML5 Receiver client with Citrix StoreFront in proxy mode.

399148

For a Citrix remote desktop resource on a webtop, visible application icons (those that are not in folders) are loaded first.

400168

Improved Firepass client and server support for better system behavior.

400743

Export and import with OCSP auth is now possible again.

402462

Improved Firepass client and server support for better system behavior.

404461

APM improved response time when processing an index of type number.

404477

 

405464

 

405972

Flash rewriting errors are now reported with the correct (ERR) log level.

406036

APM correctly handles "Access Server TimeOut Exceeded" exceptions from the Oracle Access Manager SDK.

406130

This release fixes a rarely occurring TMM crash. It happened when a user session was terminated while a form-based client-initiated Single Sign-On operation was in progress.

406971

Improved Firepass client and server support for better system behavior.

407254

Improved Firepass client and server support for better system behavior.

407509

Support Windows Citrix Receiver 3.4

407510

Support MAC Citrix receiver 11.7

407833

When a report fails to run, the Configuration utility now displays a specific error and logs error exception details to the webui.log file even when it is configured in default logging mode.

407860

Export is now working for empty sso configurations

407940

The Session Details report now runs without error.

408150

Support Receiver for iOS 5.7

408917

BIG-IP Edge Client for Mac no longer displays a captive portal when the XML response from the Mac does not contain the doctype element.

410514

End user can now establish a connection via Network Access.


WebAccelerator Fixes

ID Number Description

410320

The wamd process no longer loops indefinitely when encountering a DOCTYPE tag that has a trailing space (e.g., "<DOCTYPE HTML >").


Cumulative fixes from BIG-IP v11.2.1 Hotfix 3 that are included in this release


TMOS Fixes

ID Number Description

371131-1

Enhance LDAP auth to search for group membership.

385719-2

Improved system reliability with fixes for bugs found by internal F5 testing.

246920

Transparent IPv6 monitors in LTM and GTM now work correctly.

248139

Messages logged from TMM to syslog now correctly contain the hostname for the BIG-IP they are logged from, rather than the generic hostname "tmm".

336920

Parameters to tcpdump are now included in pcap output files when using the '-w' option.

374969

A defect has been fixed which could cause master key decryption failures upon syncing configuration between devices. The following message in /var/log/ltm indicates such a failure condition: "Master Key decrypt failure - decrypt failure - final"

378043

Modifying a single GTM pool object in the GUI no longer causes all pools to update with the same changes.

388590

Certificates can now successfully be updated using the iControl Management::KeyCertificate interface.

390569

The dependency issue between App Template TCL script and TMSH CLI script has been fixed.

390715

Fixed a defect with configsync that could cause internal certificates to not be synchronized correctly, resulting in a failure to load configuration on the target system and the following log message: "File object by name (dtdi.crt) is missing."

390768

Fixed a defect which could cause snmpd to restart and leave a core file.

391874

The management port of BIGIP now correctly connects to a peer at 100Mbps. This resolves a previous issue where if a management port was disconnected during load of BIGIP, it would fail to connect at 100Mbps when the port was reconnected.

392484

Improved system reliability with fixes for bugs found by internal F5 testing.

393211

After configuring a gateway-failsafe-device on a pool in a chassis environment and restarting the system, the secondary blade(s) no longer fail to load their configuration.

393294

Refreshing the browser page in GTM no longer fails with the following error: "an error has occurred..."

393530

HA groups can now use pools outside of the /Common partition.

393671

SNMP traps are now correctly sent from the system when the primary blade in the cluster fails and a secondary blade takes over.

393986

On the slave blade in a chassis, bgpd will no longer spin and consume excessive CPU.

394104

Enhanced content-type detection to no longer assume type binary upon reading one or more initial NUL characters. So, for example, HTML pages beginning with any arbitrary number of NUL characters are now correctly categorized as HTML pages and are correctly rewritten.

394580

The configuration in the Common partition is now loaded before that of others, to avoid a variety of post-upgrade configuration load issues.

396158

Users are now able to delete 'send', 'receive' and 'disable' parameters from configured monitors in the GUI.

396308

SNMP ifSpeed OID now correctly reports the interface's current bandwidth in bits per second.

396493

TMI filter no longer incorrectly overwrites proxy reset cause set by plugins.

397632

Remote authentication sessions are properly initialized.

398594

Fixed a rare crash of the mcpd process as a result of changing passwords.

398931

When adding or removing a trunk member, the percentage-up members of the trunk is now updated accordingly.

401715

Fixed a defect which could cause some Access policy items to not roll-forward properly from 10.x configurations.

402067

Validation for virtual servers with web application Java patching enabled has been corrected to require a rewrite profile with a trusted CA, signer and sign-key.

405398

GTM Global settings will no longer be lost during a sync.

406206

BIND has been updated to address CVE-2012-5688.

406748

It is now possible to install BIG-IP v11.3.0 on a VCMP guest with Software Management from a slot that is running this hotfix version.

406930

VCMP hosts now perform better and are more stable under moderate and heavy IO activity.


Local Traffic Manager Fixes

ID Number Description

377421-1

Fixed an issue whereby persistence records that are subject to matching across virtual servers could cause tmm to reset the traffic.

383692-1

https monitors no longer use SSL ticket extensions, which works more reliably with older versions of SSL.

389078-1

An issue that causes an iRule hang in the following circumstances has been corrected:
* The virtual server has no default pool and is cmp-enabled.
* You have an iRule that issues a [persist lookup uie {$value any pool}] before a pool is selected.
* A request comes in that is handled by a TMM other than tmm0.

398482-1

Fixed a TMM core caused by usage of Web Accelerator and RAMCache.

364973

BIG-IP now correctly sends SetMemberState messages to SASP global workload managers upon SASP-monitored pool member state changes.

380880

Database monitors now support multiple route domains.

383696

HTTP cookie headers with leading whitespace before the first colon (':') separator are now processed correctly, rather than discarded.

384634

In previous versions of BIG-IP after 11.1.0, there were conditions under which both the text of an iRule script and its priority (or order in application to the virtual) were changed and caused a core. This could also happen during configsync. These conditions have been addressed, and the core no longer occurs.

386078

Fixed a defect which could cause TMM to core and restart when servers send responses with invalid 'Location' headers and redirect rewrite is enabled on the virtual server's HTTP profile.

389078

An issue that causes an iRule hang in the following circumstances has been corrected:
* The virtual server has no default pool and is cmp-enabled.
* You have an iRule that issues a [persist lookup uie {$value any pool}] before a pool is selected.
* A request comes in that is handled by a TMM other than tmm0.

389278

ICMP monitors no longer erroneously mark down IPv6 nodes that are also configured with a transparent gateway ICMP monitor.

389324

Fixed a defect which could cause TMM to core and restart under certain conditions.

389409

Modifying the connection limit on a pool member with a priority group configuration no longer causes the BIG-IP to fail to load-balance to pool members that are otherwise below the configured connection limit.

390514

The SNMP_DCA_BASE monitor now correctly uses the USEROID_COEFFICIENT and USEROID_THRESHOLD when determining pool member weights.

391313

The RST cause is no longer incorrectly set to "internal error (persist)" when persistence entries are being added, avoiding a situation where the legitimate RST cause is overwritten.

391633

Resolved problem found by internal F5 testing where arp-replies were sent to incorrect IP Address.

391986

A code defect that causes CMP persistence lookups to fail after the first request returns has been corrected.

392029

Statsd no longer leaks if ASM is configured.

392037

Virtual servers whose profile has IPv6 to IPv4 mode configured as Secondary now respond with the correct AAAA resource records for AAAA queries, rather than responding with rewritten A resource records.

392159

On chassis-based platforms (VIPRIONs), the Access Policy Manager module's apd service incorrectly used floating self-IP addresses to communicate with host daemons instead of an internal TMM IP address (127.20.x.x). This is no longer an issue.

394293

Fixed a TMM memory leak on virtual servers using either WebAccelerator or High Speed Logging.

394725

Fixed a defect that could cause TMM to core and restart while handling connection persistence entries.

394743

IP-fragmented packets are now handled correctly by virtual servers that are selected in iRules by the 'virtual' command.

395582

Fixed a defect which could cause TMM to hold excessive amounts of memory while processing APM or ASM traffic.

395767

Fixed a regression which could cause VLAN failsafes to intermittently not function.

396878

Improved automated testing suites at F5 for SSL handshake.

398092

BIG-IP 2000 no longer outputs "Invalid core affinity settings" errors on bootup. These were cosmetic and did not indicate any failure.

398296

Fixed a defect which could cause TMM to core and restart when handling Access policy traffic.

400139

The monitor flapping problem (a monitor being continuously marked UP and then DOWN although the monitored node stays UP during this period) in transparent IPv6 monitors in LTM and GTM is fixed.

402457

Using sideband-connection iRule commands, such as "connect", no longer causes TMM to leak "tcl (variable)" memory allocations.

402552

A traffic processing issue on CMP platforms has been corrected.

402999

BIG-IP no longer transmits Destination Lookup Failure packets for addresses that it is not Active for.

403306

Fixed a TMM core that could be caused by iSession and FTP traffic.

403604

Fixed a potential memory leak in ServerSSL when authenticate-name is used.

404407

This fixes a kernel panic under some conditions during shutdown.

404408

Improved system reliability with fixes for bugs found by internal F5 testing.

406256

TMM no longer cores and restarts when tcpdump is being run on the BIG-IP and various forms of internal data structure fragmentation occur.


Performance Fixes

ID Number Description

398751

Improved performance with F5 testing and analysis of system.


Global Traffic Manager Fixes

ID Number Description

378175

The GTM bigip monitor should now work correctly.

385322

GTM path metrics collection for IPv6 LDNSs behind routers now works correctly.

386321

You can now create a Link via the GUI with Link Controller provisioned. Note that it will share the default datacenter with the default GTM server that Link Controller sets up.

391315

iRule pool commands now correctly handle selection where the pool has no CNAME Resource Record associated.

391569

GTM will now respect connection limits placed on pools.

392834

TMM no longer will core and restart while processing DNS requests after removing a wideip alias from the configuration.


Application Security Manager Fixes

ID Number Description

368337

If a remote logging server is configured incorrectly (for example, with the wrong IP address or port), the Enforcer spends a long time unsuccessfully trying to connect to the server. As a result, the Enforcer sometimes used to hang and crash. This is no longer the case.

376192

A request that contains the internal cookie TSxxxxxx_77 or TSxxxxxx_75 that was generated by another HTTP Class no longer causes the Enforcer to incorrectly trigger the "Modified ASM cookie" violation.

386019

We fixed an issue that caused the enforcer to perform a core dump when the system's plug-in was initialized or uninitialized repeatedly.

391372

The system no longer fails to import an XML schema file that includes a 'no namespace' element.

391493

The system now detects touch screen browser events as human events. Previously, the system only considered mouse movements and pressing on the keyboard as human events.

391826

The Configuration utility no longer hangs when trying to view Recent Incidents on the Traffic Learning > Attack Signature Detected screen. In the previous version this occurred under specific conditions.

392087

The system now correctly handles a case where a security policy imported from a v10.2.x policy export file may contain a misconfigured Blocking Response Page that, in limited instances, prevented the policy from being applied.

392719

If you are running standalone ASM and you delete the HTTP Class associated with an active security policy, the security policy is now correctly moved to Recycle Bin.

393468

You can now perform configuration synchronization from a device with a lower BIG-IP version to a device with a higher BIG-IP version if the devices are within the same device group.

394506

We optimized the Enforcer's memory allocation for large requests.

394959

Loading the configuration on a secondary VIPRION-2400 B3400 blade no longer fails.

395340

We fixed the close element for sequences having the "anyType" child.

395601

The system now cleans files in /ts/var/cluster/temp that are more than 1 hour old to keep the /var disk partition from filling up.

396327

We enhanced the Application Security -> Reporting -> Requests screen so that it no longer becomes unresponsive for a long period of time (around 90 seconds) after searching for a string in the filter.

396762

In a chassis, using the VIPRION 2400, when you create a security policy immediately after provisioning ASM, you no longer see meaningless error messages in the Configuration utility.

397525

SMTP, FTP, and HTTP protocol profiles are no longer unassigned by the system after you restart the system. Previously, this occurred if these profiles were created in partitions other than "/Common".

398175

To improve the integration between ASM and Whitehat Sentinel vulnerability assessment, the ASM Whitehat IP address range was updated.

398690

If ASM is not provisioned when a UCS file is loaded, then the ASM configuration is moved aside to be installed later (delayed load), and the configuration files are now created with the correct permissions. In previous versions, they were not created with the correct permissions.

398697

The browser no longer displays a JavaScript error when the "AJAX blocking page" feature is enabled and the CSRF protection feature is disabled.

399923

We fixed a memory corruption issue that rarely occurred during the encoding of Chinese characters.

400587

We added the internal parameter "allowXSIRename" that enables you to allow using a namespace prefix different from "xsi" for "http://www.w3.org/2001/XMLSchema-instance". Set this parameter to 1 to allow different names for the xsi prefix. The default value is 0 (disallow). To set the parameter value to 1, run the commands:
/usr/share/ts/bin/add_del_internal add allowXSIRename 1
bigstart restart asm

401501

The system now correctly populates parameter learning suggestions in the Illegal Parameter screen. Previously, if you clicked a parameter in the Application Security > Policy Building: Manual > Traffic Learning > Illegal Parameter screen, the parameter name was always displayed as UNNAMED, and it was not possible to enforce or delete the parameter.

402535

Enterprise Management now deploys the correct version of previously exported security policies.

403061

Fixed an issue that caused the Enforcer to crash during web scraping enforcement.

404638

The Deployment wizard's Configuration utility no longer times out when more than 1000 virtual servers are configured in the system.

405669

We fixed an issue that occurred only in v11.2.0. The system now injects a client-side challenge only when the request is qualified for JavaScript injection.

405690

The concurrent long requests count is now synchronized. This was done so that when there is a high load of long requests on a platform with many CPUs, the system no longer exceeds the maximum concurrent long request configuration value (determined by "max_concurrent_long_requests").


Access Policy Manager Fixes

ID Number Description

344912-1

Improved APM reliability for clients

371452-4

Improved APM reliability for clients

373495-1

Improved APM reliability for clients

386077-1

CRLDP no longer fails with valid certificates that use certain formats for their serial numbers.

386131-1

Improved Firepass client and server support for better system behavior.

395176-1

Improved Firepass client and server support for better system behavior.

396309-1

APM's access filter no longer rejects client certificates with an empty subject.

403062-2

APM now correctly throws a security exception when a DOM security violation occurs.

405218-3

APM rewrite profiles can now handle a bypass list that contains more than 26 entries.

370053

When using customization and other upload and import operations, temporary files no longer accumulate in the /tmp directory.

371452

Improved APM reliability for clients

371456

Improved APM reliability for clients

371459

Improved APM reliability for clients

377138

Fixed a defect which could cause the BIG-IP system to stay INOPERATIVE if services are restarted while APM logging sessions are active.

379550

Unicode white space characters outside the ASCII range are now recognized as such in JavaScript. JavaScript containing these characters is now rewritten correctly.

380319

Improved APM reliability for clients

380331

Improved system reliability with fixes for bugs found by internal F5 testing.

380333

Resolved defect found by internal F5 testing to improve system reliability and prevent customer issues.

380366

Resolved defect found by internal F5 testing to improve system reliability and prevent customer issues.

380385

APM now supports Windows 8

380678

Citrix published applications are displayed with correct Webtop icons in Internet Explorer 10.

382569

Some valid macros failed a check; this has been corrected.

382798

Multiple package files can be uploaded under Citrix Client bundles.

384138

Description text is now removed from Citrix application folders on APM Webtop to match Web Interface look and feel.

385535

APM now displays client DHCP address in reports.

385673

"Can't read "tmm_apm_citrix_username": no such variable" error no longer appears in logs.

386277

VPE no longer times out when you edit complex policies that assign many resources.

386788

Resolved defect found by internal F5 testing to improve system reliability and prevent customer issues.

386921

Resolved defect found by internal F5 testing to improve system reliability and prevent customer issues.

386933

Resolved defect found by internal F5 testing to improve system reliability and prevent customer issues.

387122

Resolved defect found by internal F5 testing to improve system reliability and prevent customer issues.

387376

 

387389

Resolved defect found by internal F5 testing to improve system reliability and prevent customer issues.

387498

Resolved defect found by internal F5 testing to improve system reliability and prevent customer issues.

387501

Resolved defect found by internal F5 testing to improve system reliability and prevent customer issues.

387853

Separate error code from SOCKS5 for invalid or expired session.

388035

Multi-Stream ICA connections were targeted to the same primary CGP port on XenApp backends. Now each connection goes to the corresponding Multi-Stream ICA port configured by the administrator in XenApp policies.

388220

APM now supports XenDesktop at PNAgent mode.

389350

HTTP query string is no longer corrupted by multi domain SSO.

390023

Edge Client Network Access now works on 64-bit Windows 8.

390167

Client signature check no longer fails for data greater than a large but reasonable limit.

391745

Logging to /var/log/apm would sometimes fail even after setting the db var 'log.access.syslog enable'. This error has been corrected.

391810

 

391944

 

392444

Improved APM product reliability from internal F5 testing for client and browser support.

392886

Now an administrator can configure the machine certificate checker not to check the private key when User Account Control right elevation is required for this operation.

392889

Google Chrome extension installation is stricter starting with Google Chrome 21. To install the extension on Google Chrome 21 and later, follow the directions that the BIG-IP system provides whenever it requires the extension to be installed.

393116

Applications now work correctly when using the ACCESS::disable iRule command on a virtual server with an access profile with an SSO configuration assigned.

393275

SessionID rotation no longer breaks Multi Domain SSO.

393743

Windows Citrix Receiver 3.3 is supported now.

394024

Improved APM product reliability from internal F5 testing for client and browser support.

394025

A simplified Flash rewriting algorithm is used to avoid a problem with patching of SWF content with AS2.

394327

Render APM popups and remote desktops correctly with IE10 on Windows 8

394505

Improved APM product reliability from internal F5 testing for client and browser support.

394645

Add Chrome 22 support for APM.

394733

APM standalone licensed boxes failed to config sync if a node was created, with the error message: "Ratio load balancing feature not licensed". This has been fixed.

394768

APM no longer incorrectly flags a security exception when checking an XHTML document node.

394775

APM no longer throws a security exception when handling a URI with an ampersand in an XHTML document.

395069

Firefox 15 is now supported.

395359

Resolved TMM core in xbuff.

395374

Resolved an issue found in internal F5 testing that generated an SQL error after multiple successful installs of epsec using the admin UI.

395625

A. Uninstall the old plugins. Try these steps in this order:
1. Safari method: Using the Safari browser, try connecting to the BIG-IP system to see whether the plugins upgrade seamlessly. If you have 32-bit Safari running on 10.7+, this method likely will not work.
2. Manual plugin removal:
2a. In Spotlight, type "f5 sam inspection host plugin.plugin". Drag and drop the found plugin to the Trash. OR, use Terminal and go to the Internet Plug-Ins directory ( cd ~/"Library/Internet Plug-Ins" ); remove the inspection host plugin directory ( rm -rf "f5 sam inspection host plugin.plugin" ).
2b. In Spotlight, type "F5 SSL VPN Plugin.plugin" and drag and drop the found document to the Trash. (If you want to make sure that it is a Plug-in document, mouse over the document to see whether its type is "Plug-in".) OR, use Terminal and go to the Internet Plug-Ins directory ( cd "/Library/Internet Plug-Ins" ); remove the SSL VPN plugin directory ( sudo rm -rf "F5 SSL VPN Plugin.plugin" ).
B. Connect to the BIG-IP system now and follow the instructions it displays. The new plugins install.

395754

From the Basic Customization view, the Network Access screen now displays and allows you to update customization values after upgrades from 10.x.y.

395781

An issue where apd would crash due to a double file descriptor close has been fixed.

395832

Emulate IE7 on client system to make IE10 work.

395875

Exceptions in APD are now handled properly to avoid a process crash.

396052

All established Citrix connections for a user session are now terminated when user session expires.

396213

A memory leak that happened when AD module made a query to get all domain groups has been fixed.

396218

When access policy language is set to Japanese, PWS now correctly resumes session on clients with Japanese system locale.

396361

Improved APM product reliability from internal F5 testing for client and browser support.

396561

RADIUS accounting data (sent during stop) now includes assigned NA IP address in the Framed IP address field.

397040

Improved APM product reliability from internal F5 testing for client and browser support.

397052

Improved APM product reliability from internal F5 testing for client and browser support.

397088

APM now supports more than one referral by Active Directory authentication during cross-domain authentication. (In HFs the referral depth is limited to 5.)

397211

Improved APM product reliability from internal F5 testing for client and browser support.

397228

Resolved an issue where using IE10, without switching it to compatibility mode, with an IPv6 virtual server to establish an NA tunnel (IPv4 and IPv6) caused the message "You navigated away from the webtop. Do you want to close current connections?" to appear while the tunnel was being established.

397358

Loading XML external entities in APM VPE is now disabled to eliminate the possibility of an XXE attack.

397373

Citrix functionality no longer fails when a TCP, Persist or Auth profile attached to the virtual server is re-configured.

397471

APM: a memory leak has been corrected.

397538

APM now supports Citrix Receiver for Mac 11.6.

397642

Multidomain SSO works properly now if the user has an MRHSHint cookie.

397668

An OAM exception from the Oracle ASDK, which occurred when an invalid host name was passed to the ObUserSession constructor, has been resolved.

397853

Fixed a redirect loop in multidomain SSO when redirecting user to a URL with a query string that contains a field with no value (e.g., http://example.com/?field=).

398007

In network access tunnel cases with both TLS and DTLS, ICMP traffic would be dropped in some cases. This no longer occurs.

398028

Empty src attributes in xml elements are no longer incorrectly patched.

398037

APM now handles additional attributes for XML tags in PNAgent payload.

398132

OAM 'client' side localAddr is now correctly null terminated.

398147

An OWA2010 portal access resource configured to not update the user session on periodic client requests (/owa/keepalive*, /owa/ev.owa*) now works as expected and no longer causes the user session to never expire.

398641

Rewriting of the 'href' attribute of 'xml-stylesheet' processing instructions now works for files of type HTML, XHTML, XML, and SVG.

399212

Previously, you could save an advanced customization for an access profile stored in a partition, but not for one stored in a folder. Now you can save an advanced customization for an access profile in a partition or in a folder.

400060

Fixed local SQL injection flaw.

400158

Improved testing and debugging capabilities.

400345

The OAM header is now properly included for POST requests forwarded to the back-end server.

400662

Citrix clients could not reconnect when using CGP for transport. This works correctly now.

400675

When XML Broker is used in standalone mode, Citrix icons are now displayed on full webtop in Internet Explorer 9.

400759

Improved testing and debugging capabilities.

400760

Now APM correctly handles CGP setting in ICA file sourced from Web Interface site and tells Citrix clients to use CGP if CGP is supported by target XenApp server.

400896

An issue with handling certain types of commands within Flash has been corrected.

401025

The F5 WebGate did not set the "Expires" header in the HTTP response for SSO logout URL. Due to this, the browser continued to use the old ObSSOCookie value and hence, a new user who logged in without closing the browser could access information for the previously logged in user. Now the F5 WebGate sets the Expires header and matches the behavior of the Oracle-fabricated WebGate when receiving an SSO logout URL.

401351

Epsec Package Versions are not lost after upgrade

401393

Users can now create an Optimized Application for network access successfully, without the JS error "Error: 'compression_null' is undefined".

401409

It is now possible to disable logging to local log files but enable external syslog logging.

401738

The BIG-IP system did not return a RADIUS attribute, state, in unmodified format with the second access-request. This has been corrected; the BIG-IP system now returns the state attribute in unmodified (compliant) format.

401939

Resolved bugs found by internal F5 testing to improve quality of release.

402147

A regression that caused a missing RADIUS accounting stop message on session finish is resolved.

402252

Resolved bugs found by internal F5 testing to improve quality of release.

402586

Resolved bugs found by internal F5 testing to improve quality of release.

402741

The BIG-IP Edge Client now cleans up on exit when a user logs off while a network access connection is established.

402745

This release improves handling of URL arguments in Flash objects.

402785

Resolve system reliability issue found in F5 internal testing.

403497

Resolve system reliability issue found in F5 internal testing.

403841

The PPP proxy now correctly handles certain protocol errors.

404144

Support Android Citrix Receiver 3.2

404256

An infinite loop in logon page of Access Policy has been fixed.

404478

Fixed extra APM sessions that Windows Receiver 3.x and Mac Receiver 11.6 may generate.

405180

Add support for IE 10 on Windows 7.

405429

Internet Explorer 8 no longer hangs for 5 minutes when all browser connections are in use; this was observed previously during portal access rewrite.

406537

Resolve system reliability issue found in F5 internal testing.

406649

Installing a hotfix will no longer cause apd to continuously restart.

406772

Resolve system reliability issue found in F5 internal testing.

407417

Add Chrome 24 support for APM.

407439

Improved APM product reliability from internal F5 testing for client and browser support.


WebAccelerator Fixes

ID Number Description

395915

WA now handles a rare out of memory condition and successfully tears down the connection when it happens, avoiding a TMM core.

397761

Fixed a potential memory leak in mcpd when running WebAccelerator.

399507

When a URL is embedded within a query string and its response had previously been cached in WAM, we no longer erroneously serve that response to the client rather than processing the URL that is being requested.

399967

Client connections are no longer incorrectly reset for virtual servers with Application Security Manager and WebAccelerator configured after a change is done in the associated Web Acceleration profile.

405497

Small optimized images are correctly re-cached after they are updated on OWS and re-optimized.


Wan Optimization Manager Fixes

ID Number Description

387886

Fixed a crash in the woc_plugin process when running the WAN Optimization Manager.

396982

A memory leak has been eliminated.

397856

The performance of CIFS operations for Wan Optimized virtual servers has been improved.


Service Provider Fixes

ID Number Description

395353

Virtual servers with SIP profiles now correctly forward well-formed SDP messages that do not end with a newline.


Cumulative fixes from BIG-IP v11.2.1 Hotfix 2 that are included in this release


TMOS Fixes

ID Number Description

362739

Support new hardware platforms.

396072

Improved reliability of BIG-IP system with fixes found by internal F5 testing.

396284

Support new hardware platforms.

396715

Support new hardware platforms.

397836

Removing an operational PSU from a BIG-IP 2000-series or 4000-series appliance now operates correctly, and no longer results in spurious "Fan speed too low," "hardware sensor critical alarm," "Power supply #2 fan-1: fan speed (0) is too low," or "localhost emerg system_check" messages on the console. In addition, removing an operational PSU from a 4000 platform correctly results in a red Alarm LED and a CRITICAL error on the LCD screen; however, when you clear the alarm from the LCD module, the error does not return.

398974

In this release, there is a VIPRION 2000 Series-specific change in the clock interrupt initialization to correct CPU-utilization imbalance.

399661

On the 2000s / 2200s and 4200v platforms in 11.2.1, the first time you inserted an SFP in interface 2.1 or 2.2 after booting with no SFP inserted, the SFP would not be recognized. This release corrects this issue.

399672

 

400775

The maximum number of trunk members on the 2000, 2200 and 4000 platforms is now correctly set to 8.

400789

BIND has been updated to address CVE-2012-5166.

403052

Adding support for the BIG-IP 2000 platform.

403177

Improved reliability of BIG-IP system with fixes found by internal F5 testing.

403545

Support new hardware platforms.

403724

Support new hardware platforms.

403727

 

404433

The LED status now correctly turns to amber on the 2000s / 2200s platforms when the license has expired.

404435

 

404875

Support new hardware platforms.

404937

Starting with 11.2.1 HF2, slow/jerky response to interactive SSH sessions no longer occurs with SFP modules removed.

405199

Support new hardware platforms.

405235

 

405248

Support new hardware platforms.

405254

Support new hardware platforms.

405277

Support new hardware platforms.

405387

Support new hardware platforms.

405415

Support new hardware platforms.

405422

Support new hardware platforms.

405451

Support new hardware platforms.

405452

Support new hardware platforms.

405490

Support new hardware platforms.

405518

Support new hardware platforms.

405570

Support new hardware platforms.

406141

Support new hardware platforms.


Local Traffic Manager Fixes

ID Number Description

401776-1

Improved reliability of BIG-IP system with fixes found by internal F5 testing.

398092

BIG-IP 2000 no longer outputs "Invalid core affinity settings" errors on bootup. These were cosmetic and did not indicate any failure.

402164

Interfaces 2.1 and 2.2 on the 2000s / 2200s and 4200v platforms did not correctly account for dropped packets due to full rings. These packets now show up as drops in the interface stats.

404036

The following rate-shaper debug log message was incorrectly logging at the critical level, which could lead to system instability including TMM restarts: "Error: Trying to dequeue from empty queue for class 'rateclass'" This problem has been corrected.

404037

Rate shaper accounting was being done by bytes. This accounting has been modified to be done by packets to avoid error situations.


Performance Fixes

ID Number Description

405020

Improved performance of new hardware platforms.


Cumulative fixes from BIG-IP v11.2.1 Hotfix 1 that are included in this release


TMOS Fixes

ID Number Description

397916-1

 

378043

Modifying a single GTM pool object in the GUI no longer causes all pools to update with the same changes.

395272

HSB bitstream v2.1.47.1 update resolves a Super I/O watchdog timeout reboot on BIG-IP 11050 systems.

397435

BIND has been updated to address CVE-2012-4244.

397819

Resolved an issue where an AOM host power on command may fail the first time after an AOM host power off command.

397882

Improved reliability of BIG-IP system with fixes found by internal F5 testing.

398137

Improved reliability of BIG-IP system with fixes found by internal F5 testing.


Access Policy Manager Fixes

ID Number Description

401544-2

 

404622

Firefox v17.0 has been added to the compatibility matrix.






Known Issues in BIG-IP v11.2.x


TMOS Issues

ID Number Severity Description
405438 1-Blocking tmm core while provisioning WOM to dedicated and LTM to none in rapid succession
605476-1 2-Critical istatsd can core when reading corrupt stats files.
601527-2 2-Critical mcpd memory leak and core
556380-5 2-Critical mcpd can assert on active connection deletion
423772 2-Critical EtherIP tunnel packets are not MAC masqueraded
422460-9 2-Critical TMM may restart on startup/config-load if it has too many objects to publish back during config load
389540 2-Critical media type is incompatible with other trunk members
385345 2-Critical DHCP not supported on VIPRION platforms, but the system does not prevent its configuration, in pre-11.4.0 releases.
362619-1 2-Critical Memory leak in rtstats (real-time statistics) process
609119-1 3-Major Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3:
600944-5 3-Major tmsh does not reset route domain to 0 after cd /Common and loading bash
600558-1 3-Major Errors logged after deleting user in GUI
597729-3 3-Major Errors logged after deleting user in GUI
590904-2 3-Major New HA Pair created using serial cable failover only will remain Active/Active
587821-1 3-Major vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.
583754-1 3-Major When TMM is down, executing 'show ltm persist persist-records' results in a blank error message.
579284-1 3-Major Potential memory corruption in MCPd
575735-5 3-Major Potential MCPd leak in global CPU info stats code
575726-5 3-Major MCPd might leak memory in vCMP interface stats.
575716-5 3-Major MCPd might leak memory in VCMP base stats.
575708-5 3-Major MCPd might leak memory in CPU info stats.
575671-5 3-Major MCPd might leak memory in host info stats.
575619-5 3-Major Potential MCPd leak in pool member stats query code
575608-5 3-Major MCPd might leak memory in virtual server stats query.
575368 3-Major Error is not posted when a UCS file with FIPS keys is loaded after re-initializing the FIPS card
565534-5 3-Major Some failover configuration items may fail to take effect
558779-2 3-Major SNMP dot3 stats occasionally unavailable
558573-5 3-Major MCPD restart on secondary blade after updating Pool via GUI
556277-2 3-Major Config Sync error after hotfix installation (chroot failed rsync error)
544888-2 3-Major Idle timeout changes to five seconds when using PVA full or Assisted acceleration.
542742-5 3-Major SNMP reports invalid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m).
542191-5 3-Major Snmpd V1 and V2c view based access.
533866 3-Major Default SNMP community may disappear upgrading to 11.2.1 HF15
528276-5 3-Major The device management daemon can crash with a malloc error
528083-5 3-Major On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.
527145-1 3-Major On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.
524326-1 3-Major Can delete last ip address on a gtm server but cannot load a config with a gtm server with no ips
524193-1 3-Major Multiple Source addresses are not allowed on a TMSH SNMP community
523527-1 3-Major Upgrade from 10.x to 11.2.0 or later does not add existing routing protocols to RD0.
521144-2 3-Major Network failover packets on the management interface sometimes have an incorrect source-IP
519068-5 3-Major device trust setup can require restart of devmgmtd
517020-2 3-Major SNMP requests fail and subsnmpd reports that it has been terminated.
516669-4 3-Major Rarely occurring SOD core causes failover.
515667-1 3-Major Unique truncated SNMP OIDs.
488636 3-Major Garbled output/no console output during boot on 2000 and 4000 platforms.
486512-2 3-Major audit_forwarder sending invalid NAS IP Address attributes
485702-1 3-Major Default SNMP community 'public' is re-added after the upgrade
481648-9 3-Major mib-2 ipAddrTable interface index does not correlate to ifTable
473348-3 3-Major SNMP hbInterval value not set to 300 sec after upgrade from 11.2.x to 11.3.0 or later
460176-1 3-Major Hardwired failover asserts active even when standalone
455651-1 3-Major Improper regex/glob validation in web-acceleration and http-compression profiles
452660-1 3-Major SNMP trap engineID should not be configsynced between HA-pairs
449617-4 3-Major SSL-key file object configuration fails to validate when it includes a passphrase
441553-7 3-Major BIG-IP APM user sessions may fail to reconnect after multiple failover events between peer systems
437773 3-Major Some LACP trunk members are missing after rebooting primary blade
434573-3 3-Major Tmsh 'show sys hardware' displays Platform ID instead of platform name
431634-3 3-Major tmsh: modify gtm server 'xxx' virtual-servers replace-all-with 'yyy' fails
426267-1 3-Major vCMP guest management IP does not get set after config load failure
425980-1 3-Major Blade number not displayed in CPU status alerts
424322-2 3-Major Trunks containing empty SFP ports rejected on 2x00/4x00 appliances
415953-1 3-Major Port does not advertise 1 GB speed capability under auto-negotiation.
413689 3-Major ntlm + oneconnect + persistence + v2 plugin can cause crash
411591-2 3-Major ospfd core dump when redistributing ospf routes over ospf
405635-3 3-Major Using the restart cm trust-domain command to recreate certificates required by device trust.
399143-3 3-Major GARPs not sent out after reboot
396831 3-Major Provisioning vCMP on 2000/4000 series platforms and kernel panic
395720 3-Major Ethernet devices not getting renamed on BIG-IP 4000
395148 3-Major Baud rate change not reflected in LCD display until fpdd restart
393150 3-Major 42k item configuration and loading on 8 GB platform
389397 3-Major Setting platform.powersupplymonitor to disable on 12050/12250 platforms might not stop power supply error messages
386644 3-Major B4300 blade may fail to join the cluster and reboot continuously
384995-1 3-Major Management IP changes are not synced to the device group.
378967-8 3-Major Users are not synchronized if created in a partition
375434-2 3-Major HSB lockup might occur when TMM tries unsuccessfully to reset HSB.
373949-1 3-Major Network failover without a management address causes active-active after unit1 reboot
369352-1 3-Major No verification prompt when executing 'load sys config default' for resource administrator role
365764-1 3-Major Loading UCS with no custom partition fails on system with GTM objects defined in custom partition
364981-2 3-Major Changing 'Idle time before automatic logout' to non-default causes CPU usage to increase
362267-4 3-Major Configuring network failover on a VIPRION cluster using the blade management addresses results in 'Cannot assign requested address' errors
359774-3 3-Major Pools in HA groups other than Common
345930-1 3-Major LC: The "IPv6 NoError Response" and "Enabled" fields are missing for wide IPs
337934-8 3-Major remoterole: attributes ending in 'role' or 'deny' will be parsed incorrectly
224903-2 3-Major CounterBasedGauge64 MIB values do not work with Network Management Systems. The MIB should be Gauge32.


Local Traffic Manager Issues

ID Number Severity Description
565810-4 2-Critical OneConnect profile with an idle or strict limit-type might lead to tmm core.
540568-7 2-Critical TMM core due to SIGSEGV
529920-4 2-Critical Connection mirroring with OneConnect on a virtual server can cause TMM crash on standby unit
489217-4 2-Critical "cipher" memory can leak
462025-1 2-Critical SQL monitors do not handle route domains properly
449526-3 2-Critical LB::prime iRule with SIP filter can result in a core
420585-1 2-Critical DNS cache resolver stability improvements
407904-1 2-Critical BIG-IP health monitors experience delayed checks for unresponsive pool members
396729-4 2-Critical Two mirroring connections and fastL4 connections
382052-1 2-Critical High memory usage when ssl profiles are in use
372332-2 2-Critical Unnecessary buffering of client-side egress in some circumstances.
610429-1 3-Major X509::cert_fields iRule command may leak memory with subpubkey argument
610302-4 3-Major Link throughput graphs might be incorrect.
602136-1 3-Major iRule drop command causes tmm segfault or still sends 3-way handshake to the server.
598874-4 3-Major GTM Resolver sends FIN after SYN retransmission timeout
591659-6 3-Major Server shutdown is propagated to client after X-Cnection: close transformation.
591476-2 3-Major Stuck nitrox crypto queue can erroneously be reported
591248 3-Major tmm cores when irule runs after "drop" command
589400-8 3-Major With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.
583957-1 3-Major The TMM may hang handling pipelined HTTP requests with certain iRule commands.
576296-5 3-Major MCPd might leak memory in SCTP profile stats query.
575626-1 3-Major Minor memory leak in DNS Express stats error conditions
572680-1 3-Major Standby TMM might overflow send buffer if out of sync with Active TMM
569642-1 3-Major Deleting all routes on a unit with a mirroring fastL4 Virtual may cause TMM to core
566361-6 3-Major RAM Cache Key Collision
560405-3 3-Major Optional target IP address and port in the 'virtual' iRule API is not supported.
556421 3-Major Occasional message length miscalculation in DNS messages over TCP
554761-2 3-Major Unexpected handling of TCP timestamps under syncookie protection.
517282-1 3-Major The DNS monitor may delay marking an object down or never mark it down
515759-5 3-Major Configuration objects with more than four vlans in vlan list may cause memory utilization to increase over time
515072-9 3-Major Virtual servers with priority groups reset incoming connections when a non-zero connection limit is increased
504854 3-Major OneConnect does not balance new traffic for all load balancing methods
504633-4 3-Major DTLS should not update 'expected next sequence number' when the record is bad.
503741-5 3-Major DTLS session should not be closed when it receives a bad record.
503257-2 3-Major Persistence, connection limits and HTTP::respond or HTTP::redirect may result in RST
503214-10 3-Major Under heavy load, hardware crypto queues may become unavailable.
502747-3 3-Major Incoming SYN generates unexpected ACK when connection cannot be recycled
500003-1 3-Major Incoming NTP packets from configured NTP server to non-local IP breaks outgoing NTP
499950-3 3-Major In case of intra_cluster ha, node flapping may still lead to inconsistent persistence entries across TMMs
499615-9 3-Major RAM cache serves zero length documents.
490174-1 3-Major Improved TLS protocol negotiation with clients supporting TLS1.3
474226-3 3-Major LB_FAILED may not be triggered if persistence member is down
468542-6 3-Major Virtual servers with a SPDY profile ignore SNAT none setting
468300-4 3-Major Filters may not work correctly with websockets or CONNECT
466875 3-Major SNAT automap may select source address that is not attached to egress VLAN/interface
462881-4 3-Major Configuration utility allows for mismatch in IP protocol and transport profile
462714-9 3-Major Source address persistence record times out even while traffic is flowing on FastL4 profile virtual server
459596 3-Major Multicast packets leaking onto disabled interface
449798-2 3-Major Race condition on secondary blade where bigd service sometimes does not get built-in monitors
446526-1 3-Major TCP virtual server/UDP virtual server without datagram-LB mode enabled running DNS cache and suspending iRules might cause TMM crash.
442618-6 3-Major TMM may core in low memory situations
441249-6 3-Major Activating session awareness may cause intermittent hanged request
440959 3-Major SNMP DCA monitor reject delayed responses with ICMP unreachable result.
440431-9 3-Major Response Logging generates a blank $HTTP_STATUS response when used with certain iRule commands.
440051-2 3-Major There is an issue concerning how the system applies security checks on partial responses.
438792-8 3-Major Node flapping may, in rare cases, lead to inconsistent persistence behavior
435022-1 3-Major TMM might crash if an ICMP packet refers to a closed UDP connection
434517-5 3-Major HTTP::retry doesn't work in an early server response
434400-9 3-Major tmm might core with rate-limiting on virtual server
433323-8 3-Major Ramcache handling of Cache-Control: no-cache directive in Response
429011-5 3-Major No support for external link down time on network failover
425953-1 3-Major Commit ID not synchronized to secondary blades
424248-4 3-Major Virtual servers bind failure on some tmm's
421429-5 3-Major Client-initiated renegotiation for server ssl profile does not work with DTLS when it connects to another BIG-IP clientssl.
420580-3 3-Major DTLS handshake fails when BIG-IP receives datagrams out of order
413477-1 3-Major Potential failure to connect or persist to server using iRule commands
413354-1 3-Major Port selection algorithm may prematurely reuse port
411405-1 3-Major Port may become temporarily unavailable in cmp mode
410415-2 3-Major tmm SEGV when reselect after a node failure on FastL4 virtual servers
407930-1 3-Major Reporting many Tcl errors can cause core in very low memory cases
405673-3 3-Major Mirrored TCP flows do not function properly due to HA Channel instability and may even core
400377-1 3-Major 'persist lookup' commands fail intermittently
400076-1 3-Major tmm crash in compression hardware
399213-1 3-Major IPv6 trunks do not balance traffic evenly across links
395570-2 3-Major TCP::Collect iRule can cause TMM failure.
385890-1 3-Major tmm core
382606-1 3-Major TMM core caused by connection RSTs when iRule commands have temporarily suspended execution in SERVER_CONNECTED events.
379236-1 3-Major TMM process may core while using the COMPRESS::nodelay iRule command to process traffic
375887-1 3-Major Cluster member disable or reboot can leak a few cross blade trunk packets
352848-1 3-Major HTTP client request followed by pipelined request with iRule
348000-10 3-Major HTTP response status 408 request timeout results in error being logged.
223446-2 3-Major The persist cookie insert and persist cookie rewrite iRule commands can fail to set session cookies


Performance Issues

ID Number Severity Description
473485-5 2-Critical Fixed a few issues in HTTP Auth module
497619-4 3-Major TMM performance may be impacted when server node is flapping and persist is used
395160-1 3-Major Multiple simultaneous requests to optimize an image before it is cached results in performance impact.


Global Traffic Manager Issues

ID Number Severity Description
469033-6 2-Critical Large big3d memory footprint.
559975-1 3-Major Changing the username or password used for HTTP monitor basic auth may break HTTP basic auth


Application Security Manager Issues

ID Number Severity Description
478674-7 1-Blocking ASM internal parameters for high availability timeout was not handled correctly
427035-5 1-Blocking UCS install sets an incorrect internal parameter
405001-1 1-Blocking ---
401957-1 1-Blocking ---
552139-5 2-Critical ASM limitation in the pattern matching matrix buildup
453568-1 2-Critical Client side challenge request reconstruction may fail to restore original referrer header
423009-2 2-Critical BD crashes upon startup if configuration has over 1024 remote loggers attached
421450-1 2-Critical ---
420980-2 2-Critical Enforcer can crash when response logging is enabled
415008-1 2-Critical ---
409787-1 2-Critical Parsing malformed JSON request
614441-2 3-Major False Positive for illegal method (GET)
603945-4 3-Major BD config update should be considered as config addition in case of update failure
594123 3-Major Illegal HTTP status in response filling up the database
576591-1 3-Major Support for some future credit card number ranges
547000-1 3-Major Enforcer application might crash on XML traffic when out of memory
512487 3-Major Device keeps going offline/online with the message: HA mysqld_failure_t mysqlhad fails action is go offline.
504973-8 3-Major Configuring a route domain with 32 bit subnet mask, 128 bit mask saved instead
501612-1 3-Major Spurious Configuration Synchronizations
481792-7 3-Major BD may crash within HTTP payload parser.
476621-1 3-Major IE issues JS error when CSHUI code access undefined property of an object
451250-1 3-Major Detected DoS traffic can still reach the server
450929 3-Major Dos attack detects URL although URL mitigation is not configured
441601-1 3-Major Response is truncated in the log
441075-4 3-Major Newly added or updated signatures are erroneously added to Manual user-defined signature sets.
439321-2 3-Major Request to allow BOM for JSON in a middle of stream
433782-4 3-Major DCC error: Cannot add or update a child row: a foreign key constraint fails.
430762-3 3-Major ASM xml schema doesn't recognize SOAP global attribute 'encodingStyle'
430073-1 3-Major Slow GUI response when navigating to the Parameters
428952-3 3-Major Timer event for an expired connection.
428327-1 3-Major BD may crash on VIPRION anomaly events sync.
428121-1 3-Major Export Requests List with Severity filter fails.
428010-1 3-Major Remote logging of signature risk and accuracy
426564-3 3-Major Bad parsing of multipart requests with nameless parameters
423803-1 3-Major PSM Virtual server associations are lost after CMI sync.
423797-1 3-Major Add Client-Side challenge excluded URLs and headers internal parameters
421451-1 3-Major Policy Builder process exits with core if there are too many URLs in the Extraction list
420977-2 3-Major Improved the system's placement of ASM JavaScript code.
420376-2 3-Major ASM crashed during ASM encoding configuration
420315-1 3-Major Brute force attack drop reports are about 10% less than actual
420038-1 3-Major XML attribute form violation seems not accurate
412201-2 3-Major ---
410800-1 3-Major Learning suggestion cleaning order
409964-1 3-Major bd crash with remote logging configured
408074-1 3-Major ---
403702-2 3-Major Valid SOAP request fails schema validation
402137-1 3-Major ---
397551-1 3-Major ---
388678-2 3-Major Parameter Names are missing on URLs :: Allowed URLs : Advanced Extractions screen
366011-1 3-Major ---


Application Visibility and Reporting Issues

ID Number Severity Description
582029 3-Major AVR might report incorrect statistics when used together with other modules.
385143 3-Major AVR does not comma-separate fields


Access Policy Manager Issues

ID Number Severity Description
570520 2-Critical MAC Edge client doesn't handle redirects during profile download (/pre/config.php?version=2.0)
555272-6 2-Critical Endpoint Security client components (OPSWAT, EPSEC) may fail to upgrade
494098-7 2-Critical PAC file download mechanism race condition
489328-2 2-Critical Accessing a BIG-IP virtual with multiple tabs with long initial URLs before session creation can cause TMM crash.
442532-1 2-Critical Log shows "socket error: resource temporarily unavailable"
442333-1 2-Critical Cluster HA state not updated correctly
431834-3 2-Critical Authentication with Oracle Access Manager API can throw an exception while obtaining redirect URL
430965-3 2-Critical F5 VPN driver re-installation may cause windows 8.1 crash
424371-5 2-Critical Protected Workspace does not work on Windows 8.1
407327-2 2-Critical Internet Explorer in "desktop mode" on Windows Phone 8
403283-3 2-Critical Connecting to a site with a certificate problem might be possible.
392255-1 2-Critical tmm core or apmd core on session information
386675-3 2-Critical rewrite plugin crash
597431-1 3-Major VPN establishment may fail when computer wakes up from sleep
552498-4 3-Major APMD basic authentication cookie domains are not processed correctly
549588-5 3-Major EAM memory leak when cookiemap is destroyed without deleting Cookie object in it
549086-5 3-Major Windows 10 is not detected when Firefox is used
539229-5 3-Major EAM core while using Oracle Access Manager
539013-4 3-Major DNS resolution does not work on a Windows 10 desktop with multiple NICs after VPN connection has been established in some cases
528675-5 3-Major BIG-IP EDGE Client can indefinitely stay in "disconnecting..." state when captive portal session expired
525429-7 3-Major DTLS renegotiation sequence number compatibility
502441-1 3-Major Network Access connection might reset for large proxy.pac files.
495319-7 3-Major Connecting to FP with APM edge client is causing corporate network to be inaccessible
495128-7 3-Major Safari 8 continues using proxy for network access resource in some cases when it shouldn't
494284-8 3-Major Mac Edge Client with primary language of German shows unneeded text under disconnected status.
494176-2 3-Major Network access to FP does not work on Yosemite using APM Mac Edge Client.
493588-1 3-Major EPS checkers can't be updated without clearing of the browser history
492153-9 3-Major Edge client shuts down the DTLS channel if the state of the IP address on the adapter that was used to build the tunnel changes to deprecated.
483379-7 3-Major High CPU consumption and unresponsive interface of the menubar icon after 20-30 minutes
480553 3-Major APM - Local Log Database Might Not Have Geo Data
480247-8 3-Major Modifying edge client application folder causes gatekeeper to throw warning
478751-7 3-Major OAM10g form based AuthN is not working for a single/multiple domain.
477966 3-Major Custom reports Available fields are broken
477841-6 3-Major Safari 8 does not use Network Access proxy.
476133-7 3-Major In APM OAM authentication, ObSSOCookie _lastUseTime was not updated.
475505-1 3-Major Windows Phone 8.1 built-in browser is not properly detected by BIG-IP system.
474779-8 3-Major EAM process fails to register channel threads (MPI channel) with TMM, and subsequent system call fails.
470389 3-Major APM garbled characters observed in APM logs
469824-3 3-Major Mac Edge client on Mac mini receives settings for iOS Edge Client
463230-2 3-Major Aced service does not recover if child process dies.
462598-1 3-Major Failover triggered due to a TMM crash resulting from unavailable APM renderer pool members.
462481-6 3-Major Missing exception handling in APM OAM authentication during SDK calls
460939-6 3-Major ObAccessException thrown by OAM SDK while checking if the resource is protected is not handled properly in EAM plugin.
456608-1 3-Major Direct links for frame content, with 'Frame.src = url'
454547-6 3-Major TMM cored after form-based SSO control object is double freed
451864-6 3-Major Always preserve locally configured DNS suffixes when establishing VPN connection.
451806-7 3-Major Preserve Source Port Strict has moved from Client Settings (Advanced) to General Settings
449225-6 3-Major Fixed APM client crash caused by regression introduced with ID430962
442699-3 3-Major APD process may leak memory in case password complexity check is enabled and user's displayName contains special chars
442698-5 3-Major APD Active Directory module memory leak in exception
441631-1 3-Major WebSSo may take 100% if new instance started manually
441073-1 3-Major Empty action in post data in form-post.html request
440589-2 3-Major Deleting a virtual server where Oracle Access Manager (OAM) support is enabled with an AccessGate assigned to it, also deletes the associated AccessGate object in the corresponding AAA OAM object.
440505-1 3-Major Default port should be removed from Location header value in http redirect
439977-3 3-Major apd crash in AD module
439887-1 3-Major OWA2010 works incorrectly in Chrome via portal access
438958-4 3-Major maximum session timeout of 0 is not infinite
438344-2 3-Major APM Websso (SSOv1) incorrectly handles POST request to Start URI
436201-7 3-Major JavaScript can misbehave in case of the 'X-UA-Compatible' META tag when a client uses IE11
433972-3 3-Major New Event dialog widget is shifted to the left and Description field does not have action widget
432900-7 3-Major APM configurations can fail to load on newly-installed systems
432332 3-Major APM Reporting DB Log rotation settings are not preserved on upgrade
431337-5 3-Major OWA 2013, IE11 throws JavaScript error when you click "LinkedIn" button.
431216-2 3-Major Client proxy settings do not work when using Network Access with Internet Explorer 11
431076-13 3-Major Windows 8.1 can crash if you delete urfltv64.sys file.
429617-1 3-Major Full APM Webtop does not work Windows RT clients
429561-4 3-Major User-defined ACLs List Incorrectly Displays
427076-1 3-Major Web Application SSO could fail with user account locked out
426209-1 3-Major exporting to a CSV file may fail and the Admin UI is inaccessible
425853-1 3-Major Launch Application for Mac OS X doesn't work if the arguments string contains ampersand
425746-2 3-Major CSS styles added via style.appendChild(document.createTextNode(style)) are not correctly patched.
424938-5 3-Major APD crashes when processing an access policy with Tcl expressions.
424936-3 3-Major apm_mobile_ppc.css has duplicate 1st line
424768-3 3-Major websso doesn't log startup process
424313-2 3-Major When profile is copied images are not copied together with it
423751-2 3-Major Session logged out if traffic is received during Policy evaluation and iRules are involved
423137-1 3-Major 'GZIP Compression' setting displayed when Compression not licensed
422512-1 3-Major APM SharePoint integration might not work using Internet Explorer 10 on Microsoft Windows 8.
421861-2 3-Major WebSSO may not forward serverside shutdown events
421499-1 3-Major MAC OS X Edge Client fails to establish network access connection to BIG-IP Edge Gateway if it is behind PPTP VPN connection.
420013-1 3-Major EMC applet fails with java.lang.NoSuchMethodError
414370-3 3-Major ACCESS::disable and ASM may send TCP reset
412493-2 3-Major ---
411107-3 3-Major Upload of large file using APM with Basic SSO can fail.
410604-3 3-Major websso daemon may crash due to memory exhaustion for large size HTTP POST
410578-3 3-Major ActiveSync fails with Kerberos SSO
410338-2 3-Major APM does not correctly recover the iSession control channel after the server closes a transport TCP connection.
407940-1 3-Major ---
407860-1 3-Major Unable to export profile if it's using default SSO configuration
407833-1 3-Major ---
407350-1 3-Major Client side checks on Windows Phone 8
406971-1 3-Major Logout causes javascript error
405365-3 3-Major ---
405348-7 3-Major ActiveSync POST fails when body is larger than 64k.
404461-1 3-Major ---
404239 3-Major APM client for Microsoft Windows fails to establish a VPN connection if DTLS is configured on a link with 50-200 msec delay.
403326-2 3-Major Prevent caching of landing URI
402840-2 3-Major EAM restarts on using non urlencoded % parameter
401525-2 3-Major relative link rewrite issues
401135-1 3-Major Export custom report fails
400168-1 3-Major jquery menu does not display
399552-2 3-Major Policy disallowing CD/DVD burning is not effective with SPTI based CD/DVD burning tools
397711-3 3-Major "Add New Macro" causes JavaScript error
397402 3-Major Windows 8 x64 does not install new components
396905-2 3-Major Cache Cleaner does not clear autocomplete data.
395990-5 3-Major APM virtual server not accessible with route domains and SNAT pools
391745-1 3-Major APM fails to log
389744-1 3-Major Server address not updated in the UI
389328-1 3-Major RSA SecurID node secret is not synced to the standby node
385673-1 3-Major Citrix storefront fails to load
381258-2 3-Major 'with' statement in web applications works wrong in some cases
376000-3 3-Major Uploading files through APM portal access sometimes fails
354406-2 3-Major APM access policy on SNAT pool


WebAccelerator Issues

ID Number Severity Description
486346-5 2-Critical Prevent wamd shutdown cores
575631-5 3-Major Potential MCPd leak in WAM stats query code
506315-7 3-Major WAM/AAM is honoring OWS age header when not honoring OWS maxage.
488917-4 3-Major Potentially confusing wamd shutdown error messages
439709 3-Major WAM occasionally serves zero-length content
420893-1 3-Major Process errors in wamd
397789 3-Major WAM crash


Wan Optimization Manager Issues

ID Number Severity Description
395974-1 2-Critical EDGE: Assertion "peer ref valid" failed.


Service Provider Issues

ID Number Severity Description
543178 3-Major combined datagram LB and MBLB in one virtual will cause tmm busy

 

Known Issue details for BIG-IP v11.2.x

614441-2 : False Positive for illegal method (GET)

Component: Application Security Manager

Symptoms:
False Positive for illegal method (GET) and errors in BD log on Apply Policy:
----
ECARD|ERR |Sep 04 07:38:47.992|23835|table.h:0287|KEY_REMOVE: Failed to REMOVE data
----

Conditions:
This was seen after upgrade and/or failover.

Impact:
-- False positives.
-- BD has the incorrect security configuration.

Workaround:
Run the following command: restart asm.


610429-1 : X509::cert_fields iRule command may leak memory with subpubkey argument

Component: Local Traffic Manager

Symptoms:
The X509::cert_fields iRule command can leak memory in the 'method' memory subsystem if called with the 'subpubkey' argument, when the 'subpubkey' argument is not the last argument.

Conditions:
Create an iRule using X509::cert_fields where the subpubkey is not the last argument.

Example/signature to look for:
ltm rule rule_leak {
    when HTTP_REQUEST {
        if { [SSL::cert 0] ne "" } {
            HTTP::respond 200 content "[X509::cert_fields [SSL::cert 0] 0 subpubkey hash]\n"
        } else {
            HTTP::respond 200 content "no client cert (WRONG!)"
        }
    }
}

Impact:
Memory will leak, eventually impacting the operation of tmm.

Workaround:
Ensure that 'subpubkey' is the last argument to X509::cert_fields
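An added example (not F5 code and not part of the original release note): a Python audit script that scans iRule text, such as a copy of bigip.conf, for X509::cert_fields calls where 'subpubkey' is present but is not the last argument, the condition described for ID 610429. The function names are hypothetical, the sample rules are constructed (rule_leak is based on the rule shown above), and the scanner assumes the command is invoked inside [ ] command substitution.

```python
import re

# Bracketed invocation: "[X509::cert_fields ..." (Tcl command substitution).
CALL_RE = re.compile(r"\[\s*X509::cert_fields\b")


def matching_bracket(text, open_idx):
    """Index of the ']' that closes the '[' at open_idx, or -1 if unbalanced."""
    depth, i = 0, open_idx
    while i < len(text):
        ch = text[i]
        if ch == "\\":              # skip the escaped character
            i += 2
            continue
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    return -1


def split_words(body):
    """Split a Tcl command into words, keeping [..], {..} and ".." groups whole."""
    words, cur, depth, in_quote, i = [], [], 0, False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"' and depth == 0:
            in_quote = not in_quote
        elif not in_quote and ch in "[{":
            depth += 1
        elif not in_quote and ch in "]}":
            depth -= 1
        if ch.isspace() and depth == 0 and not in_quote:
            if cur:
                words.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:
        words.append("".join(cur))
    return words


def find_leaky_calls(irule_text):
    """Return one finding per call where subpubkey is given but is not last."""
    findings = []
    for m in CALL_RE.finditer(irule_text):
        # Ignore calls on lines that are Tcl comments.
        line_start = irule_text.rfind("\n", 0, m.start()) + 1
        if irule_text[line_start:m.start()].lstrip().startswith("#"):
            continue
        end = matching_bracket(irule_text, m.start())
        if end == -1:
            continue
        # Backslash-newline is a line continuation, i.e. plain whitespace.
        body = irule_text[m.start() + 1:end].replace("\\\n", " ")
        words = split_words(body)
        fields = words[3:]          # after command, certificate, error code
        if "subpubkey" in fields and fields[-1] != "subpubkey":
            reordered = [f for f in fields if f != "subpubkey"] + ["subpubkey"]
            findings.append({
                "line": irule_text.count("\n", 0, m.start()) + 1,
                "call": "[" + " ".join(words) + "]",
                "suggested": "[" + " ".join(words[:3] + reordered) + "]",
            })
    return findings


# Constructed sample configuration (not taken from a real device).
SAMPLE = r'''
ltm rule rule_leak {
    when HTTP_REQUEST {
        if { [SSL::cert 0] ne "" } {
            HTTP::respond 200 content "[X509::cert_fields [SSL::cert 0] 0 subpubkey hash]\n"
        }
    }
}
ltm rule rule_ok {
    when CLIENTSSL_CLIENTCERT {
        # old: set f [X509::cert_fields [SSL::cert 0] 0 subpubkey serial]
        set f [X509::cert_fields [SSL::cert 0] [SSL::verify_result] hash subpubkey]
        set g [X509::cert_fields $cert 0 subject issuer]
    }
}
ltm rule rule_multiline {
    when CLIENTSSL_CLIENTCERT {
        set h [X509::cert_fields [SSL::cert 0] 0 \
                   serial subpubkey validity]
    }
}
'''

if __name__ == "__main__":
    for f in find_leaky_calls(SAMPLE):
        print("line %d: %s -> %s" % (f["line"], f["call"], f["suggested"]))
```

Reordering the fields changes the order of the returned list, so review any code that indexes the result by position before applying a suggested call.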


610302-4 : Link throughput graphs might be incorrect.

Component: Local Traffic Manager

Symptoms:
The link throughput performance graphs available in the GTM, DNS or Link Controller modules might show the throughput for the wrong link in the graph.

Conditions:
Multiple links exist and one of the links has a name that is a prefix for the name of one or more other links.

For example, there are two links defined and named "mylink" and "mylink2".

Impact:
The graphs for all links that contain the prefix might show the throughput for the link whose name matches the prefix.

For example, the throughput graphs for both "mylink" and "mylink2" might both show the throughput data for "mylink"

As a result of this issue, the historical link throughput data is gathered and stored incorrectly. This data is used to generate the throughput graphs.

Workaround:
Do not create links where the name of one link forms a prefix for the name of other links.


609119-1 : Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3:

Component: TMOS

Symptoms:
Occasionally the logging system prints out a blank message, similar to the following example:

-- err mcpd[19114]: 01070711:3:

For this log statement, there is text associated with the error in the bigip_mcpd_error_defs.in file, so something should be logged.

Conditions:
The problem is the result of an exception handler issue in mcpd's File Object validator. The damaged logs can come from anywhere in mcpd, but appear only after a File Object configuration change fails validation. If the problem occurs, it will happen only once per validation error. The damage caused by the exception handler is automatically corrected when the system rewrites the log.

Impact:
Except for the missing log text, the state and behavior of the BIG-IP system is unaffected.

Workaround:
None. The problem corrects automatically when the system rewrites the log.


605476-1 : istatsd can core when reading corrupt stats files.

Component: TMOS

Symptoms:
The istatsd process may consume excessive CPU resources.

As a result of this issue, you may encounter one or more of the following symptoms:

-- The system performance degrades and the system eventually stops responding or reboots.
-- In the /var/log/ltm file, you observe multiple messages that appear similar to the following example: emerg logger: Re-starting istatsd.

-- The istatsd process produces a core file in the /shared/core directory.

Conditions:
This issue occurs when the following condition is met:

-- The istatsd process attempts to read a corrupt iStats file.

Under these conditions, the istatsd process may continually restart and produce a core file.

Impact:
Over time, the system performance may degrade and the system may eventually stop responding or reboot due to resource exhaustion.

Workaround:
To work around this issue, you can remove the iStats files and restart the istatsd processes. To do so, perform the following procedure:

Impact of workaround: This workaround will cause all statistics in the iStats files to reset.

1. Log in to the BIG-IP command line.

2. To stop the istatsd and related processes, type the following command:

tmsh stop sys service istatsd avrd merged

3. To delete the iStats files, type the following command:

find /var/tmstat2/ -depth -type f -delete

4. To start the istatsd and related processes, type the following command:

tmsh start sys service istatsd avrd merged


603945-4 : BD config update should be considered as config addition in case of update failure

Component: Application Security Manager

Symptoms:
A configuration update fails when the system cannot find the item to update. Configuration failures are shown in bd.log.

Conditions:
The condition that leads to this scenario is not clear and is still under investigation.

Impact:
The update fails and the entity is not added.

Workaround:
Delete the faulty entity and re-add, and then issue the following command: restart asm.

This fixes the issue in the cases in which it is a single entity.


602136-1 : iRule drop command causes tmm segfault or still sends 3-way handshake to the server.

Component: Local Traffic Manager

Symptoms:
If you have a client-side iRule that drops a client-side connection, either tmm will segfault or the BIG-IP system still sends the SYN to the server, and then a RST. The reset cause will be 'TCP 3WHS rejected'.

Conditions:
Client-side iRule that drops a connection.

Impact:
TMM segfaults or the BIG-IP system still sends a SYN to the server.

Workaround:
None.


601527-2 : mcpd memory leak and core

Component: TMOS

Symptoms:
Mcpd can leak memory during config update or config sync.

Conditions:
All of the conditions that trigger this are not known but it seems to occur during full configuration sync and is most severe on the config sync peers. It was triggered making a single change on the primary by configuring a monitor rule, e.g., tmsh create ltm pool p members { 1.2.3.4:80 } monitor http

Impact:
Loss of memory over time, which may result in out-of-memory and mcpd core.


600944-5 : tmsh does not reset route domain to 0 after cd /Common and loading bash

Component: TMOS

Symptoms:
In tmsh, you are in a partition with a custom route domain. When you run 'cd /Common', then run bash, and then run 'ip route', the routing table from the partition is displayed, not the one from /Common.

Conditions:
Attempting to see the route table from the /Common partition after leaving another partition.

Impact:
You cannot get /Common's route table back without quitting and restarting tmsh.

Workaround:
Quit tmsh and restart.


600558-1 : Errors logged after deleting user in GUI

Component: TMOS

Symptoms:
After deleting a user in the BIG-IP GUI (under Access Policy :: Local User DB : Manage Users), the following symptoms may be observed:

1. After approximately 10 minutes, an error similar to the following appears in the LTM log (/var/log/ltm):

mcpd[25939]: 01070418:5: connection 0x5dde19c8 (user admin) was closed with active requests

This message may also appear in /var/log/webui.log and /var/log/tomcat/catalina.out.

2. After clicking Refresh, the GUI may not show the correct web page.

Conditions:
This has been reported most frequently when deleting local users (Access Policy :: Local User DB : Manage Users), but has been encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.

Impact:
Error messages logged.
GUI may not show the correct web page.

Workaround:
Use the CLI (tmsh) to delete local users.


598874-4 : GTM Resolver sends FIN after SYN retransmission timeout

Component: Local Traffic Manager

Symptoms:
If a DNS server is not responding to TCP SYN, GTM Resolver sends a FIN after a retransmission timeout (RTO) of the SYN.

Conditions:
GTM Resolver tries to open a TCP connection to a server that does not respond.

Impact:
Firewalls may log the FIN as a possible attack.


597729-3 : Errors logged after deleting user in GUI

Component: TMOS

Symptoms:
After deleting a user in the BIG-IP GUI (under Access Policy :: Local User DB : Manage Users), the following symptoms may potentially be observed:

1. After approximately 10 minutes, an error similar to the following may appear in the LTM log (/var/log/ltm):

mcpd[25939]: 01070418:5: connection 0x5dde19c8 (user admin) was closed with active requests

Such a message may also appear in /var/log/webui.log and /var/log/tomcat/catalina.out.

2. After clicking Refresh, the GUI may not show the correct web page.

Conditions:
It is possible that this error could be encountered when deleting local users (Access Policy :: Local User DB : Manage Users), and may theoretically be encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.

Impact:
Error messages logged.
GUI may not show the correct web page.

Workaround:
Use the CLI (tmsh) to delete local users.


597431-1 : VPN establishment may fail when computer wakes up from sleep

Component: Access Policy Manager

Symptoms:
Edge Client doesn't clean up the routing table before Windows goes into hibernation. This may result in failure to establish the VPN when the computer wakes up. It may also result in other network connectivity issues.

Conditions:
- VPN connection is not disconnected.
- Computer goes into hibernation.

Impact:
Issues with network connectivity.

Workaround:
Renew the DHCP lease by running 'ipconfig /renew', or reboot the machine.


594123 : Illegal HTTP status in response filling up the database

Component: Application Security Manager

Symptoms:
You see errors similar to the following: "[ERROR] /usr/sbin/mysqld: The table 'ENFORCER_CPU_USAGE' is full"

Conditions:
This can occur when ASM is enabled and is triggering on "Illegal HTTP status in response". These entries are not cleaned up at the appropriate time.

Impact:
Database eventually consumes all available space.

Workaround:
You can manually truncate the table by running the following command in MySQL:

TRUNCATE TABLE PLC.LRN_ILLEGAL_HTTP_STATUS_IN_RESPONSE;


591659-6 : Server shutdown is propagated to client after X-Cnection: close transformation.

Component: Local Traffic Manager

Symptoms:
Server shutdown is propagated to client after X-Cnection: close transformation.

Conditions:
In OneConnect configurations, when a server's maximum number of keep-alives is exceeded, the server closes the connection between itself and the BIG-IP system. This Connection: Close is transformed to an X-Cnection: close and sent to the client along with a TCP FIN.

Impact:
Client side connections are closed by the BIG-IP system too early, causing subsequent requests to be dropped.

Workaround:
None.


591476-2 : Stuck nitrox crypto queue can erroneously be reported

Component: Local Traffic Manager

Symptoms:
In some cases, a stuck crypto queue can be erroneously detected on Nitrox systems (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The message "Device error: crypto codec cn-crypto-0 queue is stuck." will appear in the ltm log file.

Conditions:
Nitrox based system performing SSL under heavy load.

Impact:
Device errors reported in logs and crypto HA action is taken, possibly resulting in failing over.


591248 : tmm cores when iRule runs after "drop" command

Component: Local Traffic Manager

Symptoms:
tmm cores when an iRule runs after the "drop" command.

Conditions:
An iRule runs the "drop" command and there are other commands after it.

Impact:
Traffic disrupted while tmm restarts.


590904-2 : New HA Pair created using serial cable failover only will remain Active/Active

Component: TMOS

Symptoms:
After creating a new sync-failover device group without network failover enabled, both devices remain Active.

Conditions:
Create a new sync-failover device-group without enabling network failover.

Impact:
Both devices in the HA pair will be Active, which is unlikely to pass traffic successfully.

Workaround:
After adding the 2nd device to the sync-failover group, restart sod with "bigstart restart sod" on both devices.


589400-8 : With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.

Component: Local Traffic Manager

Symptoms:
With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.

Conditions:
Congestion window is small relative to message size; abc is enabled; also might manifest when serverside MTU is greater than clientside MTU.

Impact:
Additional connection latency.

Workaround:
Enabling proxy-mss on the serverside TCP profile significantly reduces incidence of this problem in observed cases.

If init-cwnd is low, raising it might also help.

Disabling abc can also reduce the problem, but might have other negative network implications.


587821-1 : vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.

Component: TMOS

Symptoms:
On the affected slot, the vCMP guest is unable to pass traffic to or from the VLANs. If the guest has multiple slots, the CMP state logged in /var/log/tmm on that slot differs from the CMP state logged by other slots of the same guest.

In the vCMP guest, 'tmsh show net interface -hidden' shows 0.x interfaces for the affected slot that differ from the 0.x interfaces shown by 'tmsh show vcmp guest all-properties' on the vCMP hypervisor for the same guest slot.

Conditions:
The MCPD daemon on one of the blades of the vCMP hypervisor crashes or restarts.

Impact:
vCMP guests that have been running since before the MCPD daemon restarted may be unable to communicate with VLAN networks. Incoming traffic may also be affected, even though the vCMP guest has other functional slots to process traffic.

Workaround:
On the hypervisor, modify the vCMP guest configuration to not run on the affected slot. Wait to confirm the vCMP guest has stopped on the affected slot. Then modify the vCMP guest to run on the previously affected slot.

Alternatively, modify the vCMP guest to the Configured state, and wait to confirm the vCMP guest has stopped on all slots. Then return the vCMP guest to the Deployed state.


583957-1 : The TMM may hang handling pipelined HTTP requests with certain iRule commands.

Component: Local Traffic Manager

Symptoms:
Rarely, the TMM may hang during an HTTP::respond or HTTP::redirect iRule command if it is part of a pipelined HTTP request.

Conditions:
An HTTP::respond or HTTP::redirect iRule is used.
The iRule command is in an event triggered on the client-side.
A pipelined HTTP request is being handled.

Impact:
The TMM will be restarted by SOD.


583754-1 : When TMM is down, executing 'show ltm persist persist-records' results in a blank error message.

Component: TMOS

Symptoms:
Executing 'show ltm persist persist-records' results in a blank error message.

Conditions:
TMM must be down.

Impact:
Non-obvious / unhelpful error message is generated, leading to customer confusion.

Workaround:
N/A


582029 : AVR might report incorrect statistics when used together with other modules.

Component: Application Visibility and Reporting

Symptoms:
When AVR is assigned to a virtual server that also has APM or Behavioral DoS, AVR can get false readings of the activity and, as a result, report unexpectedly large numbers.

Conditions:
The AVR module is used together with other modules, and these modules affect the traffic flow.

Impact:
AVR reports incorrect statistics: unexpectedly large numbers.

Workaround:
None.


579284-1 : Potential memory corruption in MCPd

Component: TMOS

Symptoms:
Memory in mcpd could get corrupted. The effect of this is unpredictable.

Conditions:
Varies. One way (but not the only way) this could be seen is by cancelling a chunked stats query (e.g. hitting ctrl-c during "show sys connection").

Impact:
Varies. Sometimes nothing will happen; other times MCP could start acting unpredictably. In one case it closed its connection to TMM, which caused all TMMs to restart.


576591-1 : Support for some future credit card number ranges

Component: Application Security Manager

Symptoms:
ASM does not block or mask when a specific credit card number range (planned for the future) appears in the response.

Conditions:
The Data Guard feature is turned on and set to Block, Alarm or Mask. The responses contain credit card numbers in specific ranges.

Impact:
The traffic passes unmasked or unblocked to the end client.

Workaround:
A custom pattern is possible for these cases, but should be adjusted to each customer specifically.


576296-5 : MCPd might leak memory in SCTP profile stats query.

Component: Local Traffic Manager

Symptoms:
The memory allocation for mcpd might grow by a small amount if SCTP profile stats are queried. In order to begin to impact the performance of the system, the stats would have to be queried many thousands of times.

Conditions:
An SCTP profile is configured, and the stats are displayed in TMSH or the GUI.

Impact:
Performance may be degraded.

Workaround:
None.


575735-5 : Potential MCPd leak in global CPU info stats code

Component: TMOS

Symptoms:
MCPd leaks memory; the umem_alloc_8 cache will grow.

Conditions:
In some cases, querying global CPU information stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575726-5 : MCPd might leak memory in vCMP interface stats.

Component: TMOS

Symptoms:
MCPd might leak memory in vCMP interface stats.

Conditions:
The memory leak occurs when viewing VCMP interface statistics.

Impact:
Over time this can cause MCPd to run out of memory and core.

Workaround:
None.


575716-5 : MCPd might leak memory in VCMP base stats.

Component: TMOS

Symptoms:
MCPd might leak memory in VCMP base stats.

Conditions:
This occurs when looking at VCMP base statistics.

Impact:
Over time this might cause MCPd to run out of memory and core.

Workaround:
None.


575708-5 : MCPd might leak memory in CPU info stats.

Component: TMOS

Symptoms:
MCPd might leak memory in CPU info stats.

Conditions:
In some cases, querying CPU information stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575671-5 : MCPd might leak memory in host info stats.

Component: TMOS

Symptoms:
MCPd might leak memory in host info stats.

Conditions:
In some cases, querying host information stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575631-5 : Potential MCPd leak in WAM stats query code

Component: WebAccelerator

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying WAM stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575626-1 : Minor memory leak in DNS Express stats error conditions

Component: Local Traffic Manager

Symptoms:
A minor memory leak might occur in certain error conditions relating to DNS Express statistics.

Conditions:
There are no known DNS Express configurations that lead to this issue. The problem was detected through standard code review practices.

Impact:
Memory leaks might eventually lead to system reboots.

Workaround:
None.


575619-5 : Potential MCPd leak in pool member stats query code

Component: TMOS

Symptoms:
MCPd leaks memory; the umem_alloc_8 cache will grow.

Conditions:
In some cases, querying pool member stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575608-5 : MCPd might leak memory in virtual server stats query.

Component: TMOS

Symptoms:
MCPd might leak memory in virtual server stats query.

Conditions:
In some cases, querying virtual server stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575368 : Error is not posted when a UCS file with FIPS keys is loaded after re-initializing the FIPS card

Component: TMOS

Symptoms:
When a UCS with FIPS keys is loaded after re-initializing the FIPS card, errors should be posted stating that the FIPS keys in the configuration are now invalid. Instead, the configuration loads without any errors, and SSL handshake failures are seen when a clientSSL profile uses the FIPS key.

Conditions:
UCS file with FIPS keys is loaded after re-initializing the FIPS card.

Impact:
SSL handshake failures are seen when a clientSSL profile uses the FIPS key.

Workaround:
You can delete the FIPS keys, re-initialize the FIPS card, then install the needed keys.


572680-1 : Standby TMM might overflow send buffer if out of sync with Active TMM

Component: Local Traffic Manager

Symptoms:
Send buffer size is unlimited on a standby TMM. If sync is lost with the active TMM while a TCP client is advertising a zero receive buffer, the standby TMM might continue to use a zero send buffer indefinitely. This eventually leads to the send buffer overflowing on the standby TMM.

Conditions:
Standby TMM loses sync with active TMM while a TCP client's advertised receive window is zero.

Impact:
Standby TMM can accumulate too much data in the send buffer and overflow.

Workaround:
This issue is less likely with a low zero-window-timeout value in the TCP profile.


570520 : MAC Edge client doesn't handle redirects during profile download (/pre/config.php?version=2.0)

Component: Access Policy Manager

Symptoms:
MAC Edge client doesn't handle redirects during profile download (/pre/config.php?version=2.0), and eventually the Edge client is not able to connect.

Conditions:
MAC Edge client with BIG-IP v11.2.1.

Impact:
Edge client cannot establish a connection successfully.


569642-1 : Deleting all routes on a unit with a mirroring fastL4 Virtual may cause TMM to core

Component: Local Traffic Manager

Symptoms:
In certain circumstances TMM may core if an HA pair configured with mirroring has all the routes to the server pool removed.

Conditions:
- HA pair.
- FastL4 VIP with mirroring.
- Default route to pool via an intermediate router.
- The active unit is handling traffic.
- Active unit fails over and loses its mirroring connection.
- Prior active unit comes back and HA connection is reestablished.
- During the loss of HA and its recovery, the now active unit loses its only route to the pool member.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not remove all routes to pool members. If this is needed, create other backup routes prior to the deletion.


566361-6 : RAM Cache Key Collision

Component: Local Traffic Manager

Symptoms:
Intermittent tmm SIGSEGV when RAM Cache is enabled.

Conditions:
This occurs when RAM cache is enabled in certain circumstances.

Impact:
Invalid response format, and/or serving the wrong object from cache, and/or tmm crash, interruption of service.

Workaround:
None.


565810-4 : OneConnect profile with an idle or strict limit-type might lead to tmm core.

Component: Local Traffic Manager

Symptoms:
OneConnect profile with an idle or strict limit-type might lead to tmm core.

Conditions:
OneConnect profile with a limit-type value of idle or strict.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use a limit-type of 'none'.


565534-5 : Some failover configuration items may fail to take effect

Component: TMOS

Symptoms:
These symptoms apply to version 12.0.0 and higher:

When only multicast failover is configured, traffic-groups are active on all devices in the device-group. If unicast failover is also configured, the traffic-group unexpectedly switches to a different device.

These symptoms can occur on all versions:

When the unicast address list is changed at the same time as other device properties, sod (the failover daemon) may fail to recognize one of the other changes.

Conditions:
For version 12.0.0 and higher:

Multicast failover is configured and the system loads the configuration from the configuration files. For example, during the first boot of a new boot location or after performing the procedure in Sol13030.

For all versions:

A change is made to the cm device configuration that includes a unicast-address change along with something else.

Impact:
When only multicast failover is configured, traffic-groups may become active on all devices in the device-group. If unicast failover is also configured, the traffic-group might switch to a different device.

Workaround:
Mitigation for v12.0.0 symptom:

To restore multicast failover, disable and re-enable multicast failover.

CLI:
This must be done on the local device.

Determine which interface is being used for multicast failover:
tmsh> list cm device bigip1 multicast-interface

Disable and re-enable multicast failover:
tmsh> modify cm device bigip1 { multicast-interface none }
tmsh> modify cm device bigip1 { multicast-interface eth0 }


Mitigation for the symptoms on all versions:
Do not make cm device unicast-address changes simultaneously with changes to other cm device properties.


560405-3 : Optional target IP address and port in the 'virtual' iRule API is not supported.

Component: Local Traffic Manager

Symptoms:
In certain scenarios there is a need to redirect an HTTP request through a given virtual server to another virtual server (or remote endpoint). Such an operation is also known as 'vip-to-vip' forwarding. The available iRule API (specifically, the 'virtual' command) does not currently support this functionality.

Conditions:
Using an iRule to forward a request through a given virtual server to another virtual server or remote endpoint.

Impact:
Cannot implement HTTP Forward Proxy plus Transparent redirection to Web-Cache Pool.

Workaround:
None.


559975-1 : Changing the username or password used for HTTP monitor basic auth may break HTTP basic auth

Component: Global Traffic Manager

Symptoms:
HTTP basic authentication uses a base64 encoded string. When an HTTP monitor username or password is changed, the b64 string is regenerated and may become malformed.

Conditions:
When an HTTP monitor username or password is changed (for example, shortened), the HTTP basic auth string may be mangled.

Impact:
An HTTP monitor may show its resource as unavailable after changing the username or password.

Workaround:
Restart big3d, or delete then recreate the monitor instead of modifying the existing monitor.


558779-2 : SNMP dot3 stats occasionally unavailable

Component: TMOS

Symptoms:
SNMP would not provide values for some dot3 stats.

Conditions:
Not conditional.

Impact:
SNMP would not provide values for some dot3 stats.

Workaround:
None


558573-5 : MCPD restart on secondary blade after updating Pool via GUI

Component: TMOS

Symptoms:
If you use the LTM GUI in a clustered environment to add an IP Encapsulation profile to a Pool, then click Update, mcpd and other daemons may restart on secondary blades in the cluster.

When this occurs, errors similar to the following will be logged on the secondary blades:
-- err mcpd[22537]: 01020036:3: The requested pool profile (49825) was not found.
-- err mcpd[22537]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested pool profile (49825) was not found.

Conditions:
This problem may occur when operating BIG-IP in a clustered environment (VIPRION), and using the GUI to update the properties of an LTM pool with an IP Encapsulation profile defined.

Impact:
Daemon restarts, disruption of traffic passing on secondary blades.

Workaround:
Perform pool updates via the tmsh command-line utility.


556421 : Occasional message length miscalculation in DNS messages over TCP

Component: Local Traffic Manager

Symptoms:
DNS messages over TCP passing through a DNS virtual may be marked as corrupt due to a message length miscalculation.

Conditions:
A virtual must have a DNS profile assigned, a DNS message must be exactly two bytes longer than a multiple of the TCP segment size, and the TCP stack on the DNS client or resolver must bundle the first two bytes (the TCP message length) with the message in the first TCP segment.

Impact:
DNS messages over TCP passing through a DNS virtual may be marked as corrupt due to a message length miscalculation.

Workaround:
Use UDP with EDNS instead of TCP if possible. Alternatively, adjust the TCP MSS setting by a few bytes for the DNS virtual.
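
The framing involved in this issue, as an added example (not F5 code): DNS over TCP prefixes each message with a two-byte length (RFC 1035, section 4.2.2), and a receiver has to track that prefix independently of where TCP segments end. The reassembler below does that and is exercised with the boundary case from the Conditions; the MSS of 1460, the helper names and the payload bytes are constructed for illustration.

```python
import struct


class DnsTcpReassembler:
    """Rebuild DNS messages from a TCP byte stream, whatever the segmentation."""

    def __init__(self):
        self._buf = bytearray()

    def feed(self, segment: bytes) -> list:
        """Add one TCP segment payload; return every message it completes."""
        self._buf += segment
        messages = []
        while len(self._buf) >= 2:
            # The length prefix is read from the stream, never from the
            # size of the segment that happened to carry it.
            (length,) = struct.unpack_from("!H", self._buf, 0)
            if len(self._buf) < 2 + length:
                break  # message still incomplete, wait for more segments
            messages.append(bytes(self._buf[2:2 + length]))
            del self._buf[:2 + length]
        return messages

    def pending(self) -> int:
        """Bytes buffered that do not yet form a complete message."""
        return len(self._buf)


def frame(message: bytes) -> bytes:
    """Prefix a DNS message with its two-byte big-endian length."""
    if len(message) > 0xFFFF:
        raise ValueError("DNS over TCP messages are limited to 65535 bytes")
    return struct.pack("!H", len(message)) + message


def segment(stream: bytes, mss: int) -> list:
    """Cut a byte stream into MSS-sized segment payloads."""
    return [stream[i:i + mss] for i in range(0, len(stream), mss)]


def boundary_case(mss: int = 1460, multiples: int = 2):
    """Message exactly two bytes longer than a multiple of the MSS,
    with the length prefix bundled into the first segment."""
    # Constructed payload, not a real DNS message.
    message = bytes((i * 7) % 256 for i in range(multiples * mss + 2))
    segments = segment(frame(message), mss)
    reassembler = DnsTcpReassembler()
    recovered = []
    for seg in segments:
        recovered.extend(reassembler.feed(seg))
    return message, segments, recovered, reassembler.pending()


if __name__ == "__main__":
    msg, segs, out, left = boundary_case()
    print("message bytes:", len(msg))
    print("segment sizes:", [len(s) for s in segs])
    print("recovered intact:", out == [msg], "leftover bytes:", left)
```

With these sizes the final segment carries only the last four bytes of the message, and the reassembler still returns the message intact with nothing left in the buffer.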


556380-5 : mcpd can assert on active connection deletion

Component: TMOS

Symptoms:
When all of the peers in an HA / DSC configuration are removed, then it is possible for the connection tear down to result in an assert.

Conditions:
Removal of all peers while a connection is handling a transaction.

Impact:
MCPD asserts and restarts.

Workaround:
No workaround is necessary. MCPD restarts.


556277-2 : Config Sync error after hotfix installation (chroot failed rsync error)

Component: TMOS

Symptoms:
Once an installation has been booted into, applying a hotfix over that installation does not change the SELinux policy, but instead uses the previously installed SELinux policy.

Conditions:
This affects installations of a later hotfix atop an earlier hotfix, or onto a base build of the same software version. Installation onto a new volume is unaffected.

To determine whether the configuration will experience this issue, use md5sum to see whether the following have the same checksums:
-- /etc/selinux/targeted/modules/active/modules/f5_mcpd.pp
-- /usr/share/selinux/targeted/f5_mcpd.pp.

If the checksums are the same, the system will use the SELinux policy installed with the previous hotfix, and this issue will occur.

Impact:
Sync of file objects might fail with an error similar to the following:

01071488:3: Remote transaction for device group [name] to commit id [number] failed with error 01070712:3: Caught configuration exception (0), verify_sync_result:() :Failed to sync files. - sys/validation/FileObject.cpp, line 6276..

Workaround:
Instead of installing the hotfix over an existing installation of the base build of that version (or an earlier hotfix), install the base ISO (for example 11.5.4) into a volume, and then install the hotfix onto that volume, without booting the volume in between.


555272-6 : Endpoint Security client components (OPSWAT, EPSEC) may fail to upgrade

Component: Access Policy Manager

Symptoms:
Previously, F5 client components were signed using a SHA1 certificate. SHA1 is now considered insecure, and Windows will reject components signed using a SHA1 certificate after March 31st 2016.

To support this new requirement, F5 has changed the client component signing certificates to utilize a higher security validation algorithm.

The result of this change is that clients utilizing client components built prior to these versions:

BIG-IP 12.0.0 HF1 or earlier
BIG-IP 11.6.0 HF6 or earlier
BIG-IP 11.5.4 (base release) or earlier

cannot install Endpoint Security updates build 431 or greater.

If you require updated Endpoint Security (OPSWAT / EPSEC) builds greater than 431, you must upgrade to these versions:

BIG-IP 12.1.0 or later
BIG-IP 12.0.0 HF2 or later
BIG-IP 11.6.1 or later
BIG-IP 11.6.0 HF7
BIG-IP 11.5.4 HF1 or later

Conditions:
Running incompatible BIG-IP version with EPSEC build 431 or later.

Impact:
User will see certificate warnings and installation of client component updates may fail. The failure may occur multiple times.

Workaround:
Upgrade BIG-IP to the correct version.

Use the BIG-IP Web GUI's Software Management :: Antivirus Check Updates section to install an EPSEC build prior to 431.


554761-2 : Unexpected handling of TCP timestamps under syncookie protection.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system experiences intermittent packet drops.

Although the timestamp option is negotiated during the TCP handshake, the BIG-IP system fails to present it in subsequent segments.

The BIG-IP system calculates an invalid round trip time immediately after the handshake, which might result in delayed retransmissions.

Conditions:
This occurs when the following conditions are met:
- Virtual server configured with a TCP profile with timestamps enabled.
- The syncookie mode has been activated.
- Clients that support timestamps.

Impact:
Connection might be reset by remote TCP stacks (e.g., NetBSD and FreeBSD) that require timestamps to be maintained once negotiated.

Retransmission timeout (RTO) value may be skewed. Segments that are subject to RTO might take up to 64 segments to retransmit.

Workaround:
Choose or create a TCP profile that has timestamps disabled.


552498-4 : APMD basic authentication cookie domains are not processed correctly

Component: Access Policy Manager

Symptoms:
401 responses containing Set-Cookie headers might not be processed correctly. Domains that begin with a dot will be truncated and the cookies will not be sent to pool members.

Conditions:
An access policy needs to use Basic or NTLM authentication and one or more of the 401 responses must contain Set-Cookie headers. If a domain is specified and the domain begins with a dot, it will not be processed correctly.

Impact:
Cookies assigned during the authentication handshake might not be sent to pool members.

Workaround:
An iRule can be used to process the 401 responses and remove any leading dots from domain fields of Set-Cookie headers.
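
The transformation that workaround describes, as an added example written in Python rather than as an iRule (it is not F5 code): only Set-Cookie headers on 401 responses are rewritten, and only the Domain attribute loses its leading dots. The function names and the sample headers are constructed for illustration.

```python
def strip_domain_dot(set_cookie: str) -> str:
    """Return a Set-Cookie value with leading dots removed from Domain."""
    pieces = set_cookie.split(";")
    rewritten = [pieces[0]]  # the "name=value" pair is never touched
    for attr in pieces[1:]:
        name, sep, value = attr.partition("=")
        # Attribute names are case-insensitive: Domain, domain, DOMAIN.
        if sep and name.strip().lower() == "domain":
            indent = attr[: len(attr) - len(attr.lstrip())]
            attr = f"{indent}{name.strip()}={value.strip().lstrip('.')}"
        rewritten.append(attr)
    return ";".join(rewritten)


def rewrite_401_cookies(status: int, headers: list) -> list:
    """headers is a list of (name, value) pairs.

    Responses other than 401 are returned unchanged, since the issue
    only concerns cookies set during the authentication handshake.
    """
    if status != 401:
        return list(headers)
    return [
        (name, strip_domain_dot(value)) if name.lower() == "set-cookie"
        else (name, value)
        for name, value in headers
    ]


# Constructed sample headers for a 401 response.
SAMPLE_401 = [
    ("WWW-Authenticate", 'Basic realm="constructed"'),
    ("Set-Cookie", "SESSION=abc123; Domain=.example.com; Path=/; HttpOnly"),
    ("Set-Cookie", "lb=node1; path=/; domain=..app.example.com"),
    ("Set-Cookie", "pref=domain=.kept; Path=/"),
]

if __name__ == "__main__":
    for name, value in rewrite_401_cookies(401, SAMPLE_401):
        print(f"{name}: {value}")
```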


552139-5 : ASM limitation in the pattern matching matrix buildup

Component: Application Security Manager

Symptoms:
The signature configuration is not building up upon adding new signatures. This can look like a configuration change is not finishing, or if it does, it may result in crashes when the Enforcer starts up resulting in constant startups.

Conditions:
Too many signatures are configured with custom signatures. The exact number varies (depending on the signature) but hundreds of signatures may be enough to trigger it.

Impact:
Configuration change doesn't finish or crashes in the ASM startup (which results in constant startups of the system).

Workaround:
Workarounds are possible only in a custom signature scenario: use fewer signatures or remove unused signatures.


549588-5 : EAM memory leak when cookiemap is destroyed without deleting Cookie object in it

Component: Access Policy Manager

Symptoms:
EAM memory usage grows, and OOM kills the EAM process under memory pressure.

Conditions:
This occurs when using access management such as Oracle Access Manager. When an authentication request is redirected to the IDP (redirect URL is present) with cookies present, memory can grow unbounded.

Impact:
EAM memory usage increases and OOM kills EAM process if the system is under memory pressure.

Workaround:
No Workaround


549086-5 : Windows 10 is not detected when Firefox is used

Component: Access Policy Manager

Symptoms:
Windows 10 is not detected when the Firefox browser is used.

Conditions:
Windows 10 and Firefox (at least versions 40 and 41).

Impact:
The Client OS agent chooses an incorrect branch. Network Access might be disabled for such a client.

Workaround:
There is no workaround.


547000-1 : Enforcer application might crash on XML traffic when out of memory

Component: Application Security Manager

Symptoms:
Enforcer application might crash on XML traffic when out of memory.

Conditions:
This occurs when the system is out of memory.

Impact:
The BIG-IP system might temporarily fail to process traffic.

Workaround:
None.


544888-2 : Idle timeout changes to five seconds when using PVA full or Assisted acceleration.

Component: TMOS

Symptoms:
When FastL4 performs hardware acceleration during the TCP handshake, the FastL4 handshake timeout is not updated to match the profile timeout value after the connection is established.

Conditions:
Accelerated, established TCP flows with no traffic for more than five seconds.

Impact:
TCP flows in the established state are dropped if they have more than five seconds of inactivity.

Workaround:
Disable embedded Packet Velocity Acceleration (ePVA) acceleration.


543178 : combined datagram LB and MBLB in one virtual will cause tmm busy

Component: Service Provider

Symptoms:
When MBLB is used with ip-protocol udp, tmm can experience extreme slowdown.

Conditions:
A virtual server has both datagram LB enabled and an MBLB profile.

Impact:
tmm busy, performance seriously degraded. In severe cases tmm can be killed by sod, and traffic is disrupted while tmm restarts.

Workaround:
Avoid using both datagram LB and MBLB at the same time. This is an invalid combination.


542742-5 : SNMP reports invalid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m).

Component: TMOS

Symptoms:
SNMP reports invalid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m).

Conditions:
Querying the OIDs.

Impact:
Unable to monitor the moving averages of the current connection counts as they return 0.

Workaround:
There is no known workaround.


542191-5 : Snmpd V1 and V2c view based access.

Component: TMOS

Symptoms:
SNMP v3 allows for 'views' to be created. These views can be a union of multiple sub-branch OID access config statements. Users/groups can then be assigned to a view.

Conditions:
If more than one snmpd view is specified per community string, the second view is not accessible. Note: A view is a portion of a MIB tree defined by an OID.

Impact:
The BIG-IP system does not support view configuration. If multiple views are created using the lines: rouser USER [noauth|auth|priv [OID]], the system adds only one of them to the snmpd.conf file.

Workaround:
Multiple views with the same community string are not supported.


540568-7 : TMM core due to SIGSEGV

Component: Local Traffic Manager

Symptoms:
TMM may core due to a SIGSEGV.

Conditions:
Occurs rarely. Specific conditions unknown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


539229-5 : EAM core while using Oracle Access Manager

Component: Access Policy Manager

Symptoms:
Authentication with Oracle Access Manager can result in an exception while checking whether authentication is required. This is an intermittent issue.

Conditions:
This event can be triggered while using the Oracle Access Manager.

Impact:
An unhandled exception will cause EAM to core, with a possible access outage.

Workaround:
No workaround


539013-4 : DNS resolution does not work on a Windows 10 desktop with multiple NICs after VPN connection has been established in some cases

Component: Access Policy Manager

Symptoms:
DNS resolution stops working on a Windows 10 desktop when the VPN connection is established.

Conditions:
This occurs when the client system meets all of the following conditions:
- Running BIG-IP software version Hotfix-BIGIP-11.5.3.1.47.167-HF1-ENG.iso.
- Running Microsoft Windows version 10.
- Has multiple NICs and one of them is in the disconnected state, with a statically assigned IPv4 configuration.

Impact:
User cannot access resources by DNS name.

Workaround:
Disable disconnected NICs that have a statically assigned IPv4 configuration.


533866 : Default SNMP community may disappear upgrading to 11.2.1 HF15

Component: TMOS

Symptoms:
After upgrading to 11.2.1 HF15, SNMPd might not reply when a GetRequest is sent to localhost, management IP, or to the self-IP address of the BIG-IP system.

Conditions:
Upon upgrading from 11.2.1 base install (with only the default comm-public community configured) to 11.2.1 HF15, the system boots up with no communities configured, even though no command was issued to remove the default comm-public community.

Impact:
SNMPD does not send replies to client.

Workaround:
Configure a 'public' SNMP community after upgrading to 11.2.1 HF15.


529920-4 : Connection mirroring with OneConnect on a virtual server can cause TMM crash on standby unit

Component: Local Traffic Manager

Symptoms:
TMM crashes on the standby unit.

Conditions:
This is a standby-only failure. Connection mirroring on a OneConnect virtual server can lead to a TMM crash during connection establishment.

Impact:
TMM restarts, and the standby is not available for failover. When the standby unit comes back up it does not have the mirrored flows from the active unit, so failover results in loss of those connection flows.

Workaround:
None.


528675-5 : BIG-IP Edge Client can stay indefinitely in the "disconnecting..." state when the captive portal session has expired

Component: Access Policy Manager

Symptoms:
Edge Client can get stuck in the "disconnecting..." state if it connected through a captive portal and the captive portal session expired. This happens when BIG-IP Edge Client keeps the HTTP connection to the captive portal probe URL alive.

Conditions:
BIG-IP Edge Client for Windows connecting to BIG-IP APM on a network with an active captive portal.
The captive portal session expired before the user terminated the active Network Access connection.

Impact:
When a user runs into this condition, BIG-IP Edge Client for Windows cannot connect to the BIG-IP APM server without a restart.

Workaround:
The user can exit and restart BIG-IP Edge Client.


528276-5 : The device management daemon can crash with a malloc error

Component: TMOS

Symptoms:
The device management daemon can core if a timeout condition occurs during an iControl query. The daemon recovers and proceeds with the operation.

Conditions:
A timeout can occur during an iControl query and in some instances this can cause a core.

Impact:
The daemon crashes and recovers.

Workaround:
This issue has no workaround at this time.


528083-5 : On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.

Component: TMOS

Symptoms:
On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.

Conditions:
System shutdown. Unable to reproduce the issue reliably, so conditions for the crash are unknown.

Impact:
Since the core happens on shutdown, operation on the device is not affected, but a core file may be generated.

Workaround:
None


527145-1 : On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.

Component: TMOS

Symptoms:
Occasionally SOD core dumps on shutdown during memory cleanup.

Conditions:
System shutdown. Cannot reproduce the issue reliably, so conditions for the crash are unknown.

Impact:
Minimal additional impact on services because a shutdown was already in process.

Workaround:
None.


525429-7 : DTLS renegotiation sequence number compatibility

Component: Access Policy Manager

Symptoms:
The OpenSSL library was modified to keep it compatible with the RFC 6347-compliant DTLS server renegotiation sequence number implementation.

Conditions:
The old OpenSSL library is not compatible with RFC 6347; the new OpenSSL library is modified to be compatible with RFC 6347.
The current APM client is compatible with the old OpenSSL library, not the new OpenSSL library.

Impact:
The current APM client is not compatible with the new OpenSSL library.


524326-1 : Can delete last ip address on a gtm server but cannot load a config with a gtm server with no ips

Component: TMOS

Symptoms:
Current configuration validation will allow a user to delete the last (only remaining) IP address on a GTM server. However, since a GTM server cannot be created/loaded without at least one IP address, the configuration will fail to load.

Conditions:
User has deleted the last IP address on a GTM server.

Impact:
Configuration load will fail. If the GTMs are in a sync group, this will also break sync because the config change cannot be loaded by any GTM.

Workaround:
User must either delete the server from the config if it has no more valid IPs, or must add at least one IP to the server's IP address list.


524193-1 : Multiple Source addresses are not allowed on a TMSH SNMP community

Component: TMOS

Symptoms:
If multiple source addresses are specified on a TMSH snmp community command (add, modify, delete, replace-all), only the first address is saved.

Conditions:
Multiple source addresses are specified on a TMSH snmp community command.

Impact:
The command is accepted, but only the first address will be allowed snmp access.

Workaround:
Add an additional source address to another snmp community object that has the same community string.


523527-1 : Upgrade from 10.x to 11.2.0 or later does not add existing routing protocols to RD0.

Component: TMOS

Symptoms:
If you upgrade directly from version 10.x to version 11.2.0 or later with a working dynamic routing protocol configuration, you might find that the routing protocol is disabled after the upgrade.

Conditions:
- Upgrade from 10.x to 11.2.0 or later.
- Routing protocol enabled in tmrouted dbkeys.
- No route domain 0 (zero) (RD0) configuration; that is, all VLANs are in RD0 by default and no comment is set, so no RD0 configuration exists in bigip_base.conf.

Impact:
Routing protocol information is missing from RD0, ZebOS is not running (although configured).

Workaround:
There are several workarounds to this issue:
  - Cause the RD0 configuration to exist by adding a comment to the 10.x description field and saving prior to upgrade.
  - Re-add the routing protocol to the RD0 configuration after the upgrade.
  - Perform an intermediate upgrade from 10.x to 11.0.0 or 11.1.0 prior to upgrading to an 11.2.0 or later version.


521144-2 : Network failover packets on the management interface sometimes have an incorrect source-IP

Component: TMOS

Symptoms:
After reboot, network failover packets might be transmitted with an internal source address, on the 127/8 network.

Conditions:
This problem might occur if the members of a device service clustering (DSC)/high availability (HA) device group have management ports on different IP networks, so that a management-route is necessary for them to communicate.

Impact:
If there are intervening firewalls or routers that drop packets with improper/unroutable source addresses, then the members of the device group cannot communicate on this channel.

Workaround:
Remove the management-route from tmsh, and add a static route to the Linux kernel routing table. For example:

  # tmsh delete sys management-route 10.208.101.0/24
  # tmsh save sys config
  # echo "10.208.101.0/24 via 10.208.102.254 dev eth0" > /etc/sysconfig/network-scripts/route-eth0
  # reboot


519068-5 : device trust setup can require restart of devmgmtd

Component: TMOS

Symptoms:
Depending on the order of operations, the device trust might enter a state in which the device trust connections between devices are continuously reset, with messages about self-signed certificates.

Conditions:
This occurs when devices are being added to and deleted from the device trust.

Impact:
This prevents devices from being able to communicate with each other. The device trust goes to Disconnected and cannot synchronize.

Workaround:
A restart of the devmgmtd daemon clears any stale cached information that it has. However, the administrator may still need to reset the device trust (remove devices from the trust and re-add them).


517282-1 : The DNS monitor may delay marking an object down or never mark it down

Component: Local Traffic Manager

Symptoms:
The DNS monitor may not mark an object down within the monitor timeout period or may never mark the object down.

Conditions:
A DNS monitor has no configured recv string, and the monitor receives an ICMP error other than port unreachable.

Impact:
The DNS monitor may not mark an object down within the monitor timeout period or may never mark the object down.

Workaround:
Supply an appropriate recv string to the monitor definition:
  tmsh modify ltm monitor dns mydns recv 10.1.1.1

Or add another monitor to the object:
  tmsh modify ltm pool dnspool monitor min 2 of { mydns gateway_icmp }


517020-2 : SNMP requests fail and subsnmpd reports that it has been terminated.

Component: TMOS

Symptoms:
After an unspecified period of time, SNMP requests fail and subsnmpd reports that it has been terminated.

Conditions:
SNMP polls sent to a system start to fail after a few days, until subsnmpd is restarted. When in the failed state, you can determine the status of subsnmpd by running the following command: tmsh show sys services. Here is an example of the status when the system is in this state: subsnmpd run (pid 4649) 26 days, got TERM.

Impact:
Loss of SNMP data sent to a client. The /var/log/snmpd.log file contains numerous messages similar to the following: Received broken packet. Closing session. The /var/log/sflow_agent.log file contains numerous messages similar to the following: AgentX session to master agent attempted to be re-opened.

Workaround:
Restart subsnmpd using the following command: bigstart restart subsnmpd.


516669-4 : Rarely occurring SOD core causes failover.

Component: TMOS

Symptoms:
Spontaneous failover occurs rarely due to a SOD core dump.

Conditions:
Cannot reproduce the issue reliably, so conditions for the crash are unknown.

Impact:
When SOD cores, all traffic groups fail over to another device. Non-mirrored flows will be interrupted.

Workaround:
None.


515759-5 : Configuration objects with more than four vlans in vlan list may cause memory utilization to increase over time

Component: Local Traffic Manager

Symptoms:
tmm memory growth over time.

Conditions:
Conditions leading to this issue include: one or more virtual servers, NATs, SNATs, or LSNs with more than four VLANS in a vlan allow or vlan deny list.

Impact:
tmm memory usage can grow over time eventually causing memory exhaustion.

Workaround:
Mitigation: Minimize the number of VLANs in the VLAN list for virtual servers, NATs, SNATs and LSNs. Minimize the number of configuration changes to Self-IPs, virtual servers, NATs, SNATs and LSNs.


515667-1 : Unique truncated SNMP OIDs.

Component: TMOS

Symptoms:
When the BIG-IP system has to truncate an SNMP OID in order to stay within the OID max length limit of 128, the truncated OID is not always consistent or unique.

Conditions:
An SNMP table has a unique index (key) consisting of one or more table attributes of various types. String type index attributes with values lengths approaching or exceeding 128 characters expose this truncation issue.

Impact:
SNMP get, get-next, and set commands might fail or even operate on incorrect data when the target OID is not consistent or unique.

Workaround:
The long string values triggering this issue are typically identified as user-supplied names that were introduced as part of BIG-IP configuration. Often these names can be reconfigured to a shorter length.


515072-9 : Virtual servers with priority groups reset incoming connections when a non-zero connection limit is increased

Component: Local Traffic Manager

Symptoms:
When a virtual server has priority groups and connection limit configured, if the connection limit is reached and is increased while the member is limited, then subsequent connections will be reset rather than allowed.

Conditions:
Using priority groups and a non-zero connection limit, with one of the following load balancing methods: least-connections-member, least-sessions, ratio-member, ratio-least-connections-member, ratio-session. The issue occurs when the connection limit is adjusted higher when the connection limit is reached on the high-priority pool.

Impact:
New connections are reset without being able to send traffic.

Workaround:
If it is feasible to adjust the priorities, adjust the connection limit to its initial value, and adjust the priority groups so that the traffic currently on the limited pool drains out. When the pool has no connections, increase the limit to restore the correct priorities.


512487 : Device keeps going offline/online with the message: HA mysqld_failure_t mysqlhad fails action is go offline.

Component: Application Security Manager

Symptoms:
Device keeps going offline/online with the message: HA mysqld_failure_t mysqlhad fails action is go offline.

Conditions:
The conditions that cause this are not yet known. This was discovered when ASM was provisioned.

Impact:
Device keeps going offline/online.


506315-7 : WAM/AAM is honoring OWS age header when not honoring OWS maxage.

Component: WebAccelerator

Symptoms:
WAM/AAM policy is configured to ignore OWS maxage header values, but the policy does not ignore the OWS Age header.

Conditions:
BIG-IP system with AAM provisioned, content matching a policy node not honoring OWS headers maxage and/or s-maxage, and a large 'Age' value.

Impact:
This results in WAM/AAM improperly reducing the lifetime of OWS responses by the amount of the Age header, and more frequent WAM/AAM revalidation of the affected content (possibly on every request if the Age header is larger than the policy-specified cache lifetime).

Workaround:
You can use any one of the following as a workaround:
-- Honor OWS lifetime headers (s-maxage and max-age).
-- Use an iRule to delete OWS Age header.
-- Increase the AAM/WAM cache lifetime for that content to compensate.


504973-8 : Configuring a route domain with 32 bit subnet mask, 128 bit mask saved instead

Component: Application Security Manager

Symptoms:
When creating a policy using a route domain and a full 32 bit subnet mask, the ASM saves it as a 128 bit mask.

Conditions:
Provisioned ASM

Impact:
Wrong 128 bit subnet mask is saved instead of the configured 32 bit mask.


504854 : OneConnect does not balance new traffic for all load balancing methods

Component: Local Traffic Manager

Symptoms:
With several load balancing methods, OneConnect does not load-balance new connections to pool members as desired.

These methods include ratio (node), least connections (node), observed (node) and predictive (node).

In these cases, new traffic will continue going to a limited number of pool members.

Conditions:
Using OneConnect along with one of the following load balancing methods: ratio (node), least connections (node), observed (node) or predictive (node).

Impact:
Traffic does not balance across nodes as desired.

Workaround:
This can be partially mitigated if load balancing can be done with other methods; however, using these methods there is no workaround.


504633-4 : DTLS should not update 'expected next sequence number' when the record is bad.

Component: Local Traffic Manager

Symptoms:
DTLS updates the 'expected next sequence number' even if the record is bad. This might cause good records to be dropped because their sequence numbers are unexpected.

Conditions:
DTLS receives a bad record with a very large sequence number.

Impact:
DTLS might drop good records that have smaller sequence numbers than the bad record.

Workaround:
None.


503741-5 : DTLS session should not be closed when it receives a bad record.

Component: Local Traffic Manager

Symptoms:
According to RFC6347: 4.1.2.7. Handling Invalid Records:
'Unlike TLS, DTLS is resilient in the face of invalid records (e.g., invalid formatting, length, MAC, etc.). In general, invalid records SHOULD be silently discarded, thus preserving the association; however, an error MAY be logged for diagnostic purposes. Implementations which choose to generate an alert instead, MUST generate fatal level alerts to avoid attacks where the attacker repeatedly probes the implementation to see how it responds to various types of error. Note that if DTLS is run over UDP, then any implementation which does this will be extremely susceptible to denial-of-service (DoS) attacks because UDP forgery is so easy. Thus, this practice is NOT RECOMMENDED for such transports.'

In the BIG-IP implementation, DTLS chooses to disconnect the session when it receives an invalid record.

Conditions:
DTLS receives a bad record packet.

Impact:
DTLS disconnects the session.

Workaround:
None.
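
The sequence-number and bad-record behaviour described in 504633-4 and 503741-5, as an added example that is not F5 code: a simplified DTLS-style receiver with a replay window, run on the same record stream with correct handling and with each defect modelled. The record layout, the Receiver class, its flags and the sample records are constructed for illustration.

```python
import hashlib
import hmac
import struct

WINDOW = 64                  # replay window size in records (assumed for this model)
MASK = (1 << WINDOW) - 1
TAG_LEN = 32                 # HMAC-SHA256 tag length


def seal(key, seq, payload):
    """Constructed toy record: 8-byte sequence number | payload | HMAC tag."""
    header = struct.pack("!Q", seq)
    return header + payload + hmac.new(key, header + payload, hashlib.sha256).digest()


def open_record(key, record):
    """Return (seq, payload); payload is None when the tag does not verify."""
    if len(record) < 8 + TAG_LEN:
        return None, None
    header, payload, tag = record[:8], record[8:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    seq = struct.unpack("!Q", header)[0]
    return seq, (payload if hmac.compare_digest(tag, expected) else None)


class Receiver:
    """Hypothetical receiver; the two flags switch the modelled defects on."""

    def __init__(self, key, verify_before_update=True, close_on_bad_record=False):
        self.key = key
        self.verify_before_update = verify_before_update
        self.close_on_bad_record = close_on_bad_record
        self.highest = -1     # highest sequence number recorded in the window
        self.bitmap = 0       # bit i set => (highest - i) was already seen
        self.open = True
        self.delivered = []

    def _is_new(self, seq):
        if seq > self.highest:
            return True
        offset = self.highest - seq
        return offset < WINDOW and not (self.bitmap >> offset) & 1

    def _mark(self, seq):
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = 1 if shift >= WINDOW else ((self.bitmap << shift) | 1) & MASK
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def _bad(self):
        if self.close_on_bad_record:      # 503741-5: session torn down
            self.open = False
            return "session-closed"
        return "discarded"                # RFC 6347 4.1.2.7: silently discard

    def receive(self, record):
        if not self.open:
            return "closed"
        seq, payload = open_record(self.key, record)
        if seq is None:
            return self._bad()
        if not self._is_new(seq):
            return "dropped-replay-or-old"
        if not self.verify_before_update:
            self._mark(seq)               # 504633-4: window moves on an unverified record
        if payload is None:
            return self._bad()
        if self.verify_before_update:
            self._mark(seq)               # window moves only after the MAC verifies
        self.delivered.append(payload)
        return "delivered"


def sample_stream(key):
    """Constructed input: four good records with one corrupted record in between."""
    good = [seal(key, n, b"app-data-%d" % n) for n in range(1, 5)]
    bad = bytearray(seal(key, 1_000_000, b"junk"))
    bad[-1] ^= 0xFF                       # corrupt the tag so verification fails
    return [good[0], good[1], bytes(bad), good[2], good[3]]


def run(receiver):
    """Feed the sample stream to a receiver and return the per-record outcome."""
    return [receiver.receive(r) for r in sample_stream(receiver.key)]


if __name__ == "__main__":
    key = b"k" * 32                       # constructed demo key
    print("correct handling :", run(Receiver(key)))
    print("504633-4 modelled:", run(Receiver(key, verify_before_update=False)))
    print("503741-5 modelled:", run(Receiver(key, close_on_bad_record=True)))
```

With the window updated before verification, the two good records that follow the bad one fall outside the window and are dropped; with close-on-bad-record, one corrupted datagram ends the session.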


503257-2 : Persistence, connection limits and HTTP::respond or HTTP::redirect may result in RST

Component: Local Traffic Manager

Symptoms:
Client connections to a virtual server with persistence, connection limits, and an iRule that issues an HTTP response may receive a RST with a cause of "pmbr enqueue failed" even though connection queuing is not enabled.

Conditions:
This can happen if the connection makes an HTTP request and an iRule directly responds to the first request on the connection. A future request on that TCP connection would be reset if it is persisted to a pool member that is at its connection limit. The iRule would use HTTP::respond (without "connection close") or HTTP::redirect.

Impact:
Clients may receive a RST and fail to connect to an available pool member under some traffic patterns.

Workaround:
If using HTTP::respond or HTTP::redirect in an iRule, change to HTTP::respond with the "Connection close" option in order to force the connection to terminate and the client to start a new connection after the redirect is sent.


503214-10 : Under heavy load, hardware crypto queues may become unavailable.

Component: Local Traffic Manager

Symptoms:
When the BIG-IP system is under heavy load, it may erroneously determine that the hardware crypto queues are unavailable and trigger an HA failover event.

Conditions:
BIG-IP system under heavy load and using hardware crypto.

Impact:
HA failover. You might see messages similar to the following:
 -- crit tmm2[22560]: 01010025:2: Device error: crypto codec cn-crypto-2 queue is stuck.
 -- warning sod[6892]: 01140029:4: HA crypto_failsafe_t cn-crypto-2 fails action is failover.
 -- notice sod[6892]: 010c0052:5: Standby for traffic group /Common/traffic-group-1.

Workaround:
None.


502747-3 : Incoming SYN generates unexpected ACK when connection cannot be recycled

Component: Local Traffic Manager

Symptoms:
Incoming SYN causes the BIG-IP system to generate ACK instead of SYN-ACK.

Conditions:
This can occur when the following conditions are met:
 - IP addresses and ports of SYN match an existing connection;
 - Sequence number of the SYN is greater than 2^31+ from previously sent FIN;
 - Existing connection is in TIME_WAIT state;
 - Virtual server has time_wait_recycle enabled.

Impact:
Client will generate RST and connection must be re-tried.

Workaround:
Set time-wait-timeout to 1 millisecond per SOL12673.


502441-1 : Network Access connection might reset for large proxy.pac files.

Component: Access Policy Manager

Symptoms:
Network Access connection might reset when large proxy.pac files are configured in the access policy.

Conditions:
MAC Edge client, browsers, Network Access, large proxy.pac file.

Impact:
Network Access connection might reset.

Workaround:
Reduce the proxy.pac file size to be less than 10 KB.


501612-1 : Spurious Configuration Synchronizations

Component: Application Security Manager

Symptoms:
Some items (for example, Incidents) were considered to be config elements that require synchronization when their status changes (such as being read), but are not actually synchronized in a device group.

Conditions:
Event Correlation Incidents occur and are read by the user while in a manual sync device group for ASM.

Impact:
The synchronization state of a device group erroneously changes to "Pending".

Workaround:
None.


500003-1 : Incoming NTP packets from configured NTP server to non-local IP breaks outgoing NTP

Component: Local Traffic Manager

Symptoms:
When incoming NTP packets from the configured NTP server arrive for a non-local IP on a BIG-IP system that is either a Virtual Edition (VE) guest, an appliance, or a vCMP guest on an appliance host, an iptables rule is triggered that results in further outgoing packets to the NTP server to have their destination IP addresses changed to 127.3.0.0, which is not routable and thus causes NTP time syncs to stop.

Conditions:
An NTP server is configured on a BIG-IP system that is either a VE, an appliance, or a vCMP guest on an appliance host, and packets arrive from the configured NTP server destined for an IP address belonging to another machine on the network. This can happen for several reasons:

1) The customer has a device on the same management network doing very low-to-zero volume of traffic over its management port. NTP syncs time less often than the L2 FDB expiration time.

2) The customer is using a L2 topology that uses redundant switches with NIC teaming / bonding, and one of the hosts cuts over to the other switch. This also causes transmits of packets that have no valid L2 FDB entry.

3) An STP topology change occurs in a given network, causing switches to drop L2 FDB entries for relevant hosts and flood unknown unicast destination traffic to all ports of a given VLAN.

4) Any unicast misdirection of NTP traffic to the management port not covered above.

Impact:
NTP time syncing stops on affected BIG-IP systems.

Workaround:
To remove the iptables rule that is causing the problem:

# iptables -t nat -D bpnet-in -p udp --dport 123 -j DNAT --to-destination 127.3.0.0

Comment out the following line in the function setup_virtual_backplane() in the file /etc/init.d/cluster to prevent the rule from coming back upon reboot:

iptables -t nat -A bpnet-in -p udp --dport 123 -j DNAT --to-destination $int_mgmtip


499950-3 : In case of intra_cluster ha, node flapping may still lead to inconsistent persistence entries across TMMs

Component: Local Traffic Manager

Symptoms:
Inconsistent persistence entries across TMMs.

Conditions:
This occurs when the following conditions are met:
-- intra_cluster HA configuration.
-- Node flapping.

Impact:
Inconsistent persistence behaviors.

Workaround:
Add an iRule command to the PERSIST_DOWN event that deletes the persistence entry for this connection. One example might be:

when PERSIST_DOWN {
    persist delete source_addr [IP::client_addr]
}

For more information, see SOL14918: Node flapping may cause inconsistent persistence records, available here: http://support.f5.com/kb/en-us/solutions/public/14000/900/sol14918.html.


499615-9 : RAM cache serves zero length documents.

Component: Local Traffic Manager

Symptoms:
RAM cache serves zero length documents.

Conditions:
Forcing caching in an iRule.

Impact:
RAM Cache will cache a HEAD response, if an iRule is configured to force it to do so. This causes RAM cache to serve zero length documents.

Workaround:
If the HTTP operation is a HEAD request, do not cache the response.


497619-4 : TMM performance may be impacted when server node is flapping and persist is used

Component: Performance

Symptoms:
TMM consumes a higher percentage of the CPU resources when handling traffic.

Conditions:
This intermittent issue occurs when a pool member goes up and down when using source_addr persistence.

Impact:
System performance is impacted.

Workaround:
This issue has no workaround at this time.


495319-7 : Connecting to FP with APM edge client is causing corporate network to be inaccessible

Component: Access Policy Manager

Symptoms:
Connecting to FirePass with a BIG-IP Edge Client for Mac that was downloaded from APM might not provide complete network access.

Conditions:
APM Edge Client, Firepass server, network access connection.

Impact:
Incomplete network access.

Workaround:
None.


495128-7 : Safari 8 continues using proxy for network access resource in some cases when it shouldn't

Component: Access Policy Manager

Symptoms:
If a client machine uses a proxy and Network Access does not specify any proxy, then Safari should not use the proxy for Network Access resources after the Network Access tunnel is created. However, Safari does so.

This problem occurs with Safari 8. Other versions of Safari and other browsers work as expected in our testing.
Apple has been notified: rdar://problem/18651124

Conditions:
The problem occurs when all of these conditions exist:
1. OS = Mac OS X Yosemite.

2. Configuration = Client machine has local proxy configured and Network Access on BIG-IP system access policy does not specify any proxy.

3. Action = Accessing Network Access resource after tunnel is created.

Impact:
As a result, some Network Access resources might be unavailable.

Workaround:
There is no workaround at this time.


494284-8 : Mac Edge Client with primary language of German shows unneeded text under disconnected status.

Component: Access Policy Manager

Symptoms:
With BIG-IP Edge Client for Mac, when the primary language is set to German on the Mac, the text shown under the disconnected status contains extra, unneeded wording.

Conditions:
Edge Client for Mac, when primary language is set to German on the Mac.

Impact:
Shows the following message: 'Um eine Verbindung herzustellen, wählen Sie aus dem Menü oben einen Server aus, und klicken Sie dann auf die Schaltfläche 'Auto-Verbindung' oder 'Verbinden' sichern und Werner der Seite standen aufs Auge drücken als Schadenersatz einer Woche kein Telefonat erneute.'

Workaround:
None.


494176-2 : Network access to FP does not work on Yosemite using APM Mac Edge Client.

Component: Access Policy Manager

Symptoms:
If APM BIG-IP Edge Client for Mac on OS X Yosemite attempts to connect to FirePass, network access cannot be established.

Conditions:
APM Edge Client for Mac on OS X Yosemite connecting to FirePass.

Impact:
Network access cannot be established with FirePass.

Workaround:
None.


494098-7 : PAC file download mechanism race condition

Component: Access Policy Manager

Symptoms:
The PAC file download mechanism might encounter a race condition if /etc/hosts is patched with the static entry of the host that contains the PAC file.

Conditions:
The /etc/hosts file is patched with the static entry of the host that contains the PAC file.

Impact:
Proxy PAC file fails to download.

Workaround:
Add a delay in the proxy PAC file download to avoid the race condition.


493588-1 : EPS checkers can't be updated without clearing of the browser history

Component: Access Policy Manager

Symptoms:
EPS checkers can't be updated without clearing of the browser cache.

Conditions:
Endpoint software checks in access policy on BIG-IP, establish connection from browser.

Impact:
EPS checkers can't be updated without clearing of the browser cache.


492153-9 : Edge Client shuts down the DTLS channel if the state of the IP address on the adapter that was used to build the tunnel changes to deprecated.

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client shuts down the DTLS channel if the state of the IP address on the adapter that was used to build the tunnel changes to deprecated.

Conditions:
BIG-IP Edge Client monitors the state of the IP address for the DTLS tunnel, so the system can react quickly to any network connectivity issues. The monitor correctly disconnects the tunnel if the adapter loses the IP address. However, there is an issue that causes the tunnel to shut down when the state of the IP address is changed to deprecated.

Impact:
Tunnel processing halts.


490174-1 : Improved TLS protocol negotiation with clients supporting TLS1.3

Component: Local Traffic Manager

Symptoms:
When a TLS client connects to a BIG-IP TLS server requesting TLS1.3, the handshake will fail. A message will be logged in the Local Traffic Manager (LTM) log about a handshake failure.

The estimated deployment of clients supporting TLS1.3 is 2016.

Conditions:
A TLS client handshake with the protocol version set to TLS1.3 in the ClientHello.

Impact:
Lower performance is the most likely outcome. The handshake requesting TLS1.3 will fail, after which a client will reconnect with a TLS 1.2 handshake and succeed.

The worst case scenario is inability to establish a connection for clients that only implement standard TLS version negotiation mechanism.


Workaround:
This issue has no workaround at this time.


489328-2 : Accessing a BIG-IP virtual server from multiple tabs with long initial URLs before session creation can cause a TMM crash.

Component: Access Policy Manager

Symptoms:
If a BIG-IP virtual server is accessed from multiple tabs with long initial URLs before session creation, this might cause TMM to crash.

Conditions:
Rare condition: a user opens the browser and different tabs in the browser pointing to a BIG-IP APM virtual server, and they cause the access policy to run from both tabs. If the length of the encoded URL falls into the 4K boundary, then TMM might crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


489217-4 : "cipher" memory can leak

Component: Local Traffic Manager

Symptoms:
When performing SSL handshakes, memory usage can increase. Examining "cipher" memory in the "memory_usage_stat" may show large amounts of "cipher" memory allocated.

Conditions:
BIG-IP performing SSL handshakes.

Impact:
Memory usage increases until no more memory is available.


488917-4 : Potentially confusing wamd shutdown error messages

Component: WebAccelerator

Symptoms:
When shutting down, wamd might log debug messages that appear serious.

Conditions:
wamd shutdown.

Impact:
Unnecessary log messages generated, similar to the following:
-- WA Debug (17637): * WARNING: The server encountered an unexpected condition.
-- WA Debug (17637): * Contact F5 support if you are experiencing problems and include
-- WA Debug (17637): * the following diagnostic information.
These messages are cosmetic and do not indicate a problem with the system.

Workaround:
None.


488636 : Garbled output/no console output during boot on 2000 and 4000 platforms.

Component: TMOS

Symptoms:
After installing 11.2.1 HF5 and rebooting to the installed volume, there might be garbled/no console output until the BIG-IP login prompt appears.

Conditions:
2000 and 4000 platforms with 11.2.1 HF5 installed.

Impact:
Garbled output/no console output.

Workaround:
None.


486512-2 : audit_forwarder sending invalid NAS IP Address attributes

Component: TMOS

Symptoms:
Forwarded auditing messages contain the incorrect nas-ip-address attribute. It should be the local IP of the box. Instead nas-ip-address is another, random IP address.

Conditions:
This seems to work fine when the BIG-IP is a virtual machine. The issue reproduces only on the actual hardware.

Impact:
Cannot pass certification because config auditing is not working as expected (invalid NAS IP Address).

Workaround:
None.


486346-5 : Prevent wamd shutdown cores

Component: WebAccelerator

Symptoms:
Under some circumstances, wamd cores while trying to exit.

Conditions:
wamd during shutdown.

Impact:
Unnecessary core files generated consuming some resources.

Workaround:
None.


485702-1 : Default SNMP community 'public' is re-added after the upgrade

Component: TMOS

Symptoms:
If the SNMP default community (public) has been removed from the configuration, and a new version of the software is installed, the default community will be added to the new configuration.

Impact:
The impact of this issue is that the SNMP default community will be added to the new configuration.

Workaround:
After upgrading to versions after 11.4.0, delete the default 'public' community again.


483379-7 : High CPU consumption and unresponsive interface of the menubar icon after 20-30 minutes

Component: Access Policy Manager

Symptoms:
MAC Edge client has high CPU consumption and an unresponsive menubar icon interface after 20-30 minutes.

Conditions:
MAC Edge client usage for 20-30 minutes.

Impact:
High CPU consumption and unresponsive menubar resource.


481792-7 : BD may crash within HTTP payload parser.

Component: Application Security Manager

Symptoms:
The BIG-IP system may temporarily fail to process traffic.

Conditions:
Fix JSON parser issue with errors in escaped character - will not copy an error character.

Impact:
The BIG-IP system may temporarily fail to process traffic.

Workaround:
This issue has no workaround at this time.


481648-9 : mib-2 ipAddrTable interface index does not correlate to ifTable

Component: TMOS

Symptoms:
The ipAddrTable's ipAdEntIfIndex value does not match the ifTable's ifIndex value for the same interface.

Conditions:
Using SNMP to monitor F5 and other network devices.

Impact:
Data in the mib-2 ifTable does not correlate to the data in the ipAddrTable.

Workaround:
Use the F5 MIB to monitor F5 devices.


480553 : APM - Local Log Database Might Not Have Geo Data

Component: Access Policy Manager

Symptoms:
The log entry with geo data will always be found in /var/log/apm, but it might not show up in the local log database. This problem happens intermittently in versions 11.2.0 and 11.2.1.

Conditions:
Conditions leading to this issue include: Error in log macros.

Impact:
The impact of this issue is that no geo data is found in log reports for some APM sessions.

Workaround:
This issue has no workaround at this time.


480247-8 : Modifying edge client application folder causes gatekeeper to throw warning

Component: Access Policy Manager

Symptoms:
A configuration file exists in the Edge Client application folder and is repeatedly modified by Edge Client (for example, when the user adds a new server). Gatekeeper throws a warning when Edge Client modifies this file.

Conditions:
Mac Edge Client, OS X Yosemite, configuration.

Impact:
Gatekeeper throws a warning; Edge Client might keep working correctly.


478751-7 : OAM10g form based AuthN is not working for a single/multiple domain.

Component: Access Policy Manager

Symptoms:
OAM10g form based AuthN is not working for a single/multiple domain.

Conditions:
Conditions leading to this issue include double encoding of parameters and a race condition on parsing the form body.

Impact:
Form based OAM authentication might not work.

Workaround:
This issue has no workaround at this time.


478674-7 : ASM internal parameters for high availability timeout was not handled correctly

Component: Application Security Manager

Symptoms:
The internal parameters bd_hb_interval and bd_hb_interval_low_platforms are not handled correctly and a different value is registered against the high availability (HA) system. This causes the system to have faster than expected failovers. Also, when bypass asm is turned on and a bigstart restart asm was applied, a failover happens.

Conditions:
Two possible conditions:
1. An internal parameter is configured for the timeout to the HA system, and ASM does not send a lifesign to the HA system for 10 seconds (instead of the configured time).
2. The bypass asm internal parameter is applied and a bigstart restart asm happens.

Impact:
A failover happens.

Workaround:
This issue has no workaround at this time.


477966 : Custom reports Available fields are broken

Component: Access Policy Manager

Symptoms:
When an admin tries to create or edit a Custom Report, the left pane shows an endless number of nested Available Fields folders instead of the fields. The user interface stops responding and the user needs to restart the browser.

Conditions:
This issue only happens when something is wrong in the installation that prevents the table apm.log_param_metadata_ui from being created.

This rarely happens.

Impact:
The user cannot create a custom report.

Workaround:
The user can restart the BIG-IP system to fix the custom report error. Make sure the table apm.log_param_metadata_ui is created in the MySQL database.


477841-6 : Safari 8 does not use Network Access proxy.

Component: Access Policy Manager

Symptoms:
Network Access (NA) proxy settings are applied to the system, but Safari 8 doesn't use them.

Conditions:
Using Safari 8.

Impact:
End users trying to use the Network Access feature of APM will be unable to if they are connecting using Safari 8. Safari 8 was available on OSX Yosemite.

Workaround:
Network Access can be launched using other browsers like Firefox and Chrome.


476621-1 : IE issues JS error when CSHUI code access undefined property of an object

Component: Application Security Manager

Symptoms:
Because JavaScript is executed on the client side, JavaScript errors during page rendering might break the page.

Conditions:
Using Internet Explorer with Web-Scraping ASM enabled.

Impact:
Because JavaScript is executed on the client side, JavaScript errors during page rendering might break the page.

Workaround:
N/A


476133-7 : In APM OAM authentication, ObSSOCookie _lastUseTime was not updated.

Component: Access Policy Manager

Symptoms:
_lastUseTime in APM OAM ObSSOCookie is not updated after the user is authenticated using ObSSOCookie. This results in ObSSOCookie expiring prematurely.

Conditions:
User is already authenticated and provided with an ObSSOCookie.

Impact:
The ObSSOCookie expires prematurely and authentication with ObSSOCookie fails. The user is asked to submit credentials for authentication.

Workaround:
No known workaround


475505-1 : Windows Phone 8.1 built-in browser is not properly detected by BIG-IP system.

Component: Access Policy Manager

Symptoms:
Windows Phone 8.1 built-in browser is not properly detected by the BIG-IP system.

Conditions:
Windows Phone 8.1 built-in browser.

Impact:
Built-in browser is not properly detected.


474779-8 : EAM process fails to register channel threads (MPI channel) with TMM, and subsequent system call fails.

Component: Access Policy Manager

Symptoms:
On EAM process initialization, the plugin is unable to register a thread (MPI channel) with TMM on rare occasions. A subsequent system call to end the process fails.

Conditions:
Unknown.

Impact:
EAM plugin is up but the access gates are not initialized correctly.

Workaround:
Establish connection to OAM server.
bigstart stop eam
Clear config.cache from each AccessGate by deleting /config/aaa/oam/<partition_name>/<aaa_oam_obj_name>/<accessgate_name>/config.cache from the command line.
bigstart restart eam


474226-3 : LB_FAILED may not be triggered if persistence member is down

Component: Local Traffic Manager

Symptoms:
LB_FAILED may not be triggered if persistence member is down.

Conditions:
This occurs when the following conditions exist:
 - Incoming connection has cookie matching persistence entry.
 - Persisted pool member has been marked down.
 - No other pool members are available.

Impact:
Cannot utilize LB::reselect command.

Workaround:
None.


473485-5 : Fixed a few issues in HTTP Auth module

Component: Performance

Symptoms:
1. possible buffer overflow when session var CookieClientData is >8K
2. inappropriate use of mc_get_session_var in agent that may cause apd crash
3. per-request memory leak of cookies struct

Conditions:
1. session variable CookieClientData is > 8K
2. apd may crash unexpectedly when HTTP Auth agent cannot get session variable
3. When HTTP Auth agent is configured for an Access Policy apd might leak memory per-request

Impact:
apd might crash
apd might leak memory per-request


473348-3 : SNMP hbInterval value not set to 300 sec after upgrade from 11.2.x to 11.3.0 or later

Component: TMOS

Symptoms:
The hbInterval determines the amount of time the snmpd daemon can wait for a response. Software versions 11.2.x use an hbInterval of 60 sec. Software versions 11.3.0 and later use an hbInterval of 300 sec.

Conditions:
When upgrading from version 11.2.x to version 11.3.0 or later.

Impact:
After upgrade, the hbInterval is still set to 60 sec and not set to 300 sec. An snmpd core is created.

Workaround:
Edit bigipTrafficMgmt.conf and set hbInterval value to 300 using the following procedure:
1. Run the command: bigstart stop snmpd.
2. Change the value of hbInterval in /config/snmp/bigipTrafficMgmt.conf and save the file.
3. Run the command: bigstart start snmpd.


470389 : APM garbled characters observed in APM logs

Component: Access Policy Manager

Symptoms:
Garbled characters (or control characters) are seen in the /var/log/apm log file.

Conditions:
This issue occurs under the following conditions: username/password are not provided when accessing the virtual; Network Access resource is launched and VPN is established; and when accessed from another browser, the first session is killed and sometimes garbled characters appear.

Impact:
Unnecessary garbled characters occur in log messages.

Workaround:
There is no workaround at this time.


469824-3 : Mac Edge client on Mac mini receives settings for iOS Edge Client

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Mac on Mac mini receives settings for iOS Edge Client. Edge Client behavior might be different than expected if Mac Edge Client settings are different from iOS Edge Client settings.

Conditions:
Mac mini, iOS Edge and Mac Edge Client setting in connectivity profile on BIG-IP.

Impact:
Different than expected behavior of Edge Client for Mac.


469033-6 : Large big3d memory footprint.

Component: Global Traffic Manager

Symptoms:
The big3d process might take up a large amount of memory.

Conditions:
Using GTM in various configurations.

Impact:
Large big3d memory footprint. This is a configuration- and usage-dependent issue.

Workaround:
None.


468542-6 : Virtual servers with a SPDY profile ignore SNAT none setting

Component: Local Traffic Manager

Symptoms:
Virtual servers with a SPDY profile ignore SNAT 'None' setting.

Conditions:
This occurs on virtual servers that have an associated SPDY profile when the Source Address Translation setting is 'None'.

Impact:
Virtual servers with a SPDY profile determine the server-side source address using SNAT Automap, which might result in the incorrect server-side source address.

Workaround:
This issue has no workaround at this time.


468300-4 : Filters may not work correctly with websockets or CONNECT

Component: Local Traffic Manager

Symptoms:
If filters that buffer messages exist on the chain, then when HTTP switches to pass-through mode, those filters may spuriously fail to see the headers of the response that caused that switch.

The problem is due to HTTP immediately switching into pass-through mode, and then sending the headers as raw data through the chain.

Conditions:
A filter on the chain that buffers a RESPONSE_DONE message, and HTTP switches to pass-through, combined with looking at the headers in a filter other than HTTP.

This is more likely to happen if the server sends data immediately after a successful CONNECT or transition to websockets, without waiting for a response from the client.

Impact:
The TMM may core, or wrong information may be obtained from filters looking at the HTTP headers of a response that causes a switch to pass-through mode.

Workaround:
This issue has no workaround at this time.


466875 : SNAT automap may select source address that is not attached to egress VLAN/interface

Component: Local Traffic Manager

Symptoms:
Egress packets have a source address that is not associated with the VLAN or interface.

Conditions:
Occurs when the following conditions are met:
 - Virtual utilizes SNAT automap.
 - There exists a route matching a self-ip on interface A to a VLAN on interface B.

Impact:
Packets may not be routed properly.

Workaround:
Use SNAT pool instead of automap.


463230-2 : Aced service does not recover if child process dies.

Component: Access Policy Manager

Symptoms:
If a child process is killed, cored, or dies, the parent process does not restart it and the service stops serving SecurID authentication.

Conditions:
In some exceptional cases, the child process exits.

Impact:
SecurID authentication failed, but service recovered by runsv.


462881-4 : Configuration utility allows for mismatch in IP protocol and transport profile

Component: Local Traffic Manager

Symptoms:
tmsh allows configuration of a virtual server with mismatched ip-protocol and transport-layer profile. For example, ip-protocol tcp with a UDP profile or ip-protocol udp with a TCP profile.

Conditions:
Configure a virtual server with mismatched ip-protocol and transport-layer profiles (e.g. ip-protocol udp, profiles { tcp }).

Impact:
Traffic reaching a misconfigured virtual server can crash tmm, resulting in an outage.

Workaround:
Configure virtual server with matching ip-protocol and transport-layer profile.
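
The check described for ID 462881-4 can be run offline against a saved configuration. The following is an added example, not F5 code: it assumes the multi-line stanza layout of bigip.conf, resolves only tcp and udp profiles (from `ltm profile tcp|udp` stanza headers plus the built-in /Common/tcp and /Common/udp), and uses a constructed sample configuration.

```python
"""Flag ltm virtual stanzas whose ip-protocol disagrees with a tcp/udp profile."""

# Constructed sample in bigip.conf stanza layout (not taken from a real device).
SAMPLE_CONFIG = """\
ltm profile tcp /Common/tcp-app {
    defaults-from /Common/tcp
}
ltm profile udp /Common/udp-dns {
    defaults-from /Common/udp
}
ltm virtual /Common/vs_web {
    destination /Common/10.0.0.10:80
    ip-protocol tcp
    profiles {
        /Common/http { }
        /Common/tcp-app { }
    }
}
ltm virtual /Common/vs_dns {
    destination /Common/10.0.0.20:53
    ip-protocol udp
    profiles {
        /Common/tcp { }
    }
}
ltm virtual /Common/vs_syslog {
    destination /Common/10.0.0.30:514
    ip-protocol tcp
    profiles {
        /Common/udp-dns { }
    }
}
"""


def top_level_stanzas(text):
    """Yield (header_words, [(depth, line), ...]) for each top-level stanza.

    Simplification: braces are counted per line, so braces inside quoted
    strings would confuse the depth tracking.
    """
    depth, header, body = 0, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if depth == 0:
            if line.endswith("{"):  # e.g. "ltm virtual /Common/vs_web {"
                header, body, depth = line[:-1].split(), [], 1
            continue
        new_depth = depth + line.count("{") - line.count("}")
        if new_depth <= 0:  # closing brace of the stanza itself
            yield header, body
            depth = 0
        else:
            body.append((depth, line))  # depth 1 = directly inside the stanza
            depth = new_depth


def full_path(name):
    """Treat an unqualified profile name as living in /Common (assumption)."""
    return name if name.startswith("/") else "/Common/" + name


def profile_types(stanzas):
    """Map profile path -> 'tcp' or 'udp' using 'ltm profile <type> <name>' headers."""
    types = {"/Common/tcp": "tcp", "/Common/udp": "udp"}
    for header, _ in stanzas:
        if len(header) == 4 and header[:2] == ["ltm", "profile"] and header[2] in ("tcp", "udp"):
            types[full_path(header[3])] = header[2]
    return types


def virtual_settings(body):
    """Return (ip-protocol or None, [profile names]) for one ltm virtual body."""
    proto, profiles, in_profiles = None, [], False
    for depth, line in body:
        if depth == 1:
            in_profiles = line == "profiles {"
            if line.startswith("ip-protocol "):
                proto = line.split()[1]
        elif depth == 2 and in_profiles and line != "}":
            profiles.append(line.split()[0])  # "/Common/tcp { }" or "/Common/tcp {"
    return proto, profiles


def find_mismatches(config_text):
    """Return [(virtual, ip_protocol, profile, profile_type)] for each mismatch."""
    stanzas = list(top_level_stanzas(config_text))
    types = profile_types(stanzas)
    findings = []
    for header, body in stanzas:
        if len(header) != 3 or header[:2] != ["ltm", "virtual"]:
            continue
        proto, profiles = virtual_settings(body)
        if proto not in ("tcp", "udp"):
            continue  # no ip-protocol line, or a protocol this check does not cover
        for name in profiles:
            ptype = types.get(full_path(name))
            if ptype and ptype != proto:
                findings.append((header[2], proto, name, ptype))
    return findings


if __name__ == "__main__":
    for vs, proto, profile, ptype in find_mismatches(SAMPLE_CONFIG):
        print(f"{vs}: ip-protocol {proto} but profile {profile} is a {ptype} profile")
```

Profiles of other types (for example http) are ignored, so an empty result only means no tcp/udp mismatch was found among the profiles the script could resolve.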


462714-9 : Source address persistence record times out even while traffic is flowing on FastL4 profile virtual server

Component: Local Traffic Manager

Symptoms:
A source address persistence record created on a virtual server with a FastL4 profile times out and is aged out even while traffic is flowing through that flow. The traffic that results in this issue is UDP with checksum of 0.

Conditions:
The profile has to be FastL4. Traffic that is either UDP with checksum of 0, or SCTP, or ESP, are definitely affected.

Impact:
Source address persistence is not usable as the entry ages out when it should not.

Workaround:
None.


462598-1 : Failover triggered due to a TMM crash resulting from unavailable APM renderer pool members.

Component: Access Policy Manager

Symptoms:
When the APM Access renderer or renderer pool (used for serving internal pages) goes down for an unknown reason, tmm goes into retry loop and sod kills the tmm.

Conditions:
For the problem to occur, at the very least, APM must be in use. The problem showed up in the past with a mangled iRule in place.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This has only been observed with an incorrectly formed iRule. So it is likely that fixing an associated iRule to operate as intended will resolve the problem. If this occurs without an associated iRule, there is no workaround.


462481-6 : Missing exception handling in APM OAM authentication during SDK calls

Component: Access Policy Manager

Symptoms:
Access Policy Manager Oracle Access Manager (APM OAM) does not handle ObAccessRuntimeException and ObAccessException, which can be thrown by Access SDK (ASDK) API calls.

Conditions:
This occurs when OAM is in use.

Impact:
EAM process cores if an exception thrown by SDK is not handled properly.

Workaround:
This issue has no workaround at this time.


462025-1 : SQL monitors do not handle route domains properly

Component: Local Traffic Manager

Symptoms:
SQL monitors cannot be started consistently when route domains are involved. SQL monitors include MySQL, MSSQL, Oracle SQL, and PostgreSQL.

Conditions:
Configure a SQL monitor on a node inside a route domain.

Impact:
SQL monitors do not work as expected. They might hang or only intermittently return results.

Workaround:
None.


460939-6 : ObAccessException thrown by OAM SDK while checking if the resource is protected is not handled properly in EAM plugin.

Component: Access Policy Manager

Symptoms:
On the EAM Client side handler while processing TMEVT_INGRESS, ObAccessException is sent from the Oracle Access Manager (OAM).

Conditions:
The exact conditions required to reproduce the error are unknown. However, in rare instances, the OAM SDK throws the ObAccessException while checking whether the requested resource is protected by accessgate.

Impact:
EAM process cores and restarts. This exception is thrown in very rare instances, and in those cases, the unhandled exception causes the EAM plugin to core. The EAM process is restarted, and then handles user requests.

Workaround:
None.


460176-1 : Hardwired failover asserts active even when standalone

Component: TMOS

Symptoms:
In BIG-IP software versions 11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.6.0, and 12.0.0, the serial failover 'Active' signal is asserted even if the unit is not configured to be in a high availability (HA) pair. A unit can become Standalone if the configuration is reset, or if a return merchandise authorization (RMA) is performed. If the serial cable is still connected to its peer, then the HA peer may defer the Active status to the Standalone system, which does not actually take over and process traffic.

Conditions:
Serial cable failover in use between two members of an HA pair.

Impact:
Traffic is interrupted when the Active unit transitions to Standby.

Workaround:
During an RMA, the serial cable failover can be temporarily disabled on the Active unit by issuing the following command:

tmsh modify sys db failover.usetty01 value disable


459596 : Multicast packets leaking onto disabled interface

Component: Local Traffic Manager

Symptoms:
Packets leak onto network. Memory leak appears in TMM.

Conditions:
Multicast traffic and a disabled interface

Impact:
Eventual TMM low memory, OOM, and traffic outage due to TMM coring.

Workaround:
Restart TMM. Once TMM is restarted, manually or by coring, the leaked memory is released.


456608-1 : Direct links for frame content, with 'Frame.src = url'

Component: Access Policy Manager

Symptoms:
Direct links in web-application with Portal Access.

Conditions:
Direct links for frame content, when using 'Frame.src = url'.

Impact:
Web application malfunction.


455651-1 : Improper regex/glob validation in web-acceleration and http-compression profiles

Component: TMOS

Symptoms:
The use of regex or glob patterns in certain MCP configuration objects leads to inconsistent parsing across MCP and TMM. For glob patterns, for example, the TMM produces an error indicating that the regex is invalid, while entries such as *.js are correctly treated as globs.

Conditions:
MCP configuration objects supporting regex and glob inclusion/exclusion patterns lead to inconsistent parsing across MCP/TMM.

Impact:
Cacheable objects are improperly cached or are not cached, or objects are deflated or are not deflated in opposition to the customer's intent.

Workaround:
None.


454547-6 : TMM cored after form-based SSO control object is double freed

Component: Access Policy Manager

Symptoms:
TMM was cored due to memory corruption caused by a double free in form based SSO. A forms-based SSO control failing to decrypt could lead to a double free. The decryption failure message is logged in LTM log.

Conditions:
Double free and TMM core could happen only if forms-based SSO control failed to decrypt.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.


453568-1 : Client side challenge request reconstruction may fail to restore original referrer header

Component: Application Security Manager

Symptoms:
Client side challenge reconstruction failed to restore the original referrer header.

Conditions:
During client side web scraping mitigation, the client side challenge is injected by the Enforcer to the browser end-user.

Impact:
During client side challenge injections, wrong referrer header reaches the web application.

Workaround:
N/A


452660-1 : SNMP trap engineID should not be configsynced between HA-pairs

Component: TMOS

Symptoms:
When configuring an engine_id for a SNMPv3 trap destination, the engine_id was synchronized to all HA peers.

Conditions:
All

Impact:
Received SNMPv3 traps would appear as if they originated from the same BIG-IP system after failover to a backup BIG-IP.

Workaround:
Workaround is to disable configsync (change 'yes' to 'no') on engine_id in /defaults/config_base.conf. However, you must first remount the /usr partition to modify the file and then run tmsh load. For more information on remounting the /usr partition, see SOL11302: The /usr file system is mounted in read-only mode at https://support.f5.com/kb/en-us/solutions/public/11000/300/sol11302.html


451864-6 : Always preserve locally configured DNS suffixes when establishing VPN connection.

Component: Access Policy Manager

Symptoms:
Locally configured DNS suffixes are not preserved when establishing VPN connection.

Conditions:
This occurs with client machines that have DNS search suffixes configured on their local workstation.

Impact:
Locally configured DNS suffixes are not preserved when establishing VPN connection.

Workaround:
Use split-tunneling with 0.0.0.0/128.0.0.0 128.0.0.0/128.0.0.0 address space.


451806-7 : Preserve Source Port Strict has moved from Client Settings (Advanced) to General Settings

Component: Access Policy Manager

Symptoms:
The Network Access GUI and default value for the Preserve Source Port Strict setting have changed. Preserve Source Port Strict has moved from Client Settings (Advanced) to General Settings (Basic). By default, the check box is cleared and the setting is disabled.

Conditions:
Preserve Source Port Strict has moved from Client Settings (Advanced) to General Settings.

Impact:
Admin UI component placement is changed.

Workaround:
The Network Access GUI and default value for the Preserve Source Port Strict setting have changed. Preserve Source Port Strict has moved from Client Settings (Advanced) to General Settings (Basic). By default, the check box is cleared and the setting is disabled.


451250-1 : Detected DoS traffic can still reach the server

Component: Application Security Manager

Symptoms:
When the bypass_upon_load internal parameter is turned on and there is a high load, part of the detected DoS and brute force attack traffic may bypass the ASM and reach the server.

Conditions:
This can occur if bypass_upon_load is set to true.

Impact:
ASM marks the traffic as dropped but LTM still passes it to the server.

Workaround:
Disable bypass_upon_load.


450929 : Dos attack detects URL although URL mitigation is not configured

Component: Application Security Manager

Symptoms:
URL DoS attacks may be detected, even if the URL mitigation is not marked and detection criteria are not configured. A workaround can be to configure very high numbers at the URL detection criteria, and then un-mark the URL mitigation.

Conditions:
This can occur if you have only an IP based rate limit.

Impact:
False detection of DoS attack.

Workaround:
A possible workaround would be to set a higher value for the URL detection criteria (check a URL mitigation to make the detection criteria visible in the GUI, change the values, and uncheck it again).


449798-2 : Race condition on secondary blade where bigd service sometimes does not get built-in monitors

Component: Local Traffic Manager

Symptoms:
There is a race condition on secondary blade in which the bigd service sometimes does not get built-in monitors.

Conditions:
Intermittently, when a failure on a VIPRION blade in a clustered system causes mcpd to restart, the bigd service does not receive configuration information for built-in monitors, causing the service to log failures and misidentify which monitors it should be running.

Impact:
Causes some nodes/pool members to not be monitored, while others may be monitored by multiple bigd processes in the cluster. The system posts messages similar to the following in LTM and logs:
-- err bigd[9433]: 01060129:3: Template /Common/postgresql is not initialized.
-- err bigd[9433]: 01060129:3: Per-invocation log rate exceeded; throttling.

Workaround:
Manually restart bigd on the affected blade.


449617-4 : SSL-key file object configuration fails to validate when it includes a passphrase

Component: TMOS

Symptoms:
If a configuration file includes a passphrase for an ssl-key file object, the object may fail to validate when loading the configuration.

Conditions:
Passphrase present in ssl-key file object

Impact:
Configuration fails to load

Workaround:
Remove passphrase line from the file object.


449526-3 : LB::prime iRule with SIP filter can result in a core

Component: Local Traffic Manager

Symptoms:
Rarely, the LB::prime iRule with a SIP filter can result in a tmm core. This is due to the flow control mechanism added in the SIP hudfilter and the fact that LB::prime adds the necessary count of prime messages in Q and calls mblb_connect synchronously, which has the potential to traverse the entire serverside chain.

Conditions:
LB::prime iRule with SIP filter is used.

Impact:
Rarely results in a core with LB::prime iRule. Traffic disrupted while tmm restarts.


449225-6 : Fixed APM client crash caused by regression introduced with ID430962

Component: Access Policy Manager

Symptoms:
The fix for ID430962 introduced a regression which may cause the VPN client to crash on establishing a VPN connection.

Conditions:
All clients which contain the fix for 430962.

Impact:
EdgeClient can crash while trying to establish network access.


446526-1 : TCP virtual server/UDP virtual server without datagram-LB mode enabled running DNS cache and suspending iRules might cause TMM crash.

Component: Local Traffic Manager

Symptoms:
When a TCP virtual server, or a UDP virtual server without datagram-LB mode enabled, runs an iRule which suspends itself, and the traffic that virtual server is handling is destined for the DNS cache, subsequent responses attempting to execute an iRule crash TMM because the first response is suspended. Those subsequent responses should be queued before attempting to execute the iRule.

Conditions:
Configuration contains TCP virtual server, or a UDP virtual server without datagram-LB mode enabled running DNS cache and suspending iRules.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Enable datagram-LB mode on the UDP profile. There is no workaround in the case of TCP.


442699-3 : APD process may leak memory in case password complexity check is enabled and user's displayName contains special chars

Component: Access Policy Manager

Symptoms:
If "Complexity check for Password Reset" option is enabled in an Active Directory (AD) agent, then the APD process may throw an exception in some conditions. That will cause APD to leak memory.

Conditions:
 - The "Complexity check for Password Reset" option is enabled.
 - The user's displayName attribute contains special characters (e.g. "(" ")" "{" or any other).
 - A password change is requested during the user's logon process.

Impact:
Memory leak in the APD process.

Workaround:
Disable the password complexity check if displayName contains special characters.


442698-5 : APD Active Directory module memory leak in exception

Component: Access Policy Manager

Symptoms:
The APD Active Directory module might leak memory if an exception happens.

Conditions:
An exception happens when a request is being processed.

Impact:
The session request fails and apd leaks memory.

Workaround:
NA


442618-6 : TMM may core in low memory situations

Component: Local Traffic Manager

Symptoms:
TMM cores after running out of memory.

Conditions:
The BIG-IP system cannot keep up with incoming packet rate, leading to allocated memory build-up.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


442532-1 : Log shows "socket error: resource temporarily unavailable"

Component: Access Policy Manager

Symptoms:
Response could not be sent to remote client. This happens rarely with huge access policy configuration. We could not reproduce the issue.

Conditions:
Conditions leading to this issue are not yet known.

Impact:
Box still works okay. Reconnect works.

Workaround:
This issue has no workaround at this time.


442333-1 : Cluster HA state not updated correctly

Component: Access Policy Manager

Symptoms:
Cluster HA state is not getting properly updated.

Conditions:
This occurs in an HA environment at failover time on chassis systems with 2 slots (one primary and other secondary).

Impact:
At failover, all traffic should go to the next primary slot. In this case, traffic goes to the wrong slot. This causes APD and APMD to stop executing the access policy, and traffic to be dropped.


441631-1 : WebSSo may take 100% if new instance started manually

Component: Access Policy Manager

Symptoms:
100% of CPU resources could be used by the websso process if it is not started properly. A WebSSO session should be started/restarted using the bigstart script.
However, if the /etc/bigstart/scripts/websso.start script is run manually while previous websso.N processes are still working, it brings up new websso.N instances that cause the original websso.N processes to spin in a loop and use up to 100% of CPU resources.

Conditions:
websso is started manually.

Impact:
The original websso.N processes do not function properly and take ~100% CPU.

Workaround:
bigstart restart websso


441601-1 : Response is truncated in the log

Component: Application Security Manager

Symptoms:
Response is truncated in the ASM events log when the client closes the connection before the response arrives.

Conditions:
Client sends a FIN before the server finishes responding.

Impact:
The response logging does not show the entire response.


441553-7 : BIG-IP APM user sessions may fail to reconnect after multiple failover events between peer systems

Component: TMOS

Symptoms:
BIG-IP APM user sessions may fail to reconnect after multiple failover events between peer systems.

As a result of this issue, you may encounter the following symptoms:

The system logs messages for each user attempt to reestablish the session after the failover events.
For example:

notice apd[5421]: 01490102:5: 63db9fd4: Access policy result: Network_Access
notice tmm1[8742]: 01490505:5: 63db9fd4: No leasepool assigned
notice tmm[8742]: 01490501:5: 63db9fd4: Session deleted due to user logout request.

Conditions:
This issue occurs when all of the following conditions are met:

-- The active BIG-IP APM system experiences a failover event, causing the peer standby BIG-IP APM system to become active.
-- The newly active BIG-IP APM system also experiences a failover event, causing the initial active BIG-IP APM system now in standby to become active.
-- Users have established network access sessions with either of the BIG-IP APM systems prior or between failover events.

Impact:
Network access sessions fail to reestablish.

Workaround:
No workaround. Failovers triggered because of tmm crash or reboots do not have this problem.


441249-6 : Activating session awareness may cause intermittent hanged request

Component: Local Traffic Manager

Symptoms:
The customer sometimes sees hung requests that expire after 5 minutes.

Conditions:
1. Enabling session awareness.
2. Changing mandatory/custom headers configuration during traffic.

Impact:
The customer sometimes sees hung requests that expire after 5 minutes.

Workaround:
N/A


441075-4 : Newly added or updated signatures are erroneously added to Manual user-defined signature sets.

Component: Application Security Manager

Symptoms:
Further investigation shows the signature was unexpectedly added to another blocking signature set at the same time.

Conditions:
Customer reported that they encountered an unexpected violation when they assigned a user-defined signature to an unblocking signature set.

Impact:
Further investigation shows the signature was unexpectedly added to another blocking signature set at the same time.

Workaround:
N/A


441073-1 : Empty action in post data in form-post.html request

Component: Access Policy Manager

Symptoms:
When using Portal Access, an input tag in forms cannot receive a value that is dynamically created by JavaScript on the client.

Conditions:
This issue is specific to Microsoft Internet Explorer versions 9 and 10.

Impact:
Empty action in post data in form-post.html request.


440959 : SNMP DCA monitor reject delayed responses with ICMP unreachable result.

Component: Local Traffic Manager

Symptoms:
SNMP DCA monitor rejects delayed responses with ICMP unreachable result. Within the threshold of configured timeout and retry, in the event of an ICMP unreachable, the monitor marks the weight to the default (1).

Conditions:
Configure a pool_member with SNMP_DCA monitor. Delay the SNMP server's response.

Impact:
Delayed SNMP responses are rejected by the monitor.

Workaround:
Write an external monitor script, using the snmpget utility.

For example:
------------
# values provided by bigd: $1 is the node address (IPv4 arrives as ::ffff:a.b.c.d)
node_ip=$(echo "$1" | sed 's/::ffff://')

# example: use snmp get (double quotes so the shell expands $node_ip)
command=$(snmpget -v 2c -c private -r 3 -t 5 "$node_ip" .1.3.6.1.4.1.2021.4.5.0 .1.3.6.1.4.1.2021.4.6.0 .1.3.6.1.4.1.2021.11.50.0 .1.3.6.1.4.1.2021.11.51.0 .1.3.6.1.4.1.2021.11.52.0 .1.3.6.1.4.1.2021.11.53.0 .1.3.6.1.4.1.2021.9.1.2 .1.3.6.1.4.1.2021.9.1.9)

To configure an external monitor:
---------------------------------
-- tmsh create sys file external-monitor my_snmp_exec source-path file:/config/monitors/my_snmp2.sh
-- tmsh create ltm monitor external my_snmp run my_snmp_exec
-- tmsh create ltm node nodeA address 1.1.1.1 monitor my_snmp


440589-2 : Deleting a virtual server where Oracle Access Manager (OAM) support is enabled with an AccessGate assigned to it, also deletes the associated AccessGate object in the corresponding AAA OAM object.

Component: Access Policy Manager

Symptoms:
Deleting a virtual server where Oracle Access Manager (OAM) support is enabled with an AccessGate assigned to it, also deletes the associated AccessGate object in the corresponding AAA OAM object.

Conditions:
This issue occurs when deleting a virtual server that has OAM support enabled and an AccessGate object assigned to it.

Impact:
The associated AccessGate object is also deleted from its corresponding AAA OAM object.

Workaround:
None. This is by design. Using multiple virtual servers with the same AccessGate is not supported.


440505-1 : Default port should be removed from Location header value in http redirect

Component: Access Policy Manager

Symptoms:
The browser treats a page loaded from a URL without the default port, and the same page loaded after receiving a Location header whose rewritten URL includes the default port, as different pages, and loads the page twice.

Conditions:
Resource is loaded through Portal Access; page is loaded after receiving Location header with default port included in rewritten part; navigation occurs to this page without default port in domain part (for example, to anchor in this page).

Impact:
The resource is loaded twice, which can possibly change the behavior of the backend.

Workaround:
This issue has no workaround at this time.


440431-9 : Response Logging generates a blank $HTTP_STATUS response when used with certain iRule commands.

Component: Local Traffic Manager

Symptoms:
Response Logging generates a blank $HTTP_STATUS response when used with certain iRule commands.

Conditions:
This issue occurs when the following condition is met:

A virtual server with Response Logging configured has an iRule assigned that uses either the HTTP::respond or HTTP::redirect command.
The Request Logging profile gives you the ability to specify the data and format for HTTP requests and responses that you want to include within the log file. Parameters, such as $HTTP_STATUS, are used to specify information that is included within the log file. The HTTP::respond and HTTP::redirect iRule commands allow you to customize the response sent to the client and are intended to run immediately when triggered. Therefore, no further processing of response data should occur. As a result, the system logs blank status information when using the $HTTP_STATUS parameter within the Request Logging profile for Response Logging.

Impact:
The system logs invalid information. As a result of this issue, you may encounter the following symptom: -- BIG-IP iHealth lists Heuristic H465653 on the Diagnostics :: Identified :: Medium screen. If $HTTP_STATUS is used within the Response Logging template, the output will be blank.

Workaround:
To work around this issue, you can use the iRule to generate the required logs, rather than the Request Logging profile. If an iRule is calling HTTP::respond or HTTP::redirect, you can log directly from that iRule using the log iRule command, and record parts of the old response, or the new one, depending on what is required.


440051-2 : There is an issue concerning how the system applies security checks on partial responses.

Component: Local Traffic Manager

Symptoms:
There is an issue concerning how the system applies security checks on partial responses.

Conditions:
Occurs when the system processes partial responses.

Impact:
Detection/handling of truncated responses.

Workaround:
None.


439977-3 : apd crash in AD module

Component: Access Policy Manager

Symptoms:
The APD process may crash when running the AD Agent.

Conditions:
The intermittent crash of the apd process may happen if:
- group cache update is required
- DC is not available / connection to DC failed

Impact:
apd crashes and restarts.

Workaround:
NA


439887-1 : OWA2010 works incorrectly in Chrome via portal access

Component: Access Policy Manager

Symptoms:
Drag-and-drop and some other mouse operations work incorrectly in Outlook Web App (OWA) 2010 if accessed using APM Portal Access from the Chrome v.31.x browser.

Conditions:
APM Portal Access from the Chrome v.31.x browser

Impact:
Navigation and message copy/move operations can be done using the keyboard only; mouse operations might not work.

Workaround:
Use Chrome v.40 or later.


439709 : WAM occasionally serves zero-length content

Component: WebAccelerator

Symptoms:
A burst of simultaneous requests for a small expired document can result in incorrectly serving and caching the document as 0 length.

Conditions:
Requesting a compressed document which is smaller than 4k compressed but larger than 4k when uncompressed.

Impact:
Content is cached and served as zero length.

Workaround:
Disable the small object cache with this command:
tmsh modify sys db wam.cache.smallobject.threshold value 0


439321-2 : Request to allow BOM for JSON in a middle of stream

Component: Application Security Manager

Symptoms:
A customer has an ASM policy for their OWA Exchange service. They noticed that ASM blocks the JSON POST page when they try to submit the autoreply in OWA.

Conditions:
Sending a JSON POST page with a BOM (Byte Order Mark).

Impact:
Requests are falsely blocked.

Workaround:
N/A


438958-4 : maximum session timeout of 0 is not infinite

Component: Access Policy Manager

Symptoms:
If an administrator sets the Maximum Session Timeout to 0 (zero), APM interprets it as exactly 7 days instead of interpreting it as infinite as expected.

Conditions:
Set the Maximum Session Timeout to 0.

Impact:
Affects all versions after 11.0.0.

Workaround:
Set a very large value for the session timeout. For example, 999999999 is an allowed value, which will be about 31 years and 8 months, effectively "infinite".


438792-8 : Node flapping may, in rare cases, lead to inconsistent persistence behavior

Component: Local Traffic Manager

Symptoms:
If persistence is used, and a node is marked down and then up in quick succession (less than about 7 seconds), then persistence may act inconsistently (meaning, not all connections expected to persist to a server will do so). Further requests in certain circumstances may hang (the client will be left waiting for a response).

Conditions:
Persistence, rapid node flapping, new connection (via a TMM with an existing connection) after node has been re-marked as up.

Impact:
Inconsistent persistence behaviors. If persistence records are examined, you might find multiple, conflicting entries. This is an intermittent issue.

Workaround:
Add an iRule command to the PERSIST_DOWN event that deletes the persistence entry for this connection. One example might be:

when PERSIST_DOWN {
    persist delete source_addr [IP::client_addr]
}

For more information, see SOL14918: Node flapping may cause inconsistent persistence records, available here: http://support.f5.com/kb/en-us/solutions/public/14000/900/sol14918.html.


438344-2 : APM Websso (SSOv1) incorrectly handles POST request to Start URI

Component: Access Policy Manager

Symptoms:
APM WebSSO (SSOv1) incorrectly handles POST request to Start URI.

Conditions:
WebSSO appends SSO parameters to the payload from a POST request without adding the ampersand (&) delimiter.

Impact:
WebSSO does not update Content-Length on sending to backend server.

Workaround:
This issue has no workaround at this time.


437773 : Some LACP trunk members are missing after rebooting primary blade

Component: TMOS

Symptoms:
Some of the Link Aggregation Control Protocol (LACP) trunk members are missing after rebooting the primary blade.

Conditions:
This occurs on VIPRION chassis with more than one blade, configured for LACP after rebooting the primary blade.

Impact:
Some LACP trunk members are missing.

Workaround:
If you have not saved the configuration in the bad state (that is, saved the configuration while the LACP trunk members are missing), you might be able to recover by running the command: tmsh load sys config.


436201-7 : JavaScript can misbehave in case of the 'X-UA-Compatible' META tag when a client uses IE11

Component: Access Policy Manager

Symptoms:
JavaScript can misbehave when encountering the 'X-UA-Compatible' META tag from clients using Microsoft Internet Explorer 11.

Conditions:
Internet Explorer 11 and meta http-equiv='X-UA-Compatible' content='IE=10'.

Impact:
Web application malfunction.

Workaround:
Use an iRule.


435022-1 : TMM might crash if an ICMP packet refers to a closed UDP connection

Component: Local Traffic Manager

Symptoms:
TMM might crash if an ICMP packet refers to a closed UDP connection.

Conditions:
- A virtual server with UDP profile. This is more likely to occur if the UDP profile 'Datagram LB' option is enabled and/or if the UDP profile timeout is 0 or 'immediate'.

- An ICMP packet (such as destination-unreachable) arrives matching the IP and port tuple of an old UDP connection just after a new UDP packet arrives from a client with the same tuple for a new connection.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
If the UDP profile timeout is set to 0 or 'immediate', consider increasing this value.


434573-3 : Tmsh 'show sys hardware' displays Platform ID instead of platform name

Component: TMOS

Symptoms:
While running a version of BIG-IP older than the most recent release on a new hardware platform (recently purchased or recently acquired through RMA exchange), the 'tmsh show sys hardware' command may display the Platform ID code in place of the official F5 platform name.

For example, the 'tmsh show sys hardware' command may display a Platform ID like the following:

Platform
  Name D113

instead of the official platform marketing name, such as:

Platform
  Name BIG-IP 10000F

Conditions:
This may occur if the version of BIG-IP software installed is not the most recent release, and the hardware platform is a newer variant (due to added hardware features or other manufacturing change) than was originally supported by the older BIG-IP software release.

Impact:
Custom automation scripts which depend on correctly matching F5 platform marketing names may fail to match the platform ID.

Workaround:
Update platform-identification scripts to include the relevant platform IDs among the recognized match values.
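
One way to apply this workaround, as an added example that is not F5's own code: parse the Name field under the Platform heading and accept either the marketing name or the platform ID. The function names, the "10000-series" label, and the pairing of D113 with BIG-IP 10000F (taken from this entry's example) are assumptions, and the sample outputs are constructed.

```shell
#!/bin/sh
# Constructed sample outputs modelled on the two forms shown in this entry.
SAMPLE_ID='Platform
  Name D113'
SAMPLE_NAME='Platform
  Name BIG-IP 10000F'

# Read `tmsh show sys hardware` output on stdin and print the value of the
# Name field that belongs to the Platform section. Exits non-zero when no
# such field is found, so callers can tell "unparsed" from "unknown".
platform_name() {
    awk '
        /^Platform[ \t]*$/ { in_platform = 1; next }
        /^[^ \t]/          { in_platform = 0 }
        in_platform && /^[ \t]+Name[ \t]/ {
            sub(/^[ \t]+Name[ \t]+/, "")
            sub(/[ \t\r]+$/, "")
            print
            found = 1
            exit
        }
        END { exit !found }
    '
}

# Hypothetical site-maintained match table: each family lists the marketing
# name and the platform ID side by side, so either form is recognized.
platform_family() {
    case "$1" in
        "BIG-IP 10000F" | D113) echo "10000-series" ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# On a BIG-IP system this would be: tmsh show sys hardware | platform_name
for sample in "$SAMPLE_ID" "$SAMPLE_NAME"; do
    name=$(printf '%s\n' "$sample" | platform_name)
    printf '%s -> %s\n' "$name" "$(platform_family "$name")"
done
```

A script that treats the "unknown" result as a hard failure surfaces a new platform ID at deployment time instead of silently taking the wrong branch.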


434517-5 : HTTP::retry doesn't work in an early server response

Component: Local Traffic Manager

Symptoms:
If an HTTP_RESPONSE event fires due to the server sending an early response (i.e. a response before the entire request has been sent), then HTTP::retry does not work correctly.

Conditions:
Client begins sending a request. The server responds before that request is completely sent. An HTTP::retry is called in the HTTP_RESPONSE event.

Impact:
Typically, early server responses are error conditions.

Workaround:
HTTP::respond or HTTP::redirect may be used at the cost of an extra client-side request.


434400-9 : tmm might core with rate-limiting on virtual server

Component: Local Traffic Manager

Symptoms:
tmm might core when rate-limiting is configured on a virtual server.

Conditions:
This occurs on a virtual server with rate-limiting enabled and unexpected filter operations that send LB selection after connection is in progress. This might also occur with an iRule that behaves similarly, for example, issuing an LB command after a TCP::release.

Impact:
Traffic disrupted while tmm restarts.


433972-3 : New Event dialog widget is shifted to the left and Description field does not have action widget

Component: Access Policy Manager

Symptoms:
When you access Microsoft SharePoint 2013 through APM and use a rewrite profile, the rewritten New Event dialog box is shifted to the left and action widgets are not displayed above the Description field.

Conditions:
The problem occurs in Internet Explorer 11 with meta http-equiv='X-UA-Compatible' content='IE=10'.

Impact:
SharePoint 2013 malfunctions.

Workaround:
You could potentially use an iRule to mitigate the problem.


433782-4 : DCC error: Cannot add or update a child row: a foreign key constraint fails.

Component: Application Security Manager

Symptoms:
DCC error: Cannot add or update a child row: a foreign key constraint fails. The following messages appear in /var/log/ts/dcc.log:

dcc|INFO|Oct 01 14:00:00.288|11314| [DB::add_client_side_drop_data_entry, ] The table CLIENT_SIDE_DROPPED_STAT is empty.
dcc|ERR|Oct 01 14:00:00.321|11314| [DB::insert_ev_client_side_dropped_data_reporting, ] mysql_stmt_execute, failed.
dcc|ERR|Oct 01 14:00:00.321|11314| [DB::insert_ev_client_side_dropped_data_reporting, ] Cannot add or update a child row: a foreign key constraint fails =(`DCC`.`CLIENT_SIDE_DROPPED_STAT`, CONSTRAINT `CLIENT_SIDE_DROPPED_STAT_ibfk_1` FOREIGN KEY (`account_id`) REFERENCES `ACCOUNTS` (`account_id`) ON DELETE ).
dcc|INFO|Oct 01 14:00:00.321|11314| [DB::insert_ev_client_side_dropped_data_reporting, ] invalid affected rows by MySQL.

Conditions:
After upgrading, ASM keeps logging error messages, but there is no impact on the traffic.

Impact:
The error message is mostly benign. It occurs on storing counters for web scraping attacks to the database, and could include records for multiple policies in a single update. If the failing record were inserted in a batch, all records in the batch will be silently lost. However, under most conditions, individual records will be saved, so this is unlikely to have an impact.

Workaround:
Run the following command: bigstart restart asm.


433323-8 : Ramcache handling of Cache-Control: no-cache directive in Response

Component: Local Traffic Manager

Symptoms:
Previously, when a Cache-Control header from the OWS contained a no-cache directive, RAM Cache mistakenly interpreted that the same as a no-store directive.

Conditions:
Configure a virtual server with HTTP caching.

Impact:
Failure to cache a cacheable document.

Workaround:
This issue has no workaround at this time.


432900-7 : APM configurations can fail to load on newly-installed systems

Component: Access Policy Manager

Symptoms:
APM upgrades fail if the /shared/apm directory is not present before you load the configuration. APM writes a configuration loading error to the /var/log/ltm file with content similar to this:

Oct 25 08:42:11 localhost notice mcpd[6311]: 0107165d:5: copy_file: EPSEC::In copy_file - src (/config/filestore/files_d/Common_d/epsec_package_d/:Common:EPSEC:Images:epsec-1.0.0-160.0.iso_14866_1) dst (/shared/apm/images/epsec-1.0.0-160.0.iso)
Oct 25 08:42:11 localhost notice mcpd[6311]: 0107165d:5: copy_file: Failed in file copy errno=(No such file or directory)
....
01071558:3: EPSEC - File Copy to /shared location failed Unexpected Error: Loading configuration process failed.

Conditions:
If the system is fresh from manufacturing or has had a recent formatting installation, it is vulnerable to this upgrade defect. The failure is only observed if the configuration being applied contains elements of APM.

Impact:
After booting into an upgraded system, the configuration will fail to load. A load failure can also be observed when manually loading a UCS file.

Workaround:
Create the directory /shared/apm and try to load the configuration again.


432332 : APM Reporting DB Log rotation settings are not preserved on upgrade

Component: Access Policy Manager

Symptoms:
Log rotation settings are reset to default values after upgrade.

Conditions:
This issue occurs when upgrading from versions before 10.3.0 to version 11.3.0 and later.

Impact:
Log rotation settings change unexpectedly.

Workaround:
Manually reapply the previous log rotation settings on the upgraded system.


431834-3 : Authentication with Oracle Access Manager API can throw an exception while obtaining redirect URL

Component: Access Policy Manager

Symptoms:
Authentication with Oracle Access Manager API can throw an exception while obtaining redirect URL. This is an intermittent issue.

Conditions:
It could be triggered when ASDK fails to return the URL string for redirection or if it returns a null string.

Impact:
Without the fix, the unhandled exception causes an EAM core and a service outage. With the fix, the exception is handled gracefully and an error page with an error message is returned to the end user. The process will not core.


431634-3 : tmsh: modify gtm server 'xxx' virtual-servers replace-all-with 'yyy' fails

Component: TMOS

Symptoms:
If you have a gtm server object for which you wish to modify its virtual servers, the following tmsh command fails:

modify gtm server <gtm-server-name> virtual-servers replace-all-with <vs-name>

with this error:

"The requested Virtual Server (/Common/<gtm-server-name> ) was not found."

Conditions:
You have a gtm server object whose virtual servers you are attempting to modify via the replace-all-with method.

Impact:
You cannot set the virtual server(s) on a gtm server object via the replace-all-with method in tmsh.

Workaround:
You can still add and delete virtual servers on the gtm server object via tmsh; you just cannot use the replace-all-with method to accomplish this.


431337-5 : OWA 2013, IE11 throws JavaScript error when you click "LinkedIn" button.

Component: Access Policy Manager

Symptoms:
The LinkedIn button is a part of the new feature, Apps in Outlook Web App, in Outlook Web App 2013. A JavaScript error occurs if you click the LinkedIn button in Outlook Web App 2013 while using Internet Explorer 11.

Conditions:
OWA 2013 in IE11 throws the following JavaScript error on clicking the "LinkedIn" button.

Impact:
JavaScript error: Unable to get property 'apply' of undefined or null reference.

Workaround:
No known workaround.


431216-2 : Client proxy settings do not work when using Network Access with Internet Explorer 11

Component: Access Policy Manager

Symptoms:
Internet Explorer does not recognize Proxy Auto-Configuration (PAC) files specified with the "file://" prefix. As a result, client proxy settings do not work when using Network Access with Internet Explorer 11.

Conditions:
Client proxy settings are enabled in the Network Access (NA) configuration.

Impact:
Proxy settings will not be used by the client.

Workaround:
Enable the "Client Proxy Uses HTTP for Proxy Autoconfig Script" option in the Network Access resource.


431076-13 : Windows 8.1 can crash if you delete urfltv64.sys file.

Component: Access Policy Manager

Symptoms:
If you delete the file %systemroot%\system32\drivers\urfltv64.sys, Windows can crash when establishing a VPN connection.

Conditions:
The user manually deletes %systemroot%\system32\drivers\urfltv64.sys.

Impact:
May result in a crash of the Windows OS.

Workaround:
Do not delete the driver manually.


430965-3 : F5 VPN driver re-installation may cause windows 8.1 crash

Component: Access Policy Manager

Symptoms:
Windows 8.1 changed the format of hardware ID strings, which exposed a bug in the VPN driver installer: the driver installer does not properly remove the VPN driver from Windows 8.1.
Subsequent driver re-installation may cause a Windows crash (Windows core dump).

Conditions:
F5 VPN driver installed (uninstalled) on Windows 8.1.

Impact:
May cause Windows 8.1 to crash.

Workaround:
This issue has no workaround at this time.


430762-3 : ASM xml schema doesn't recognize SOAP global attribute 'encodingStyle'

Component: Application Security Manager

Symptoms:
The internal XML schema processor does not treat the attributes mustUnderstand and encodingStyle on the Envelope element as global, although it should. As a result, violations are incorrectly triggered.

Conditions:
WSDL configured with encodingStyle or mustUnderstand elements.

Impact:
A violation is triggered even though the WSDL is configured to allow it.


430073-1 : Slow GUI response when navigating to the Parameters

Component: Application Security Manager

Symptoms:
Any navigation away from and back to this page incurs the same delay, and opening multiple pages in tabs incurs a cumulative delay (the customer has experienced a delay of 75 seconds when opening 5 tabs showing parameter details).

Conditions:
Simply navigating to Application Security -> Parameters -> Parameter List will show the same issue.

Impact:
Given a normal workflow through ASM, this causes significant problems in day-to-day management operations.

Workaround:
This issue has no workaround at this time.


429617-1 : Full APM Webtop does not work on Windows RT clients

Component: Access Policy Manager

Symptoms:
Windows RT clients with Internet Explorer cannot access APM Full Webtop. The text "Sorry! Unsupported platform." is presented instead of the webtop page.


429561-4 : User-defined ACLs List Incorrectly Displays

Component: Access Policy Manager

Symptoms:
The list of User-defined ACLs is expected to display only ten listings per page. If more than ten ACLs exist, end-users can switch between listing pages by selecting the page number or the "Show All" option from the drop down element under the lower right of the main table. Similarly, end-users should be able to click the arrows that appear to either side of the aforementioned drop-down element to navigate to a different page of listings.

Currently, only the first ten ACLs are listed even when end-user selects a different page number from the drop-down or when the navigation arrows are used.

Conditions:
When more than ten User-defined ACLs exist.

Impact:
End user may be unaware of all ACLs that exist.

Workaround:
From the drop-down element, the "Show All" selection will still work to display all listings.

The `tmsh list apm acl` command can also be run from the command line.


429011-5 : No support for external link down time on network failover

Component: Local Traffic Manager

Symptoms:
For switch based platforms, the bcm56xxd daemon monitors the active/standby state using the failover.bigipunitmask DB variable and if this indicates a transition from Active to Standby, it downs external links and starts a timer for re-enabling the links after a customer-specified delay as per the failover.standby.linkdowntime DB variable.

Conditions:
This occurs on BIG-IP 2000 series and 4000 series platforms.

Impact:
No support for external link down time on network failover.

Workaround:
None.


428952-3 : Timer event for an expired connection.

Component: Application Security Manager

Symptoms:
The customer may face a crash on a slow POST request.

Conditions:
This issue occurs when the timer for a slow POST request expires on a released connection.

Impact:
The BIG-IP system may temporarily fail to process traffic.

Workaround:
This issue has no workaround at this time.


428327-1 : BD may crash on VIPRION anomaly events sync.

Component: Application Security Manager

Symptoms:
BD may crash on VIPRION anomaly events sync.

Conditions:
1. Brute Force or Web Scraping is enabled on VIPRION machines.
2. VIPRION blades connect and disconnect.

Impact:
The BIG-IP system may temporarily fail to process traffic.

Workaround:
This issue has no workaround at this time.


428121-1 : Export Requests List with Severity filter fails.

Component: Application Security Manager

Symptoms:
The following error occurs:

----------------------------------------------------------------------
Error after running Requests events export script; Error: Export proxy log failed: DBD::mysql::st execute failed: Unknown column 'A.severity_id' in 'where clause' at /usr/lib/perl5/site_perl/F5/ExportProxyLog.pm line 107.
----------------------------------------------------------------------

Conditions:
Export Requests List as binary (gzipped CSV) with a Severity filter.

Impact:
Cannot export requests with a specific Severity filter.

Workaround:
This issue has no workaround at this time.


428010-1 : Remote logging of signature risk and accuracy

Component: Application Security Manager

Symptoms:
Signature risk and accuracy may not show up in remote logger messages when "sig_names" is included.

Conditions:
Configure the remote logger with the "sig_names" field added. Restart ASM.

Impact:
The remote logger message does not contain risk and accuracy.

Workaround:
Add or modify a user-defined signature with "Auto Apply" enabled.


427076-1 : Web Application SSO could fail with user account locked out

Component: Access Policy Manager

Symptoms:
In rare cases, logon to a web application using client-initiated form-based SSO could fail and cause the user account to be locked out in the directory service.

Impact:
Some users may intermittently fail to log on to web applications and have their accounts locked in the directory service.

Workaround:
None.


427035-5 : UCS install sets an incorrect internal parameter

Component: Application Security Manager

Symptoms:
After installing a ucs file with ASM provisioned, you notice this error in the log: "mu_pool_threaded_t enum should be ordered by size pool[6](size:10000001) > pool[7](size:25601)"

Conditions:
This can occur when applying a UCS file from a previous version.

Impact:
Config will fail to load and bd will not run.


426564-3 : Bad parsing of multipart requests with nameless parameters

Component: Application Security Manager

Symptoms:
A multipart request that includes a nameless parameter with a null value does not trigger the enforced violation.

Conditions:
Send a multipart request with nameless parameters.

Impact:
No enforcement occurs for the "Null in multi-part parameter value" violation on a nameless parameter.

Workaround:
This issue has no workaround at this time.


426267-1 : vCMP guest management IP does not get set after config load failure

Component: TMOS

Symptoms:
If a guest's config load fails and is then subsequently corrected, the management IP passed in from the hypervisor is not applied until it is changed to a different value.

Conditions:
The guest has had a config load failure that has been fixed, and is not configured to override the management IP given by the hypervisor.

Impact:
The guest is not reachable on its management IP address.

Workaround:
1. Change the guest's management IP on the hypervisor side (and then change it back):
  tmsh modify vcmp guest <guest-name> management-ip <new-address>

2. Change the guest's management IP in the guest (TODO: verify if this also works), to override the one passed in by the hypervisor.


426209-1 : exporting to a CSV file may fail and the Admin UI is inaccessible

Component: Access Policy Manager

Symptoms:
If there are a large number of APM report records, exporting them to a CSV file might fail and the Admin GUI can then become inaccessible.

Conditions:
When the amount of report data is large.

Impact:
The Admin UI is inaccessible.

Workaround:
Avoid exporting large amounts of report data.


425980-1 : Blade number not displayed in CPU status alerts

Component: TMOS

Symptoms:
Messages displayed on the VIPRION chassis LCD display always reference the blade number of the Primary blade in the chassis at the time that the message was issued.
The slot number where the blade-specific condition occurred is not included in the message on the LCD display.
In the case of CPU status alerts, where the CPU temperature is too high or the CPU fan speed is too low, the identification of the blade is not included in the console output or log messages produced by the system_check utility.

Conditions:
Affects:
VIPRION B4100 (PB100), B4200 (PB200) and B4300-series blades in VIPRION C4400, C4480 and C4800 chassis.
VIPRION B2100, B2150 and B2250 blades in VIPRION C2400 and C2200 chassis with external LCD displays attached.

Impact:
It may not be possible to accurately determine which blade has actually experienced a blade-specific condition reported on the chassis LCD display.

Workaround:
Use one of the following commands to examine the CPU measurements to determine which CPU on which blade is experiencing excessive temperature and/or slow fan speed:
1. tmsh show sys hardware
2. tmctl cpu_status_stat


425953-1 : Commit ID not synchronized to secondary blades

Component: Local Traffic Manager

Symptoms:
The accounting information used to track sync status does not get copied to secondary blades of chassis. If one of them becomes primary then it may appear out of sync.

Conditions:
Any chassis in config sync where the primary changes.

Workaround:
Perform a sync and this data will again be up to date.


425853-1 : Launch Application for Mac OS X doesn't work if the arguments string contains ampersand

Component: Access Policy Manager

Symptoms:
Launch Application fails to launch the application (on Mac OS X) if the argument string contains an ampersand character ("&").

Conditions:
BIG-IP APM and Mac OS X all versions.

Impact:
Application Launch will fail for any customer trying to connect to the BIG-IP system but they will be able to connect to the corporate network using network access.

Workaround:
None


425746-2 : CSS styles added via style.appendChild(document.createTextNode(style)) are not correctly patched.

Component: Access Policy Manager

Symptoms:
Some images could be missing in the page requested through Portal Access.
HTTP Request log will show that these images are requested with unmangled URLs.

Conditions:
CSS styles are dynamically inserted in client-side JavaScript code with a construction like <style>.appendChild(document.createTextNode(css)).

Impact:
Direct or failed requests to image files.

Workaround:
Use an iRule that replaces .createTextNode(x) with .createTextNode(F5_WrapStyleAttr(x)).


424938-5 : APD crashes when processing an access policy with Tcl expressions.

Component: Access Policy Manager

Symptoms:
APD crashes when processing an access policy with Tcl expressions.

Conditions:
This happens very rarely; the chance is greater with a higher number of Tcl expressions with session variables in APM configurations. APD must be processing an access policy with Tcl expressions using session variables while the administrator makes a configuration change to one of the policies containing Tcl expressions.

Impact:
Rare APD crash with core, which might cause brief authentication outage.


424936-3 : apm_mobile_ppc.css has duplicate 1st line

Component: Access Policy Manager

Symptoms:
An extra line (that consists of "<?") appears at the top of the apm_mobile_ppc.css file and causes an error like this one:
Jul 9 08:37:10 roeislfl4gm err httpd_sam[13917]: [error] [client 127.1.1.4] PHP Parse error: syntax error, unexpected '&amp;lt;' in /var/sam/www/php_include/webtop/renderer/customization/general_ui/Common/tmsproext-apm_general_ui/en/apm_mobile_ppc.css on line 2

Impact:
An error message is generated in the /var/log/http_errors log file.

Workaround:
To work around the problem, remove the extra line ("<?") from /var/sam/www/php_include/webtop/renderer/customization/general_ui/Common/tmsproext-apm_general_ui/en/apm_mobile_ppc.css.


424768-3 : websso doesn't log startup process

Component: Access Policy Manager

Symptoms:
When websso starts up, it doesn't log any messages until it reads some variables from mcpd.

Conditions:
websso is configured.

Impact:
In some situations it's impossible to figure out why websso cannot start, as there is no indication of a problem in the logs.

Workaround:
NA


424371-5 : Protected Workspace does not work on Windows 8.1

Component: Access Policy Manager

Symptoms:
Protected Workspace does not work on Windows 8.1.
Internet Explorer 11 and Windows Explorer cannot start on the Protected Workspace Desktop.

Conditions:
Protected workspace is configured in Access Policy.

Impact:
Protected workspace cannot be launched.

Workaround:
This issue has no workaround at this time.


424322-2 : Trunks containing empty SFP ports rejected on 2x00/4x00 appliances

Component: TMOS

Symptoms:
Attempting to create a trunk containing an unpopulated SFP port and ANY other member (including another unpopulated port) would generate an error about incompatible media types.

# tmsh create net trunk test-trunk interfaces add { 2.1 2.2 }
01070619:3: Interface 2.2 media type is incompatible with other trunk members

Impact:
Config load could fail if the target system doesn't have transceivers installed in all SFP ports designated as trunk members by the incoming config.

Workaround:
Install transceivers before configuring the BIG-IP.


424313-2 : When profile is copied images are not copied together with it

Component: Access Policy Manager

Symptoms:
If you copy a policy that has two images assigned to the same object but in different languages, at least one of the images is not copied.

Conditions:
An object that supports customization and images has two images assigned at the same spot for different languages.

Impact:
All customizable objects with images

Workaround:
Copy the profile, then reassign the missing images manually.


424248-4 : Virtual servers bind failure on some tmm's

Component: Local Traffic Manager

Symptoms:
Packets arriving on the BIG-IP system that should match a specific virtual server are dropped, or match a less-specific virtual server. In this case, the virtual servers have failed to bind on some tmm's and are therefore not able to forward traffic.

When a client uses passive FTP, and there are multiple control connections, the data connection of a client might end up going to one of the other duplicate listeners, resulting in the data connection eventually going to the wrong server/poolmember.

Conditions:
Two or more virtual servers that are listening on the same ip, port, and protocol but have different vlan assignments, typically with a vlan enable list on one, and a vlan disable list on the other, although this may not be strictly required.

For the FTP case, the client must be using passive FTP. Also, there must be at least two FTP control connections from the client.

Impact:
Dropped or misdirected traffic. Misdirected in the sense that the traffic does not match the more-specific virtual server and is matched to a less-specific one or dropped outright.

The passive FTP data connections from a client may end up going to the wrong server.

Workaround:
At this time, we recommend using vlan enable lists for all virtual servers that are listening on the same ip, port, and protocol as a workaround if the customer runs into this issue.

This workaround does not apply to the passive FTP issue.


423803-1 : PSM Virtual server associations are lost after CMI sync.

Component: Application Security Manager

Symptoms:
If the configuration between devices in a device group is not fully synchronized, the association between Virtual Servers and HTTP Profiles may be lost.

Conditions:
This occurred when the same VS and FTP profiles existed on both devices, but the ftp profile had security enabled on A and disabled on B.

Impact:
If the LTM configuration between devices in a CMI group is not synchronized, then PSM associations can be lost.

Workaround:
This issue has no workaround at this time.


423797-1 : Add Client-Side challenge excluded URLs and headers internal parameters

Component: Application Security Manager

Symptoms:
CS Challenge from Web Scraping is impacting the customer's website causing the browser to display a blank page.

Conditions:
Configure ASM policy with client side challenge for brute force and the different web scraping features.

Impact:
CS Challenge from Web Scraping is impacting the customer's website causing the browser to display a blank page.

Workaround:
This issue has no workaround at this time.


423772 : EtherIP tunnel packets are not MAC masqueraded

Component: TMOS

Symptoms:
BIG-IP may not recover from a Standby-to-Active transition.

Conditions:
Tunnel local endpoint address is a floating address.
The device group of the address has a masquerading MAC address.

Impact:
BIG-IP may not recover from a Standby-to-Active transition.

Workaround:
None


423751-2 : Session logged out if traffic is received during Policy evaluation and iRules are involved

Component: Access Policy Manager

Symptoms:
Sporadic session logout (by admin action as per apm logs) when client sends traffic just after submitting logon page.

Conditions:
N/A

Impact:
Sessions are logged out even before policy completes evaluating.

Workaround:
Turn off session rotation.


423137-1 : 'GZIP Compression' setting displayed when Compression not licensed

Component: Access Policy Manager

Symptoms:
The compression setting pull-down is available on the Network Access resource page. If an end-user sets this to GZIP when compression is not licensed, the system posts a TMM error explaining that compression license limit has been exceeded for the day.

Conditions:
Set compression to 'GZIP compression' using a box that does not have compression licensed. Run traffic.

Impact:
GZIP compression appears available when it is not.

Workaround:
Set compression to none.


423009-2 : BD crashes upon startup if configuration has over 1024 remote loggers attached

Component: Application Security Manager

Symptoms:
BD crashes upon startup if configuration has over 1024 remote loggers attached.

Conditions:
The configuration has over 1024 remote loggers attached.

Impact:
ASM crashes upon startup. The device drops BD cores, and the site is considered down at this time.

Workaround:
The customer can remove remote loggers from web applications (maybe some are not in use, or do not need remote logging).


422512-1 : APM SharePoint integration might not work using Internet Explorer 10 on Microsoft Windows 8.

Component: Access Policy Manager

Symptoms:
Microsoft Windows 8 does not share persistent cookies between the browser and Office components. This prevents session management tools like APM from connecting Windows 8 clients with SharePoint services.

The Microsoft case number is 112090575901186.

Conditions:
APM SharePoint integration in IE 10 on Windows 8

Impact:
System produces an error when trying to open documents from SharePoint through APM.

Workaround:
Word/Excel integration (i.e., Document library features) support is fixed by KB2846960.


422460-9 : TMM may restart on startup/config-load if it has too many objects to publish back during config load

Component: TMOS

Symptoms:
TMM restarts without any core file on startup or when mcpd is loading the configuration, if the configuration is large (for example, over 1000 passive monitors).

Conditions:
This issue occurs when all of the following conditions are met:
-- The mcpd process loads a large configuration with thousands of objects.
-- The platform is running 12 or more TMM instances (BIG-IP 11000, 11050 platform, or VIPRION B4300 blade).

Impact:
Traffic processed by the affected TMM instance is interrupted while TMM restarts. TMM might enter a restart loop and restart multiple times, without producing a core file. You might see errors similar to the following in log/tmm or log/daemon:
-- LTM01 crit tmm11[28599]: 01010020:2: MCP Connection aborted, exiting.
-- LTM01 emerg logger: Re-starting tmm. This might cause serious traffic disruption.

Workaround:
This workaround is a mitigation and may not work in all cases; the zero-window timeout may need to be adjusted to a higher value for some configurations.

To work around this issue, increase the timeout used for the MCP connection.

1. Open the tmm_base.tcl file for modification.
2. Locate the tcp _mcptcp stanza.
3. Add the following line:
   zero_window_timeout 300000

This lengthens the timeout, which avoids the restart. For more information, see SOL14498: The mcpd connection to TMM may time out on either startup or configuration load and cause TMM to restart, available here: http://support.f5.com/kb/en-us/solutions/public/14000/400/sol14498.html.


421861-2 : WebSSO may not forward serverside shutdown events

Component: Access Policy Manager

Symptoms:
In certain instances, WebSSO may not forward server-side shutdown events.

Conditions:
Use of WebSSO

Impact:
No known impact. This was discovered in a code inspection.


421499-1 : MAC OS X Edge Client fails to establish network access connection to BIG-IP Edge Gateway if it is behind PPTP VPN connection.

Component: Access Policy Manager

Symptoms:
If you use a third-party PPTP VPN connection and connect to BIG-IP Edge Gateway over this PPTP tunnel, MAC OS X Edge Client fails to connect after initially establishing a successful connection with BIG-IP Edge Gateway.

Conditions:
MAC OS X built-in PPTP client software, BIG-IP Edge Gateway, and BIG-IP MAC OS X Edge Client.
It's untested, but it's very much possible to see this issue with other third-party PPTP client software too.

Impact:
MAC OS X Edge Client fails to establish network access connection.

Workaround:
None.


421451-1 : Policy Builder process exits with core if there are too many URLs in the Extraction list

Component: Application Security Manager

Symptoms:
If a user adds a large number (~1700) of URLs to a policy's extractions list (Security > Application Security : Parameters : Extractions > Create New Extraction...), the Policy Builder can be shut down with a core by its internal watchdog.

Conditions:
A large number of URLs is added at once to the extractions list.

Impact:
The Policy Builder is restarted.

Workaround:
Mitigation: install TMOS v11.2.1 HF8

Workaround: Press the "Save" button every time you add a small number of URLs (10-20) to the Extractions List.


421450-1 : ---

Component: Application Security Manager

Symptoms:
In 11.2.1-hf8 and later hotfixes, the ASM Enforcer may parse multipart parameters that violate the RFC.


421429-5 : Client-initiated renegotiation for server ssl profile does not work with DTLS when it connects to another BIG-IP clientssl.

Component: Local Traffic Manager

Symptoms:
Client-initiated renegotiation for Server SSL profile does not work with DTLS when it connects to another BIG-IP Client SSL.

Conditions:
This issue occurs when the following condition is met: A BIG-IP system configured with a Server SSL profile attempts to renegotiate a DTLS connection with a BIG-IP system configured with a Client SSL profile, as follows:

BIG-IP (Server SSL)            BIG-IP (Client SSL)
    |                                 |
    |----ClientHello (no cookie)----->|
    |<---HelloVerifyRequest(cookie)---|
    |-----ClientHello(with cookie)--->|
    |                                 |

Impact:
Attempts to renegotiate Datagram Transport Layer Security (DTLS) connections between BIG-IP systems might fail.

Workaround:
Do not directly connect two BIG-IP systems by DTLS.


420980-2 : Enforcer can crash when response logging is enabled

Component: Application Security Manager

Symptoms:
The BIG-IP system may temporarily fail to process traffic.

Conditions:
This issue occurs when response capturing is enabled.

Impact:
The BIG-IP system may temporarily fail to process traffic.

Workaround:
This issue has no workaround at this time.


420977-2 : Improved the system's placement of ASM JavaScript code.

Component: Application Security Manager

Symptoms:
If you have pages where browser compatibility is maintained via the use of the '<meta http-equiv="X-UA-Compatible" content="IE=8" />' tag, the CSRF script could be injected into the wrong place.

Conditions:
When you enable CSRF protection, the site breaks because the CSRF JavaScript is injected in the page before this tag. If you have other meta tags, the injection takes place after the first meta tag that shows up before the "X-UA-Compatible" one.

Impact:
CSRF script gets inserted after the first meta tag, not after the X-UA-Compatible meta tag. This can cause certain versions of Internet Explorer (IE10) to not load the pages properly.

Workaround:
This issue has no workaround at this time.


420893-1 : Process errors in wamd

Component: WebAccelerator

Symptoms:
The wamd process can core under heavy pdf linearization or image optimization load if disk or RAM resources abruptly become low.

Conditions:
If a disk or RAM shortfall occurs abruptly and OWS is slow enough in responding, WAM may initially decide it has enough disk and RAM to optimize but discover later that it does not. This is mostly handled properly, but there was one unlikely corner case that was not.

Impact:
wamd cores and restarts

Workaround:
If the shortfall is disk, free more space in /shared. If the shortfall is RAM, increasing RAM may help slightly.


420585-1 : DNS cache resolver stability improvements

Component: Local Traffic Manager

Symptoms:
TMM crashes when using a DNS cache resolver or validating resolver. In a failover scenario the same result occurs on the newly active system.

Conditions:
LTM virtual server with a cache resolver or validating resolver configured and handling traffic.

Impact:
Occasional TMM crash.

Workaround:
None.


420580-3 : DTLS handshake fails when BIG-IP receives datagrams out of order

Component: Local Traffic Manager

Symptoms:
The DTLS handshake fails when BIG-IP receives out-of-order handshake and CCS messages.

Conditions:
DTLS handshake messages are received out of order.

Impact:
Clients may fail to establish DTLS sessions with the BIG-IP system. The BIG-IP system responds with an incorrect DTLS handshake.

Workaround:
None.


420376-2 : ASM crashed during ASM encoding configuration

Component: Application Security Manager

Symptoms:
When a security policy has an encoding that has many secondary encodings (such as the Chinese encoding), and it receives transactions with parameters or URLs in different secondary encodings at a high rate, and at the same time the user reconfigures the security policy and changes the encoding to one of the secondary encodings, there is a chance that the Enforcer internal encoding table will get corrupted.

Conditions:
BD cores when the customer tries to apply a policy on the active unit.

Impact:
BD cores when the customer tries to apply a policy on the active unit.

Workaround:
This issue has no workaround at this time.


420315-1 : Brute force attack drop reports are about 10% less than actual

Component: Application Security Manager

Symptoms:
The drop reports are not accurate in brute force. The drops from the last seconds of the attack are not reported.

Conditions:
The customer encountered this on their own and found that the numbers of Rejected Connections and dropped_requests don't match the number of requests actually dropped on a client.

Impact:
Inaccurate statistics reporting in the GUI of rejected connections for brute force attacks.

Workaround:
This issue has no workaround at this time.


420038-1 : XML attribute form violation seems not accurate

Component: Application Security Manager

Symptoms:
When an XML schema validation attribute violation occurs, an incorrect attribute is sometimes reported in the violation details.

Conditions:
An XML schema validation attribute violation occurs.

Impact:
An incorrect attribute is sometimes reported in the violation details.


420013-1 : EMC applet fails with java.lang.NoSuchMethodError

Component: Access Policy Manager

Symptoms:
Applet loading fails with java.lang.NoSuchMethodError: F5Const.compare(Ljava/lang/String;Ljava/lang/String;)Z

Conditions:
Portal Access configured, EMC Documentum in use

Impact:
Applet fails to load, unable to use the resource


415953-1 : Port does not advertise 1 GB speed capability under auto-negotiation.

Component: TMOS

Symptoms:
Port does not advertise 1 GB speed capability under auto-negotiation.

Conditions:
This occurs when SFP+ fiber modules are configured to operate at 1 GB speeds without enabling the forced_gigabit_fiber setting.

Impact:
Port does not advertise 1 GB speed capability under auto-negotiation.

Workaround:
Enable the forced_gigabit_fiber setting when SFP+ fiber modules are configured to operate at 1 GB speeds.


415008-1 : ---

Component: Application Security Manager


414370-3 : ACCESS::disable and ASM may send TCP reset

Component: Access Policy Manager

Symptoms:
Client receives TCP reset.

Conditions:
Both an access profile and an ASM profile are assigned to a virtual server, and the iRule command ACCESS::disable is used on the virtual server.

Impact:
Minimal. Most clients will automatically retry, and the retry will succeed. Most users will not notice this error.

Workaround:
None


413689 : ntlm + oneconnect + persistence + v2 plugin can cause crash

Component: TMOS

Symptoms:
If you apply NTLM, OneConnect, Persistence together WITH a V2 (TMI) Plugin, the TMM can crash.

Conditions:
The specific filters indicated above, together, can result in a TMM crash.

Impact:
TMM restarts, connections lost.

Workaround:
None.


413477-1 : Potential failure to connect or persist to server using iRule commands

Component: Local Traffic Manager

Symptoms:
The BIG-IP system might either fail to load balance when the iRule 'pool' command is used, or choose the wrong pool member if multiple iRule 'persist' commands are used in the same connection.

Conditions:
This occurs when an iRule that runs the 'pool' command is assigned to a virtual server with fallback persistence and no default pool, or an iRule which runs the 'persist' command multiple times.

Impact:
A portion of traffic fails to be sent to a correct pool member.

Workaround:
If fallback persistence is configured on the virtual server, also configure a default pool on the virtual server. If an iRule has the potential to run multiple 'persist' commands on the same CLIENT_ACCEPTED or L7 request event, you can modify the iRule to ensure the 'persist' command runs only once, if it is appropriate for the traffic. For more information, see SOL14628: Connections may stop responding or be directed to an incorrect pool member.


413354-1 : Port selection algorithm may prematurely reuse port

Component: Local Traffic Manager

Symptoms:
A BIG-IP system may reuse an ephemeral port that was recently used for a previous flow. This results in the BIG-IP system sometimes being unable to pass FTP traffic.

Conditions:
This occurs when a port range is used. Because FTP uses the port range code, it can often be observed in FTP traffic.

Impact:
Remote host / pool member may ignore TCP handshake attempts due to holding a matching connection in TIME_WAIT, causing connection failure and application hang.

Workaround:
None.


412493-2 : ---

Component: Access Policy Manager


412201-2 : ---

Component: Application Security Manager


411591-2 : ospfd core dump when redistributing ospf routes over ospf

Component: TMOS

Symptoms:
ospfd dumps a core when ospf routes from other ospf instances are redistributed continuously.

Conditions:
ospfd dumps a core when ospf routes from three ospf peers are configured to redistribute and no redistribute repeatedly into a fourth ospf instance on a BIG-IP while the interface of the fourth ospf peer is flapping.

Impact:
ospfd terminates on the BIG-IP.

Workaround:
None


411405-1 : Port may become temporarily unavailable in cmp mode

Component: Local Traffic Manager

Symptoms:
Some ports are not reusable immediately in cmp mode.

Conditions:
CMP-compatible platforms, and a virtual server is configured to use the same port as another virtual server, even if that virtual server is configured to timeout immediately.

Impact:
Some ports are not available immediately


411107-3 : Upload of large file using APM with Basic SSO can fail.

Component: Access Policy Manager

Symptoms:
File upload fails after all file content is sent to APM.

Conditions:
LTM virtual server with HTTP application, ACCESS profile, Basic SSO.

Impact:
Upload fails.

Workaround:
None


410800-1 : Learning suggestion cleaning order

Component: Application Security Manager


410604-3 : websso daemon may crash due to memory exhaustion for large size HTTP POST

Component: Access Policy Manager

Symptoms:
The websso daemon may crash due to memory exhaustion.

Conditions:
When the client sends an HTTP POST with a large payload (i.e., hundreds of megabytes), the websso daemon can run into memory exhaustion and may core dump due to malloc failure. This is exacerbated, or more likely to happen, when the BIG-IP platform is already under memory pressure at the system level, for example, when many modules are provisioned on a low-end BIG-IP platform.

Impact:
The websso will be restarted, and the operation at the time may hang until the TCP connection times out (which is 5 minutes by default).


410578-3 : ActiveSync fails with Kerberos SSO

Component: Access Policy Manager

Symptoms:
An ActiveSync client uses Basic HTTP authentication. When used with APM Kerberos SSO, APM fails to delete the authorization HTTP header from the client and adds another header for Kerberos. This results in two headers, causing the server to respond with 400 Bad Request.

Conditions:
1. Configure Kerberos SSO with always-insert-Authorization-header enabled.
2. Establish APM session.
3. Send a request with a valid MRHSession cookie, including an HTTP Authorization header (any method is OK).
4. Verify that the request forwarded to the backend has two Authorization headers.

Impact:
APM fails to delete the authorization header from the client and adds another header for Kerberos. This results in two headers, causing the server to respond with a 400 Bad Request.

Workaround:
Use the following iRule to remove the HTTP Authorization header:
when ACCESS_ACL_ALLOWED {
   HTTP::header remove Authorization
}


410415-2 : tmm SEGV when reselect after a node failure on FastL4 virtual servers

Component: Local Traffic Manager

Symptoms:
TMM may produce a core file when reselecting a pool member for a FastL4 virtual server.

Conditions:
This issue occurs when all of the following conditions are met:
-- The affected virtual server is a FastL4 virtual server.
-- The affected virtual server uses a pool configured with Action On Service Down set to Reselect.
-- A pool member from the affected pool is marked down, requiring TMM to perform a reselect to service a subsequent request.

Impact:
When servicing a connection for a FastL4 virtual server, if the TMM is required to reselect a new pool member for a subsequent request, a segmentation violation (SEGV) may occur. TMM may produce a core file and temporarily fail to process traffic.

Workaround:
None.


410338-2 : APM does not correctly recover the iSession control channel after the server closes a transport TCP connection.

Component: Access Policy Manager

Symptoms:
APM does not correctly recover the iSession control channel after the server closes a transport TCP connection.

As a result of this issue, the log file contains many error messages similar to the following:
-- 4044,1660,, 1, \UiSessionChannel.cpp, 723, UiSessionChannel::receiveData(), failed to read data from underlying channel.
-- 4044,1660,, 1, \UiSessionChannel.cpp, 104, UiSessionChannel::Read(), reading/processing transport data failed, -2.
-- 4044,1660,, 48, \SoftWOC/CtrlChannelClient.h, 693, USoftWOCClient::processIncomingMessages(), connection was closed by server, -2.
-- 4044,1660,, 1, \UiSessionChannel.cpp, 723, UiSessionChannel::receiveData(), failed to read data from underlying channel.

Conditions:
Underlying TCP connection is reset by server.

Impact:
This causes requests to open a new Optimized tunnel to fail until a new control connection is established.

Workaround:
None.


409964-1 : bd crash with remote logging configured

Component: Application Security Manager

Symptoms:
While making changes bd crashes. /var/log/asm contains the signature "BD_MISC|ERR |23/01/13 13:56:46|9750|LoggingAccount.cpp:2904|remote log write FAILED"

Conditions:
This can occur if TCP remote logging is configured and there are issues between the BIG-IP and the remote logging facility.

Impact:
bd crashes. Traffic disrupted while bd restarts.

Workaround:
If your network environment permits, change the remote logging profile to udp.


409787-1 : Parsing malformed JSON request

Component: Application Security Manager


408074-1 : ---

Component: Application Security Manager


407940-1 : ---

Component: Access Policy Manager

Symptoms:
The Session Details report fails to run and displays server error "time out" for some users.

Workaround:
Restart the tomcat process.


407930-1 : Reporting many Tcl errors can cause core in very low memory cases

Component: Local Traffic Manager

Symptoms:
In rare, low memory cases, TMM may core when using the STREAM::match command in an iRule that reports many Tcl errors.

Conditions:
This occurs when there is very low memory available for TMM, and there are large numbers of errors reported in logs for iRules in a filter.

Impact:
May result in a traffic disruption and failover.

Workaround:
You can prevent this by fixing any Tcl errors.


407904-1 : BIG-IP health monitors experience delayed checks for unresponsive pool members

Component: Local Traffic Manager

Symptoms:
The TCP monitor doesn't send out any SYNs for ~190 seconds, or sends SYNs at 0, 3, 9, 21, 45, 92 seconds and then retries at 189.

Conditions:
This issue occurs when the following conditions are met:
-- The pool member is monitored with a health monitor that uses TCP. For example, a TCP, HTTP, or HTTPS monitor.
   Note: This issue has primarily been reported to affect HTTPS health monitors.
-- The pool member is unresponsive to the health monitor.

The bigd process should continue to monitor a pool member after the system has marked the pool member as Down. However, when a down pool member continues to be unresponsive after being marked Down, the bigd process may check the pool member less frequently than expected. As a result, the bigd process may experience a delay of several minutes before sending a health check and discovering that the affected pool member has recovered.

Impact:
The system may not mark recovered pool members Up in a timely manner.

Workaround:
Force the pool member down and then up, or run `bigstart restart bigd`.


407860-1 : Unable to export profile if it's using default sso configuration

Component: Access Policy Manager

Symptoms:
Export stacks if the profile is using the default sso configuration.

Conditions:
1. The profile is linked to an sso config.
2. The sso config is the default.

Impact:
obvious

Workaround:
Change something in the sso configuration so that it is no longer the default, or do not use sso when exporting.


407833-1 : ---

Component: Access Policy Manager

Symptoms:
When a report fails to run, the Configuration utility displays a generic time-out error that is not very helpful.

Workaround:
To log the exception trace, enable debug mode for webui.log.


407350-1 : Client side checks on Windows Phone 8

Component: Access Policy Manager

Symptoms:
Client side checks, such as antivirus, firewall, file, process, and so on, should be skipped for Microsoft Windows Phone 8, but are not skipped.

Conditions:
An access profile is configured to use client side checks. Windows Phone 8 clients attempt to establish a connection.

Impact:
Windows Phone 8 users are prompted to install client components, but they cannot.


407327-2 : Internet Explorer in "desktop mode" on Windows Phone 8

Component: Access Policy Manager


406971-1 : Logout causes javascript error

Component: Access Policy Manager

Symptoms:
After clients log out, they get a javascript error: 'length' is null or not an object

Conditions:
Portal access in use and client logs out

Impact:
Javascript error occurs on the client; this error can be ignored.


405673-3 : Mirrored TCP flows do not function properly due to HA Channel instability and may even core

Component: Local Traffic Manager

Symptoms:
Under conditions of HA channel instability, such as HA traffic being dropped, the mirrored TCP flows on the standby become unusable. They get into unreliable states and may even result in a tmm core.

Conditions:
HA channel instability resulting in loss of HA packets is needed for this to manifest.

Impact:
Mirrored flows on the standby lose their integrity and get into an unstable state, and this may even result in a tmm core. Traffic disrupted while tmm restarts.


405635-3 : Using the restart cm trust-domain command to recreate certificates required by device trust.

Component: TMOS

Symptoms:
The device trust manages the certificates and keys SSL connections require between devices used for configuration synchronization. You should always have the necessary certificates and keys. If they are not present, device trust fails.

Conditions:
This might occur after manually removing the 'cm' stanzas from the config file, and reloading the configuration.

Impact:
No certificates and keys exist. If there are no certificates and keys, device trust cannot be set up, and the system cannot complete the SSL connections necessary for config synchronization.

Workaround:
To recreate the certs and keys, run the command: restart cm trust-domain.


405438 : tmm core while provisioning WOM to dedicated and LTM to none in rapid succession

Component: TMOS

Symptoms:
After provisioning WOM to dedicated, tmm will continually restart, and the only way to get out of the restart loop is to install BIG-IP to another slot and boot to it.

Conditions:
Provisioning WOM to dedicated, and provisioning LTM to none.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Never provision WOM dedicated with no LTM. Always provision WOM nominal with LTM nominal. WOM requires LTM.


405365-3 : ---

Component: Access Policy Manager

Symptoms:
Previously, under certain circumstances an interrupted connection could prevent the ActiveSync client from logging on. This has been corrected.


405348-7 : ActiveSync POST fails when body is larger than 64k.

Component: Access Policy Manager

Symptoms:
Sending of large mail (body greater than 64 KB) fails with an ERR_NOT_SUPPORTED message in /var/log/apm when using ActiveSync.

Conditions:
This occurs when the following conditions are met:
-- ActiveSync is configured on the BIG-IP system.
-- Email is sent with a large attachment, when the device sending the email currently has no active session.

Impact:
Large POST bodies, such as those found in emails with large attachments, will not successfully send. The message fails to send with an error message that asks to use the mail server directly.

Workaround:
Modify the db variable 'tmm.access.maxrequestbodysize' to a value greater than the default, 64 KB.


405001-1 : ---

Component: Application Security Manager


404461-1 : ---

Component: Access Policy Manager


404239 : APM client for Microsoft Windows fails to establish a VPN connection if DTLS is configured on a link with 50-200 msec delay.

Component: Access Policy Manager

Symptoms:
APM client for Microsoft Windows fails to establish a VPN connection if DTLS is configured on a link with 50-200 msec delay.

Conditions:
DTLS is configured on a link with 50-200 msec delay.

Impact:
APM client does not fall back to TLS.

Workaround:
None.


403702-2 : Valid SOAP request fails schema validation

Component: Application Security Manager

Symptoms:
The XML Schema processor incorrectly processes the extension of an empty complex type with an empty sequence. When you pass a SOAP request, you see the error "XML data does not comply with schema or WSDL document".

Conditions:
An ASM XML policy is configured

Impact:
The SOAP request fails to validate and ASM returns an error


403326-2 : Prevent caching of landing URI

Component: Access Policy Manager

Symptoms:
In web application access mode, when you try to access a backend server file, such as an Excel file, as the first request, APM adds some cache-related headers that do not allow Internet Explorer to open the file.

Conditions:
In web application access mode, when you try to access a backend server file, such as an Excel file

Impact:
Internet Explorer may not allow you to open the file.

Workaround:
Adjust the cache control headers in the first object that APM accesses to maintain current behavior and work around the Internet Explorer bug detailed in Microsoft Knowledge Base article 323308.
http://support.microsoft.com/kb/323308


403283-3 : Connecting to a site with a certificate problem might be possible.

Component: Access Policy Manager

Symptoms:
It might be possible to connect to a site with a certificate problem.

Conditions:
Attempting to connect to a site with a certificate problem.

Impact:
Connection completes successfully when it should not.

Workaround:
None.


402840-2 : EAM restarts on using non urlencoded % parameter

Component: Access Policy Manager

Symptoms:
Oracle ASDK throws an unknown exception on using a non urlencoded % character in a URL parameter list. A fix needs to be implemented in the Oracle ASDK to avoid this unwanted exception.

Conditions:
A % parameter in the URL will cause EAM to restart

Impact:
Server returns status not defined in eam, causing EAM to restart


402137-1 : ---

Component: Application Security Manager


401957-1 : ---

Component: Application Security Manager


401525-2 : relative link rewrite issues

Component: Access Policy Manager

Symptoms:
If a relative link contains a path to a higher directory (e.g. ../style.css), rewrite can mangle the URL

Conditions:
Rewrite in use, inflate/deflate in use

Impact:
Clients unable to load certain files containing relative paths


401135-1 : Export custom report fails

Component: Access Policy Manager

Symptoms:
When you try to export a report, you get an error: java.io.FileNotFoundExeption/VERSION(permission denied)

Conditions:
Exporting custom reports in APM

Impact:
Unable to export the report


400377-1 : 'persist lookup' commands fail intermittently

Component: Local Traffic Manager

Symptoms:
On a CMP-enabled platform, performing 'persist lookup' can intermittently return NULL.

Conditions:
This can be encountered when using persist lookup commands in an iRule.

Impact:
persist lookup intermittently fails.


400168-1 : jquery menu does not display

Component: Access Policy Manager

Symptoms:
If you have an access resource that uses jquery menus, the menu does not render on the client browser.

Conditions:
Network access resource configured, the resource uses jquery menu functionality

Impact:
Menu does not display


400076-1 : tmm crash in compression hardware

Component: Local Traffic Manager

Symptoms:
In rare circumstances tmm may crash during compression.

Conditions:
This can occur during normal operation.

Impact:
Traffic disrupted while tmm restarts.


399552-2 : Policy disallowing CD/DVD burning is not effective with SPTI based CD/DVD burning tools

Component: Access Policy Manager

Symptoms:
CD/DVD burning through SPTI inside PWS works even though the policy disallows it.

Conditions:
1. Policy is set to disallow CD/DVD burning.
2. User uses SPTI based CD/DVD burning tool.

Impact:
Despite policy being set to disallow it, user is able to burn CD/DVD.


399213-1 : IPv6 trunks do not balance traffic evenly across links

Component: Local Traffic Manager

Symptoms:
On 11.2.1, IPv6 traffic passing over trunks on a 4000 platform does not get hashed by IP address, but rather by MAC address. This often ends up mainly using one link of the trunk.

Conditions:
IPv6 traffic passing over trunks on a 4000 platform.

Impact:
IPv6 trunks do not balance traffic evenly across links.

Workaround:
None.


399143-3 : GARPs not sent out after reboot

Component: TMOS

Symptoms:
In rare cases, BIG-IP may send gratuitous ARPs on system start-up before the interfaces have fully come up. Therefore the ARP traffic will not be sent to adjacent devices on the network.

Conditions:
This has been observed on system start-up, and is due to a race condition between tmm and the drivers for the switch hardware.

Impact:
In the case of a standalone BIG-IP, this can cause nearby switches and routers to not detect the interface and the virtual server(s) will appear down.

Workaround:
You can cause BIG-IP to re-send its gratuitous ARPs by issuing a bigstart restart tmm.


397789 : WAM crash

Component: WebAccelerator

Symptoms:
Under certain low-memory situations, it is possible for WA to core for out-of-memory.

Conditions:
This can occur under normal operation while WAM is under memory pressure.

Impact:
WAM crashes. Traffic disrupted while WAM restarts.


397711-3 : "Add New Macro" causes JavaScript error

Component: Access Policy Manager

Symptoms:
When you click "Add New Macro" in the VPE, you get a JavaScript error.

Conditions:
Using the Visual Policy Editor, clicking Add New Macro

Impact:
Unable to add macro


397551-1 : ---

Component: Application Security Manager


397402 : Windows 8 x64 does not install new components

Component: Access Policy Manager

Symptoms:
Components from an unsupported APM version installed on Windows 8 x64 will not be automatically updated if per-user installation is selected.

Conditions:
Clients running Windows 8 x64, that already have old components installed.

Impact:
Clients are unable to update their access software

Workaround:
To work around this issue uninstall unsupported components or select installation for all users.


396905-2 : Cache Cleaner does not clear autocomplete data.

Component: Access Policy Manager

Symptoms:
Cache Cleaner does not clear autocomplete data.

Conditions:
This occurs when using Cache Cleaner in a policy.

Impact:
Autocomplete data remains after running Cache Cleaner.

Workaround:
None.


396831 : Provisioning vCMP on 2000/4000 series platforms and kernel panic

Component: TMOS

Symptoms:
Provisioning Virtual Clustered Multiprocessing (vCMP) on 2000/4000 series platforms can cause a kernel panic. vCMP is not supported on these platforms.

Conditions:
This can occur on the 2000/4000 series platforms.

Impact:
A kernel panic can occur.

Workaround:
The release notes contain information about which platforms support vCMP. You can also check the AskF5 Knowledgebase. If a vmdisks application-volume was created on a platform that does not support vCMP, it should be removed.


396729-4 : Two mirroring connections and fastL4 connections

Component: Local Traffic Manager

Symptoms:
If you have configured two mirroring connections (both a primary and secondary pair), when the inactive mirror connection is dropped and then re-established, fastL4 connections expire on the standby after the timeout. To work around this issue, configure only one mirroring connection.

Conditions:
This occurs when using fastL4 and configuring two mirroring connections on an inactive mirror connection that is dropped and then re-established.

Impact:
The fastL4 connections expire on the standby after the timeout.

Workaround:
To work around this issue, configure only one mirroring connection.


395990-5 : APM virtual server not accessible with route domains and SNAT pools

Component: Access Policy Manager

Symptoms:
In some route domain and SNATpool deployments, the APM virtual server is not accessible. You may see this log signature in /var/log/ltm: tmm err tmm[3025]: 01230140:3: RST sent from <ip_addr> to <ip_addr>, [0x1338439:289] Internal error ((APM::SSO) trans begin failed)

Conditions:
This can occur if you have route domains configured and snat pools are in use.

Impact:
Traffic will not pass.


395974-1 : EDGE: Assertion "peer ref valid" failed.

Component: Wan Optimization Manager

Symptoms:
EDGE: Assertion "peer ref valid" failed.

Conditions:
APM.

Impact:
TMM crash.

Workaround:
None.


395720 : Ethernet devices not getting renamed on BIG-IP 4000

Component: TMOS

Symptoms:
On the BIG-IP 4000 platform, sometimes on boot, Ethernet devices do not get renamed. For example, eth6 should be renamed to pf1-7.

Conditions:
This occurs on the BIG-IP 4000.

Impact:
Ethernet devices do not get renamed.

Workaround:
To work around this issue, reboot the device.


395570-2 : TCP::Collect iRule can cause TMM failure.

Component: Local Traffic Manager

Symptoms:
TMM can fail when traffic is sent to an SSL VIP.

Conditions:
Use of a TCP::Collect iRule together with the SSL filter being in use can cause a TMM failure.

Impact:
TMM Outage.


395160-1 : Multiple simultaneous requests to optimize an image before it is cached results in performance impact.

Component: Performance

Symptoms:
Multiple simultaneous requests to optimize an image before it is cached may result in re-optimizing that image more times in this release than in the previous release.

Conditions:
This occurs only when using 11.2.1 and there are multiple simultaneous requests to optimize an image before it is cached.

Impact:
Performance impact due to re-optimizing that image more times.

Workaround:
None.


395148 : Baud rate change not reflected in LCD display until fpdd restart

Component: TMOS

Symptoms:
When setting the baud rate for the front panel serial management port using the AOM command menu, the LCD display does not reflect the baud rate change until fpdd is restarted.

Conditions:
This occurs when changing the baud rate using the AOM command menu.

Impact:
The incorrect baud rate might be shown.

Workaround:
Restart fpdd using the command 'bigstart restart fpdd'.


393150 : 42k item configuration and loading on 8 GB platform

Component: TMOS

Symptoms:
When loading a configuration with 42,000 items or more on a system with 8 GB of memory, you may experience up to 45 seconds of extra load time.

Conditions:
This occurs with a 42,000-item configuration when loading on 8 GB platform.

Impact:
You may experience up to 45 seconds of extra load time.

Workaround:
To avoid this extra time, you can issue the following command before loading: 'tmsh modify sys db provision.extramb 512'.


392255-1 : tmm core or apmd core on session information

Component: Access Policy Manager

Symptoms:
Under high load, and in deployments where users log in and log out frequently, APM crashes intermittently. This happened because APM was trying to free an already freed session DB entry. This fix resolves the double free issue.

Conditions:
This can occur while processing normal traffic with APM configured.

Impact:
Traffic disrupted while tmm restarts.


391745-1 : APM fails to log

Component: Access Policy Manager

Symptoms:
APM fails to make log entries; this error signature exists in /var/log/ltm: tmm3 err tmm3[11184]: 01490514:3: 00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: access_create_and_initialize_session_context, Line: 8328

Conditions:
APM logging is enabled. This is an intermittent issue, it is not known what prevents logging from occurring

Impact:
APM events are not logged.

Workaround:
Try re-enabling the log setting:
tmsh modify sys db log.access.syslog value disable
tmsh modify sys db log.access.syslog value enable


389744-1 : Server address not updated in the UI

Component: Access Policy Manager

Symptoms:
Mac Edge Client displays the server from the configuration rather than displaying the current server after redirection.

Conditions:
Mac Edge client in use, with URL redirect

Impact:
URL displayed is the before-redirect URL.


389540 : media type is incompatible with other trunk members

Component: TMOS

Symptoms:
When trying to add interfaces from the 1.x group and from the 2.x group into the same trunk, you get an error: 01070619:3: Interface 2.1 media type is incompatible with other trunk members

Conditions:
Attempting to add interfaces with different media types.

Impact:
This operation fails. All interfaces added to a trunk must share the same media type and speed.


389397 : Setting platform.powersupplymonitor to disable on 12050/12250 platforms might not stop power supply error messages

Component: TMOS

Symptoms:
On 12050/12250 (D111) and 10350N (D112) platforms, setting the db variable platform.powersupplymonitor to disable might not stop power supply error messages on power supplies that are connected but not turned on.

Conditions:
This occurs on BIG-IP 12050/12250 (D111), 10350N (D112), and 10000s/10050s/10200v/10250v (D113) platforms on which platform.powersupplymonitor is set to disable.

Impact:
The power supplies in the system that are not turned on might log error messages until power is removed.

Workaround:
Remove power on disabled power supplies.


389328-1 : RSA SecurID node secret is not synced to the standby node

Component: Access Policy Manager

Symptoms:
When RSA SecurID node secret files are created on the active node, the files are not synced to the standby node. As a result, user will not be able to log on after switchover.

Conditions:
RSA node secret files are created on the active node after the first successful authentication.

Impact:
Service will be inaccessible after switchover.

Workaround:
1. Copy node secret files /config/aaa/ace/Common/<rsa_securid_aaa_server>/sdstatus.12 and /config/aaa/ace/Common/<rsa_securid_aaa_server>/securid from the active node to the same directory on the standby node.

2. Wait for at least 30 seconds

3. Execute the command "tmsh save sys config" to commit the changes to disk.


388678-2 : Parameter Names are missing on URLs :: Allowed URLs : Advanced Extractions screen

Component: Application Security Manager

Symptoms:
The parameter names are not displayed in the Advanced Extractions, Allowed URLs, and other screens.

Conditions:
This occurs when viewing Advanced Extractions

Impact:
This is a cosmetic issue in the GUI


386675-3 : rewrite plugin crash

Component: Access Policy Manager

Symptoms:
Certain headers can trigger a rewrite plugin crash. Errors in the rewrite log have this signature: "ERROR Occured with operation: tm_abort"

Conditions:
Access Portal configured with rewrite in use.

Impact:
The rewrite plugin can crash. Access traffic disrupted while it restarts.


386644 : B4300 blade may fail to join the cluster and reboot continuously

Component: TMOS

Symptoms:
When a B4300 blade is inserted into the VIPRION 4800 8-slot chassis, the blade fails to join the cluster and reboots continuously. This occurs because the VIPRION 4800 chassis only supports blades running BIG-IP 11.3.0 or later software.

Conditions:
This issue occurs when the blade boots to a boot location that contains software that is earlier than BIG-IP 11.3.0.

Impact:
As a result of this issue: -- The blade fails to join the cluster with multiple daemon cores and restarts. -- The BIG-IP LTM log contains messages that indicate that the mcpd process on the adjacent blades cannot be contacted and the newly added blade isolates itself as a primary blade. -- The blade reboots continuously.

Workaround:
Before removing a B4300 blade from a 4-slot chassis to insert into an 8-slot chassis, first ensure that 11.3.0 (or later) is the only software installed on that blade. For more information, see SOL14255: The B4300 blade may fail to join the cluster and reboot continuously, available at http://support.f5.com/kb/en-us/solutions/public/14000/200/sol14255.html.


385890-1 : tmm core

Component: Local Traffic Manager

Symptoms:
In rare cases tmm can core during normal operation with an HTTP profile in use.

Conditions:
It is not known exactly what triggers this condition.

Impact:
Traffic disrupted while tmm restarts.


385673-1 : Citrix storefront fails to load

Component: Access Policy Manager

Symptoms:
Clients report that they are unable to connect to Citrix Storefront. Error in /var/log/ltm: tmm3 err tmm3[11019]: 01220001:3: TCL error: /Common/_sys_APM_Citrix <ACCESS_SESSION_STARTED> - can't read "tmm_apm_citrix_username": no such variable

Conditions:
Citrix storefront configured

Impact:
Clients unable to connect


385345 : DHCP not supported on VIPRION platforms, but the system does not prevent its configuration, in pre-11.4.0 releases.

Component: TMOS

Symptoms:
Automatically configuring the management port IP address via DHCP is not supported on VIPRION platforms

Conditions:
This occurs on VIPRION systems. In pre-11.4.0 releases, the system did not prevent its configuration. Post-11.4.0, there is no option to configure it. However, it is still not supported.

Impact:
DHCP is not supported on VIPRION systems, but the system does not prevent its configuration in pre-11.4.0 versions.

Workaround:
None.


385143 : AVR does not comma-separate fields

Component: Application Visibility and Reporting

Symptoms:
When AVR remote logging is set for short messages (without description), a comma is missing between a few fields.
It is easy to distinguish these fields since they are enclosed with (").

Conditions:
DB variable md.showexternalloggingdescription is set to 0

Impact:
AVR does not comma-delimit the statistics.

Workaround:
If you are encountering this you can set md.showexternalloggingdescription to 1


384995-1 : Management IP changes are not synced to the device group.

Component: TMOS

Symptoms:
A device group shows a device as offline when it was previously working, and the device's management IP address has recently changed.

Conditions:
When the management IP is changed on a device in a trust domain, it is not updated in the device group even though its config sync IP is a SelfIP and config sync continues to work. Other devices show it offline under Device Management :: Devices.

Impact:
Incorrect device status displayed when looking at the device group.

Workaround:
To resolve this, the device that changed must be discovered from a device that is not changed.

Note: If you attempt to discover a device that is not changed from the device that is changed, the operation loses the hostname and other configuration objects.


382606-1 : TMM core caused by connection RSTs when iRule commands have temporarily suspended execution in SERVER_CONNECTED events.

Component: Local Traffic Manager

Symptoms:
TMM core occurs in response to connection RSTs when iRule commands have temporarily suspended execution in SERVER_CONNECTED events.

Conditions:
Rare race condition that occurs when iRule commands have temporarily suspended execution in SERVER_CONNECTED events.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


382052-1 : High memory usage when ssl profiles are in use

Component: Local Traffic Manager

Symptoms:
If you have one or more ssl profiles attached to virtual servers configured with peer-cert-mode set to Require, the certificates will be stored in memory and can consume a lot of system memory.

Conditions:
This can occur if a client or server SSL profile is configured with peer-cert-mode set to require (Client Certificate set to "Require"), and SSL session caching is enabled.

Impact:
High memory usage by the ssl profile(s).

Workaround:
If you do not require client certificates to be presented, you should disable this setting.


381258-2 : 'with' statement in web applications works wrong in some cases

Component: Access Policy Manager

Symptoms:
Web-application misbehavior (exception, wrong rendering, and so on).

Conditions:
If the JavaScript operator 'with' is used in web-application code and, if after rewriting, 'F5_ScopeChain' is found within the 'with' statement in these contexts:

...F5_Inflate_xxxxx(F5_ScopeChain,...

...F5_Deflate_xxxxx(F5_ScopeChain,...

...F5_Invoke_xxxxx(F5_ScopeChain,...

then this issue might occur.

Impact:
Web-application functionality.

Workaround:
As a workaround, an iRule can be used for changing an 'interesting' variable name within the function's body. No general iRule exists. For each case, a custom iRule must be created as workaround.


379236-1 : TMM process may core while using the COMPRESS::nodelay iRule command to process traffic

Component: Local Traffic Manager

Symptoms:
TMM process may core while using the COMPRESS::nodelay iRule command to process traffic. As a result of this issue, you may encounter the following symptoms:

-- A TMM core file generated at the time of the crash in the /shared/core directory.
-- The BIG-IP system may log SIGSEGV to the /var/log/tmm file.
-- The BIG-IP system temporarily fails to process traffic.

Conditions:
The COMPRESS::nodelay iRule command prevents the compression buffer from delaying the delivery of data to the client. This iRule command is useful in situations where you require the HTTP servers to stream dynamic information to the client in a single HTTP transaction through the BIG-IP system without having to disable HTTP compression.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
To recover from this issue, you can remove the COMPRESS::nodelay iRule command from the affected iRule. To do so, perform the following procedure:

Impact of procedure: Removing the COMPRESS::nodelay command may affect your servers streaming dynamic HTTP data to the client.

1. Log in to the BIG-IP Configuration utility.
2. Click Local Traffic.
3. Click iRules.
4. Click iRule List.
5. Click on the name of the affected iRule.
6. Locate and remove any entry containing the COMPRESS::nodelay command.
7. Click Update.


378967-8 : Users are not synchronized if created in a partition

Component: TMOS

Symptoms:
Users in partitions attached to sync-only device groups do not sync to other devices in that device group.

Conditions:
There are users whose active partitions are attached to a sync-only device group.

Impact:
This affects sync-only device groups only, not the failover device group.

Workaround:
None.


376000-3 : Uploading files through APM portal access sometimes fails

Component: Access Policy Manager

Symptoms:
Sometimes uploading files when accessing a web application using APM Portal Access mode could fail. This includes sending an email message with an attached file using OWA.


375887-1 : Cluster member disable or reboot can leak a few cross blade trunk packets

Component: Local Traffic Manager

Symptoms:
Using the cluster member 'disable' command with a trunk that spans blades might cause a brief period where received broadcast and multicast packets egress out the enabled trunk members of the cluster.

Conditions:
This occurs on a trunk that spans blades.

Impact:
To an external device running spanning tree protocol or variant, this can look like a loop.

Workaround:
None.


375434-2 : HSB lockup might occur when TMM tries unsuccessfully to reset HSB.

Component: TMOS

Symptoms:
An HSB lockup might occur when the TMM driver tries to reset HSB and the effort is not successful. After several failed attempts, a bad DMA packet causes tmm to crash. This failure can also result in a "DMA lockup on transmitter failure" reported in the TMM log files.

Conditions:
This occurs on HSB platforms that have AMD processors, which include the BIG-IP 6900, 8900, 8950, 11000, and 11050N platforms, and the VIPRION B4200 and B4200N blades.

Impact:
The HSB is non-functional and requires reinitialization. This occurs after the BIG-IP is rebooted, which is automatically triggered when this condition occurs.

Workaround:
None.


373949-1 : Network failover without a management address causes active-active after unit1 reboot

Component: TMOS

Symptoms:
A device in a Device Service Cluster may erroneously claim Active status when it is rebooted. This results in an Active/Active situation, which may resolve itself by causing a failover.

Conditions:
If a Device Service Cluster is configured with only self-IPs for unicast network failover communication, or if the management network between the peers is unavailable, the device may not detect that the peer is active when it is starting up. When using only self-IPs, communication with the peers is disrupted while the TMM is starting up.

Impact:
Unexpected failover may cause traffic interruption.

Workaround:
Configuring multiple redundant network failover paths, including the management network, will reduce the possibility of this problem.


372332-2 : Unnecessary buffering of client-side egress in some circumstances.

Component: Local Traffic Manager

Symptoms:
BIG-IP can perform unnecessary buffering of client-side egress in some circumstances. This can cause a tmm crash on out of memory. Analysis of the core by support indicates that the system has run out of memory.

Conditions:
It is not known what triggers this event to occur but it has been observed when modules like APM and ASM are enabled.

Impact:
Traffic disrupted while tmm restarts.


369352-1 : No verification prompt when executing 'load sys config default' for resource administrator role

Component: TMOS

Symptoms:
When you are logged in as a resource administrator, the command "load sys config default", which restores the configuration to factory defaults, does not prompt for verification as it should. If you execute the command from a normal administrator role, you do get a prompt.

Conditions:
Log in as a resource administrator.
Run "load sys config default".
The restore begins without a verification prompt.

Impact:
System restore initiated without prompt when run as a resource administrator.

Workaround:
None.


366011-1 : ---

Component: Application Security Manager


365764-1 : Loading UCS with no custom partition fails on system with GTM objects defined in custom partition

Component: TMOS

Symptoms:
Loading a UCS with no custom partition in it fails on a system that has any GTM objects defined in a custom partition.

Conditions:
This applies when a GTM configuration exists in a custom partition.

Impact:
Requires manual intervention to load a UCS archive.

Workaround:
To work around this issue, delete all GTM objects in a custom partition prior to loading a UCS using a command similar to the following: rm -f /config/partitions/partition_name/bigip_gtm.conf. Then load the configuration using a command similar to the following: tmsh load sys config gtm-only partitions all


364981-2 : Changing 'Idle time before automatic logout' to non-default causes CPU usage to increase

Component: TMOS

Symptoms:
On the System :: Preferences screen, changing 'Idle time before automatic logout' to any non-default value causes the CPU usage to increase.

Conditions:
Changing 'Idle time before automatic logout' to non-default.

Impact:
CPU usage increases.

Workaround:
To work around this issue, stop the iControlPortal.cgi processes by running the following command: killall iControlPortal.cgi. For more information, see SOL13679: The BIG-IP system fails to shut down the iControlPortal.cgi process when the 'Idle time before automatic logout' setting is modified, available here: http://support.f5.com/kb/en-us/solutions/public/13000/600/sol13679.html.


362619-1 : Memory leak in rtstats (real-time statistics) process

Component: TMOS

Symptoms:
When end-users open the Dashboard (statistics GUI) rtstats memory size will continuously grow. This memory is not released when the Dashboard is closed.

Conditions:
The process leaks only when end-users have the Dashboard (GUI) open.

Impact:
Leak can lead to out-of-memory condition.

Workaround:
Avoid use of Dashboard (statistics GUI). Most statistics can be gleaned from other locations in the GUI or via tmsh.


362267-4 : Configuring network failover on a VIPRION cluster using the blade management addresses results in 'Cannot assign requested address' errors

Component: TMOS

Symptoms:
If a user configures network failover on a VIPRION that uses a blade's management address as the unicast address, the other blades cannot use this address and issue an error message. This is correct operation.

Conditions:
System is configured with per-blade management addresses as unicast network failover addresses.

Impact:
The system posts error messages that appear severe. However, there is no impact to system functionality.

Workaround:
No workaround is needed (under these conditions, message is cosmetic), but the use of multicast failover avoids the messages.


359774-3 : Pools in HA groups other than Common

Component: TMOS

Symptoms:
In v11.x, pools used in an HA group must be in Common. If the user has a v10.x configuration that has pools in different partitions that are used in an HA group, an upgrade to v11.x fails.

Conditions:
HA group pools in administrative partitions other than Common.

Impact:
Upgrade fails.

Workaround:
None, except ensuring that all pools used in HA groups exist in the Common administrative partition.


354406-2 : APM access policy on SNAT pool

Component: Access Policy Manager

Symptoms:
When a virtual server is configured to use a SNAT pool for doing source NAT of the traffic between the virtual and backend servers, if one of the IP addresses used in SNAT pool is a self-IP, the access policy does not work for the virtual server.

Conditions:
SNAT pool contains a selfip address

Impact:
Access policy fails, client is unable to connect.

Workaround:
Ensure the SNAT pool does not have a selfip address in it.


352848-1 : HTTP client request followed by pipelined request with iRule

Component: Local Traffic Manager

Symptoms:
If an HTTP client sends a request with a body, and there is a pipelined request following it, and there is an iRule performing an HTTP::collect, then the HTTP::payload command may include data from the following requests.

Conditions:
HTTP client request followed by pipelined request with iRule.

Impact:
HTTP::payload command may include data from the following requests.

Workaround:
None.


348000-10 : HTTP response status 408 request timeout results in error being logged.

Component: Local Traffic Manager

Symptoms:
HTTP response status 408 request timeout results in error being logged.

Conditions:
HTTP profile is attached to a virtual server. 408 response status is received from server and is not preceded by request from the client.

Impact:
The 408 response status received is consumed and the connection is reset. The response never makes it to the client. The following error is reported in the log: http_process_state_prepend - Invalid action EV_INGRESS_DATA during ST_HTTP_PREPEND_HEADERS.

Workaround:
None.


345930-1 : LC: The "IPv6 NoError Response" and "Enabled" fields are missing for wide IPs

Component: TMOS

Symptoms:
The "IPv6 NoError Response" and "Enabled" fields are missing input controls for Inbound Wide IPs in the Link Controller UI.

Conditions:
Using Link Controller module and hoping to modify the "IPv6 NoError Response" and "Enabled" fields

Impact:
The customer must use TMSH to change these configuration options.

Workaround:
For IPv6 NoError Response, run the command:
"tmsh modify <wideip> ipv6-no-error-response enabled".

To enable or disable a Wide IP, you can either enable/disable through the Wide IP List page in the UI: Link Controller :: Inbound Wide-IPs :: Wide IP List or through tmsh:
"modify gtm wideip <wideip name> enabled"


337934-8 : remoterole: attributes ending in 'role' or 'deny' will be parsed incorrectly

Component: TMOS

Symptoms:
The remoterole configurations in which one of the attributes ends in 'role' will have that attribute truncated. Also this could happen with an attribute that ends in 'deny' and has a deny directive.

Conditions:
remoterole attributes ending in 'role'. May also happen with attributes ending in 'deny'.

Impact:
Parsing truncates attributes.

Workaround:
Do not use remoterole configurations in which one of the attributes ends in 'role' or one that ends in 'deny' that has a deny directive.


224903-2 : CounterBasedGauge64 MIB values do not work with Network Management Systems. The MIB should be Gauge32.

Component: TMOS

Symptoms:
CounterBasedGauge64 MIB values do not work with Network Management Systems. The MIB should be Gauge32.

Conditions:
CounterBasedGauge64 MIB values.

Impact:
CounterBasedGauge64 MIB values do not work with Network Management Systems.

Workaround:
None.


223446-2 : The persist cookie insert and persist cookie rewrite iRule commands can fail to set session cookies

Component: Local Traffic Manager

Symptoms:
The persist cookie insert and persist cookie rewrite iRule commands fail to set session cookies when the expiration time is not explicitly listed.

Conditions:
When invoked with no additional arguments, the persist cookie insert and persist cookie rewrite iRule commands should set a session cookie. However, due to the issue described in this article, the iRule commands set a cookie that expires after 180 seconds.

In versions prior to 11.3, the same issue also occurs if the aforementioned iRule commands are invoked with the 0d 00:00:00 optional expiration argument, which tells the BIG-IP system to set a session cookie. 11.3 and above interpret an expiration argument of 0 correctly, and set a session cookie.

Impact:
TMM sets a cookie that expires in 180 seconds instead of a session cookie.

Workaround:
In 11.3 and above, explicitly specify a 0 for the cookie timeout in the iRule. In previous versions, set the persist profile timeout to 0.




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade


*********************** NOTICE ***********************

For additional support resources and technical documentation, see:
******************************************************
Generated: Fri Sep 23 08:11:16 2016 PDT
Copyright F5 Networks (2016) - All Rights Reserved
