Applies To:

Show Versions Show Versions

Supplemental Document: Release Information: Hotfixes: BIG-IP 11.5.1

Original Publication Date: 09/28/2016

BIG-IP Hotfix Release Information

Version: BIGIP-11.5.1
Build: 207.0
Hotfix Rollup: 11

Cumulative fixes from BIG-IP v11.5.1 Hotfix 10 that are included in this release
Cumulative fixes from BIG-IP v11.5.1 Hotfix 9 that are included in this release
Cumulative fixes from BIG-IP v11.5.1 Hotfix 8 that are included in this release
Cumulative fixes from BIG-IP v11.5.1 Hotfix 7 that are included in this release
Cumulative fixes from BIG-IP v11.5.1 Hotfix 6 that are included in this release
Cumulative fixes from BIG-IP v11.5.1 Hotfix 5 that are included in this release
Cumulative fixes from BIG-IP v11.5.1 Hotfix 4 that are included in this release
Cumulative fixes from BIG-IP v11.5.1 Hotfix 3 that are included in this release
Cumulative fixes from BIG-IP v11.5.1 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v11.5.1 Hotfix 1 that are included in this release
Known Issues in BIG-IP v11.5.x

Vulnerability Fixes

ID Number CVE Solution Article(s) Description
600662-6 CVE-2016-5745 SOL64743453 CGNAT: NAT64 vulnerability CVE-2016-5745
599168-6 CVE-2016-5700 SOL35520031 BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
598983-6 CVE-2016-5700 SOL35520031 BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
569467-10 CVE-2016-2084 SOL11772107 BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.
580596-6 CVE-2013-0169 CVE-2016-6907 SOL14190 SOL39508724 TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Description
595874-2 3-Major Upgrading 11.5.x/11.6.x hourly billing instances to 12.1.0 fails due to license SCD.
556277-7 3-Major Config Sync error after hotfix installation (chroot failed rsync error)
547047-9 3-Major Older cli-tools unsupported by AWS
499537-4 3-Major Qkview may store information in the wrong format
494029-2 5-Cosmetic During boot the econsole shows "/etc/rc3.d/S15cluster: line 225: ebtables: command not found"


Local Traffic Manager Fixes

ID Number Severity Description
557645-8 3-Major Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.

 

Cumulative fix details for BIG-IP v11.5.1 Hotfix 11 that are included in this release

600662-6 : CGNAT: NAT64 vulnerability CVE-2016-5745

Vulnerability Solution Article: SOL64743453


599168-6 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700

Vulnerability Solution Article: SOL35520031


598983-6 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700

Vulnerability Solution Article: SOL35520031


595874-2 : Upgrading 11.5.x/11.6.x hourly billing instances to 12.1.0 fails due to license SCD.

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) instances that use the Amazon Web Services (AWS) hourly billing license model may fail when upgrading to version 12.1.0.

As a result of this issue, you may encounter the following symptom:

After upgrading to version 12.1.0, the BIG-IP VE instance license is invalid.

Conditions:
This issue occurs when all of the following conditions are met:

-- You have BIG-IP VE instances that use the hourly billing licensing model.
-- Your BIG-IP VE instances are running 11.5.x or 11.6.x software versions.
-- Your BIG-IP VE instances are running within the AWS EC2 environment.
-- You upgrade the BIG-IP VE instance using the liveinstall method.

Impact:
BIG-IP VE instance licenses are not valid after upgrading to software version 12.1.0.

Workaround:
To work around this issue, you can use the liveinstall method on the hotfix image directly (instead of installing the base software image and then the hotfix image). To do so, perform the following procedure:

Impact of workaround: Performing the following procedure requires rebooting the system and should be performed only during a maintenance window.

Download the BIGIP-12.1.0.0.0.1434.iso and Hotfix-BIGIP-12.1.0.1.1.1447-HF1-ENG.iso files to your workstation. For more information about downloading software, refer to SOL167: Downloading software and firmware from F5.
Copy the downloaded files from your workstation to the /shared/images directory on the VE instance.
To perform the installation by using the liveinstall method, and reboot the BIG-IP VE instance to the volume running the new software, use the following command syntax:

tmsh install sys software hotfix Hotfix-BIGIP-12.1.0.1.1.1447-HF1-ENG.iso volume <volume-number> reboot

For example, to install the hotfix to volume HD1.3 and reboot to the volume running the newly installed software, type the following command:

tmsh install sys software hotfix Hotfix-BIGIP-12.1.0.1.1.1447-HF1-ENG.iso volume HD1.3 reboot
 
Verify the installation progress by typing the following command:
tmsh show sys software

Output appears similar to the following example:

Sys::Software Status
Volume Product Version Build Active Status
----------------------------------------------------------------
HD1.1 BIG-IP 12.0.0 0.0.606 yes complete
HD1.2 BIG-IP 12.1.0 0.0.1434 no complete
HD1.3 BIG-IP 12.1.0 0.0.1434 no installing 6.000 pct

Fix:
BIG-IP VE instances that use the AWS hourly billing license model now complete successfully when upgrading to version 12.1.0.


580596-6 : TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907

Vulnerability Solution Article: SOL14190 SOL39508724


569467-10 : BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.

Vulnerability Solution Article: SOL11772107


557645-8 : Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.

Component: Local Traffic Manager

Symptoms:
Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.

Conditions:
VIPRION 2200 and 2400 platforms with more than one blade.

Multiple devices in an HA configuration.

TMM incorrectly identifies which TMM should handle host connections from an HA peer.

The host connection will be reset after the SYN retransmits are exceeded between TMM and the host process.

Impact:
Periodic reported failures in host-to-host communication. This could affect config sync, and other HA related communication.

Workaround:
None.

Fix:
Host communication on VIPRION 2200 and 2400 platforms behaves the same as host communication on non-VIPRION 2200 and 2400 platforms, as expected.


556277-7 : Config Sync error after hotfix installation (chroot failed rsync error)

Component: TMOS

Symptoms:
Once an installation has been booted into, applying a hotfix over that installation does not change the SELinux policy, but instead uses the previously installed SELinux policy.

Conditions:
This affects installations of a later hotfix atop an earlier hotfix, or onto a base build of the same software version. Installation onto a new volume is unaffected.

To determine whether the configuration will experience this issue, use md5sum to see whether the following have the same checksums:
-- /etc/selinux/targeted/modules/active/modules/f5_mcpd.pp
-- /usr/share/selinux/targeted/f5_mcpd.pp.

If the checksums are the same, the system will use the SELinux policy installed with the previous hotfix, and this issue will occur.

Impact:
Sync of file objects might fail with an error similar to the following:

01071488:3: Remote transaction for device group [name] to commit id [number] failed with error 01070712:3: Caught configuration exception (0), verify_sync_result:() :Failed to sync files. - sys/validation/FileObject.cpp, line 6276..

Workaround:
Instead of installing the hotfix over an existing installation of the base build of that version (or an earlier hotfix), install the base ISO (for example 11.5.4) into a volume, and then install the hotfix onto that volume, without booting the volume in between.

Fix:
Installing a hotfix over an existing base install now rebuilds the SELinux policy as expected.


547047-9 : Older cli-tools unsupported by AWS

Component: TMOS

Symptoms:
Older EC2 tools stopped working in some AWS regions.

Conditions:
This can happen in some AWS regions.

Impact:
BIG-IP high availability configurations may stop working in some AWS regions.

Workaround:
None.

Fix:
F5 Networks added the latest available version (1.7.5.1) of EC2 tools in this release/hotfix.


499537-4 : Qkview may store information in the wrong format

Component: TMOS

Symptoms:
When creating a new monitor, some information may be stored in the wrong format.

Conditions:
Create a new monitor. Run qkview.

Impact:
Occasionally, some information stored for the new monitor will be in the incorrect format.

Workaround:
None.

Fix:
Monitor information is now stored in the correct format.


494029-2 : During boot the econsole shows "/etc/rc3.d/S15cluster: line 225: ebtables: command not found"

Component: TMOS

Symptoms:
During boot the console shows "/etc/rc3.d/S15cluster: line 225: ebtables: command not found"

Conditions:
The issue occurs during startup on BIG-IP systems which do not support vCMP.

Impact:
This issue is purely cosmetic, it does not affect the BIG-IP operation in any way.

Fix:
Console messages about a missing ebtables command no longer appear during BIG-IP system startup.




Cumulative fixes from BIG-IP v11.5.1 Hotfix 10 that are included in this release

Note: F5 has recently changed the bug numbering scheme in our bug tracking database. Now all bugs have a single version assigned to them and so bugs can now have sub bugs denoted by a '-' and then the sub bug number, i.e. 404716-4 with 404716 being the parent bug. The release notes for previous rollups will also reflect this change so some bugs may now contain a sub bug prefix.

Local Traffic Manager Fixes

ID Number Description
511651-1 Performance improvement in packet processing.

 

Cumulative fix details for BIG-IP v11.5.1 Hotfix 10 that are included in this release

511651-1 : Performance improvement in packet processing.

Component: Local Traffic Manager

Symptoms:
There is a potential memory leak.

Conditions:
Undisclosed conditions for fragmented packet processing.

Impact:
Memory leak.

Workaround:
1. External Firewall 2. F5 AFM product can be used.

Fix:
Fixed memory leak related to packet processing.




Cumulative fixes from BIG-IP v11.5.1 Hotfix 9 that are included in this release


TMOS Fixes

ID Number Description

523032-4

Resolves CVE-2015-3456 security vulnerability, known as "Venom".


Cumulative fixes from BIG-IP v11.5.1 Hotfix 8 that are included in this release


TMOS Fixes

ID Number Description

481410-2

Automated Phone Home update check time is randomized to prevent intermittent problem when all machines would access the service at once.

492809-1

Ensured the APM stats code no longer leaks memory.

494078-2

The fix strengthens certificate validation, including hostname verification.

503237-6

CVE-2015-0235 : glibc vulnerability known as Ghost.

453489

Suppressed extraneous warning messages caused by ssh connections from peers on the 127.0.0.0/8 subnet.


Application Security Manager Fixes

ID Number Description

496849-4

We fixed a vulnerability in the ASM/DPI/FPS signature update mechanism.


Cumulative fixes from BIG-IP v11.5.1 Hotfix 7 that are included in this release


TMOS Fixes

ID Number Description

490577-1

An issue has been corrected which could result in the TMM process crashing and leaving a core during process shutdown.

492367-2

CVE-2014-8500.

492368-2

CVE-2014-8602.

497579-2

An issue has been corrected which can prevent a vCMP guest from processing SSL and compression traffic.


Access Policy Manager Fixes

ID Number Description

493993-1

In APM HA environments, the system now prevents global status from being updated before the initialization is completed on a standby device. TMM on the standby no longer dumps core files on startup.


Cumulative fixes from BIG-IP v11.5.1 Hotfix 6 that are included in this release


TMOS Fixes

ID Number Description

439559-1

If an APM policy sync puts the new policy on a member of a sync-failover device group then the sync of the sync-failover group used to fail. This now succeeds.

449100-2

Tunnel interfaces can be used by iRUle nexthop/lasthop commands to set a flow's nexthop/lasthop behaviors. 1. To send traffic to the tunnel, use "nexthop tun0 ..." on CLIENT_ACCEPTED iRule event, or "lasthop tun0 ..." on SERVER_CONNECTED iRule event. 2. A point-to-point tunnel can be supplied with an IP address, although it does not have an effect. 3. A wild-card tunnel can be supplied with the IP address of the remote-point to build the tunnel on the fly.

455311-3

vCMP guests access to the management network of the hypervisor has been restricted.

457166-1

An issue has been resolved which affected the ability to modify a vCMP guest's management network mode.

459155-4

Included the physdev netfilter module into the BIG-IP kernel package.

459694-1

vCMP guests ability to interfere with the management network of the hypervisor has been restricted.

459753-3

"bigstart restart" on a secondary blade no longer causes clusterd to restart continuously.

459973-3

You can now disable the Include Cluster option using the GUI.

462315-2

Saving a single partition out of the configuration ('save sys config' with the 'partitions { p1 }' option) now writes the configuration file properly. It previously appended to the file but now overwrites it as it should.

462943-4

Resolved issue where rewrite CSS filter/parser may use stale iovs in declaration_state resulting in SIGSEGV.

470796-3

CVE-2014-4023

471070-1

Users with access to the client SSL profile now have access to the clientssl_certkeychain configuration items.

471704-4

The vcmpd process is no longer vulnerable to malicious data passed from a vCMP guest.

476157-12

Security patches applied to krb5 library.

477959-1

Internal structure improvements, no customer facing functionality changes have been made.

478922-4

Resolved issue that ICSA logging did not contain information that is required for certification.

481648-2

The ipaddrTable's ipAdEntIfIndex value now matches the ifTable's ifIndex value for the same interface.

483436-2

Update to AWS License files

484453-1

Reduced the log level for registering with the LOP (lights out processor) to the debug level.

484635-2

CVE-2014-3513 CVE-2014-3567 CVE-2014-3566 CVE-2014-3568: Update OpenSSL to latest.

487800-3

The guest-specific configuration information blocks are now isolated from each other and the hypervisor is protected against invalid data injected by a vCMP guest.

474805

Internal build improvement.

476521

Use true timeout instead of retries limit in when to give up initializing FIPS device, and subsequently power cycle the unit to recover FIPS device.

477611

Apply DAG Round Robin to icmp echo only.

477888

ICSA logging no longer missing information that is required for certification.

479152

This release includes functionality to leverage hardware parity error mitigation capabilities, which reduces the number of fatal errors.

483762

MAC address conflicts no longer occur between vVMP guests.

484399

OVA will only create 1 slot and leave the remaining disk space free.

486514

The crash that happens in AFM logging module, when the TCP connection to a log destination server is re-established is fixed.

488461

Improve base build process and remove duplicate code.

492333

Resolved an sys-icheck bug that caused an auto_schema misconfiguration. This occured on all platforms.

492460

This error message used to occur intermittently when trying to delete a virtual and using sFlow: 01070265:3: The Virtual Server () cannot be deleted because it is in use by a sflow http data source (). This no longer occurs.


Local Traffic Manager Fixes

ID Number Description

226892-11

Resolved intermittent issue when return packets were dropped after configuring packet filters for DNS traffic or traffic with IP fragments.

424931-6

Creation of a large file, such as a UCS archive is now handled correctly, and csyncd process no longer causes high CPU utilization.

428864-2

Lowering the virtual server connection limit now works, even when traffic is already being processed

433946-1

Benign rsync errors are no longer logged in /var/log/ltm and instead are tracked via stats in the 'csync_stat' table.

436097-1

when the tmm restarts, pkcs11d also must be restarted automatically if present.

436811-4

Pool member status are updated correctly if there are multiple database monitors configured to the same ip::port destination.

437875-3

This spurious error message may have previously been displayed when the local user database feature is configured: 01071704:3: Not running command (/usr/libexec/localdb_mysql_restore.sh) because the request came from an untrusted connection. This error message has always been harmless, but now it no longer is displayed.

437906-3

WebSockets and the HTTP CONNECT method now work with OneConnect.

439424-1

SafeNet HSM install now needs to be done only on the primary slot on the BIG-IP cluster-mode chassis systems such as VIPRION. A single install on the primary slot will take care of installing SafeNet on all active slots. On any already-open sessions to the BIG-IP slot(s), the PATH environment variable will need to be reloaded by executing 'source ~/.bash_profile' in order to be able to use SafeNet utilities. If at a later stage, a new blade is added or a disabled or powered-off blade is made active or is powered-on, the user will have to run 'safenet-sync.sh -p ' *only* on the new secondary slot. If the new slot is made primary before running safenet-sync.sh on it, then the regular install procedure using nethsm-safenet-install.sh will be required on the new primary slot.

439490-3

The BIG-IP system now reconnects to SafeNet HSM if the connection is interrupted, so connections continue as expected.

439513-1

NETHSM: Initial few connection drops after each tmm restart

439540-2

To fix this issue, restart the pkcs11d process. The command is "tmsh restart sys service pkcs11d".

441894-1

Pkcs11d watchdog functionality to avoid manual restart.

443098-6

The Proxy SSL feature no longer leaks memory.

447515-3

Resolved intermittent issue that could cause an eventual crash when an iRule was parked longer than the time-out which caused the flow to be deleted but then the iRule is resumed and becomes in a bad state due to the missing flow.

449798-4

An issue has been corrected that potentially caused blade failures on secondary blades in a VIPRION chassis to have subsequent issues executing health monitors.

450031-2

Log messages are no longer observed when tm.rejectunmatched is set to false.

450804-2

Improved TLS finish messages.

451218-3

CVE-2014-8730: Corrected Nitrox TLS padding.

452121-1

BIG-IP now supports multiple SafeNet network-HSMs configured in a HA group.

452628-2

Add a bigdb variable for the pkcs11d threads.

453358-3

The memory leak is fixed.

454465-3

CVE-2014-8730: Corrected TMM TLS padding

454476-2

In the event of an invalid parameter in the clienthello, the correct TLS version will be set in the alert.

454636-4

The logging destination IP address only matches virtual servers, so no HSL logging is lost.

454692-2

Assigning 'after' object to a variable no longer causes memory leaks.

456859-3

Interface to hardware compression has improved allocation strategy.

458556-1

tmm will no longer core on startup when traffic arrives before transitioning to cmp ready.

460868-1

TMM no longer crashes if network HSM is improperly configured.

461578-2

This release provides improved handling of large objects in the session database.

462163-1

Allow Non Blade 0 MPI communication even after congestion.

462649-2

TMM no longer crashes under heavy load.

463902-1

Flat-buffer allocator for hardware compression tuned to be less greedy.

464163-2

Customized cert-key-chain of the child client-ssl profile is reverted to parent's profile cert-key-chain during config load.

467868-1

Previously, mcpd might leak memory when returning an error message that contained the reason for a monitor failure. The message now reports the reason without leaking memory.

469705-3

TMM will set a known route domain when processing SIP Requests to prevent panics caused by an invalid route domain.

471073-1

Now, when tmm is restarted, all HA connections are reestablished.

474757-16

OpenSSL Security Advisory 8/6/14 (1.0.1i Update).

477967-1

MPTCP component now correctly applies TSO processing to outbound packets, so tmm no longer segfaults.

480113-1

FIPS exported keys can now be successfully installed in FIPS cards without causing config-sync failure.

480699-1

Increased the maximum statemirror.queuelen db variable limits. If necessary, the statemirror.queuelen can now be increased beyond 256 MB up to 1 GB. Note that increasing the statemirror.queuelen increases memory requirements to approximately twice the queuelen multiplied by the number of tmms, and also increases the time required to detect an error in the mirroring connection. The statemirror.queuelen should be kept as low as possible to prevent repeated failure.

483328-1

SSL virtual servers now successfully negotiate SSL handshake, so the device no longer logs the following message: crit tmm[14270]: 01260000:2: Profile name-of-profile: could not load key/certificate.

485188-2

When the SSL ClientHello contains the SCSV marker, if the client protocol offered is not the latest that the virtual server supports, a fatal alert will be sent.

488208-3

Proper upgrade to OpenSSL 1.0.1j.

470394

The BIG-IP system calculates the correct number of members in the active priority group when the slow ramp feature is triggered.

470994

tmm now correctly applies TSO processing to outbound packets, so tmm no longer segfaults.

475055

Resolved core caused by accounting miscalculation of Nitrox I/O flows

477753

This change allows to use immediate idle timeout on UDP serverside flows as a workaround for SIP message loss and/or connection failures if (and only if) the logic of the SIP processing does not expect any return traffic to match the serverside connections. Configuration that require this workaround, but which expect return traffic to match the serverside flow could not have worked correctly (without specific iRule based band-aids) even prior to the first affected version.

480299

The Virtual Address throttling delayed update mechanism has been made more robust, and will now send delayed updates (roughly 3 seconds after change) regardless of previous status, guaranteeing that Virtual Address status will reach all subscribers.

483974

Unrecognized options are now ignored.

484429

TMM still log critical-level messages, but the system function properly and traffic is not affected.

486066

tmm does not core


Global Traffic Manager Fixes

ID Number Description

477240-1

SSL properly renegotiates rather than terminates connections when the session expires.

487808-2

Link cost and inbound link path load balancing software support has reached EOL. (See Solution 15834)


Application Security Manager Fixes

ID Number Description

248487-5

The enforcer does not convert parameter values into the web application language when parameters are defined as "file upload" or "ignore value" in the security policy.

434461-4

Improved the system's integration with IBM Guardium.

435520-3

We fixed an issue that sometimes stopped you from deleting an ASM security policy that was created using a template after you rolled-forward the policy's configuration from a previous version.

454142-1

Resolved intermittent Enforcer crash due to specific requests

461028-1

vCMP: We fixed an issue that caused the Enforcer to crash in a clustered environment.

471103-2

There is a new internal parameter: "ignore_null_in_multipart_text". When the internal parameter is set, a null in request violation is not issued when a null appears in the request. If the parameter is defined as file upload in the security policy, no violation is issued. If the parameter is defined as something else, the violation "null in multipart request" is issued. If the parameter is not defined in the security policy, the violation "null in request" is issued.

476179-2

Brute force reporting: The brute force reported operation mode (Transparent or Blocking) is now the same when the attack starts and ends. Previously, sometimes the system would change the operation mode logged when the attack ended.

476191-2

To enable you to bypass unicode validation on XML and JSON profiles, we added two internal parameters: - relax_unicode_in_xml: The default is 0 which is the current behavior. When the value is changed to 1, a "bad unicode character" does not produce an XML malformed violation. A "bad unicode character" might be a legal unicode character that does not appear in the mapping of the system's XML parser. - relax_unicode_in_json: The default is 0 which is the current behavior. When the value is changed to 1, a "bad unicode character" does not produce a JSON malformed violation. A "bad unicode character" might be a legal unicode character that does not appear in the mapping of the system's JSON parser.

481572-2

We fixed an issue that caused the system to not report a navigation parameter that appeared in the POST data.

481792-2

We fixed an issue of specific requests the sometimes caused the Enforcer to crash.

476621

We fixed an issue where Bot Detection in the Web Scraping feature created JavaScript errors in the web application using Internet Explorer.

483491

We fixed a memory corruption issue.


Application Visibility and Reporting Fixes

ID Number Description

481541-2

Memory leak in the monpd daemon that occurred in some situations has been resolved.

486327-1

Web Application Security Administrator added to the list of allowed administrators.


Access Policy Manager Fixes

ID Number Description

337178-4

BIG-IP Edge Client falls back to TLS from DTLS if http-proxy is used.

398657-7

The active session count graphs no longer becomes significantly large at times due to a counter underflow.

403660-4

Application icons (Finder, Spotlight, Launchpad, Notification Center, Dock, Menu Bar) have been updated for retina displays.

418850-2

AD may now be the last auth agent in the VMWare view access policy. Username/password/domain preserved and then passed to the backend.

420989-3

When using an access policy with Windows Logon Integration, if you are denied access once, you can try again.

420990-3

Support for smart cards was added to Client Cert Inspection and On Demand Cert Inspection with Windows Logon Integration.

421901-1

showrestorebutton:i:0 can be specified in RDP Custom Parameters. Users just won't see this 'Restore down' button anymore.

422818-4

"Store information about client software in session variables" setting is removed from the Visual Policy Editor for these Endpoint Security (Client-Side) software checks: Antivirus, Anti-Spyware, Firewall, Hard Disk Encryption, Patch Management, Peer-to-peer, and Windows Health Agent.

426623-13

Improved PAC file download mechanisms

427830-6

Network Access connection will not be established if PAC file specified in NA resource cannot be downloaded within 30 seconds.

429362-7

EDGE Client properly reconnects when network connectivity is restored. Previously full reconnection was done in this case and the previous session was not removed.

430531-3

Computer group policy settings are updated after establishing VPN connection with Windows Logon Integration.

431810-4

Processing is now provided for exceptions that could occur when using a Kerberos auth agent in a multi-domain SSO configuration.

432333-13

Java Application Tunnels now work when Microsoft Internet Explorer 11 runs with Enhanced Protected Mode. However, the tunnel is bound to 127.0.0.1 due to limitations of this mode.

433243-5

BIG-IP IdP subtracts three minutes from the NotBefore timestamp in an assertion to accommodate Service Providers whose clocks might be behind.

436177-5

Fixed arbitrary commands execution: check cab file and webpage are located on same server.

436180-6

Edge Client will only install controls from trusted hosts.

436183-5

Check if critical section object was initialized before deleting it.

438292-8

Resolved issue of Web AppTunnel re-using wrong existing loopback for different backend server IP.

438730-3

Fixed BSOD caused by DNS relay filtering driver in very specific condition on Windows XP SP3.

439280-14

When installing VPN driver on Windows 8.1 with partially uninstalled VPN driver, BSOD no longer occurs.

440792-6

Client proxy settings specified in a Network Access resource are applied without an occasional miss now.

441318-2

The special character "." can now be used for a user name.

441355-2

Improved VMWare View native client error reporting and prompting for the new password.

441507-4

SWF parser now correctly rewrites a compressed object when the compressed body is followed by data.

441830-8

Incorrect overriding of VPN driver was causing BSOD. Old driver is now uninstalled before new one is installed.

442598-1

Do not close session if session timeout check request fails.

447013-3

Browser detection JavaScript improved to support Internet Explorer 11

447302-2

APM correctly supports 'redirect' ending in an access policy for web browser clients when deployed for Citrix Web Interface in proxy mode.

449141-4

Notifications to the user when the BIG-IP Edge Client must reboot to complete updates have been improved.

450155-5

Fixed incorrect handling of component installer which was resulting in a MSI installer to believe that installation had failed.

451213-2

Added logs to distinguish static ip allocation from dynamic ip allocation.

451864-4

Always preserve locally configured DNS suffixes when establishing VPN connection.

452614-5

Edge client now contains RSA SecurID software token support for OS X

452618-4

LDAP servers in a pool will now timeout correctly if a node can not be reached

452621-4

Logon page changes for integrating RSA Soft token SDK with edge client.

452625-7

Edge client cannot automatically retrieve RSA SecurID software token if configured on Logon page

453188-2

Custom Dialer no longer stays in an Authenticated state for 40 seconds to negotiate the IPv6 protocol when IPv6 is not enabled.

454322-3

When Allow Local DNS Servers option is enabled, DNS servers from interfaces which are down, won't be added to VPN exclusion list.

456911-2

A certain scenario in GTM deployement was fixed where access to certain corporate resource might be denied despite network access connection.

458167-4

Improve logging and error code checks for EAM / OAM component.

459870-3

Now BIG-IP Edge Client in Always Connected mode properly processes cancelling captive portal detection.

459953-2

When an LDAP query runs and the user password is not retrieved or necessary, a misleading error message about NULL cyphertext is no longer logged.

460265-1

apmd crashes with null tcl interpreter object. This is now fixed.

462258-4

after fix, a ldap operation times out in 3 minutes, so a thread will not block any other and service can recover as soon as connection to backend is restored.

462481-1

OAM code is fixed with proper exception handling where Oracle API calls are made.

463505-4

Added factor authentication support for to Edge Client soft token integration.

463538-4

Edge Client now correcting sends PIN for RSA Soft Token clients while in New Pin mode.

463735-4

[SecurID SDK] In case of PIN change user is prompted to input Passcode to PIN field.

463776-3

VMware View client does not freeze when APM PCoIP is used and user authentication fails against VCS 5.3

464313-2

Now dynamically created forms with absolute action path are handled correctly even with non-empty BASE tag.

464319-2

[SHP2013][IE10-IE11]: Calendar widget does not work in Announcement edit page. This is now fixed.

466605-3

JavaScript: Portal Access variable 'r' is now a local variable.

466617-2

Now routes for Exclude Addrress Space are correctly removed when NA connection is terminated if the client was switched to another network.

466797-5

Now EdgeClient shows warning about session exipartion when maximum session timeout is reached.

466898-2

Enterprise Manager reports now work correct when accessed via Portal Access.

467287-1

Previously, Policy Sync would add whitespace to Forms-based SSO configuration objects, which prevented the configuration from running. Now Forms-based SSO configuration will not have whitespace added and configuration runs as expected.

467597-5

InspectionHost plugin will now be installed to the "current user" profile (as opposed to all users) and therefore will no longer prompt for administrative password.

468478-4

When the 32k storage limit is reached, the oldest application cookie is discarded, allowing the application to continue processing new data.

469960-2

In this fix we implemented a throttling mechanism, so that when number of fds in the queue reaches a certain threshold, apd will stop accepting new requests, until the number of fds in the queue decreases to a defined level. We introduced three db-variables; - to enable/disabling throttling - to define a high water mark beyond which release of any connection handle will be stopped and - a low water mark to allow further connection from tmm.

470225-3

Machine Certificate checker now correctly works in Internet Explorer 11

471014-8

Openssl improvements.

471331-1

Fixed intermittent resets when access policy execution in progress simultaneously from multiple browser tabs.

471452-1

When URLs from multiple browser tabs starts access policy, the landing URL is set to the URL from the browser which finished the access policy execution.

471714-2

The APM Email agent now generates emails using CRLF at the end of the header and as a separator between the header and the email body, conforming to RFC 5322.

471825-2

The Email agent was updated to comply with RFC 5322 to include the "Date:" header.

471893-3

A problem in which the BIG-IP system when, configured as a SAML IdP , might reboot tmm when executing SLO protocol in certain conditions has been fixed.

472040-5

TMM with BZ 455113 is no longer crash when using ACCESS::session iRule comamnd.

472216-1

Fixed alignment of connection duration counter for customized Edge Clients

472825-3

Dashboard no longer displays a dip in active session count when primary blade is comes back from a reboot

473377-4

Fixed to accept NameID format urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

473386-3

Improved Machine Certificate Checker matching criteria for FQDN case

473697-5

HD Encryption check now provides a way to check encryption status of all drives or system drive only.

473728-2

Now absolute action path for any form in HTML page is rewritten correctly at submit time.

474392-5

Code signing of executables (app, plugin and installer) have been updated to Apple's latest (v2) signature requirement.

474532-4

Proper validation was added to check correct messages were received on proper URL. Logging was added for failing cases.

474730-4

Now forms with absolute action path and tag with id=action inside are handled correctly.

474757-3

OpenSSL Security Advisory 8/6/14 (1.0.1i Update).

475163-4

Now HTML forms without action attribute are handled correctly.

475262-2

Resolved issue when APM configured with URL ("https://....") Edge Client for Windows does not resolve APM hostname while reconnecting.

475360-5

Resolved issue when Edge client remembers specific VS URI after it is redirected.

475650-4

Issue is fixed that caused tmm to occasionally restart when processing SLO messages.

475682-5

EAM used to send multiple cookies headers in HTTP message. Multiple HTTP headers like this are treated as comma-separated by some receivers. Now EAM adds a single Cookie header with the cookies delimited by semi-colon.

475770-2

Improved routing table managment for 2 and more network interfaces

475847-2

Now tag end is determined correctly in case of dynamically created content.

476133-2

_lastUseTime in OAM ObSSOCookie is updated on successful authentication and authorization process.

477445-2

Client modified to restore routing table state and select active interface (on a system connected to the same network segment through multiple interfaces).

477474-1

HTML Attributes with names using '-' are now handled correctly in Portal Access.

477540-2

apmd no longer crashes with null tcl interpreter object when used with ACCESS::policy valuate irule command..

477642-4

In Portal Access assignment of empty string to location.hash property no longer causes page reload loop in Firefox.

477841-2

Safari 8 will now properly use the admin-defined proxy settings if available.

477966-1

User can restart bigip to fix custom report error. Make sure the table apm.log_param_metadata_ui is created in mysql db.

478115-4

The action attribute value of a form HTML tag is now properly rewritten in the Minimal Content Rewriting mode when it starts with a "/"

478222-2

Seven new categories and one category name changed category in URL Filter DB.

478285-1

An issue with routing table not being restored correctly in multi-homed environment when server settings disallow local subnet access is now fixed.

479524-4

Portal Access no longer crashes if URL in a "Refresh" header matches the a Portal Access bypass list entry.

479715-1

The errant behavior is caused by an improper URL being presented by the error page. When APM checks the improper URL, it causes it to issue the same error page. This has now been corrected.

480047-2

BIG-IP EdgeClient now allows to generate CTU report.

480247-4

Edge client doesn't update its application directory anymore, instead it uses /Libarary/Application\ Support/ directory.

480360-4

MAC edge client was fixed so that it doesn't block textexpander's functionality.

480995-2

APM client components are now using extended logging by default.

481020-2

Resolved intermittent routing table issue that caused Traffic not to flow through tunnel if proxy server is load balanced

481046-4

Wrapper for scriptTag.text='source script' is fixed to rewrite 'source script' for all browsers.

481203-1

While creating memcache entry, we no normalize the username into utf8 lowerecase. This makes sure, there is only one entry for all combination of usernames.

481257-4

CTU report now includes information on "OPSWAT Integration Libraries V3".

481663-4

If customer doesn't need optimized tunnels, app tunnels, remote desktop then he can safely disable run disable the db variable "isession.ctrl.apm" which disables isession. Then do "bigstart restart tmm apd" so that the db variable takes effect.

483113-2

A cosmetic issue with the server selection menu showing white background is now fixed.

483379-3

An issue with Edge Client consuming high CPU and having unresponsive menu icon is now fixed.

484315-1

Security patches applied to krb5 library.

485304-2

Fixed root cause of crash - improper memory managment.

485465-5

Issue causing tmm core is fixed.

486661-2

This is an RFE feature.

487472-2

An issue with Java installer failing to install the InspectionHost plugin and creating a zero byte file under ~/Library/Internet Plug-Ins/ is fixed.


WebAccelerator Fixes

ID Number Description

467633-2

Extra spaces are no longer added to the minified CSS.


Wan Optimization Manager Fixes

ID Number Description

426482-2

The Octeon now properly handle decompressing large files on 2100/2150 blades without any failures.

479889-4

This release resolves memory leaks that occurred when iSession and iControl were configured.

480305-2

Fixed icontrol / isession memory leak issue; set proper log level to prevent log flooding.


Service Provider Fixes

ID Number Description

472376-2

Drop processing the message if the ingress pcb is not present anymore.

478442

Core in sip filter no longer occurs when sending HUDEVT message while processing of HUDCTL message.


Advanced Firewall Manager Fixes

ID Number Description

429885-3

When operating in firewall (AFM) mode i.e. default deny, BigIP will now count and log (if enabled) any traffic that does not match a Virtual or SelfIP and is being dropped/rejected.

478816-1

An enhancement that allows logging the TCP events and errors on fastL4 virtual.

480194-1

Perform VS DWBL lookup after accept-decisive firewall rule match at global level

481189-1

The load factor controls the minimum percentage of fullness that need to be reached before the table is expanded to a larger size. Setting it to 25 by default prevent the firewall rule compiler from growing the table size too aggressively and results in big firewall BLOB.

481706-1

Improved security logging to reduce incorrect messages.

484013-1

This fixes a memory leak when tmm is overloaded and forwards flows to the peer, and packet classification is enabled with "log translation fields" in the logging profile.

478462

Whitelist counts now increment appropriately

480125

100+ rules may now be displayed in the active rules page.


Policy Enforcement Manager Fixes

ID Number Description

476904-1

Adjusted Logging levels to remove potentialy confusing messages.


Carrier-Grade NAT Fixes

ID Number Description

456963-2

TMM now gracefully handles this rare condition.


Global Traffic Manager Fixes

ID Number Description

482442-1

State changes for wideips should be updated correctly when the "Update" button is clicked in the GUI wideip properties page.


Cumulative fixes from BIG-IP v11.5.1 Hotfix 5 that are included in this release


TMOS Fixes

ID Number Description

365764-3

It is now possible to run a UCS load even if there are partitions still containing GTM objects.

376120-1

tmrouted no longer restarts when reconfiguring a previously deleted route domain.

404716-6

Decapsulated tunnel packets are correctly handled by packet filter.

405067-2

The system no longer adds the active bonus when the HA group score is 0 (zero). This is correct behavior.

413689-3

TMM no longer crashes with certain combinations of profiles.

421317-4

Virtual servers now correctly display a red status when its default pool's status is red, regardless of whether or not a connection or rate limit for the virtual server have been reached.

429871-4

F5 improvement of the integration of latest epsec packages

431985-5

Monitor instance is now correctly re-enabled, if it was previously user-down, on all devices after an incremental sync. In earlier versions it would only update properly on the source device of the sync.

438159-3

Users can now use pre-shared key with anonymous IKE peer for IKEv1 negotiation.

440179-2

Fixed memory leak in creating a wildcard DS-Lite tunnel.

441063-3

Adding DNS name-servers via tmsh no longer causes a momentary loss of access to tmsh.

441174-1

Do not handle fragmented packets in Round Robin DAG.

445924-5

Changed code to allow IP multicast packets to be delivered to all blades so that OSPF failover can occur.

446352-4

IKE negotiation is now successful and the IPsec tunnel comes up properly and passes traffic with NAT-T and floating tunnel end point address.

447266-8

Took steps to ensure that MCP would not attempt to modify an object that has been both created and deleted in the same transaction.

448054-2

Secondary blades are now sent the sync status information from primary blades, so the sync status will not be reset if the primary blade fails over.

450089-5

Add diagnostic code to the request_group to abort when it is being deleted while actively processing.

450129-10

LOP (Lights Out Processor) firmware version 2.08 for VIPRION B2100, B2150 resolves the following issues: (ID446907) Alarm LED may be Red upon powering up VIPRION B2100, B2150 blades (ID439435) AOM Command Menu no longer reports failure when successfully powering up VIPRION B2100 or B2150 blades.

450458-1

Resolved build creation issue due to the dependency of various objects that need to be built before compiling sources that use them.

450684-1

Corrected an internal report used for QA/testing.

450693-1

F5 Internal: Correction to internal firmware report.

450694-1

F5 Internal: Correction to internal firmware report.

450794-3

An issue with handling DHCP information in virtual environments has been corrected.

451424-1

This release corrects a condition that could cause snmpd or SNMP subagent daemons to generate a core and restart.

451458-1

fix leasepool stat to return data only for primary blade

451602-4

Changed the interface match to look up host interface instead of vlan interface.

453256-2

The save mechanism in TMSH has been updated to save the monitor parameter fields in correct format for a subsequent load.

453432-1

Fixed a number of NVGRE config cleanup issues that were causing the crash.

453700-2

Changed JVM default settings to use less memory and allow TMM to acquire needed memory during its startup.

453951-2

The sys db security.commoncriteria setting value no longer reverts.

455138-1

Fixed a memory leak that occurred when the route for the remote endpoint of a tunnel was misconfigured.

456064-1

Added code to allow MCP to continue processing profiles when it encounters this configuration.

456735-2

Tunnel objects are now properly freed after deletion.

456848-2

LBH firmware v4.08 for BIG-IP 2000-/4000-series appliances resolves the following issues: ID455728: PSU status/changes reported incorrectly ID450177: AOM controller resets when it has no IP configured ID451493: Fan speed higher than expected ID453493: Change fan control set points for less noise

457130-3

Configuration loads correct virtual-address icmp-echo values

457326-3

Make leasepool stats data structure consistent with leasepool stats table definition.

458198-2

ip6ip4 tunnel with fixed MTU passes traffic as expected.

459123-1

Updated name validation to throw an error when invalid characters are included in the name.

460593-1

The user can create multiple VXLAN tunnels with same local endpoint address when flooding type is multipoint or none.

461581-1

In the existing behavior, tunnel objects are config synced automatically to a standby device. The DB variable "iptunnel.configsync" can be set to "disable" in order to disable the automatic config sync of tunnel objects. The default value of the DB variable is "enable". Please note that before creating any tunnel objects, the DB variable should be set accordingly if needed, and toggling its value subsequently could lead to an unexpected behavior.

461592-1

The device can process inbound VXLAN packets even if it is in a standby mode.

462045-2

This release has a longer timeout for activating the new HSB bitfile after reboot, so the HSB bitfile-quarantined issue does not occur, and you can successfully boot from 11.5.x to 11.4.x or 11.3.x.

463603-4

IPv6 any address "::/0" is saved properly in configuration file.

464024-2

Ensure that all pipes are closed when a TMSH command is completed.

466034-2

Treat VxLAN packets as UDP packets by default in HW.

466752-2

Monitor instance is now correctly enabled or disabled after an incremental sync.

468021-4

"wom-default-clientssl" and "clientssl-insecure-compatible" were added to two fixup scripts, and code to prevent infinite recursion was added to another script.

471496-1

Standby node sends LSA summary for the default route with a value of 16777215. The ospf routers in the stub area pick active node as the gateway for the default route.

472613-4

Power supply status changes are now reported correctly on BIG-IP 5000/7000 Series platforms after power supply removal or insertion. LBH no longer watchdogs without a network address set.

474166-2

The ConfigSync operation completes successfully, and the sFlow error no longer occurs.

474465-1

Average system CPU and busiest CPU calculation is now based on the critical data plane processing.

477031-1

No TMM restart when deleting multiple VXLAN tunnels with flooding type multipoint.

479681-1

Run rsync-cmi in background so that we don't block (and slow down mcpd)

480248-1

Resolved DB 13 error while uploading the UCS.

480931-4

ShellShock bash vulnerability has been fixed with upstream patches for CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187.

451446

Restored missing slot status and sensor tables.

460863

Changed the label to the right text as "Failover".

461580

Resolved intermittent kernel panic that causes crash using telnet with external monitor.

474332

F5 will start releasing "base installable" VM images as part of hotfix release. The VM images will consist of base RTM + installed hotfix on top of it. Such images are going to be ready for deployment without the need to apply hotfix as an additional step.

476126

The latest Emulex NIC driver was included in 11.5.1-HF5. It supports SR-IOV and VLAN tagging when Emulex NICs are used.

476815

We fixed a scenario that could lead to a crash in the logmysqld daemon.

479302

Remove the seldom used internal debug table which eliminates the periodic accesses.


Local Traffic Manager Fixes

ID Number Description

348194-5

Allow configuration of FIN_WAIT2 timeout

411101-5

Resolved an issue found in F5 testing for ability to tcpdump mgmt_bp_* and loopback. Also added vm_tap_* for guests.

416250-3

Added timeout to cancel incomplete SSL handshakes and retry

418889-5

A TMM crash bug has been fixed.

421964-5

BIG-IP system now correctly aggregates an LACP-enabled link.

435652-8

The timing differences in the Nitrox crypto accelerator have been eliminated: CVE-2014-4024

437612-5

Resolved issue when changing HTTP::uri in an HTTP_PROXY_REQUEST iRule doesn't take effect by adding HTTP::proxy command, allowing disabling of fwd-proxy functionality (enables proxy-chaining).

437905-4

Add db-var so the buffer size multiplier can be changed via tmsh.

439653-4

Long-lived connections consistently use policy settings from the beginning of the connection, and for the lifetime of that connection, regardless of any virtual server and policy configuration changes that occur in the interim.

439712-6

Single SSL transfers will perform much better on 4200/2200.

442410-6

Resolved TMM error message 'HUDEVT_EXPIRED (Connection expired) bad pcb magic (0x00585858)' and TMM core on standby member of HA configuration with connection mirroring and connection pooling (OneConnect) enabled.

442584-5

Making configuration changes, such as adding/removing a profile, to the targeted virtual will not adversely affect policy execution.

445411-2

The Nitrox crypto accelerator will no longer hang when performing RSA verification.

445571-3

Support Connection Mirroring with BigTCP.

446820-4

TMM no longer crashes due to a poorly formatted log call.

447091-9

Ensured that packet filters with orders greater than 32767 are able to be deleted.

447390-3

Loose-close no longer causes issues with traffic on FastL4 virtual servers.

448327-6

Prevent memory leak when iRule suspends or aborts an DNS command.

448606-2

The listener ref count no longer overflows and causes a TMM core and crash.

449636-4

'tmsh load sys config' now loads policy actions correctly, so some actions are no longer ineffective.

449845-6

DNS filter now formally enters framework.

450101-2

Option code 0x0008 to the client-subnet of the EDNS0 record is now recognized.

450202-2

Fix MSS calculation when using fastl4.

450584-3

Safenet HA is now supported

450640-1

Improved performance found by F5 internal testing with ssl.

450689-1

The statistic is now properly displayed.

450713-3

Out-of-order segments received after FIN will be forwarded as expected.

451340-1

Enable faster performing software client authentication and disable ec cert/keys.

451889-3

Made changes to once again allow the attr_type to be optional for all forms of RADIUS::avp.

452232-3

iRule no longer uses stale qname.

452264-1

A new iRule command [HTTP::proxy disable] has been added so (explicit) proxy request handing can be turned off and the request can be forwarded to another proxy.

452387-3

HTTP::header is_redirect now works correctly again.

452439-2

TMM will not crash when enabling DOS sweep/flood detection feature regardless of threading.

452579-2

Corrected calculation of server-side MSS.

454463-5

A memory leak when executing a suspended DNS iRule many times has been fixed.

454853-3

An LTM policy with incorrect http-header name or http-cookie name no longer causes a crash.

455361-3

Fixed improper handling of ICMP (Internet Control Message Protocol) 'Fragmentation Required' messages from routers. Bug resulted in extremely inefficient behavior by BIG-IP TCP segmentation offload if path MTU (Maximum Transmission Unit) was smaller than what TCP endpoints negotiated.

455553-1

No multiple retransmission of the entire send queue when the MSS size is improperly large.

456753-3

TMM no longer may restart on Virtual Edition systems when receiving an incoming packet on a tagged VLAN that need to be forwarded to a different TMM (e.g. a CMP-demoted virtual server).

456942-1

After the fix, if the domain name in the iRule is invalid or memory allocation failure happens when modifying the RR owner name using the DNS:name iRule, TMM will not crash.

458480-3

TCP Segmentation Offload (TSO) no longer causes the Traffic Management Microkernel (TMM) to restart during high memory usage.

458597-3

Now there is no memory leak when transfer a zone to zxfrd.

459001-1

PVA statistics for each flow are tracked in hardware and software. The software copy of the hardware flow statistics was not correctly reset when flows were evicted from the PVA hardware and then subsequently reloaded back into the hardware. This eventually resulted in a numeric underflow in the statistics counters that were then displayed with very large positive values.

460197-8

active_requests is updated when a flow using hardware acceleration is reset.

465866-6

The current tag file only indexes the sources for tmm. This makes it difficult when debugging customer issues that reference code within libraries, primary tmjail (xbuf/xfrags) and tmm_tcl. The fix is simple: index libraries that are commonly used, along with tmm.

466260-1

This release fixes a crash bug where TMM asserts 'we always have room in tx ring'.

467986-1

TMM no longer cores when running the command 'tmsh show ltm dns cache records key cache myCache' on a cache with stored DNS key records.

470715-2

A new db variable vlan.backplane.mtu is added to configure tmm_bp vlan mtu size, default to 1640.

472532-1

cipher id 0x006b (dhe-rsa-aes256-sha256) has been added

473396-1

TSO no longer leaks xfrags.

475231-4

Connection remains open after dispatching CLIENTSSL_CLIENTCERT iRule event, which prevents accessing invalid memory.

476386-1

Resolved issue found by f5 testing DHE-RSA-AES256-SHA256 and DHE-RSA-AES128-SHA256 to be supported for tls1.

467507

Use decrypted CCS flag instead of CCS flag. In renegotiation, sp->rxccs is set when encrypted CCS is received. Decrypted Client Key Exchange message could be received after encrypted CCS message is received. So BIGIP should use decrypted CCS flag instead of encrypted CCS flag.

474459

Resolved duplicate line issue found by F5 testing to ensure correct building of release.

479372

 


Performance Fixes

ID Number Description

447250-1

A TMM crash bug involving PEM under high load has been fixed.


Global Traffic Manager Fixes

ID Number Description

439854-5

An additional attempt is made to match virtual servers by addr:port, even if there is an LTM Name that does not match.

440284-2

The LTM big3d now correctly identifies and monitors 10.2.4 or earlier LTM virtual servers.

442133-4

Disabling Synchronize on one GTM no longer disables Sync on all GTMs in the sync group.

451985-1

We delay sending the configuration timestamp until the end transaction message has been received. This fixes the problem with sync becoming disabled

463369-2

Fix problem found by F5 testing that prevents GTM sync issues when changing configurations.


Application Security Manager Fixes

ID Number Description

438809-4

To improve brute force mitigation, we made the following changes: -We added a new internal parameter: bf_num_sec_per_value. This defines how many seconds is a single measure unit for a failed login. For example, if you want to configure 7 failed logins per 5 seconds, in the Configuration utility configure "7" as the threshold value (the "Failed Login Attempts Rate reached" setting in the Detection Criteria area of the Brute Force Protection Configuration screen), and from the command line configure "5" as the value of this internal parameter. If this value is configured, the system will detect an attack only by the threshold (and not by the increase). If this value is configured, all traffic from suspicious IP addresses are blocked. The default value for the internal parameter is 1 second. -In the Configuration utility, we removed the validation for all the threshold and minimal values. You can put now very low values such as 1 or 2 in the detection and suspicious criteria.

440057-1

We corrected how the system logs requested URLs that contain navigation parameters configured in the security policy.

449946-2

The Enforcer correctly sends information to the Policy Builder about specific value and name meta characters that were previously mishandled.

453568-6

The client side challenge mechanism now correctly reconstructs the referrer header.

460514-4

To prevent the system from running out of memory, the system requests a configuration sync 5 minutes after a failed one, and not sooner.

469798-1

We prevented a deadlock that occurred when sending synchronization events.

469825-1

We fixed an issue where rarely the Enforcer crashed when trying to match signatures on the body of a re-constructed POST request.


Access Policy Manager Fixes

ID Number Description

225651-5

The installation path for the BIG-IP Edge Client was updated to avoid collision with third-party software installations.

398134-1

Now APM supports non-ascii usernames and passwords when performing NTLM Front-end Authentication and NTLM Back-end SSO.

419809-1

An error message formatting issue was fixed.

425070-4

The HTML profile code was improved for security reasons.

425507-5

An issue in which logd could start to consume 99% of CPU after table rotation has been fixed.

425731-6

A TCP reset is not longer sent to a client during access policy execution.

431512-4

Now APM validates the origin header of the WebSocket handshake and accepts connections with correct origin only.

436569-1

Now icons are displayed for Citrix applications on an APM webtop when Kerberos SSO is used.

437326-6

Now APM supports Citrix Receiver for HTML5 version 2.1

437881-4

In an HA configuration, any users deleted from the localDB on the current unit are now deleted from the standby unit also.

438278-1

The Access Profile which is associated with one or more AAA server objects can be deleted with the fix provided.

439463-4

Now Citrix Receiver for Mac and iOS gets the correct config.xml file when working through a Wi-Fi router and APM is integrated with Citrix Web Interface.

439518-1

User now can sync over the changes to all the location specific configuration such as optimized-app in network-access or pool item in pool once that 'Use Source Configuration on Target' is set to YES in policy sync dialog.

440290-4

APM now prevents the retransmission of policy sync requests that caused status messages to fluctuate.

440385-4

Support of Internet Explorer 10 (without compatibility mode) for machine certificate checker was added.

441210-1

The tmm process provides more robust handling for PCoIP traffic.

441553-5

A Network Access client can now connect successfully after one or more failovers.

441659-4

Fixed User-mode installer service: it does not require admin rights for limited users anymore.

441681-2

You can now use the Firefox browser to successfully edit these actions from the Visual Policy Editor: Advanced Resource Assign, LDAP Group Mapping, AD Group Mapping, and BWC Resource Assign.

442393-4

APM will now attempt to terminate Citrix session when user logs out of APM Webtop.

442656-5

Fixed race condition of multiple establishments/teardown of PPP tunnels lead to loss of availability of leasepool addresses.

445399-5

Support was added for Network Access over PPPoE.

445970-8

[Java][Mac][NA][EPS] NA and EPS auto installation is now working with Java 7 update 51

448896-4

An HTML page with base URI (HREF attribute of the BASE tag) is rewritten correctly.

450033-1

Windows View client 2.3 can consistently launch desktops via APM

450298-8

Logging on to Outlook Web App 2013 (SP1) using portal access with Firefox browser now works without producing an error.

450360-4

Now Citrix Session Sharing works correctly for any version of XenApp.

450728-1

Now APM correctly handles VMware View client requests with empty body.

450845-2

Under logging stress, logd no longer writes duplicate fd errors in the log.

451260-2

After upgrading directly from 11.4.0 to 11.6.0, the configuration loads successfully now even if it contains "citrix-client-package" files that were uploaded (and unzipped) using the GUI.

451387-3

Support of button-less logon pages is added to BIG-IP Edge Client.

451588-4

Portal access renders the data correctly when creating a new item on Sharepoint 2013.

451777-3

If a connection issue or a database problem occurs the first time that a user tries to create a custom report, an error message displays now.

452182-4

Flash ActionScript 3 rewriter now correctly rewrites URLs containing "../".

452344-4

HexToBinReverse() is now ncorrectly converts unicode strings.

453164-6

Routes are restored after disconnecting from the Network Access connection.

453514-1

A problem in memcached causing intermittent failures was fixed.

453531-1

Multidomain SSO no longer resets on secondary authentication domains.

453722-1

Alleviate issues such as GUI unresponsiveness or even disconnect when policy sync is applied to a device group that contains 5 or more members.

454010-3

APM now recognizes Internet Explorer in compatibility mode on Windows 8.1 correctly.

454248-4

Fixed unnecessary localdbmgr messages logged in /var/log/apm every minute at the notice level.

454369-1

The URLDB plugin comes up properly now and traffic proceeds normally.

454370-4

The messages that communicate status of PolicySync between devices can arrive unordered. This is now fixed.

454547-1

Forms - Client Initiated SSO authentication handles decryption failure correctly.

454759-4

Now APM reports http error 500 when View Connection Server response is not 200 OK and writes an error log message.

454899-5

Guest user will get access denied response when use the token of admin user request to create/delete/modify local db user.

455039-1

Now Citrix HTML5 Receiver v.1.3 available with Storefront 2.5 can be hosted in APM Sandbox and launched from APM Full Webtop.

455113-4

ACCESS::session data get has been extended to return configuration variables: ACCESS::session data get [-sid ] [-secure] [-config] [-ssid ]

455284-2

Firewall rules no longer incorrectly interfere with TCP monitor traffic generated by the BIG-IP system on port 54321.

455426-4

Now user with apostrophe in the name can log in with Citrix Receiver successfully.

455892-1

Now APM support AGEE SSO to new Citrix StoreFront 2.5 backends.

456098-7

Remove the logic for specific internal requestID in XUI

456714-4

Fixed for cases when Assertion does not contain SessionIndex and SLO is configured.

457925-2

When BIG-IP as SAML SP, IdP initiated authentication now works with the first attempt.

458199-1

Resource delete handler should check for the reference by psync-dynamic-resource.

458211-6

The EAM module now continues to function correctly when the size of a cookie in the HTTP request is greater than 4095.

458447-4

An issue in Network access; where customer would see "IPv4 Addr collision" in logs has been fixed.

458485-1

The code is updated so that APD no longer crashes on certain VPE expressions, such as Date Time check or 'encoding' command due to a change introduced by fixing 424938.

459780-3

Added [APM] Network Access option: "Do not enforce IP scopes in Proxy-Auto-Configuration".

459977-2

If there is a space in value for radio or select type input, logon page does not show the input elements. This is now fixed.

460062-4

Access policy export works correctly even when a resource with a long name has been assigned in the policy.

460272-3

Additional logging included for troubleshooting captive portal detection.

460645-3

Users can now close logon window in "Locked Client" mode.

460715-3

Fixed using F5 captive portal probe URL in BIG-IP EDGE client for Windows instead of default Microsoft captive portal detection URL.

460762-2

Citrix apps consistently start from APM Webtop when using Kerberos SSO to XML Broker.

460939-1

Additional exception processing (for ObAccessException from the SDK) was added to the EAM module. The module now handles this exception by displaying an error.

460958-2

Cannot Start built-in PAC file server after multiple connecting/disconnecting edge client multiple times. This is now fixed.

461087-4

Fixed [APM] Crash in ActiveXDialer if proxy address is missing.

461624-1

A problem with APD in chassis that resulted in the portal access connection terminating has been fixed.

462143-3

Show main EDGE client UI when user click on Connect, Disconnect or Auto-Connect button in a system tray.

462669-2

For Windows Phone clients in BIG-IP APM 11.6 session.client.platform value changed from "WinP8" to "WindowsPhone".

463508-1

The slowness is due to an unnecessary sleep of 1 second even when creating configuration snapshot is successful. The fix is to re-factor the retry logic such that sleep is performed when creating configuration snapshot has failed.

464159-2

JavaScript: Now isolated submit() calls are handled correctly and form action paths are rewritten at such calls. The situation when a submit() call refers to a separate function is also supported.

464748-4

In portal access, a cookie with an empty or wrong expires field no longer causes a JavaScript failure.

465338-1

The curl-apd component (curl7.25.0) no longer enables SSL_MODE_RELEASE_BUFFERS; it is no longer affected by OpenSSL vulnerability CVE-2010-5298.

465339-1

The curl-apd component (curl7.25.0) no longer enables SSL_MODE_RELEASE_BUFFERS and is no longer affected by OpenSSL vulnerability CVE-2014-0198.

466317-8

The following OpenSSL vulnerabilities have been addressed in APM clients: CVE-2014-0221, CVE-2014-0224, CVE-2014-0195, CVE-2014-3470

466325-5

Continuous policy checks now doesn't kill the session if some configuration, configured to be ignored, changes on client side.

466488-4

Under high load conditions when the HTTP auth agent is configured in the access policy, now the access policy daemon (APD) continues to respond.

466877-5

Issue with signature validation is fixed

467849-2

Split tunnel is improved when connecting to a FirePass with a APM build of the edge client.

468889-2

Issue is now fixed when AFM is enabled with Optimized Tunnel and traffic is no longer dropped.

469100-4

Javascript index expressions with list of values are now correctly rewritten by Portal Access

469335-2

Validation is improved to ensure that a custom URL category includes at least one URL.

469754-1

Users deleted from the local user database are now prohibited from logging on using invalid credentials.

470382-1

Location-specific objects display correctly in the Policy Sync GUI whether the Location Specific check box is cleared or selected on the Static Resources screen.

470414-3

Portal Access no longer crashes when rewriting some incorrect flash files.

470675-3

Improved security found by internal F5 testing.

471125-1

Resolved rare condition that causes Edge-Client to work improperly when Client uses proxy to connect to BIG-IP.

473286-1

Resolved error deleting folder: Cannot remove directory with symlink to sandbox for partition

474657-1

Edge-Client stops after authenticating thru Captive Portal.

438117

OLH is now updated to reflect changes in Machine Certificate Auth certificate selection criteria.

455735

[OLH] "APM Access Profile Log - 404 ERROR" added.


WebAccelerator Fixes

ID Number Description

450030-2

The Vary on user-agent header is properly generated whenever WebP content is served.


Enterprise Manager Fixes

ID Number Description

449988-3

Values returned by big3d are now escaped so special characters do not create parse errors.


Service Provider Fixes

ID Number Description

450001-3

Flow control in SIPP filter no longer blocks flow improperly.

450019-3

LB::prime or mblb_connect now executes outside of the TCL execution. Priming will actually happen after one event cycle later.

450055-2

When the HTTP terminates its connection, BigIp receives an SSL encryption alert along with a FIN from the server (close SSL from the server), BigIP completes the HTTP response before closing the client connection.

452440-1

TMM CPU/Memory grows in accordance with the connections. If the SIP connections remains steady the resource utilization will be steady.

454348-1

BIG-IP delays closing the internal connection to the IVS after the final chuck of the ICAP response has been received, until all the payload has been transmitted to the HTTP destination.

455006-2

Invalid UDP datagrams that interfered with SIP processing are now dropped.


Advanced Firewall Manager Fixes

ID Number Description

462266-1

The issue is fixed now to clean up the memory associated with the old AFM policy on a SelfIP context when the context is modified to have a new AFM policy.

472801

This issue is now fixed so TMM will not be restarted if AFM is provisioned and 'tmsh load sys conf default' is done.

477769

TMM crash (panic) is fixed now and TMM no longer panics scenarios with SPDY or HTTP Prefetching enabled.


Policy Enforcement Manager Fixes

ID Number Description

426934-2

The max number of BWC categories per PEM subscriber has been increased to 32. This applies to the dynamic policies only, i.e. the policies defined within Gx provisioning messages.

441554-2

PEM can now handle a large number of new subscribers even when Gx connection is down.

442548-2

A TMM crash bug has been fixed. BIGIP/PEM will now work with PEM + fastL4 use cases with http profile enabled.

444770-1

This issue is fixed that a Rating Group can be assigned to different PEM rules without extra MSCC in CCR

449862-2

Fixed a crash bug involving the handling of RAR messages.

453548-1

A new PEM session will be created and replace any old existing session in an inconsistent state due to fail-over.

460006-5

Added support of numeric characters in PEM rule/policy names.

461089-2

This issues is fixed now. All subscribers are loaded properly after TMM restart.

464841-1

The max length of the Gy redirect address has been increased from 64 bytes to 256 bytes to accommodate the majority of the use case in real world.

464850-1

The issue has been fixed that BIGIP/PEM will handle a new flow that has no session created when quota management is specified in global policy.

466002-1

BIGIP/PEM will now properly handle the case when 2 or more policies from PCRF refer to the same existing rating group.

468123-2

Custom attributes will now be added and will be returned when session is queried.

468809-1

TMM no longer crashes during subscriber provisioning testing when the Gx connection is re-established.

470690-2

Session cleaning priority has been lowered and CPU will not spike when sessions are deleted or replaced with Gx enabled.

470850-1

PEM will now clean up the session if CCA-T received with 5002 error code.

471867-1

A memory leak when the CCR-I is dropped by iRule has been fixed.

471910-2

DB variable Tmm.pem.diameter.application.silentDelete.prov.error.sessions is available. It should be set to enabled if sessions need to be silently deleted.

472860-2

The session statistics for sessions created by RADIUS is now incremented whenever the user runs an irule on the RADIUS virtual, that creates a new session.

474638-2

Custom attribute for create or update no longer harms the policy list.


Global Traffic Manager Fixes

ID Number Description

448914-1

Object name field now has a correct input validation and escapes javascript.


Cumulative fixes from BIG-IP v11.5.1 Hotfix 4 that are included in this release


TMOS Fixes

ID Number Description

441573-3

The ultimate fix will involve some low-level changes in the UI framework to ensure that the proper query context (in MCP) is set when selecting [All].

442648-3

Modify UI to properly query for the interfaces in All [Read Only] view.

449017-2

F5 found potential data inconsistency between tmsh and icrd in date formats in testing and resolved to prevent customer issues.

453332-3

Fixed an issue with iControl REST calls timing out.

457300-4

Improved IControl REST resources to allow naming with spaces to meet customer requirements.

458109-1

Prevent icrd crashed on the BIG-IP while the BIG-IP was being discovered by BIG-IQ

463655

Fixes MCPd crash during certain iControl REST transactions.


Local Traffic Manager Fixes

ID Number Description

406649-2

Installing a hotfix will no longer cause apd to continuously restart.


Performance Fixes

ID Number Description

455733-1

Fixed crash in dwbld daemon.

432080

Data-plane (traffic) performance for Application Security Manager workloads is significantly improved.


Application Security Manager Fixes

ID Number Description

439758-5

We improved how the Policy Builder handles requests with multiple learning suggestions.

440378-1

Added tmctl stats for dcc, bd_agent, and correlation daemons. This allows visibility into internal state/processing of the daemons to provide external visibility into their internal state/processing to assist diagnostics/debugging.

441213-2

You can now modify a security policy created from iApps (iApps > Application Services).

450241-1

EM can now discover ASM devices.

455389-1

We improved how the system decides on the content profile when there is a request with multiple content-type headers.

455391-1

We improved how the system parses query strings in absolute URLs.

459255-2

We raised the limit of the Explicit File Type Name length from 8 characters to 255 characters.


Application Visibility and Reporting Fixes

ID Number Description

440763-1

We fixed an issue that caused TMM and avrd to core if you assign an Application Security policy, Analytics profile, and DoS Layer 7 Protection profile on a virtual server.

447693-3

We corrected an issue where some reports generated from the Configuration utility and/or from TMSH commands did not work.

448585-1

We fixed an issue when Throughput and Latency were reported incorrectly in cases of incomplete transactions when sampling is enabled.

457982-4

/var/avr/loader will no longer get filled with files that are written by avrd.

462561-5

We fixed a case that caused avrd to crash when external logging of traffic capturing is used.

462968-1

Subnet statistics are now migrated after a version upgrade.

464238-2

AVR profiles with identical names on different partitions can now be created.

466922-1

Now Max TPS and Throughput are displayed properly in HTTP Analytics (if configured in Analytics profile) when drilling down from virtual server to pool members.

464287

When an iRule with HTTP::respond command and Analytics profile are attached to the virtual server, HTTP responses from BIG-IP will not contain redundant chunk headers (at the end) anymore.


Access Policy Manager Fixes

ID Number Description

451777-4

If a connection issue or a database problem occurs the first time that a user tries to create a custom report, an error message displays now.


Advanced Firewall Manager Fixes

ID Number Description

440817-2

Sweeper would no longer reap a flow that would have matched a rule in either global or corresponding route-domain classifier with action = Accept Decisive in the scenario when this particular classifier did not change (and there are no matching rules in the corresponding VIP/SelfIP classifier and VIP/SelfIP default action is set to Drop or Reject).

442988-2

Previously, when searching the event logs using the drag-and-drop custom search, inserting a value from one of the existing timestamp columns triggered an error. This has been fixed.

443300-2

A new field, "Referencing Rule," displays the actual name of the rule that references a rule-list. If the rule is a regular, non referencing rule, the same rule name is displayed in the "Referencing Rule" field.

453377-3

Previously, when a network firewall rule was configured on a Self IP context, and an iRule was specified in the configuration, an error occurred. This configuration now processes traffic correctly.

453779-2

The commands place-before and place-after are now handled correctly in transactions that contain changes to multiple rules.

454435-1

Setting an iRule in a firewall rule attached to the virtual server using the iControl method Local.VirtualServer.set_fw_rule_irule no longer fails when the iRule name does not start with the folder name. The framework automatically prepends the folder name to the iRule name.

454953-2

self-ip and virtual server FW rules can't be converted from a regular rule to a reference to a rule-list with PUT

455744-2

Fixed a management IP firewall rules compilation failure.

456107-1

This behavior is being fixed to make AFM rule matching action consistent with logging for EPHEMERAL connections.

459719-1

Pccd BF Hash table changes to reduce pccd BLOB size

459758-1

Restart pccd to avoid blob-size growth (pccd always starts from scratch)

461582-1

AFM previously matched firewall and IP Intelligence rules against the first TCP packet of a new flow, even if that packet would later be dropped by LTM,for example a FIN or RST packet. AFM no longer matches these packets, and LTM continues to drop them.

462903-1

TMM getting aborted by SOD due to heartbeat miss (when trying to load huge firewall policies) is being fixed.

464774-1

A new db variable, pccd.rule.debug, was added to display micro-rules and micro-rule numbers for each firewall rule. This is a new debugging facility to help troubleshooting issues in configurations with very large firewall rule sets. The outputs collected can be used to analyze the firewall rules to help us make suggestions on how a configuration can be optimized for better compilation performance.

464916-1

Previously, in the active rules or security page, when the user was trying to view the second page of staged rules, the display showed the first page of enforced rules instead. This has been fixed.

464990-1

Previously, sometimes an error would occur when reordering a rule list. This has been fixed.

465963-1

Previously, tmsh reset-stats did not work when the policy rule was made up of rule lists. Now, reset-stats works with such policy rules.

468194-1

On some versions, an iRule would be run on a staged policy, and could drop traffic. Now iRules only run on enforced policies.

469129-1

Fixed a bug where the a crash could occur when compiling a firewall policy with a large number of IP addresses. Compiling such a policy can take several hours; to reduce compilation time set the variable pccd.hash.load.factor value to 25.

469507-1

Previously, when the db variable pccd.alwaysfromscratch was set to true, management port context rules did not always stop processing traffic when they were removed from the configuration. This has been fixed.

469512-1

TMM getting aborted by SOD due to heartbeat miss (when trying to load huge firewall policies) is being fixed.

469729-2

Automated the value for pccd.alwaysfromscratch to save customers from having to manually set.

470366-1

Fixed the regression issue introduced due to fix for BZ 469512

430237

add db variable that allows to define action for global default rule

458433

Compress empty blob spaces to reduce blob size and transient memory usage.

459716

Prevent pccd from using FBC as a compilation backend.

461411

Created a db variable to block IPv4 in IPv6 mapped addresses coming in from the wire.

461602

Fixes for icrd.conf file to support the iControl response for the newly added "Referencing Rule" field in TMSH show firewall policy commands.

463115

A new field "Referencing Rule" displays the actual name of the rule that references a rule-list. If the rule is a regular, non referencing rule, same rule name is displayed in the "Referencing Rule" field.

470820

Fixed the issue that overlapping checks for firewall rules may take several minutes if a rule with 'any' is inserted in the middle of the rule list.


Cumulative fixes from BIG-IP v11.5.1 Hotfix 3 that are included in this release


TMOS Fixes

ID Number Description

416496-6

TMM and mcpd now throttle the amount of data flowing through them for 'show sys connection' commands, so the processes do not run out of memory.

441512-1

Sync now completes successfully, without sflow error.

445919-4

Issuing the command "tmsh show sys connection" when you have over one million connections no longer causes TMM or MCPD to core.

446549-7

During a config sync, steps were taken to ensure that mcpd objects are not deleted until after they have been fully processed.

451507-6

When entering standby due to a failover condition, the BIG-IP system no longer incorrectly responds to ARP requests.

458676-6

Corrected possible internal Rsync port exposure.

459723-4

CMI rsync daemon will always restart now when necessary.

462191-4

Rsync security fix is updated to work in cluster environment.

465799-1

OpenSSL has been upgraded to eliminate the man in the middle attack.


Local Traffic Manager Fixes

ID Number Description

354161-3

DNS Express expires zones according to the expire value contained in the zone SOA record.

449903-1

Resolved intermittent issue under heavy DNS cache traffic for a timing issue that could cause a crash.

449920-3

A memory leak using compression on BIG-IP 2000-series and 4000-series appliances was resolved.

450698-4

Use a consistent method for storing external datagroups in TMM.

455267-1

When forwarding proxy requests to an IP address that results from a DNS resolution, the route-domain parameter is now used correctly and it now is possible to use the HTTP explicit proxy (or SWG) when the target of the connection is not in route-domain 0.

457598-2

Improved potential ssl security in LTM F5 testing.

459495-1

The HTTPS monitor has been improved to automatically attempt SSLv3/SSLv2-compatible protocol negotiation if TLSv1 protocol negotiation fails.

465908-1

BIG-IP TLS virtual servers will now reject the connection when an early CCS message is received.


Carrier-Grade NAT Fixes

ID Number Description

452225-2

Resolved when the BIGIP is configured to use SP DAG (src-ip on inbound/subscriber vLAN and dst-ip on outbound/internet VLAN) and LSN is under configured on outbount/internet VLAN (in this case, only one IP address), the unexpected teardown or deletion of a PPTP GRE serverside flow will cause TMM to core dump.


Cumulative fixes from BIG-IP v11.5.1 Hotfix 2 that are included in this release


TMOS Fixes

ID Number Description

442199-2

Ensure correct set up of system to prevent error messages and failure of HA pairing.

451917-3

Prevented leak in large traffic groups for secure mode for Common Criteria.

454562-2

Prevented memory leak in secure mode for Common Criteria and updated documentation for recommended system configuration.

450028

Updated documentation to match naming conventions for build identification.

469032

Improved security for F5 services.


Local Traffic Manager Fixes

ID Number Description

454053-2

Improved security with Secure state-mirroring SSL profiles requiring peer cert.


Access Policy Manager Fixes

ID Number Description

357360-1

Mac network access client now supports static host entries.

424008-3

APM now supports smart card logon on Windows-based systems with APM Windows Logon Integration.

438595-4

There is now backward compatibility with FirePass for EPS, so the rowser on the FirePass system no longer freezes on 'Checking running processes'.

454550-6

Proxy auto configuration now works with Internet Explorer when a URL cannot be resolved on a client.

455783-2

Low speed of ppp interface has been fixed.

456302-6

APM clients heartbeat read overrun issue is now fixed.

437820

The machine certificate check on Mac OS X now correctly lets clients, for which only a certificate and not the key are found, go through the "found" branch.


Policy Enforcement Manager Fixes

ID Number Description

465893

The action to drop was not applied as it is a delayed action. Adjusted the flag to apply the action.


Cumulative fixes from BIG-IP v11.5.1 Hotfix 1 that are included in this release


TMOS Fixes

ID Number Description

456033-5

Resolved potential openssl heartbleed issue with patch from openssl to make the system more secure.






Known Issues in BIG-IP v11.5.x


TMOS Issues

ID Number Severity Description
535806-5 1-Blocking Not enough free disk space for live install of BIG-IP 12.0.0 from 11.5.3 VE
493275-2 1-Blocking Restoring UCS file breaks auto-sync requiring forced sync.
477218-3 1-Blocking Simultaneous stats query and pool configuration change results in process exit on secondary.
475829-2 1-Blocking AWS - VE is locked out after live install on 2nd slot.
468175-3 1-Blocking IPsec interop with Cisco systems intermittent outages
467022-2 1-Blocking 11050 platform will not go active citing error 01071335:3: Invalid logical_disk (0) for application volume (mysqldb_.2).
465142-1 1-Blocking iControl LocalLB::ProfileClientSSL::create and create_v2 methods result in crash when not in /Common
456239-1 1-Blocking icrd and icrd_child processes crash when being shutdown
452656-1 1-Blocking NVGRE tunnel traffic might stall if the sys db variable tm.tcplargereceiveoffload is set to 'enable'
600396-4 2-Critical iControl REST may return 404 for all requests in AWS
596603-10 2-Critical AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.
593536-4 2-Critical Device Group with incremental ConfigSync enabled can report "In Sync" when devices have differing configurations
583936-2 2-Critical Removing ECMP route from BGP does not clear route from NSM
570663-4 2-Critical Using iControl get_certificate_bundle_v2 causes a memory leak
568889-6 2-Critical Some ZebOS daemons do not start on blade transition secondary to primary.
563064-3 2-Critical Bringing up and tearing down an IPsec tunnel will slowly leak tmm memory
561814-2 2-Critical TMM Core on Multi-Blade Chassis
530903-3 2-Critical HA pair in a typical Active/Standby configuration becomes Active/Active after a software upgrade
529141-1 2-Critical Upgrade from 10.x fails on valid clientssl profile with BIGpipe parsing error
523434-2 2-Critical mcpd on secondary blades will restart with an error message about a sflow_http_virtual_data_source object
520380-2 2-Critical save-on-auto-sync can spawn multiple invocations of tmsh, starving system of memory
511559-1 2-Critical Virtual Address advertised while unavailable
511006-1 2-Critical Virtual address is advertised to ZebOS (as visible via imi shell) while unavailable.
510559-2 2-Critical Add logging to indicate that compression engine is stalled.
509503-1 2-Critical tmsh load sys config merge file 'filename' takes signficant time for firewall rulelist configuration
509276-5 2-Critical VXLAN tunnels with floating local addresses generate incorrect gratuitous ARPs on standby device
507487 2-Critical ZebOS Route not withdrawn when VAddr/VIP down and no default pool
506199-5 2-Critical VCMP guests on VDAG platforms can experience excessive tmm redirects after multiple guest provisioning cycles
505071-4 2-Critical Delete and create of the same object can cause secondary blades' mcpd processes to restart.
504508-3 2-Critical IPsec tunnel connection from BIG-IP to some Cisco ASA does not stay up when DPD (Dead Peer Detection) is enabled
504496-1 2-Critical AAA Local User Database may sync across failover groups
501343-6 2-Critical In FIPS HA setup, peer may use the FIPS public-handle instead of the FIPS private-handle
495335-5 2-Critical BWC related tmm core
487567-2 2-Critical Addition of a DoS Profile Along with a Required Profile May Fail
484733-2 2-Critical aws-failover-tgactive.sh doesn't skip network forwarding virtuals
479460-1 2-Critical SessionDb may be trapped in wrong HA state during initialization
479374-2 2-Critical Setting appropriate TX driver settings for 40 GB interfaces.
472202-1 2-Critical Potential false positive report of DMA RX lockup failure
470214-3 2-Critical Missing APM (or other module) sessions
469296-1 2-Critical MCPD config validation error resulting in error: requested integer (0) is invalid
467196-2 2-Critical Log files limited to 24 hours
466266-5 2-Critical In rare cases, an upgrade (or a restart) can result in an Active/Active state
464870-4 2-Critical Datastor cores and restarts.
464413-1 2-Critical Descriptor shortage might cause packet loss and/or tmm crash
460833-10 2-Critical MCPD sync errors and restart after multiple modifications to file object in chassis
460730-5 2-Critical On systems with multiple blades, large queries can cause TMM to restart
456461-2 2-Critical Creating a vlan-group after sflow receiver causes TMM sigsegv's (loop).
452293-2 2-Critical Tunneled Health Monitor traffic fails on Standby device
450699 2-Critical Configure member IP addresses on VIPRION before downgrading
449989-1 2-Critical Unable to save UCS when using iControl REST
445633 2-Critical Config sync of SecurID config file fails on secondary blades
438674-3 2-Critical When log filters include tamd, tamd process may leak descriptors
435555-2 2-Critical Cannot load UCS from different BIG-IP system using Secure Vault
430323-1 2-Critical VXLAN daemon may restart when 8000 VXLAN tunnels are configured
422460-6 2-Critical TMM may restart on startup/config-load if it has too many objects to publish back during config load
420107-4 2-Critical TMM could crash when modifying HTML profile configuration
418734-2 2-Critical vCMP guest unit_key empty
412160-2 2-Critical vCMP provisioning may cause continual tmm crash.
394236-1 2-Critical MCP unexpectedly exits, "failure has occurred, There is no active database transaction, status: 0 -
613415-6 3-Major Memory leak in ospfd when distribute-list is used
606540-2 3-Major DB variable changed via GUI does not sync across HA group
598039-1 3-Major MCP memory may leak when performing a wildcard query
596826-3 3-Major Don't set the mirroring address to a floating self IP address
596814-1 3-Major HA Failover fails in certain valid AWS configurations
595773-2 3-Major Cancellation requests for chunked stats queries do not propagate to secondary blades
591708 3-Major HSB may drop off of PCI bus
587821-3 3-Major vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.
584583-5 3-Major Timeout error when attempting to retrieve large dataset.
583754-3 3-Major When TMM is down, executing 'show ltm persist persist-records' results in a blank error message.
583475-4 3-Major The BIG-IP may core while recompiling LTM policies
579284-3 3-Major Potential memory corruption in MCPd
576305-6 3-Major Potential MCPd leak in IPSEC SPD stats query code
575735-7 3-Major Potential MCPd leak in global CPU info stats code
575726-7 3-Major MCPd might leak memory in vCMP interface stats.
575716-7 3-Major MCPd might leak memory in VCMP base stats.
575708-7 3-Major MCPd might leak memory in CPU info stats.
575671-7 3-Major MCPd might leak memory in host info stats.
575619-7 3-Major Potential MCPd leak in pool member stats query code
575608-7 3-Major MCPd might leak memory in virtual server stats query.
575587-6 3-Major Potential MCPd leak in BWC policy class stats query code
574045-1 3-Major BGP may not accept attributes using extended length
571210-5 3-Major Upgrade, load config, or sync might fail on large configs with large objects.
571019-5 3-Major Topology records can be ordered incorrectly.
565534-6 3-Major Some failover configuration items may fail to take effect
560510-2 3-Major Invalid /etc/resolv.conf when more than one DNS servers are set and MCPD is down.
560429 3-Major LTM iRule table set command cannot always set value of record with extremely short timeout
559080-1 3-Major High Speed Logging to specific destinations stops from individual TMMs
557155 3-Major BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.
554340 3-Major IPsec tunnels fail when connection.vlankeyed db variable is disabled
553795-1 3-Major Differing certificate/key after successful config-sync
552585-1 3-Major AAA pool member creation sets the port to 0.
551927-5 3-Major ePVA snoop header's transform vlan should be set properly under asymmetric routing condition
549971-2 3-Major Some changes to virtual servers' profile lists may cause secondary blades to restart
547942-4 3-Major SNMP ipAdEntAddr indicates floating vlan IP rather than local IP
547532-4 3-Major Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades
545214-1 3-Major OSPF distance command does not persist across restarts.
544888-10 3-Major Idle timeout changes to five seconds when using PVA full or Assisted acceleration.
542860-3 3-Major TMM crashes when IPsec SA are deleted during HA Active to Standby or vice versa event
533813-1 3-Major Internal Virtual Server in partition fails to load from saved config
531986-4 3-Major Hourly AWS VE license breaks after reboot with default tmm route/gateway.
530242 3-Major SPDAG on VIPRION B2250 blades might cause traffic imbalance among TMMs
529977 3-Major OSPF may not process updates to redistributed routes
529524-4 3-Major IPsec IKEv1 connectivity issues
528295-3 3-Major Virtual ARP ICMP echo settings are flipped on reloading a 10.x configuration on 11.4.x or later.
524490-1 3-Major Excessive output for tmsh show running-config
524333-1 3-Major iControl command pkcs12_import_from_file_v2 may fail if httpd is restarted or session times out.
523922-2 3-Major Session entries may timeout prematurely on some TMMs
523527-5 3-Major Upgrade from 10.x to 11.2.0 or later does not add existing routing protocols to RD0.
522304-3 3-Major Some password policy changes are not reflected in /etc/shadow when synced in a CMI device group
522024 3-Major Config sync of SecurID config file fails on secondary blades
519394-4 3-Major Sync when licensed for ASM/AFM fails to sync pool with "Load balancing feature not licensed" error
517580-1 3-Major OPT-0015 on 10000-series appliance may cause bcm56xxd restarts
517209-1 3-Major tmsh save sys config file /var/tmp or /shared/tmp can make some BIG-IP functionality unusable
514726-3 3-Major Server-side DSR tunnel flow never expires
514450-1 3-Major VXLAN: Remote MAC address movement does not trigger ARL updates across TMMs.
512954-4 3-Major ospf6d might leak memory distribute-list is used
512485-1 3-Major Forwarding of flooded VXLAN-encapsulated unicast frames may introduce additional forwarding
512130 3-Major Remote role group authentication fails with a space in LDAP attribute group name
510580-2 3-Major Interfaces might be re-enabled unexpectedly when loading a partition
510381-6 3-Major bcm56xxd might core when restarting due to bundling config change.
510119-1 3-Major HSB performance can be suboptimal when transmitting TSO packets.
509782 3-Major TSO packets can be dropped with low MTU
509600-3 3-Major Global rule association to policy is lost after loading config.
509504-2 3-Major Excessive time to save/list a firewall rule-list configuration
507853-3 3-Major MCP may crash while performing a very large chunked query and CPU is highly loaded
507461 3-Major Net cos config may not persist on HA unit following staggered restart of both HA pairs.
507331-3 3-Major Using saved configuration with 11.5.2 on AWS may cause SSLv3 to be enabled.
506041-6 3-Major Folders belonging to a device group can show up on devices not in the group
504572 3-Major PVA accelerated 3WHS packets are sent in wrong hardware COS queue
503604-1 3-Major Tmm core when switching from interface tunnel to policy based tunnel
502238-5 3-Major Connectivity and traffic interruption issues caused by a stuck HSB transmit ring
501517-3 3-Major Very large configuration can cause transaction timeouts on secondary blades
501371 3-Major mcpd sometimes exits while doing a file sync operation
500234-1 3-Major TMM may core during failover due to invalid memory access in IPsec components
499538 3-Major Fragmented ESP packets were getting dropped in BIgIP with MTU = 576
498992-3 3-Major Troubleshooting enhancement: improve logging details for AWS failover failure.
497304-2 3-Major Unable to delete reconfigured HTTP iApp when auto-sync is enabled
496679-2 3-Major Configuration loads may fail because the 'default-device' on a traffic-group object does not contain a valid value.
495862 3-Major Virtual status becomes yellow and gets connection limit alert when all pool members forced down
494367 3-Major HSB lockup after HiGig MAC reset
491894 3-Major Sync status may temporarily go red during full sync
491556-3 3-Major tmsh show sys connection output is corrected
490537-7 3-Major Persistence Records display in GUI might cause system crash with large number of records
489750-1 3-Major Deletion of FIPS keys by-handle may delete key in FIPS-card even if key exists in BIG-IP config
489113-1 3-Major PVA status, statistics not shown correctly in UI
488374-1 3-Major Mismatched IPsec policy configuration causes racoon to core after failed IPsec tunnel negotiation
488262-3 3-Major moving VLAN from route-domain being deleted in the same transaction can cause errors
486512-6 3-Major audit_forwarder sending invalid NAS IP Address attributes
485833-6 3-Major The mcpd process may leak memory when using tmsh to modify user attributes
485352-3 3-Major TMM dumps core file when loading configuration or starting up
485232-3 3-Major Disabling and re-enabling an active blade in a HA group may result in the blade becoming standby
484861-3 3-Major A standby-standby state can be created when auto failback acts in a CRC disagreement scenario
484706-3 3-Major Incremental sync of iApp changes may fail
483683-2 3-Major MCP continues running after "Unexpected exception caught in MCPProcessor::rm_DBLowHighWide" error
483228 3-Major The icrd_child process generates core when terminating
483219-1 3-Major Guest secondary blade config load failure after vdisk reinstall
482434-2 3-Major Possible performance degradation in AWS cloud
481696-3 3-Major Failover error message 'sod out of shmem' in /var/log/ltm
481647 3-Major OSPF daemon asserts and generates core
481089 3-Major Request group incorrectly deleted prior to being processed
481082-1 3-Major Software auto update schedule settings can be reset during a full sync
477859-2 3-Major ZebOS config load may fail if password begins with numeric character
477789-1 3-Major SSL Certificate can accommodate & (ampersand) in the Common Name, Organization Name, Division and SAN.
476708-3 3-Major ZebOS using BGP ECMP may not correctly update the ECMP paths when one of the paths goes down and comes back up
473200 3-Major Renaming a virtual server causes unexpected configuration load failure
473088-5 3-Major Virtual server with RequestAdapt/ResponseAdapt profiles along with a OneConnect profile
472365-2 3-Major The vCMP worker-lite system occasionally stops due to timeouts
471901-1 3-Major Log publishers with failed HSL destinations continue to accept and deliver logs.
471042-4 3-Major Datastor High Velocity Traffic Pattern Changes
470788-5 3-Major Creating static ARP entry with unreachable IP address causes BIG-IP to be unreachable after reboot
468837-3 3-Major SNAT translation traffic group inheritance does not sync across devices
468517-3 3-Major Multi-blade systems can experience active/standby flapping after both units rebooted
468514-2 3-Major Receiving several ConfigSync requests in a short period of time may cause the mcpd process to restart and produce a core file
468235-1 3-Major The worldwide City database (City2) does not contain all of the appropriate Proxy strings.
464442-2 3-Major User cannot update SNAT pools that contains resolved hostname as a member
464225-1 3-Major 'tmsh list ltm message-routing' and 'tmsh show ltm message-routing' fail for non-admin users
464132 3-Major Serverside SSL cannot be disabled if Rewrite profile is attached
463715-2 3-Major syscalld logs erroneous and benign timeout messages
463652-1 3-Major Inconsistent Certificate/Key/Chain listing for child Client SSL profile when parent profile is modified.
463468-6 3-Major failed tmsh command generate double logs
462351-1 3-Major Error when resetting stats
462187-1 3-Major 'tmsh list net tunnels' and GUI tunnel access fail for non-admin users
460178-2 3-Major oamd may generate core during shutdown
460020-2 3-Major Rewrite profile might cause tmm core when trying to rewrite set cookie in HTTP response header
459096-4 3-Major GUI: Modifying Self IP Port lockdown from Allow All to Allow Default results in error
456573-2 3-Major Sensor read faults with DC power supply
455980-3 3-Major Home directory is purged when the admin changes user password.
455651-3 3-Major Improper regex/glob validation in web-acceleration and http-compression profiles
452689-2 3-Major Tunnels built over IPsec tunnel interface does not work
449453 3-Major Loading the default configuration may cause the mcpd process to restart and produce a core file.
447272-1 3-Major Chassis with MCPD audit logging enabled will sync updates to device group state
446493-1 3-Major foreign key index error on local traffic-only group
445968 3-Major Update traffic priority option appears for non-authorized users in GUI.
442993-2 3-Major An unexpected gateway may be selected for the management interface
442191-4 3-Major HTTP Class profiles globs are upgraded to a contains condition when it should be equals
440526 3-Major When collecting support information, log messages might appear in /var/log/ltm
440346-2 3-Major Monitors removed from a pool after sync operation
439343-5 3-Major Client certificate SSL authentication unable to bind to LDAP server
437773-6 3-Major Some LACP trunk members are missing after rebooting primary blade
435953-1 3-Major In the GUI, the search fails to return results for the Wide IP list
434730-5 3-Major Auto-sync may fail with many synchronizations in rapid succession
434573-5 3-Major Tmsh 'show sys hardware' displays Platform ID instead of platform name
433055-1 3-Major BFD GTSM IMI shell commands don't work
431634-5 3-Major tmsh: modify gtm server 'xxx' virtual-servers replace-all-with 'yyy' fails
427924-4 3-Major ipport hash type is not programmed in new blade
427357-2 3-Major Virtual address icmp-echo and arp properties get reset to disabled for network prefixes on config load
420204-1 3-Major FIPS key deletion by-handle does not post an error if corresponding key object exists but the keyname is more than 32 characters long
419664-3 3-Major SNMP sysIfxStat stats availability on 2000/4000 platforms
416292-2 3-Major MCPD can core as a result of another component shutting down prematurely
410398-4 3-Major sys db tmrouted.rhifailoverdelay does not seem to work
405752-6 3-Major Monitors sourced from specific source ports can fail
402115-2 3-Major System does not report tmm memory with consideration of threading
382157-6 3-Major Stats presented by the MIB sysVlanStatTable does not match sflow vlan stats
378967-3 3-Major Users are not synchronized if created in a partition
369352-6 3-Major No verification prompt when executing 'load sys config default' for resource administrator role
337934-3 3-Major remoterole: attributes ending in 'role' or 'deny' will be parsed incorrectly


Local Traffic Manager Issues

ID Number Severity Description
500303 1-Blocking Virtual Address status may not be reliably communicated with route daemon
471644-2 1-Blocking BIG-IP system total throughput stats two times higher than expected stats
442613 1-Blocking After applying a data group for FIX profile tag map, modifying datagroup may cause tag mapping function to be inconsistent
420341-7 1-Blocking Connection Rate Limit Mode when limit is exceeded by one client also throttles others
575011-7 2-Critical Fix memory leak.
565409-2 2-Critical Invalid MSS with HW syncookies and flow forwarding
559973-4 2-Critical Nitrox can hang on RSA verification
552151-3 2-Critical Continuous error report in /dev/log/ltm: Device error: n3-compress0 Nitrox 3, Hang Detected
537988-2 2-Critical Buffer overflow for large session messages
534795-2 2-Critical Swapping VLAN names in config results in switch daemon core and restart.
533388-4 2-Critical tmm crash with assert "resume on different script"
521556-5 2-Critical Assertion "valid pcb" in TCP4 with ICAP adaptation
521548-4 2-Critical Possible crash in SPDY
521336 2-Critical pkcs11d initialization retry might post misleading error messages and eventually result in a pkcs11d core
520105-1 2-Critical Possible segfault during hardware accelerated compression.
514108-4 2-Critical TSO packet initialization failure due to out-of-memory condition.
511924-4 2-Critical LTM Policy rule names are more strictly validated
511782-5 2-Critical The HTTP_DISABLED event does not trigger in some cases
509310 2-Critical Bad outer IPv4 UDP checksum observed on egressing VxLAN traffic on VIPRION chassis and 5000 series appliances
507611-2 2-Critical On BIG-IP 2000- and 4000-series platforms BGP sessions with TCP MD5 enabled might fail to establish connection to neighbors.
505222-1 2-Critical DTLS drops egress packets when traffic is large
503652 2-Critical Some SIP UDP connections are lost immediately after enabling a blade on the Active HA unit.
503620-5 2-Critical ECDHE_ECDSA and DHE_DSS ciphers do not work with OpenSSL 1.0.1k and later
503343-3 2-Critical TMM crashes when cloned packet incorrectly marked for TSO
502443 2-Critical After enabling a blade/HA member, pool members are marked down because monitoring starts too soon.
497299-2 2-Critical Thales install fails if the BIG-IP system is also configured as the RFS
495875-4 2-Critical Connection limit on nodes causes TMM infinite loop and heartbeat failure with heavy traffic
493558 2-Critical TMM core due to SACK hole value mismatch
492352-1 2-Critical Mismatch ckcName between GUI and TMSH can cause upgrade failure
491771-6 2-Critical Parking command called from inside catch statement
491030-4 2-Critical Nitrox crypto accelerator can sometimes hang when encrypting SSL records
490225-2 2-Critical Duplicate DNSSEC keys can cause failed upgrade.
489451-1 2-Critical TMM might panic due to OpenSSL failure during handshake generation
489217-5 2-Critical "cipher" memory can leak
486450 2-Critical iApp re-deployment causes mcpd on secondaries to restart
485189 2-Critical TMM might crash if unable to find persistence cookie
480370-4 2-Critical Connections to virtual servers with port-preserve property will cause connections to leak in TMM
479171-1 2-Critical TMM might crash when DSACK is enabled
478592-2 2-Critical When using the SSL forward proxy feature, clients might be presented with expired certificates.
476683 2-Critical Suspended DNS_RESPONSE events are not resumed
476599 2-Critical TMM may panic when resuming DNS_REQUEST iRule event
475460-3 2-Critical tmm can crash if a client-ssl profile is in use without a CRL
474974-1 2-Critical Fix ssl_profile nref counter problem.
472831-3 2-Critical FIPS-enabled DNSSEC can cause TMM core
472157-2 2-Critical Large file uploads abort for SPDY/3 and SPDY/3.1
470191 2-Critical Virtual with FastL4 with loose initiation and close enabled might result in TMM core
469139-3 2-Critical Fix for ID 429124 working but GUI statistics showing PVA connections not PVA'd
469071-1 2-Critical TMM segfault in mpctp_switch_conns
468375-1 2-Critical TMM crash when MPTCP JOIN arrives in the middle of a flow
462025 2-Critical SQL monitors do not handle route domains properly
459994-2 2-Critical tmm may crash if default gateway pool contains members that it cannot route to
459266-1 2-Critical SSL profile memory increases when SSL connection goes to disabled
459100-3 2-Critical TMM may crash when offloading one-way UDP FastL4 flow
457034-1 2-Critical Multipath TCP (MPTCP): TMM crash in stockpile management
456853-1 2-Critical DTLS cannot handle client certificate when client does not send CertVerify message.
454583-3 2-Critical SPDY may cause the TMM to crash if it aborts while there are stalled streams.
451059-3 2-Critical SSL server does not check and validate Change Cipher Spec payload.
451035-4 2-Critical On a 11050-FIPS BIG-IP, TMM may reset when loading a large number of FIPS keys
450814-7 2-Critical Early HTTP response might cause rare 'server drained' assertion
449770 2-Critical Using "CRYPTO::keygen -alg rsa" outside of RULE_INIT can cause TMM to time out
449526-1 2-Critical LB::prime iRule with SIP filter can result in a core
448787-5 2-Critical Monitors in non-default route domains may flap when large number of connections are originiated from that route-domain
434258-1 2-Critical SSL Forward Proxy versions prior to 11.6.0 do not fully support passthrough.
428467-1 2-Critical max-concurrent-udp/max-concurrent-tcp maximum values
426328-4 2-Critical Updating iRule procs while in use can cause a core
417068-2 2-Critical Key install or deletion failure on FIPS key names longer than 32 chars on some platforms
602329-1 3-Major syncookie header of HA channel mirror packets is not cleared
598874-6 3-Major GTM Resolver sends FIN after SYN retransmission timeout
597089-2 3-Major Connections are terminated after 5 seconds when using ePVA full acceleration
592784-6 3-Major Compression stalls, does not recover, and compression facilities cease.
591659-7 3-Major Server shutdown is propagated to client after X-Cnection: close transformation.
591476-4 3-Major Stuck nitrox crypto queue can erroneously be reported
589400-6 3-Major With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.
588572-1 3-Major Unnecessary re-transmission of packets on higher ICMP PMTU.
588569-1 3-Major Don't include maximum TCP options length in calculating MSS on ICMP PMTU.
587705 3-Major Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools.
586621-1 3-Major SQL monitors 'count' config value does not work as expected.
582234 3-Major When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again.
582207-2 3-Major MSS may exceed MTU when using HW syncookies
576296-7 3-Major MCPd might leak memory in SCTP profile stats query.
575626-3 3-Major Minor memory leak in DNS Express stats error conditions
575612-6 3-Major Potential MCPd leak in policy action stats query code
570617-3 3-Major HTTP parses fragmented response versions incorrectly
569288-1 3-Major Different LACP key may be used in different blades in a chassis system causing trunking failures
566361-4 3-Major RAM Cache Key Collision
563419-1 3-Major IPv6 packets containing extended trailer are dropped
560405-1 3-Major Optional target IP address and port in the 'virtual' iRule API is not supported.
559554-4 3-Major CHD congestion control can have erroneous very large cwnd.
554977 3-Major TMM might crash on failed SSL handshake
554761-7 3-Major Unexpected handling of TCP timestamps under syncookie protection.
552385-1 3-Major Virtual servers using an SSL profile and two UDP profiles may not be accepted
543993-1 3-Major Serverside connections may fail to detach when using the HTTP and OneConnect profiles
537964-2 3-Major Monitor instances may not get deleted during configuration merge load
534890-1 3-Major When using session tickets, the session id sent might be incorrect
533966-1 3-Major Double loopback nexthop release might cause TMM core.
530812-3 3-Major Legacy DAG algorithm reuses high source port numbers frequently
530795-2 3-Major In FastL4 TCP virtual servers, ICMP might send wrong SEQ number/ACK number.
528407-2 3-Major TMM may core with invalid lasthop pool configuration
528007-7 3-Major Memory leak in ssl
527742-3 3-Major The inherit-certkeychain field of a clientSSL profile is not synchronized correctly on the standby bigip
525958-5 3-Major TMM may crash if loadbalancing to node's IP in iRule routed towards an unreachable nexthop.
521813-2 3-Major Cluster is removed from HA group on restart
521774-1 3-Major Traceroute and ICMP errors may be blocked by AFM policy
521538-1 3-Major Keep-alive transmissions do not resume after failover of flows on an L4 virtual, when the sequence number is known
521522-1 3-Major Traceroute through BIG-IP may display destination IP address at BIG-IP hop
521408-1 3-Major Incorrect configuration in BigTCP Virtual servers can lead to TMM core
520604-3 3-Major Route domain creation may fail if simultaneously creating and modifying a route domain
518086 3-Major Safenet HSM Traffic failure after system reboot/switchover
517790-5 3-Major When non-HTTP traffic causes the server-side to receive unexpected data, the connection will be dropped
517124-1 3-Major HTTP::retry incorrectly converts its input
516598-2 3-Major Multiple TCP keepalive timers for same Fast L4 flow
516280 3-Major bigd process uses a large percentage of CPU
515759-7 3-Major Configuration objects with more than four vlans in vlan list may cause memory utilization to increase over time
515482-2 3-Major Multiple teardown conditions can cause crash
515139-2 3-Major Active FTP session with inherit profile and address translation disabled may not decrement pool member current connections statistics
515072-8 3-Major Virtual servers with priority groups reset incoming connections when a non-zero connection limit is increased
514975 3-Major Reset packet after connflow idle timout contains seq number 0 in nPath mode.
514604-4 3-Major Nexthop object can be freed while still referenced by another structure
514419-3 3-Major TMM core when viewing connection table
513530-2 3-Major Connections might be reset when using SSL::disable and enable command
513319-1 3-Major Incorrect of failing sideband connections from within iRule may leak memory
513243-2 3-Major Improper processing of crypto error condition might cause memory issues.
513213 3-Major FastL4 connection may get RSTs in case of hardware syncookie enabled.
512885 3-Major https monitor fails to work with MD5 with RSA as signature hash algorithm
512490-1 3-Major Increased latency during connection setup when using FastL4 profile and connection mirroring.
512383 3-Major Hardware flow stats are not consistently cleared during fastl4 flow teardown.
511517-5 3-Major Request Logging profile cannot be configured with HTTP transparent profile
511324-8 3-Major HTTP::disable does not work after the first request/response.
511130-1 3-Major TMM core due to invalid memory access while handling CMP acknowledgement
511057-1 3-Major Config sync fails after changing monitor in iApp
510720-4 3-Major iRule table command resumption can clear the header buffer before the HTTP command completes
510588 3-Major Cross blade trunk with balanced trunk.cluster.distribution has issues with re-enabling the only local trunk working member
510395 3-Major Disabling some events while in the event, then running some commands can cause tmm to core.
510264-4 3-Major TMM core associated with smtps profile.
508797 3-Major Clarification regarding differences in GARPs on different versions.
508067 3-Major Packet drop on 5200 platforms due to delayed MPI communication
507109-2 3-Major inherit-certkeychain attribute of child Client SSL profile can unexpectedly change during upgrade
506702-3 3-Major TSO can cause rare TMM crash.
506290-1 3-Major MPI redirected traffic should be sent to HSB ring1
505964-1 3-Major Invalid http cookie handling can lead to TMM core
505056-1 3-Major BIG-IP system might send an egress packet with a priority different from that of ingress packet on the same flow.
504827 3-Major Use of DHCP relay virtual server might result in tmm crash 'top filter'.
504633-6 3-Major DTLS should not update 'expected next sequence number' when the record is bad.
504396-1 3-Major When a virtual's ARP or ICMP is disabled, the wrong mac address is used
504306-8 3-Major https monitors might fail to re-use SSL sessions.
503741-12 3-Major DTLS session should not be closed when it receives a bad record.
503257-9 3-Major Persistence, connection limits and HTTP::respond or HTTP::redirect may result in RST
503214-5 3-Major Under heavy load, hardware crypto queues may become unavailable.
503118-4 3-Major clientside and serverside command crashes TMM
502747-7 3-Major Incoming SYN generates unexpected ACK when connection cannot be recycled
502683-4 3-Major Traffic intermittently dropped in syncookie mode, especially when hardware syncookie is on
502174-2 3-Major DTLS fragments do not work for ClientHello message.
502149-1 3-Major Archiving EC cert/key fails with error 'EC keys are incompatible for Webserver/EM/iQuery.'
501984 3-Major TMM may experience an outage when an iRule fails in LB_SELECTED.
501690-2 3-Major TMM crash in RESOLV::lookup for multi-RR TXT record
501516 3-Major If a very large number of monitors is configured, bigd can run out of file descriptors when it is restarted.
500786-1 3-Major Heavy memory usage while using fastL4/BIGTCP virtual with HTTP profile
500003-5 3-Major Incoming NTP packets from configured NTP server to non-local IP breaks outgoing NTP
499946-1 3-Major Nitrox might report bad records on highly fragmented SSL records
499615-5 3-Major RAM cache serves zero length documents.
499430-4 3-Major Standby unit might bridge network ingress packets when bridge_in_standby is disabled
499150-1 3-Major OneConnect does not reuse existing connections in VIP targeting VIP configuration
497742-4 3-Major Some TCP re-transmits on translucent vlangroup skip bit-flip on source MAC address
497584 3-Major The RA bit on DNS response may not be set
496758-1 3-Major Monitor Parameters saved to config in a certain order may not construct parameters correctly
496588-3 3-Major HTTP header that is larger than 64K can be analyzed incorrectly, leading to TMM crash
495574-1 3-Major DB monitor functionality might cause memory issues
495443-2 3-Major ECDH negotiation failures logged as critical errors.
495253-2 3-Major TMM may core in low memory situations during SSL egress handling
494322-1 3-Major The HTTP_REQUEST iRule event may cause the TMM to crash if the explicit proxy is used
494084-1 3-Major Certain rapidly-terminating UDP virtuals may core on standby
493140-4 3-Major Incorrect persistence entries are created when invoking cookie hash persistence within an iRule using offset and length parameters.
493117-4 3-Major Changing the netmask on an advertised virtual address causes it to stop being advertised until tmrouted is restarted
491518-1 3-Major SSL persistence can prematurely terminate TCP connection
491454-2 3-Major SSL negotiation may fail when SPDY profile is enabled
490817-4 3-Major SSL filter might report codec alerts repeatedly
490740-5 3-Major TMM may assert if HTTP is disabled by another filter while it is parked
490713-4 3-Major FTP port might occasionally be reused faster than expected
490480-2 3-Major UCS load may fail if the UCS contains FIPS keys with names containing dot
490121 3-Major Incorrect reporting of PVA current and maximum connection with SERVER_CONNECTED event
488876-1 3-Major SSL persistence uses noticeably more memory
488193-1 3-Major iRule nexthop is not considered after failover with IP forwarding virtual server.
487757-1 3-Major Hybrid higig/front panel port packet discard (Ingress back-pressure v.s. Egress queue discard) counts can be expected during bursty or severe MMU traffic congestion on B4300/B2200/10000/12000-family platforms.
487554 3-Major System might reuse TCP source ports too quickly on the server side.
487211 3-Major WOM IP fragmentation in v11.5.0 HF4
486724-1 3-Major After upgrading from v10 to v11 in a FIPS HA setup, config-sync fails
485472-1 3-Major iRule virtual command allows for protocol mismatch, resulting in crash
484305-4 3-Major Clientside or serverside command with parking command crashes TMM
483539 3-Major With fastL4, incorrect MSS value might be used if SYN has options without MSS specified
483157-1 3-Major Server-side flow uses 0 as TCP source port
481880-1 3-Major SASPD monitor cores
481844-2 3-Major tmm can crash and/or use the wrong CRL in certain conditions
481216-2 3-Major Fallback may be attempted incorrectly in an abort after an Early Server Response
480982-2 3-Major pkcs11d with a high thread count can result in high CPU utilization
480686-5 3-Major Packet loop in VLAN Group
479872-1 3-Major Corresponding protocol profiles must exist on both clientside/serverside
478617-11 3-Major Don't include maximum TCP options length in calculating MSS on ICMP PMTU.
478439-11 3-Major Unnecessary re-transmission of packets on higher ICMP PMTU.
478257-11 3-Major Unnecessary re-transmission of packets on ICMP notifications even when MTU is not changed
478195-1 3-Major Installation of FIPS .exp key files sets incorrect public exponent.
477742-1 3-Major DTLS message sequence number is off by one
477394-5 3-Major LTM might reset and cause out-of-ports
477375 3-Major SASP Monitor may core
476281-2 3-Major tmm crash on uninitialized variable
475791-2 3-Major Ramcache profile may dispatch internal messages out-of-order leading to assert
475677-1 3-Major Connections may hang until timeout if a LTM policy action failed
475322-1 3-Major cur_conns number different in tmstat and snmp output.
475125-1 3-Major Use of HTTP::retry may cause TMM crash
474771 3-Major bigtop global statistics not including pva statistics for BIG-IP row
474584-4 3-Major igbvf driver leaks xfrags when partial jumbo frame received
474226 3-Major LB_FAILED may not be triggered if persistence member is down
474002-2 3-Major Server SSL profile unable to complete SSL handshake when server selects DHE-based key exchange, and is configured with 2048-bit or larger DH keys
473759 3-Major Unrecognized DNS records can cause mcpd to core during a DNS cache query
472944 3-Major SMTPS race condition after STARTTLS may cause incorrect SMTP responses
472571-3 3-Major Memory leak with multiple client SSL profiles.
472148-6 3-Major Highly fragmented SSL records can result in bad record errors on Nitrox based systems
471821-3 3-Major Compression.strategy "SIZE" is not working
471625-2 3-Major After deleting external data-group, importing a new or editing existing external data-group does not propagate to TMM
471288-3 3-Major TMM might crash with session-related commands in iRules.
469361-1 3-Major Unexpected tmm restart, no core - beta tmm version
469115-1 3-Major Management client-ssl profile does not support multiple key/cert pair.
468542 3-Major Virtual servers with a SPDY profile ignore SNAT none setting
468472-4 3-Major Unexpected ordering of internal events can lead to TMM core.
465607-1 3-Major TMM cores with TMM log error 'Assertion "flow in use" failed.' when isuing FastHTTP.
465590-5 3-Major Mirrored persistence information is not retained while flows are active
464499-1 3-Major client-ssl profile loses cert-key-object When the cert-key-chain object exists in partition other than /Common
462714-5 3-Major Source address persistence record times out even while traffic is flowing on FastL4 profile virtual server
461818-1 3-Major Occasional extreme large value reported for tmm-info five-min-avg-usage-ratio
461587-4 3-Major TCP connection can become stuck if client closes early
460945-4 3-Major Memory leak when changing a policy that is in use by a virtual server
458348-1 3-Major RESOLV:: iRule commands and sFlow don't function correctly when using non-default CMP hashing.
457934-2 3-Major SSL Persistence Profile Causing High CPU Usage
457293-4 3-Major Clustered Multiprocessing (CMP) peer connection is not removed in certain race conditions.
456763-1 3-Major L4 forwarding and TSO can cause rare TMM outages
456378 3-Major On a virtual server with the ipother profile assigned, iRule firing on CLIENT_ACCEPTED with discard or reject action may cause TMM to core
455840-2 3-Major EM analytic does not build SSL connection with discovered BIG-IP system
454954-6 3-Major Messages dropped by iRULE DIAMETER::drop will be retransmitted
454209-2 3-Major TMM crash on UDP DNS virtual without datagram-load-balancing enabled
454018-4 3-Major Nexthop to tmm0 ref-count leakage could cause TMM core
453720-2 3-Major clientssl profile validation fails to detect config with no cert/key name and no cert/key
453171-2 3-Major High CPU usage leading to tmm/apd cores/restart
452643-6 3-Major Pool member's lb_value is not updated when transistioning from disabled to enabled
452516-4 3-Major Excessive memory consumption after extended use
452454-3 3-Major A RST will not be forwarded for a IP forwarding Virtual server with a fastL4 profile with loose initialization configured as well as an idle timeout that is less than the server idle timeout value.
452315-3 3-Major Connection rate limit is not working when pool is not configured for the virtual server.
451534 3-Major TMM SIGSEGV event with SSL forward proxy in PassThrough Mode
451319-3 3-Major HTTP CONNECT request with 4xx response with body results in RST
450087-7 3-Major Unacknowledged segments may fail to be retransmitted
449891-5 3-Major Fallback source persistence entry is not used when primary SSL persistence fails
448476-3 3-Major 10G SFP interfaces cannot be part of the same trunk.
447874-3 3-Major TCP zero window suspends data transfer
447080-6 3-Major VLAN tagged/untagged configuration change requires tmm restart
447043-7 3-Major Cannot have 2 distinct 'contains' conditions on the same LTM policy operand
446526-3 3-Major TCP virtual server/UDP virtual server without datagram-LB mode enabled running DNS cache and suspending iRules might cause TMM crash.
445335 3-Major Unlicensed LTM can be configured with Policy that requires license
444710-5 3-Major Out-of-order TCP packets may be dropped
444178-4 3-Major HTTP header replace always inserts header
442455-1 3-Major Hardware Security Module (HSM) CSR and certificate fields constraints: 15 characters and no spaces.
442391-7 3-Major Unsolicited neighbor advertisement cannot pass through VLAN group
442020-4 3-Major Neighbor discovery might not work correctly with VLAN group
441985-1 3-Major In client-ssl profile outside ckc key/cert/chain/passphrase and RSA pair inside ckc
441146 3-Major Delays with flooding on forwarding ports following STP blocked state changes.
441058-3 3-Major TMM can crash when a large number of SSL objects are created
440431-5 3-Major Response Logging generates a blank $HTTP_STATUS response when used with certain iRule commands.
439773-1 3-Major The TMM process may restart and produce a core file when a connection flow is in an invalid TCP state
438877-1 3-Major If the SASP monitor receives an unexpected message from the GWM server containing an expected message id then the monitor stops processing any further messages.
438792-7 3-Major Node flapping may, in rare cases, lead to inconsistent persistence behavior
437703-4 3-Major LTM policies do not accept special characters in HTTP header names
437627-6 3-Major TMM may crash if fastl4 vs has fragmeneted pkt
435335-4 3-Major SSL proxy session ID cache does not respect limit set by tmm.proxyssl.cachesize
435106-2 3-Major Message: notice panic: ../modules/hudfilter/hudnode.c:741: Assertion 'valid proxy failed.
434517-13 3-Major HTTP::retry doesn't work in an early server response
434400-4 3-Major tmm might core with rate-limiting on virtual server
434356-1 3-Major Data-group update doesn't propagate to SSL forward proxy configuration
433323-4 3-Major Ramcache handling of Cache-Control: no-cache directive in Response
429011-9 3-Major No support for external link down time on network failover
422107-6 3-Major Responses from DNS transparent cache will no longer contain RRSIG for queries without DO bit set
419217-2 3-Major LTM policy fails to decompress compressed http requests
401852-3 3-Major csyncd will intentionally dump core when the kernel event queue is full
384451-3 3-Major Duplicated cert/keys/chain might cause SIGABRTs and low-memory conditions
375887-2 3-Major Cluster member disable or reboot can leak a few cross blade trunk packets
374339-7 3-Major HTTP::respond/redirect might crash TMM under low-memory conditions
364994-10 3-Major TMM may restart or disabled connections may be reused when a OneConnect profile is configured and OneConnect reuse is disabled be an iRule.
352925-3 3-Major Updating a suspended iRule and TMM process restart
348000-5 3-Major HTTP response status 408 request timeout results in error being logged.
336255-6 3-Major OneConnect Connection Limits with Narrow Source Address Masks


Performance Issues

ID Number Severity Description
476144-2 1-Blocking TMM generates a core file when dynamically loading a shared library.
489259-1 2-Critical [AFM] packets from good ip's are being dropped by DoS Sweep & Flood logic
473485-2 2-Critical Fixed a few issues in HTTP Auth module
454949-1 2-Critical AFM Optimizations to improve run-time and memory usage.
496998-1 3-Major Update offenders more aggressively. Increase batch size for Dwbld processing.
426939-6 3-Major APM Polices does not work in VIPRION 4800 chassis if there is no slot1


Global Traffic Manager Issues

ID Number Severity Description
533658-1 2-Critical DNS decision logging can trigger TMM crash
515797-5 2-Critical Using qos_score command in RULE_INIT event causes TMM crash
469033-2 2-Critical Large big3d memory footprint.
442980-5 2-Critical GTM pool statistics incorrect if max-address-returned not set to 1 and r
442226-3 2-Critical Link Controller fails to auto-create a self-server
437025-7 2-Critical big3d might exit during loading of large configs or when a connection to mcpd is dropped.
526699-3 3-Major TMM might crash if BIG-IP DNS iRule nodes_up references invalid IP/Port.
496775 3-Major [GTM] [big3d] Unable to receive mark LTM virtual server up if there is another VS with same ltm_name for bigip monitor
479142-4 3-Major Deleting a virtual server does not delete the resource record (RR) in ZoneRunner Daemon (ZRD)
473577-3 3-Major Changes not synced or received by GTMd for GTM Wide IP Alias Items
473139-4 3-Major IMAP monitor works for LTM fails for BIG-IP DNS
468519-3 3-Major BIG-IP DNS configuration load failure from invalid bigip_gtm.conf file.
466756-1 3-Major Automating input to gtm_add script rather than running it interactively can result in script failure
420440-3 3-Major Multi-line TXT records truncated by ZoneRunner file import


Application Security Manager Issues

ID Number Severity Description
478674-2 1-Blocking ASM internal parameters for high availability timeout was not handled correctly
515728-3 2-Critical Repeated BD cores.
489705-4 2-Critical Running out of memory while parsing large XML SOAP requests
487420-2 2-Critical BD crash upon stress on session tracking
481476-4 2-Critical MySQL performance
477432-3 2-Critical Roll forward from 11.3.0 with iApp configured fails to load correctly and causes bd to core
476616-2 2-Critical Set active fails after accept learning suggestion for illegal metachar Policy with encoding iso-8859-1
468387-1 2-Critical Enforcer core related to specific error condition in the session db
451384-1 2-Critical "Differentiate between HTTP and HTTPS URLs" can't be disabled when Security Policy contains https URLs
451257-2 2-Critical ASM BD process may crash on missing cookie protection config data when traffic is being passed.
442153-1 2-Critical "Enforce" and "Accept" buttons do not work in Redirection Domains section
226473-5 2-Critical Apply Policy failures due to Null characters in entity names
535904-5 3-Major BD crashes when attempting to access a closed connection
529610-3 3-Major On HA setups ASM session tracking page display an empty list when in fact there are asm entries in session db
514061-2 3-Major False positive scenario causes SMTP transactions to hang and eventually reset.
513787-1 3-Major CSRF doesn't apply web application callback registered as XMLHttpRequest.onload in IE8-10
508519-3 3-Major Performance of Policy List screen
507905-2 3-Major Saving Policy History during UCS load causes DB deadlock/timeout
507289-2 3-Major User interface performance of Web Application Security Editor users
504973-3 3-Major Configuring a route domain with 32 bit subnet mask, 128 bit mask saved instead
502852-1 3-Major Deleting an in-use custom policy template
498189-2 3-Major ASM Request log does not show log messages.
497769-3 3-Major Policy Export: BIG-IP does not export redirect URL for "Login Response Page"
496011-5 3-Major Resets when session awareness enabled
490284-2 3-Major ASM user interface extremely slow to respond (e.g. >2 minutes to render policy list)
485764-1 3-Major WhiteHat vulnerability assessment tool is configured but integration does not work correctly
484079-6 3-Major Change to signature list of manual Signature Sets does not take effect.
482915-2 3-Major Learning suggestion for the maximum headers check violation appears only for blocked requests
475819-2 3-Major BD crash when trying to report attack signatures
465927-2 3-Major Response is halted or reset when the request has an ignore profile
465181-2 3-Major Unhandled connection error in iprepd causes memory leak in iprepd or merged
458295-3 3-Major Memory leaks while connecting to the IP reputation database server using a proxy.
451705-2 3-Major Illegal metachar override can be added to policy which prevents Apply Policy
449622-1 3-Major Issue while importing policy with customer violation conflict.
441601-5 3-Major Response is truncated in the log
441500-5 3-Major Fails over upon receiving updates from the IP reputation database.
441075-7 3-Major Newly added or updated signatures are erroneously added to Manual user-defined signature sets.
440263-1 3-Major HTTP profile gets set to http-transparent by ASM deployment wizard


Application Visibility and Reporting Issues

ID Number Severity Description
464366-2 2-Critical Devices are out of Sync when new analytics profile is created and assigned to a virtual server
461715-1 2-Critical AVR: Collecting geolocation IDs
441214-2 2-Critical monpd core dumps in case of MySQL crash
596945 3-Major AVR DNS record lost after upgrade.
574160 3-Major Publishing DNS statistics if only Global Traffic and AVR are provisioned
559060 3-Major AVR reads BIG-IP system's cookie incorrectly in multiple BIG-IP configuration.
535246-1 3-Major Table values are not correctly cleaned and can occupy entire disk space.
530952-2 3-Major MySql query fails with error number 1615 'Prepared statement needs to be re-prepared'
528031-4 3-Major AVR not reporting the activity of standby systems.
493825-3 3-Major Upgrade failure from version 11.4.0 due to incorrect configuration being saved
489682-2 3-Major Configuration upgrade failure due to change in an ASM predefined report name
479334-6 3-Major monpd/ltm log errors after Hotfix is applied
468874-4 3-Major Monpd errors appear when AVR loads data to MySQL
467945-2 3-Major Error messages in AVR monpd log
458823-3 3-Major TMM Crash can lead to crash of other processes
438604-4 3-Major AVR JavaScript injection takes place regardless of content-type value


Access Policy Manager Issues

ID Number Severity Description
553330-5 1-Blocking Unable to create a new document with SharePoint 2010
488986-3 1-Blocking Access policy cannot enter Windows Protected Workspace on Internet Explorer versions 10 and 11, and edge client.
488736-3 1-Blocking Fixed problem with iNotes 9 Instant Messaging
446881-3 1-Blocking OPSWAT library now needs scpt.dat file on MAC OS X
580817-6 2-Critical Edge Client may crash after upgrade
575609-2 2-Critical Zlib accelerated compression can result in a dropped flow.
572563-6 2-Critical PWS session does not launch on Internet Explorer
537227-4 2-Critical EdgeClient may crash if special Network Access configuration is used
525562-3 2-Critical Debug TMM Crashes During Initialization
520145-1 2-Critical [Policy Sync] OutOfMemoryError exception when syncing big and complex APM policy
516075-2 2-Critical Linux command line client fails with on-demand cert
514220-3 2-Critical New iOS-based VPN client may fail to create IPv6 VPN tunnels
507782-2 2-Critical TMM crashes for Citrix connection when Address field in the ICA file has non-patched/invalid data
507681-3 2-Critical Window.postMessage() does not send objects in IE11
505101 2-Critical tmm may panic due to accessing uninitialized memory
497118-1 2-Critical Tmm may restart when SAML SLO is triggered
495901-1 2-Critical Tunnel Server crash if probed on loopback listener.
494098-3 2-Critical PAC file download mechanism race condition
493360-3 2-Critical Fixed possible issue causing Edge Client to crash during reconnect
489328-6 2-Critical When BIG-IP virtual accessed with multiple tabs with long initial URLs before session creation can cause TMM crash.
487399-1 2-Critical VDI plugin crashes when View client disconnects prematurely
484454-1 2-Critical Users not able to log on after failover
480272-4 2-Critical During OAM SDK initialization, ObConfig initialization returns wrong accessgate ID
476736-1 2-Critical APM IPv6 Network Access connection may fail in some cases
475049-5 2-Critical Missing validation of disallowing empty DC configuration list
474058-4 2-Critical When the BIG-IP system is configured as Service Provider, APD may restart under certain conditions
471874-3 2-Critical VDI plugin crashes when trying to respond to client after client has disconnected
468908-2 2-Critical Session timeout settings doesn't work properly
458928-3 2-Critical APMD cores in Kerberos authentication, when the agent tries to derefence a null authparam session variable.
452163-2 2-Critical Cross-domain functionality is broken in AD Query
451469-2 2-Critical APM User Identity daemon doesn't generate core
450136-1 2-Critical Occasionally customers see chunk boundaries as part of HTTP response
447565-1 2-Critical Renewing machine-account password does not update the serviceId for associated ntlm-auth.
446187-3 2-Critical If manually started, bigip service(s) may consume 100% and become not functional
431980-3 2-Critical SWG Reports: Overview and Reports do not show correct data.
615522 3-Major VDI crashes while responding to clients with multiple VDI threads running
586718-7 3-Major Session variable substitutions are logged
586006-7 3-Major Failed to retrieve CRLDP list from client certificate if DirName type is present
580421-6 3-Major Edge Client may not register DLLs correctly
570064-6 3-Major IE gives a security warning asking: "Do you want to run ... InstallerControll.cab"
563135-1 3-Major SWG Explicit Proxy uses incorrect port after a 407 Authentication Attempt
558870-8 3-Major Protected workspace does not work correctly with third party products
558631-7 3-Major APM Network Access VPN feature may leak memory
554228-6 3-Major OneConnect does not work when WEBSSO is enabled/configured.
544992-1 3-Major Virtual server profile changes are ignored if it has /Common/remotedesktop and /Common/vdi assigned (Citrix/Vmware View iApp)
541622-5 3-Major APD/APMD Crashes While Verifying CAPTCHA
525429-5 3-Major DTLS renegotiation sequence number compatibility
523222-3 3-Major Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending.
521506-5 3-Major Network Access doesn't restore loopback route on multi-homed machine
520849 3-Major [PolicySync] Access Profile with "default-log-setting" fails
519415-2 3-Major apm network access tunnel ephemeral listeners ignore irules (related-rules from main virtual )
519198-1 3-Major [Policy Sync] UI General Exception Error when sync a policy in non-default partition as non-default admin user
519059-1 3-Major [PA] - Failing to properly patch webapp link, link not working
518583-4 3-Major Network Access on disconnect restores redundant default route after looped network roaming for Windows clients
517441-3 3-Major apd may crash when RADIUS accounting message is greater than 2K
516462-6 3-Major Gateways for excluded address space routes are not adjusted correctly during roaming between networks on Windows machines
514912-1 3-Major Portal Access scripts had not been inserted into HTML page in some cases
513969-5 3-Major UAC prompt is shown for machine cert check for non-limited users, even if machine cert check service is running
513953-5 3-Major RADIUS Auth/Acct might fail if server response size is more than 2K
513706-4 3-Major Incorrect metric restoration on Network Access on disconnect (Windows)
513165 3-Major SAML Service Provider generated SLO requests do not contain 'SessionIndex' attribute
513098-5 3-Major localdb_mysql_restore.sh failed with exit code
512345-3 3-Major Dynamic user record removed from memcache but remains in MySQL
512245-4 3-Major Machine certificate agent on OS X 10.8 and OS X 10.9 uses local host name instead of hostname
511961-5 3-Major BIG-IP Edge Client does not display logon page for FirePass
511854-1 3-Major Rewriting URLs at client side does not rewrite multi-line URLs
511648-1 3-Major On standby TMM can core when active system sends leasepool HA commands to standby device
510709-2 3-Major Websso start URI match fails if there are more than 2 start URI's in SSO configuration.
510337-1 3-Major Page-not-found result for APM uses the incorrect stylesheet, resulting in incorrect page formatting (404 response).
509758-6 3-Major EdgeClient shows incorrect warning message about session expiration
509677-3 3-Major Edge-client crashes after switching to network with Captive Portal auth
508719-3 3-Major APM logon page missing title
508630-7 3-Major The APM client does not clean up DNS search suffixes correctly in some cases
507318-1 3-Major JS error when sending message from DWA new message form using Chrome
507116-2 3-Major Web-application issues and/or unexpected exceptions.
506349-1 3-Major BIG-IP Edge Client for Mac identified as browser by APM in some cases
505755-5 3-Major Some scripts on dynamically loaded html page could be not executed.
504606-1 3-Major Session check interval now has minimum value
503319-1 3-Major After network access is established browser sometimes receives truncated proxy.pac file
502441-3 3-Major Network Access connection might reset for large proxy.pac files.
502016-1 3-Major MAC client components do not log version numbers in log file.
501498-3 3-Major APM CTU doesn't pick up logs for Machine Certificate Service
499620-3 3-Major BIG-IP Edge Client for MAC shows wrong SSL protocol version; does not display the protocol version that was negotiated.
499427-5 3-Major Windows File Check does not work if the filename starts with an ampersand
498469-2 3-Major Mac Edge Client fails intermittently with machine certificate inspection
497436-1 3-Major Mac Edge Client behaves erratically while establishing network access connection
497325-4 3-Major New users cannot log in to Windows-based systems after installing BIG-IP EDGE client in certain deployment
496817-6 3-Major Big-IP Edge client for Windows fails to connect to Firepass server if tunnel is established through a proxy
495702-5 3-Major Mac Edge Client cannot be downloaded sometimes from management UI
495319-1 3-Major Connecting to FP with APM edge client is causing corporate network to be inaccessible
495265-2 3-Major SAML IdP and SP configured in same access profile not supported
495128-4 3-Major Safari 8 continues using proxy for network access resource in some cases when it shouldn't
494284-1 3-Major Mac Edge Client, with primary language of German shows unneeded text shown under disconnected status.
494176-4 3-Major Network access to FP does not work on Yosemite using APM Mac Edge Client.
494088-2 3-Major APD or APMD should not assert when it can do more by logging error message before exiting.
494008-1 3-Major tmm crash while initializing the URL filter context for SWG.
493487-1 3-Major Function::call() and Function::apply() wrapping does not work as expected
493164-1 3-Major flash.net.NetConnection::connect() has an erroneous security check
493023-2 3-Major Export of huge policies might ends up with 'too many pipes opened' error
492701-1 3-Major Resolved LSOs are overwritten by source device in new Policy Sync with new LSO
492238-4 3-Major When logging out of Office 365 TMM may restart
492153-6 3-Major Edge clients shuts down the DTLS channel if the state of IP address on the adapter that was used to build the tunnel, changes to deprecated.
491478-2 3-Major EAM is a CMP plugin and spins up one thread per TMM.
491233-4 3-Major Rare deadlock in CustomDialer component
490844-1 3-Major Some controls on a web page might stop working.
490811-3 3-Major Proxy configuration might not to be restored correctly in some rare cases
490681-3 3-Major Memcache entry for dynamic user leaks
490675-2 3-Major User name with leading or trailing spaces creates problems.
489382-4 3-Major Machine Cert allows mismatched SubjectCN and FQDN for browsers in case of valid cert
488892-1 3-Major JavaRDP client disconnects
487170-2 3-Major Enahnced support for proxy servers that resolve to multiple IP addresses
486597-4 3-Major Fixed Network Access renegotiation procedure
486268-2 3-Major APM logon page missing title
485948-4 3-Major Machine Info Agent should have a fallback branch
484582-1 3-Major APM Portal Access is inaccessible.
483792-7 3-Major when iSession control channel is disabled, don't assign app tunnel, MSRDP, opt tunnel resources
483601-2 3-Major APM sends a logout Bookmarked Access whitelist URL when session is expired.
482699-1 3-Major VPE displaying "Uncaught TypeError"
482260-2 3-Major Location of Captive portal configuration registry entry in 64 bit windows is incorrect
480761-3 3-Major Fixed issue causing TunnelServer to crash during reconnect
480242-1 3-Major APD, APMD, MCPD communication error failure now reported with error code
478751-4 3-Major OAM10g form based AuthN is not working for a single/multiple domain.
478333-2 3-Major Edge-Client client shows an error about corrupted config file, when User's profile and temp folders located on different partitions
476038-4 3-Major Mac Edge Client crashes on OS X 10.7 if a user adds new server using its IP address rather than DNS name
476032-3 3-Major BIG-IP Edge Client may hang for sometime when disconnecting from Firepass server
475735-1 3-Major Failed to load config after removing peer from sync-only group
475505-5 3-Major Windows Phone 8.1 built-in browser is not properly detected by BIG-IP system.
475363-4 3-Major Empty or invalid configuration, or during exception in NTLM, handling might not work as expected.
474779-7 3-Major EAM process fails to register channel threads (MPI channel) with TMM, and subsequent system call fails.
474698-1 3-Major BIG-IP as IdP can send incorrect 'Issuer' element for some SLO requests under certain conditions.
474231-3 3-Major RAM cache evictions spikes with change of access policy which may lead to slow webtop rendering
473488-4 3-Major In AD Query agent, resolving of nested groups may cause apd to spin
473344-4 3-Major Kerberos Request-Based Auth (RBA) failure when session is initially created on a different VIP.
473255-1 3-Major Javascript sibmit() method could be rewritten incorrectly inside of 'with' statement.
473129-4 3-Major httpd_apm access_log remains empty after log rotation
472446-8 3-Major Customization group template file might cause mcpd to restart
472256-5 3-Major tmsh and tmctl report unusually high counter values
472062-1 3-Major Unmangled requests when form.submit with arguments is called in the page
471421-3 3-Major Ram cache evictions spikes with change of access policy leading to slow webtop rendering
471117-1 3-Major iframe with JavaScript in 'src' attribute not handled correctly in IE11
470205-3 3-Major /config/.../policy_sync_d Directory Is 100% Full
469986 3-Major Drive mapping paths lose backslash when entered using the GUI
469824-6 3-Major Mac Edge client on Mac mini receives settings for iOS Edge Client
468395-1 3-Major IPv4 Allocation failure ... is out of addresses
465863 3-Major Error: Object doesn't support property or method 'trim'
463651-3 3-Major PPP tunnels remain open after session gets closed
463230-7 3-Major Aced service does not recover if child process dies.
461189-3 3-Major Generated assertion contains HEX-encoded attributes
458770-1 3-Major [Mac][Edge] Edge client doesn't handle ending redirects to the same box if second access policy assumes interaction
456927 3-Major iOS Edge Client is not able to establish per-app VPN connections with APM when it has VPE with On-Demand certificate authentication or iRule event agent without assigned webtop resource.
456608-2 3-Major Direct links for frame content, with 'Frame.src = url'
455493-1 3-Major Cancel button remains enabled
454306-3 3-Major HTML style attribute with HTML entities need to be fixed
452527-4 3-Major Machine Certificate Checker Agent always works in "Match Subject CN to FQDN" mode
452464-3 3-Major iClient does not handle multiple messages in one payload.
452416-2 3-Major tmctl leasepool_stat and snmp apmLeasepoolStatTable return incorrect values
452010-1 3-Major RADIUS Authentication fails when username or password contain non-ASCII characters
451867 3-Major Adobe Flash (SWF) parser should patch the flash object even if compressed body is followed by some data
451806-1 3-Major Preserve Source Port Strict has moved from Client Settings (Advanced) to General Settings
451233-3 3-Major Radius authentication fails if the NAS IP address is configured with route domain
451083-2 3-Major Citrix Wyse clients when working with StoreFront in integration mode
449793-3 3-Major Edge client doesn't use new Oesis SDK libraries unless it is restarted
449225-3 3-Major Fixed APM client crash caused by regression introduced with ID430962
446573 3-Major Username shown as "(anonymous)"
442038-2 3-Major Symantec AV 12.1.x fails to be detected on Mac OS X 10.9
441913-4 3-Major Empty Webtop when large number of resources assigned to access policy.
440505-6 3-Major Default port should be removed from Location header value in http redirect
440488-3 3-Major Inadvertent Dissociation of Sandbox and APM Access Profile
439461-3 3-Major Citrix Receiver for Linux is unable to receive full applications list.
437744-5 3-Major SAML SP service metadata exported from APM may fail to import.
437743-4 3-Major Import of Access Profile config that contains ssl-cert is failing
436616-3 3-Major Now CTU correctly enables logs for 64bit services on Windows.
436201-4 3-Major JavaScript can misbehave in case of the 'X-UA-Compatible' META tag when a client uses IE11
433972-11 3-Major New Event dialog widget is shifted to the left and Description field does not have action widget
433847-3 3-Major APD crashes with a segmentation fault.
433752-7 3-Major Web applications might rewrite their event handlers
432900-1 3-Major APM configurations can fail to load on newly-installed systems
432469-9 3-Major State of Microsoft Windows Firewall is not detected
432102-4 3-Major HTML reserved characters not supported as part of SAML RelayState
431149-4 3-Major APM config snapshot disappears and users see "Access Policy configuration has changed on gateway"
428387-3 3-Major SAML SSO could fail if SAML configuration contains special XML characters (&,<,>,",')
426209-5 3-Major exporting to a CSV file may fail and the Admin UI is inaccessible
421446-4 3-Major Fixed bug in APM which doesn't allow InstallerService to update.
415299-2 3-Major Recurring check failures not logged
412138-2 3-Major If there's resource that has acl order 0 and it's been used by profile, that has been exported, you'd not be able to import it back
409323-1 3-Major OnDemand cert auth redirect omits port information
405348-5 3-Major ActiveSync POST fails when body is larger than 64k.
404141-2 3-Major Standby system offers option to Apply Access Policy even though it has been synced
389328-6 3-Major RSA SecurID node secret is not synced to the standby node


WebAccelerator Issues

ID Number Severity Description
446248 2-Critical Memory leak seen with WAM when ICC enabled without inlining
575631-7 3-Major Potential MCPd leak in WAM stats query code
562644-2 3-Major TMM may crash when AAM receives a pipelining HTTP request while shutting down the connection
551010-4 3-Major Crash on unexpected WAM storage queue state
522231-1 3-Major TMM may crash when a client resets a connection
521455-3 3-Major Images transcoded to WebP format delivered to Edge browser
517551-3 3-Major Assembly Can Create Response Stalls
511534-3 3-Major A large number of regular expressions in match rules on path-segments may cause an AAM policy to take too long to load,
506315-3 3-Major WAM/AAM is honoring OWS age header when not honoring OWS maxage.
476476-5 3-Major Occasional inability to cache optimized PDFs and images
459851-7 3-Major Connection aborted when using GET request If-Match header in Policy Node with No-Proxy(request)/Always_Proxy(response) setting.
443262 3-Major When ICC is enabled, content gets inlined even though it exists in client's local storage
421791-5 3-Major Out of Memory Error


Wan Optimization Manager Issues

ID Number Severity Description
445330 2-Critical Incorrect values are displayed for iSession profile optimized bits
485182-1 3-Major wom_verify_config does not recognize iSession profile in /Common sub-partition


Service Provider Issues

ID Number Severity Description
516057-2 2-Critical Assertion 'valid proxy' can occur after a configuration change with active IVS flows.
421612-5 2-Critical CGNAT traffic through SIP-ALG will not have outbound connections and addresses logged
421611-1 2-Critical SIP messages through the SIP-ALG may be hairpinned when the destination address is not inside the NAT
550434-3 3-Major Diameter connection may stall if server closes connection before CER/CEA handshake completes
512054-2 3-Major CGNAT SIP ALG - RTP connection not created after INVITE
511326-4 3-Major SIP SUBSCRIBE message not forwarded by BIG-IP when configured as SIP ALG with translation.
500365-2 3-Major TMM Core as SIP hudnode leaks
499701 3-Major SIP Filter drops UDP flow when ingressq len limit is reached.
480311-2 3-Major ADAPT should be able to work with OneConnect
476886-2 3-Major When ICAP cuts off request payload, OneConnect does not drop the connection
474069-2 3-Major ICAP can assert "valid node" on resumption after long-running iRule
472092-2 3-Major ICAP loses payload at start of request in response to long execution time of iRule
466761-3 3-Major Heartbeat, UDP packet with only double CRLF, on existing SIP flow results in connection loss.
466281-2 3-Major Internal virtual does not inherit traffic-group from parent virtual server
464116-3 3-Major HTTP responses are not cached when response-adapt is applied
453705-1 3-Major iRule command "SIP::header insert Via <index>" does not respect specified index
448493-2 3-Major SIP response from the server to the client get dropped


Advanced Firewall Manager Issues

ID Number Severity Description
550926-4 2-Critical AFM rule with "unknown" source Geo-entity stops functioning when another entity (geolocation or otherwise) is added to the same list of addresses in the rule
534343 2-Critical Sync of sync-only device group removes global policy
513403-2 2-Critical TMM asserts when certain ICMP packets (e.g multicast echo) are classified by AFM and match rules at Global and Route Domain context with logging enabled for these rules and also log-translations is enabled in AFM Logging configuration.
503541 2-Critical Use 64 bit instead of 10 bit for Rate Tracker library hashing.
501480 2-Critical AFM DoS Single Endpoint Sweep and Flood Vectors crash TMM under heavy traffic.
500925 2-Critical Introduce a new sys db variable to control number of merges per second of Rate Tracker library.
498227-3 2-Critical Incorrect AFM firewall rule counter update after pktclass-daemon restarts.
497342-3 2-Critical TMM crash while executing FLOW_INIT event (with multiple commands that abort the connection) in an iRule attached to an AFM firewall rule.
480903-2 2-Critical AFM DoS ICMP sweep mitigation performance impact
421016-1 2-Critical AFM + APM configurations and traffic drop
575582-6 3-Major MCPd might leak memory in FW network attack stats.
575571-5 3-Major MCPd might leak memory in FW DOS SIP attack stats query.
575569-5 3-Major MCPd might leak memory in FW DOS DNS stats query.
575565-5 3-Major MCPd might leak memory in FW policy rule stats query.
575564-5 3-Major MCPd might leak memory in FW rule stats query.
575557-5 3-Major MCPd might leak memory in FW rule stats.
575321-6 3-Major MCPd might leak memory in firewall stats.
541836 3-Major GUI disconnect when we try to access last hour request report in ASM
532189 3-Major CIDR masks for blacklist classes lacks validation for /0
515187-4 3-Major Certain ICMP packets are evaluated twice against Global and Route Domain ACL rules.
515112-3 3-Major Delayed ehash initialization causes crash when memory is fragmented.
510728-6 3-Major Create and Delete buttons should be disabled for Security :: Protocol Security : Security Profiles : DNS when accessed as Firewall Manager.
507493 3-Major Cannot reset counter for rules of Management Port and Global
504384 3-Major ICMP attack thresholds
503085 3-Major Make the RateTracker threshold a constant
502414 3-Major Make the RateTracker tier3 initialization number less variant.
497732-3 3-Major Enabling specific logging may trigger other unrelated events to be logged.
497667-3 3-Major Configuring of ICMPv4/ICMPv6 ip-protocol in mgmt port ACL Rules generated error
497263 3-Major Global whitelist count exhausted prematurely
496498-2 3-Major Firewall rule compilation will fail in certain scenario when there are multiple scheduled AFM rules and one of the non scheduled AFM rule is modified.
496278-3 3-Major Disabling/enabling Rule within Rule List causes disabling/enabling of other Rule with the same name
495928-2 3-Major APM RDP connection gets dropped on AFM firewall policy change
495698-2 3-Major iRule can be deleted even though it exists in a rule-list
495390-3 3-Major An error occurs on Active Rules page after attempting to reorder Rules in a Policy
493234 3-Major Device version in AFM log message could be empty
485787-2 3-Major Firewall ACL counters for staged policy attached to a Virtual/SelfIP are not incremented when a policy with a similar rule to drop/reject packets is enforced by the Global or Route Domain context
472125 3-Major IP Intelligence report data is not roll-forwarded between installations as it should
464972-1 3-Major Wrong parsing of Country Code (Geo) from address region list if Country name contains parentheses.
442535-2 3-Major Time zone changes do not apply to log timestamps without tmm restart
441597 3-Major Statistics of IP intelligence network category are always 0.


Policy Enforcement Manager Issues

ID Number Severity Description
469702 2-Critical Steering should be allowed with performace Layer 4 and classification disabled.
469519-2 2-Critical tmm assert "l4hdr set"
577814-1 3-Major MCPd might leak memory in PEM stats queries.
526295-1 3-Major BigIP crashes in debug mode when using PEM irule to create session with calling-station-id and called-station-id
495913-1 3-Major TMM core with CCA-I policy received with uninstall
485176-2 3-Major RADIUS::avp replace command cores TMM when only two arguments are passed to it
484278-1 3-Major BIG-IP crash when processing packet and running iRule at the same time
478399-1 3-Major PEM subscriber sessions are created without PEM licensed, if "radiusLB-subscriber-awre" profile is configured.
472565 3-Major Gx session "Created" and "Terminated" counters are increased on subscriber discovery when Gx is disabled
458286 3-Major Adding called_station_id and calling_station_id attributes to PEM::session create/info iRule commands


Carrier-Grade NAT Issues

ID Number Severity Description
521329 2-Critical CGNAT - Rare TMM core with Deterministic NAT
515646-2 2-Critical TMM core when multiple PPTP calls from the same client
494743-3 2-Critical Port exhaustion errors on VIPRION 4800 when using CGNAT
494280-1 2-Critical TMM crashes when PPTP finds a redirected flow when checking for an existing tunnel
494122-4 2-Critical Deterministic NAT state information from HSL is not usable on VIPRION B4300 blades
493807-6 2-Critical TMM might crash when using PPTP with profile logging enabled
490893-1 2-Critical Determinstic NAT State information incomplete for HSL log format
477232-3 2-Critical CGNAT translations have a higher chance of port reuse when address persistence is enabled
471292-1 2-Critical Deterministic NAT: incorrect mapping on platforms with PDE trunk size greater than 1
470175-1 2-Critical DNAT utility (dnatutil) does not support rfc5424 structured log format
468388-2 2-Critical Connection flows leak when service provider DAG is configured and/or under-provisioned LSN pools are configured
467706-2 2-Critical Deterministic NAT: incorrect mapping for VIPRION C4800/C4800N
465133-1 2-Critical SIP-ALG: When Proxy authentication is enabled, SIP-ALG will not set up media flows
464148 2-Critical Deterministic NAT: incorrect mapping on htsplit platforms
449896-1 2-Critical CGNAT DNAT connection failures with ECMP or route pools
448533-5 2-Critical Poor source port selection in CGNAT deterministic mode
431240-4 2-Critical RTSP ALG when used with CGNAT, the media connections do not have the data session translation address:port logged as LSN translations
431239-2 2-Critical RTSP established media connections do not honor LSN pool translation port ranges or configuration
394278-2 2-Critical SIP-ALG does not use translation ports consistent with a subscriber's Deterministic mappings when LSN "Deterministic Mode" is configured
500424-1 3-Major dnatutil exits when reverse mapping one of the snippet results in "No tmms on the blade" error
487660 3-Major LSN translation failures when persistence is enabled, cmp-hash is set to src-ip on ingress VLAN and to dst-ip on egress VLAN and using a small port range
463470-1 3-Major Active Translation Mappings count is too high
453328-1 3-Major Dnatutil logs must be grouped by TMM number issuing the logs
453239-2 3-Major lsndb application can only be run on primary blade in chassis.
450091-1 3-Major Log state information when the TMM is ready for traffic can appear incorrect.
429368-4 3-Major SIP RTP/RTCP connections do not honor LSN pool translation port ranges
429365-3 3-Major FTP data connections do not honor LSN pool translation port ranges
422094-7 3-Major Data connections created through FTP Active-mode transactions through the CGNAT do not have the data session translation address:port logged as LSN translations


Global Traffic Manager (DNS) Issues

ID Number Severity Description
499719 3-Major Order Zones statistics would cause database error


Device Management Issues

ID Number Severity Description
462827-5 1-Blocking Headers starting with X-F5 may cause problems if not X-F5-REST-Coordination-Id
479773-1 2-Critical SR C1800930 - GUI crashs - and SQL errors
463380-2 3-Major URIs with space characters may not work properly in ODATA query
428071 3-Major REST framework must be installed on each blade of a VIPRION

 

Known Issue details for BIG-IP v11.5.x

615522 : VDI crashes while responding to clients with multiple VDI threads running

Component: Access Policy Manager

Symptoms:
VDI crash dump is seen in bigip/var/core/ directory while accessing VDI resources.

Conditions:
VDI profile is attached to Virtual server and VDI resources are being used from webtop or from native client

Impact:
VDI access is interrupted

Workaround:
None.


613415-6 : Memory leak in ospfd when distribute-list is used

Component: TMOS

Symptoms:
Memory might be leaked when a distribute-list is used to filter routes between OSPFv2 and the Routing Information Base (RIB). The leak may lead to a the daemon being terminated via the oom-killer.

Conditions:
OSPFv2 in use with a distribute-list, and Link State Advertisements (LSAs) in the database whose prefixes will be filtered by the distribute-list.

Impact:
ospfd may leak memory until the system terminates the process via the oom-killer.

Workaround:
Position the BIG-IP system in the network so there are no LSAs that need to be filtered using a distribute-list, such as in a stub area.


606540-2 : DB variable changed via GUI does not sync across HA group

Component: TMOS

Symptoms:
If a configuration change is made in the BIG-IP GUI which is backed by a DB variable, the change is not synced to other devices in the same sync-failover device group.
If the same db variable change is made using the Traffic Management Shell (tmsh), the db variable change will be synced to other devices in the same sync-failover device group.

Note that db variable changes are never synced to devices in sync-only device groups.

Conditions:
1. BIG-IP systems in HA group, provisioned with modules (in addition to LTM) which create their own device groups (for example, ASM).
2. Original sync-failover device group replaced by a different sync-failover device group.
3. Using the GUI to change a configuration item which is backed by a DB variable.
Examples include:
failover.standby.linkdowntime (GUI: Device Management :: Device Groups : <fodg_name> : Failover : Link Down Time on Failover )
statemirror.clustermirroring (GUI: Device Management :: Devices : <device_name> : Cluster Options )

Impact:
Configuration of devices within a sync-failover device group may not be synchronized as expected.

Workaround:
To force synchronization of a db variable change made via the GUI, a tmsh command of the following form may be used:

tmsh modify cm device-group <sync-failover device group name> devices modify { <device name> { set-sync-leader } }

If the sync-failover device group is not automatically synced, manually sync the device group:

tmsh run cm config-sync to-group <sync-failover device group name>


To avoid creating a db variable change that will not be synchronized across sync-failover device group members, change the configuration or db variable using tmsh:

tmsh modify sys db <variable name> value <new value>

If the sync-failover device group is not automatically synced, manually sync the device group:

tmsh run cm config-sync to-group <sync-failover device group name>


602329-1 : syncookie header of HA channel mirror packets is not cleared

Component: Local Traffic Manager

Symptoms:
You notice that L7 connections on the standby unit are increasing and may not be cleared until the tcp timeout.

Conditions:
This can occur when using mirroring when syn cookies are enabled. It is more severe with hardware syn cookies but still occurs with software syn cookies.

Impact:
Connections increase unnecessarily on the standby unit.

Workaround:
Although it does not completely clear the condition, you can disable hardware syncookies to work around this problem.

In tmsh:
modify /ltm profile tcp <profile_name> hardware-syn-cookie disable


600396-4 : iControl REST may return 404 for all requests in AWS

Component: TMOS

Symptoms:
iControl REST queries may fail against specific versions of BIG-IP in AWS. When this issue is encountered, all queries fail for the entirety of the BIG-IP uptime. An error message mentioning "RestWorkerUriNotFoundException" will be returned. For instance, this basic query will always return 404:

curl -k -u admin:ADMINPASSWORD -sv -X GET https://1.2.3.4/mgmt/tm/ltm

* Trying 1.2.3.4...
* Connected to 1.2.3.4 (1.2.3.4) port 443 (#0)
* TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
* Server certificate: localhost.localdomain
* Server auth using Basic with user 'admin'
> GET /mgmt/tm/ltm HTTP/1.1
> Host: 1.2.3.4
> Authorization: Basic ....
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Date: 20 Jun 2016 17:49:39 UTC
< Server: com.f5.rest.common.RestRequestSender
...
{ [1093 bytes data]
* Connection #0 to host 1.2.3.4 left intact
{
   "errorStack" : [
      "com.f5.rest.common.RestWorkerUriNotFoundException: http://localhost:8100/mgmt/tm/ltm",
      "at com.f5.rest.workers.ForwarderPassThroughWorker.cloneAndForwardRequest(ForwarderPassThroughWorker.java:293)",
      "at com.f5.rest.workers.ForwarderPassThroughWorker.onForward(ForwarderPassThroughWorker.java:211)",
      "at com.f5.rest.workers.ForwarderPassThroughWorker.onGet(ForwarderPassThroughWorker.java:370)",
      "at com.f5.rest.common.RestWorker.callDerivedRestMethod(RestWorker.java:1009)",
      "at com.f5.rest.common.RestWorker.callRestMethodHandler(RestWorker.java:976)",
      "at com.f5.rest.common.RestServer.processQueuedRequests(RestServer.java:850)",
      "at com.f5.rest.common.RestServer.access$000(RestServer.java:43)",
      "at com.f5.rest.common.RestServer$1.run(RestServer.java:147)",
      "at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)",
      "at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)",
      "at java.lang.Thread.run(Thread.java:722)\n"
   ],
   "restOperationId" : 8827,
   "code" : 404,
   "referer" : "4.3.2.1",
   "message" : "http://localhost:8100/mgmt/tm/ltm"
}

Conditions:
It is not known what triggers this, it intermittently affects new BIG-IP instances running in Amazon Web Services (AWS EC2) cloud environments.

Impact:
All iControl REST queries (GETs, PUTs, POSTs, DELETEs) will fail always until the BIG-IP is restarted.

Workaround:
Restart the BIG-IP.


598874-6 : GTM Resolver sends FIN after SYN retransmission timeout

Component: Local Traffic Manager

Symptoms:
If a DNS server is not responding to TCP SYN, GTM Resolver sends a FIN after a retransmission timeout (RTO) of the SYN.

Conditions:
GTM Resolver tries to open a TCP connection to a server that does not respond.

Impact:
Firewalls may log the FIN as a possible attack.


598039-1 : MCP memory may leak when performing a wildcard query

Component: TMOS

Symptoms:
MCP's umem_alloc_80 cache (visible using tmctl -a) increases in size after certain wildcard queries. Accordingly, the MCP process shows increased memory usage.

Conditions:
Folders must be in use, and the user must execute a wildcard query for objects that are in the upper levels of the folder hierarchy (i.e. not at the very bottom of the folder tree).

Impact:
MCP loses available memory with each query. MCP could eventually run out of memory and core, resulting in an outage or failover (depending on whether or not the customer is running in a device cluster).

Workaround:
Do not perform wildcard queries.


597089-2 : Connections are terminated after 5 seconds when using ePVA full acceleration

Component: Local Traffic Manager

Symptoms:
When using a fast L4 profile with ePVA full acceleration configured, the 5-second handshake timeout is not being updated to the idle timeout after the handshake is completed. The symptom is an unusually high number of connections getting reset in a short period of time.

Conditions:
It is not known all of the conditions that trigger this, but it is seen when using the fast L4 profile with pva-acceleration set to full

Impact:
High number of connections get reset, performance issue

Workaround:
Disabling the pva resolves the issue.


596945 : AVR DNS record lost after upgrade.

Component: Application Visibility and Reporting

Symptoms:
After upgrading to 11.5.1 through 11.6.0, you are unable to view DNS stats in AVR.

Conditions:
AVR enabled, DNS statistics visible in a version prior to 11.5.1, then upgrade to versions 11.5.1 through 11.6.0.

Impact:
You will be unable to view the DNS statistics.


596826-3 : Don't set the mirroring address to a floating self IP address

Component: TMOS

Symptoms:
Using tmsh, you can configure the mirroring IP address using the command tmsh modify cm device devicename mirror-secondary-ip ip_address

It is possible to set ip_address to a floating self IP address when using tmsh, but BIG-IP can't mirror to a floating self IP address.

Conditions:
Accidentally setting the mirroring IP address to the floating self IP address using tmsh.

Impact:
Mirroring does not work in this case.

Workaround:
Change the mirroring address to a non floating self IP address. The GUI will only present non floating self IP addresses.

For more information about mirroring, see SOL13478: Overview of connection and persistence mirroring at https://support.f5.com/kb/en-us/solutions/public/13000/400/sol13478.html


596814-1 : HA Failover fails in certain valid AWS configurations

Component: TMOS

Symptoms:
Some of the floating object's IPs might not be reattached to the instance acting as the new active device.

Conditions:
AWS deployments where there are multiple coincidences for the provided IP address (corresponding to other Amazon VPCs in the same Availability Zone containing unrelated instances but having the same IP address as the BIG-IP's floating IP address.

Impact:
Potential traffic disruption. Some of the floating object's IPs might not be reattached to the instance acting as the new active device.

Workaround:
Do not have AWS deployments with multiple VPCs sharing the same IP address as the BIG-IP's floating IP address.


596603-10 : AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.

Component: TMOS

Symptoms:
When deploying BIG-IP VE in AWS with c4.8xlarge instance type, the system never boots and remains in "Stopped" state after briefly trying to start-up.

Conditions:
BIG-IP VE is deployed with c4.8xlarge instance type in AWS.

Impact:
c4.8xlarge instance type are not supported for BIG-IP VE in AWS.

Workaround:
Choose c4.4xlarge or other instance types in AWS.


595773-2 : Cancellation requests for chunked stats queries do not propagate to secondary blades

Component: TMOS

Symptoms:
Canceling a request for a chunked stats query (e.g. hitting ctrl-c during "tmsh show sys connection") does not stop data flowing from secondary blades.

Conditions:
A chassis-based system with multiple blades. Users must execute a chunked stats query (e.g. "tmsh show sys connection") and then cancel it before it finishes (e.g. with ctrl-c in tmsh).

Impact:
Unnecessary data will be sent from TMM to secondary mcpd instances, as well as from secondary mcpd instances to the primary mcpd instance. This could cause mcpd to restart unexpectedly.


593536-4 : Device Group with incremental ConfigSync enabled can report "In Sync" when devices have differing configurations

Component: TMOS

Symptoms:
Devices do not have matching configuration, but system reports device group as being "In Sync".

Conditions:
Device Service Cluster Device Group with incremental sync enabled. A ConfigSync occurred where a configuration transaction failed validation, and then a subsequent (or the final) configuration transaction was successful.

Impact:
BIG-IP incorrectly reports configuration is in-sync, despite the fact that it is not in sync. All sorts of failures or odd behavior or traffic impact can result from this.

Workaround:
Turn off incremental sync (by enabling "Full Sync" / "full load on sync") for affected device groups.


592784-6 : Compression stalls, does not recover, and compression facilities cease.

Component: Local Traffic Manager

Symptoms:
Compression stalls, does not recover, and compression facilities may cease.

Conditions:
A device error of any kind, or requests that result in the device reporting an error (for example, attempting to decompress an invalid compression stream).

Impact:
In general, compression stops altogether. Under some circumstances, compression requests may end up routed to zlib (software compression), but generally the SSL hardware accelerator card does not correctly report that it is unavailable when it stalls.

Workaround:
Select the softwareonly compression provider by running the following tmsh command: tmsh modify sys db compression.strategy value softwareonly.


591708 : HSB may drop off of PCI bus

Component: TMOS

Symptoms:
The HSB may drop off of the PCI bus. This results failure to read the HSB registers, which is indicated by the following log entries in the tmm logfile:

Device error: hsb_lbb1 hde1_crc_errs count 65535.
Device error: hsb_lbb1 hde2_crc_errs count 65535.

This is usually followed by SIGABRT. The subsequent TMM reload fails to load the HSB device.

Querying the PCI bus (using lspci), shows that the HSB device is unavailable:

03:00.0 Ethernet controller: F5 Networks Inc. Device 0006 (rev ff) (prog-if ff)
!!! Unknown header type 7f

Conditions:
Unknown.

Impact:
Disruption of traffic. Request unit reboot.

Workaround:
Reboot unit.


591659-7 : Server shutdown is propagated to client after X-Cnection: close transformation.

Component: Local Traffic Manager

Symptoms:
Server shutdown is propagated to client after X-Cnection: close transformation.

Conditions:
In OneConnect configurations, when a server's maximum number of keep-alives is exceeded, the server closes the connection between itself and the BIG-IP system. This Connection: Close is transformed to an X-Cnection: close and sent to the Client along with a TCP FIN.

Impact:
Client side connections are closed by the BIG-IP system too early, causing subsequent requests to be dropped.

Workaround:
None.


591476-4 : Stuck nitrox crypto queue can erroneously be reported

Component: Local Traffic Manager

Symptoms:
In some cases, a stuck crypto queue can be erroneously detected on Nitrox systems (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The message "Device error: crypto codec cn-crypto-0 queue is stuck." will appear in the ltm log file.

Conditions:
Nitrox based system performing SSL under heavy load.

Impact:
Device errors reported in logs and crypto HA action is taken, possibly resulting in failing over.


589400-6 : With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.

Component: Local Traffic Manager

Symptoms:
With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.

Conditions:
Congestion window is small relative to message size; abc is enabled; also might manifest when serverside MTU is greater than clientside MTU.

Impact:
Additional connection latency.

Workaround:
Enabling proxy-mss on the serverside TCP profile significantly reduces incidence of this problem in observed cases.

If init-cwnd is low, raising it might also help.

Disabling abc can also reduce the problem, but might have other negative network implications.


588572-1 : Unnecessary re-transmission of packets on higher ICMP PMTU.

Component: Local Traffic Manager

Symptoms:
LTM re-transmits TCP segments even when ICMP Path maximum transmission unit (PMTU) is higher than existing MTU.

Conditions:
ICMP PMTU is higher than existing MTU. User enables MPTCP, Rate Pacing, or any of the following congestion controls:
Vegas, Illinois, Woodside, CHD, CHG

Impact:
Burst traffic generated.

Workaround:
Disable Path MTU Discovery by entering the command: tmsh modify sys db tm.enforcepathmtu value disable.


588569-1 : Don't include maximum TCP options length in calculating MSS on ICMP PMTU.

Component: Local Traffic Manager

Symptoms:
TCP segment size is 40 bytes less.

Conditions:
ICMP implementation using Path MTU (PMTU). User enables MPTCP, Rate Pacing, or any of the following congestion controls:
Vegas, Illinois, Woodside, CHD, CHG

Impact:
The impact of this issue is less data per TCP segment.

Workaround:
Disable Path MTU Discovery by doing the following,

"tmsh modify sys db tm.enforcepathmtu value disable"


587821-3 : vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.

Component: TMOS

Symptoms:
On the affected slot, the vCMP guest is unable to pass traffic to or from the VLANs. If the guest has multiple slots, the CMP state logged in /var/log/tmm on that slot differs from the CMP state logged by other slots of the same guest.

In the vCMP guest, 'tmsh show net interface -hidden' shows 0.x interfaces for the affected slot that differ from the 0.x interfaces shown by 'tmsh show vcmp guest all-properties' on the vCMP hypervisor for the same guest slot.

Conditions:
The MCPD daemon on one of the blades of the vCMP hypervisor crashes or restarts.

Impact:
The vCMP guests that are still running since before the MCPD daemon restarted may be unable to communicate to VLAN networks. Incoming traffic may also be affected, even though the vCMP guest has other functional slots to process traffic.

Workaround:
On the hypervisor, modify the vCMP guest configuration to not run on the affected slot. Wait to confirm the vCMP guest has stopped on the affected slot. Then modify the vCMP guest to run on the previously affected slot.

Alternatively, modify the vCMP guest to the Configured state, and wait to confirm the vCMP guest has stopped on all slots. Then return the vCMP guest to the Deployed state.


587705 : Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools.

Component: Local Traffic Manager

Symptoms:
Persist lookups fail for source_addr with match-across-virtual servers when multiple entries exist for the client, but pointing to different pools.

Conditions:
'Match_across_virtual' enabled. Multiple persistence entries for a client address exist, and some of these persistence entries point to poolmembers from different pools. Some of these poolmembers do not belong to any of the current virtual server's pools.

Impact:
Source address persistence fails for this client, even though there is a valid persistence entry that can be used.

Workaround:
None.


586718-7 : Session variable substitutions are logged

Component: Access Policy Manager

Symptoms:
With the log level set to debug, session variable substitutions are logged, including the encrypted password if you are substituting the password variable. You may see the following logs: debug apmd[3531]: 01490000:7: Util.cpp func: "ScanReplaceSessionVar()" line: 608 Msg: data: '%{session.logon.last.password}' start_pos: 0, count: 30 on 'session.logon.last.password' with the encrypted password logged

Conditions:
APM Access Policy log level set to debug, and session variable substitution is performed.

Impact:
Session variable substitution should not be logged, even if it is secure.

Workaround:
Set log level to informational or notice for normal operations. Logging at debug level is not recommended unless absolutely needed for specific troubleshooting as it adversely affects system performance.


586621-1 : SQL monitors 'count' config value does not work as expected.

Component: Local Traffic Manager

Symptoms:
SQL monitors 'count' config value does not work as expected.

Conditions:
SQL monitor in use with the 'count' config value specified. The 'count' value is intended to record the number of times the connection to the back-end database is re-used before it is disconnected. However, the value is not correctly recording the number in this release.

Impact:
SQL monitor might use a 'count' value that is incorrect.

Workaround:
Add 101 to the desired value. For example, if the desired count is '5', use '106' instead.


586006-7 : Failed to retrieve CRLDP list from client certificate if DirName type is present

Component: Access Policy Manager

Symptoms:
Client certification revocation check will fail.

Conditions:
Two conditions will trigger this problem:
1. A CRLDP agent is configured in the access policy without server hostname and port, which is needed for DirName type processing. AND
2. At least one DirName type CRLDP is present in the client certification and it is the first in the list.

Impact:
Users may fail access policy evaluation when client certification is used.

Workaround:
Configure an LDAP server for the CRLDP object. It need not return a valid CRL.


584583-5 : Timeout error when attempting to retrieve large dataset.

Component: TMOS

Symptoms:
The Rest API can timeout when attempting to retrieve large dataset, such as a large GTM pool list. The error signature when using the Rest API looks like "errorStack":["java.util.concurrent.TimeoutException: remoteSender:127.0.0.1, uri:http://localhost:8110/tm/gtm/pool, method:GET "

Conditions:
Configuration containing a large number of GTM pools and pool members (thousands).

Impact:
If using the Rest API to retrieve the pool list, you may receive timeout errors.


583936-2 : Removing ECMP route from BGP does not clear route from NSM

Component: TMOS

Symptoms:
When configured to install multiple routes into the routing table, ZebOS does not withdraw BGP routes when a neighbor is shut down and it has more than two routes already installed for the same route prefix.

Conditions:
ECMP routing must be enabled and in-use.

Impact:
ECMP routes are not properly removed from the main routing table.


583754-3 : When TMM is down, executing 'show ltm persist persist-records' results in a blank error message.

Component: TMOS

Symptoms:
Executing 'show ltm persist persist-records' results in a blank error message.

Conditions:
TMM must be down.

Impact:
Non-obvious / unhelpful error message is generated, leading to customer confusion.

Workaround:
N/A


583475-4 : The BIG-IP may core while recompiling LTM policies

Component: TMOS

Symptoms:
In some rare and still unknown situations the BIG-IP Mcpd process may core when creating or modifying LTM policies. While the root cause of the crash is not fully understood at this time, one of the symptoms points to a nonexistent or invalid LTM policy.

Conditions:
Creating or modifying LTM policies.

Impact:
The BIG-IP control plane services restart thus affecting both, control plane and data plane functionality.

Workaround:
A possible workaround could be to attempt re-creating the LTM policy producing the crash under a different name. Avoid any special characters (or spaces) in the name of the LTM policy.


582234 : When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again.

Component: Local Traffic Manager

Symptoms:
When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again.

Conditions:
A monitored pool member is initially disabled, and a config merge re-enables it

Impact:
Monitoring does not resume when pool member is re-enabled via config merge.

Workaround:
You can re-enable monitoring by running the following commands:

tmsh save sys config
tmsh load sys config


582207-2 : MSS may exceed MTU when using HW syncookies

Component: Local Traffic Manager

Symptoms:
Packets larger than the interface's MTU can be transmitted.

Conditions:
A SYN packet is received with an MSS that exceeds the interface's MTU.

Impact:
Potential packet loss.

Workaround:
Disable HW syncookie mode.


580817-6 : Edge Client may crash after upgrade

Component: Access Policy Manager

Symptoms:
The Edge client may crash after upgrading to 11.4.1 through 12.0.0.

Conditions:
Access Policy with Firewall Checker
Update BIG-IP to 12.1.0

Impact:
Users are unable to use the Edge client


580421-6 : Edge Client may not register DLLs correctly

Component: Access Policy Manager

Symptoms:
After an end-user confirms that they want to install InstallerControll.cab, the browser gets stuck in 'Checking client'.

Conditions:
Client is using Internet Explorer

Impact:
Clients are unable to install the Edge client components


579284-3 : Potential memory corruption in MCPd

Component: TMOS

Symptoms:
Memory in mcpd could get corrupted. The effect of this is unpredictable.

Conditions:
Varies. One way (but not the only way) this could be seen is by cancelling a chunked stats query (e.g. hitting ctrl-c during "show sys connection").

Impact:
Varies. Sometimes nothing will happen; other times MCP could start acting unpredictably. In one case it closed its connection to TMM, which caused all TMMs to restart.


577814-1 : MCPd might leak memory in PEM stats queries.

Component: Policy Enforcement Manager

Symptoms:
System may be unresponsive or crash due to being out of memory.

Conditions:
Can occur when a PEM stats query is processed.

Impact:
System may be unresponsive or crash due to being out of memory.

Workaround:
None.


576305-6 : Potential MCPd leak in IPSEC SPD stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying IPSEC SPD stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


576296-7 : MCPd might leak memory in SCTP profile stats query.

Component: Local Traffic Manager

Symptoms:
The memory allocation for mcpd might grow by a small amount if SCTP profile stats are queried. In order to begin to impact the performance of the system, the stats would have to be queried many thousands of times.

Conditions:
An SCTP profile is configured, and the stats are displayed in TMSH or the GUI.

Impact:
Performance may be degraded.

Workaround:
None.


575735-7 : Potential MCPd leak in global CPU info stats code

Component: TMOS

Symptoms:
MCPd leaks memory; the umem_alloc_8 cache will grow.

Conditions:
In some cases, querying global CPU information stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575726-7 : MCPd might leak memory in vCMP interface stats.

Component: TMOS

Symptoms:
MCPd might leak memory in vCMP interface stats.

Conditions:
The memory leak occurs when viewing VCMP interface statistics.

Impact:
Over time this can cause MCPd to run out of memory and core.

Workaround:
None.


575716-7 : MCPd might leak memory in VCMP base stats.

Component: TMOS

Symptoms:
MCPd might leak memory in VCMP base stats.

Conditions:
This occurs when looking at VCMP base statistics.

Impact:
Over time this might cause MCPd to run out of memory and core.

Workaround:
None.


575708-7 : MCPd might leak memory in CPU info stats.

Component: TMOS

Symptoms:
MCPd might leak memory in CPU info stats.

Conditions:
In some cases, querying CPU information stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575671-7 : MCPd might leak memory in host info stats.

Component: TMOS

Symptoms:
MCPd might leak memory in host info stats.

Conditions:
In some cases, querying host information stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575631-7 : Potential MCPd leak in WAM stats query code

Component: WebAccelerator

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying WAM stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575626-3 : Minor memory leak in DNS Express stats error conditions

Component: Local Traffic Manager

Symptoms:
A minor memory leak might occur in certain error conditions relating to DNS Express statistics.

Conditions:
There are no known DNS Express configurations that lead to this issue. The problem was detected through standard code review practices.

Impact:
Memory leaks might eventually lead to system reboots.

Workaround:
None.


575619-7 : Potential MCPd leak in pool member stats query code

Component: TMOS

Symptoms:
MCPd leaks memory; the umem_alloc_8 cache will grow.

Conditions:
In some cases, querying pool member stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575612-6 : Potential MCPd leak in policy action stats query code

Component: Local Traffic Manager

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying policy action stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575609-2 : Zlib accelerated compression can result in a dropped flow.

Component: Access Policy Manager

Symptoms:
Some compression requests would fail when the estimated compression output block was too small. Such errors deposit an error in the log similar to: Device error: n3-compress0 Zip engine ctx eviction (comp_code=2): ctx dropped.

Conditions:
A block that will not compress can generate a compression output that exceeds the estimated output block size.

Impact:
The flow that encounters the error is dropped.

Workaround:
Disable hardware accelerated compression.


575608-7 : MCPd might leak memory in virtual server stats query.

Component: TMOS

Symptoms:
MCPd might leak memory in virtual server stats query.

Conditions:
In some cases, querying virtual server stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575587-6 : Potential MCPd leak in BWC policy class stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying BWC policy stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.


575582-6 : MCPd might leak memory in FW network attack stats.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in FW network attack stats.

Conditions:
This occurs when looking at firewall network attack statistics.

Impact:
Over time this can cause MCPd to run out of memory and core.


575571-5 : MCPd might leak memory in FW DOS SIP attack stats query.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in FW DOS SIP attack stats query.

Conditions:
This occurs when looking at firewall DOS SIP stats.

Impact:
Over time this can cause MCPd to run out of memory and core.


575569-5 : MCPd might leak memory in FW DOS DNS stats query.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in FW DOS DNS stats query.

Conditions:
This occurs when looking at firewall DOS DNS statistics.

Impact:
Over time this can cause MCPd to run out of memory and core.


575565-5 : MCPd might leak memory in FW policy rule stats query.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in FW policy rule stats query.

Conditions:
This occurs when looking at firewall policy rule stats.

Impact:
Over time this can cause MCPd to run out of memory and core.


575564-5 : MCPd might leak memory in FW rule stats query.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in FW rule stats query.

Conditions:
This occurs when looking at firewall rule statistics.

Impact:
Over time this can cause MCPd to run out of memory and core.


575557-5 : MCPd might leak memory in FW rule stats.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in FW rule stats.

Conditions:
This occurs when looking at firewall rule statistics.

Impact:
Over time this can cause MCPd to run out of memory and core.


575321-6 : MCPd might leak memory in firewall stats.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in firewall stats.

Conditions:
This occurs when looking at firewall stats.

Impact:
Over time this can cause MCPd to run out of memory and core.


575011-7 : Fix memory leak.

Component: Local Traffic Manager

Symptoms:
System exhausts available memory due to compression memory leak. Prior to running out of memory, repeatedly logs "Nitrox3 Hang Detected".

Conditions:
Compression device unavailable during creation of a new context.

Impact:
System can run out of memory.

Workaround:
Disable hardware compression using tmsh:

% tmsh modify sys db compression.strategy softwareonly


574160 : Publishing DNS statistics if only Global Traffic and AVR are provisioned

Component: Application Visibility and Reporting

Symptoms:
AVR does not publish DNS statistics if LTM is not provisioned.

Conditions:
LTM is not provisioned.

Impact:
The DNS chart does not show statistics.


574045-1 : BGP may not accept attributes using extended length

Component: TMOS

Symptoms:
If a BGP peer sends a path attribute using the "extended length" flag and field, the attribute may be rejected and the BGP connection terminated.

Conditions:
Neighbor sends path attributes using extended length.

Impact:
The BGP adacency will repeatedly bounce and the RIB will never converge.


572563-6 : PWS session does not launch on Internet Explorer

Component: Access Policy Manager

Symptoms:
Internet Explorer (IE) gets stuck entering Protected Work Space (PWS).

Conditions:
One of the DLLs provided by APM, vdeskctrl.dll, provides COM services. Internet Explorer (IE), consumes the COM services. The DLL is loaded by IE during upgrade of PWS components. For some reason (especially on slow systems), IE does not unload the the old DLL promptly after upgrading PWS. When COM services are invoked to initialize PWS after upgrade, old DLL provides the service. Due to the recent renewal of our signing certificate, old DLL can't certify the integrity of the new PWS components. We have researched the issue, but we have not found a way to instruct IE to unload the old DLL after upgrade.

Impact:
PWS session does not launch.

Workaround:
After upgrade, if Internet Explorer(IE) does not enter into PWS within 60 seconds, close IE and start a new session. This is an one time event.


571210-5 : Upgrade, load config, or sync might fail on large configs with large objects.

Component: TMOS

Symptoms:
Attempting to load a large config with large objects may result in the following error message:

err mcpd[7366]: 01070710:3: Database error (52), Can't write blob data, attribute:implementation status:52 - EdbBlobData.cpp, line 57

Attempting to synchronize a large change may result in the following error messages and a crash of the MCPD process:

err mcpd[8210]: 01071693:3: Incremental sync: Caught an exception while adding a transaction to the incremental config sync cache: unexpected exception.

err mcpd[8210]: 01070734:3: Configuration error: MCPProcessor::processRequestNow: Can't write blob data, attribute:msgs status:52

err mcpd[8210]: 01070596:3: An unexpected failure has occurred, request_group destroyed while processing, exiting...

Conditions:
The config must be approximately 19.75 MB (slightly less) prior to processing a large object in the config that exceeds 256 KB.

Or, once config exceeds 19.75 MB and 2 MB of additional memory has been allocated, processing config objects that exceed 256 KB (the larger, the more likely to occur) lead to the error.

Impact:
Upgrade, load config, or sync might fail, and a system crash and restart might occur.

Workaround:
Stagger the load, or reduce the size of particularly large objects within a config.


571019-5 : Topology records can be ordered incorrectly.

Component: TMOS

Symptoms:
Topology records can contain missing order numbers, duplicate order numbers, and differences in the ordering of topology records on BIG-IP's in a sync group.

Conditions:
When adding or deleting topology records or modifying the order of existing topology records, the resulting ordering of the topology records can be inconsistent. This can lead to ordering issues including differences in the ordering of topology records on BIG-IP's in a sync group.

Impact:
It is difficult to manage the order of topology records. Topology records are evaluated in different orders on different BIG-IP's in a sync group.

Workaround:
None.


570663-4 : Using iControl get_certificate_bundle_v2 causes a memory leak

Component: TMOS

Symptoms:
Using iControl call get_certificate_bundle_v2() causes a memory leak. iControlPortal memory use grows unbounded every time the method is called.

Conditions:
This occurs anytime the method is invoked; BIG-IP devices managed by Enterprise Manager can be especially impacted.

Impact:
Eventually iControlPortal will run out of memory and crash.


570617-3 : HTTP parses fragmented response versions incorrectly

Component: Local Traffic Manager

Symptoms:
When a fragmented response is parsed by HTTP, the version field may be incorrectly bounded. HTTP correctly determines the version of the response. However, other filters that re-scan the version field might see a truncated value. The filters then miss-parse the HTTP version.

Conditions:
A fragmented response where the HTTP version field appears in multiple packets. Another filter, for example VDI, re-scans the HTTP version field.

Impact:
The detected version of HTTP may be incorrect. Typically, the response is detected as a HTTP/0.9 response rather than the 1.0 or 1.1 response it actually uses.

Workaround:
None.


570064-6 : IE gives a security warning asking: "Do you want to run ... InstallerControll.cab"

Component: Access Policy Manager

Symptoms:
When logging into a VPN connection using Internet Explorer, Internet Explorer may prompt "Do you want to run ... InstallerControll.cab"

Conditions:
BIG-IP APM configured and is accessed by Internet Explorer. This can happen after an upgrade of BIG-IP.

Impact:
The prompt should not occur.


569288-1 : Different LACP key may be used in different blades in a chassis system causing trunking failures

Component: Local Traffic Manager

Symptoms:
In rare conditions, different blades in a chassis system may use different LACP keys for the same trunk in the LACP control frames. This will cause some of the LACP trunk members not able to aggregate successfully with peer switch.

Conditions:
This only happens in a chassis based system when certain race condition causes trunk id being modified after initial trunk creation.

Impact:
Non aggregated trunk members won't be able to pass traffic.

Workaround:
Restart lacpd in all the blades in the chassis by running command "clsh bigstart restart lacpd"


568889-6 : Some ZebOS daemons do not start on blade transition secondary to primary.

Component: TMOS

Symptoms:
In some specific cases the standby unit's secondary blade ZebOS daemons might not get started when it becomes active.

Conditions:
If the failover occurs as a result of the primary blade's mcpd restarting

Impact:
The new primary blade does not start some ZebOS daemons resulting in ospf not working as expected on the standby unit.

Workaround:
Run the following tmsh command on the new active unit: bigstart restart tmrouted.


566361-4 : RAM Cache Key Collision

Component: Local Traffic Manager

Symptoms:
Intermittent tmm SIGSEGV when RAM Cache is enabled

Conditions:
This occurs when RAM cache is enabled in certain circumstances.

Impact:
Invalid response format, and/or serving the wrong object from cache, and/or tmm crash, interruption of service.

Workaround:
None.


565534-6 : Some failover configuration items may fail to take effect

Component: TMOS

Symptoms:
These symptoms apply to version 12.0.0 and higher:

When only multicast failover is configured, traffic-groups are active on all devices in the device-group. If unicast failover is also configured, the traffic-group unexpectedly switches to a different device.

These symptoms can occur on all versions:

When the unicast address list is changed at the same time as other device properites, sod (the failover daemon) may fail to recognize one of the other changes.

Conditions:
For version 12.0.0 and higher:

Multicast failover is configured and the system loads the configuration from the configuration files. For example during the first boot of a new boot location or after performing the procedure in Sol13030.

For all versions:

A change is made to the cm device configuration that includes a unicast-address change along with something else.

Impact:
When only multicast failover is configured, traffic-groups may become active on all devices in the device-group. If unicast failover is also configured, the traffic-group might switch to a different device.

Workaround:
Mitigation for v12.0.0 symptom:

To restore multicast failover, disable and re-enable multicast failover.

CLI:
This must be done on the the local device:
Determine which interface is being used for multicast failover:
tmsh> list cm device bigip1 multicast-interface
Disable and re-enable multicast failover.
tmsh> modify cm device bigip1 { multicast-interface none }
tmsh> modify cm device bigip1 { multicast-interface eth0 }


Mitigation for all versions symptoms:
Do not make cm device unicast-address changes simultaneously with changes to other cm device properties.


565409-2 : Invalid MSS with HW syncookies and flow forwarding

Component: Local Traffic Manager

Symptoms:
A packet may have an MSS set to 65536 when using HW syncookies and flow forwarding.

Conditions:
The conditions which cause this are not fully known.

Impact:
TMM core/reboot.

Workaround:
Disable HW syncookies or TSO.


563419-1 : IPv6 packets containing extended trailer are dropped

Component: Local Traffic Manager

Symptoms:
Some IPv6 packets are dropped

Conditions:
IPv6 packet contains trailing bytes after payload

Impact:
Packet loss


563135-1 : SWG Explicit Proxy uses incorrect port after a 407 Authentication Attempt

Component: Access Policy Manager

Symptoms:
When the SWG Explicit Proxy is configured to perform a 407 Authentication Request, if the client accesses a non-standard HTTP port (e.g. http://www.example.com:8080) the first request after authentication will fail.

Conditions:
SWG Explicit Proxy configured
HTTP 407 Authorization configured in Per-Request Policy for authentication
Client requests a non-standard HTTP port in request

Impact:
The first request after authentication will fail.

Workaround:
If the user refreshes their browser request, subsequent requests will work as expected.


563064-3 : Bringing up and tearing down an IPsec tunnel will slowly leak tmm memory

Component: TMOS

Symptoms:
Cipher memory initialized when an IPsec tunnel is created is not cleaned up when IPsec tunnel is removed.

Conditions:
Every time an IPsec tunnel is established and then removed will leave the allocated cipher memory in the system.

Impact:
Slowly leak TMM memory


562644-2 : TMM may crash when AAM receives a pipelining HTTP request while shutting down the connection

Component: WebAccelerator

Symptoms:
In rare conditions when a client sends pipelining HTTP requests and AAM is configured it may incorrectly process a consequent request resulting in crashing of TMM.

Conditions:
AAM and ASM licensed and provisioned
HTTP compression profile configured on a virtual server

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


561814-2 : TMM Core on Multi-Blade Chassis

Component: TMOS

Symptoms:
TMM core.

Conditions:
On a multi-blade chassis with WAM caching in use, where the datastor daemon is stopped and restarted, and where traffic is being cached by datastor.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


560510-2 : Invalid /etc/resolv.conf when more than one DNS servers are set and MCPD is down.

Component: TMOS

Symptoms:
When MCPD is not in the running state, dhclient directly writes domain-name-server information into /etc/resolv.conf. If multiple domain-name-servers are given by DHCP server, they are written in the incorrect format with multiple domain-name-servers in a single line comma-separated. Each domain-name-servers entry should be written in a single line with "nameserver" prefix.

Conditions:
- MCPD is not in the running state.
 - DHCP is enabled.
 - DHCP server has provided multiple domain-name-server entries in the lease.

Impact:
Domain name resolution doesn't work.

Workaround:
Bring up MCPD which would write the resolv.conf in the correct format. Alternatively, user can manually modify /etc/resolv.conf to write multiple nameserver entry one per line.


560429 : LTM iRule table set command cannot always set value of record with extremely short timeout

Component: TMOS

Symptoms:
If you have a record with an extremely low timeout value and you attempt to constantly set/reset the value, you may intermittently attempt to access the record while it is expired, in which case the value you attempt to set it to is not accepted.

Conditions:
Using table set command with a timeout of less than 8 seconds.

Impact:
iRule operates incorrectly

Workaround:
Refresh the timeout on the entry before attempting to set it, via table lookup.


560405-1 : Optional target IP address and port in the 'virtual' iRule API is not supported.

Component: Local Traffic Manager

Symptoms:
In certain scenarios there is a need to redirect an HTTP request through a given virtual server to a another virtual server (or remote endpoint). Such an operation is also known as 'vip-to-vip' forwarding. The available iRule API (specifically, the 'virtual' command) does not currently support this functionality.

Conditions:
Using an iRule to forward a request through a given virtual server to another virtual server or remote endpoint.

Impact:
Cannot implement HTTP Forward Proxy plus Transparent redirection to Web-Cache Pool.

Workaround:
None.


559973-4 : Nitrox can hang on RSA verification

Component: Local Traffic Manager

Symptoms:
With certain signatures, RSA verification can hang the Nitrox crypto accelerator chip. Errors in the ltm log show crit tmm[11041]: 01010260:2: Hardware Error(Co-Processor): n3-crypto2 request queue stuck

Conditions:
RSA verification with certain signatures.

Impact:
Nitrox crypto accelerator can hang.


559554-4 : CHD congestion control can have erroneous very large cwnd.

Component: Local Traffic Manager

Symptoms:
At times, CHD congestion control can store a very large congestion window, resulting in release of data well beyond that warranted by network conditions.

Conditions:
The client advertises a receive window less than 1 MSS, and CHD tries to decrease the window.

Impact:
Possible network congestion.

Workaround:
Change congestion control algoirhtm from CHD.


559080-1 : High Speed Logging to specific destinations stops from individual TMMs

Component: TMOS

Symptoms:
High Speed Logging to specific destinations stops from individual TMMs. The flows appear to have very large idle times. Attempts to delete the flows sets the idle time to zero, but does not kill the flow.

Conditions:
This appears to be the result of a failure on the part of the log destination (for example, a log server) wherein the server's TCP stack ACKs a FIN request from the TMM, but does not follow through with a matching FIN or RST. The logging code expects another timeout (essentially a FIN-WAIT2 timeout), but never receives one because the flow has already been marked as expired. As a result, the flow goes into a state in which it appears to be viable but is not actually delivering.

Impact:
Logs are silently lost.

Workaround:
Create an additional virtual server to act as a proxy for the log server, and sent the logs to this virtual server. This essentially uses the TMM itself as a sanitizing proxy.


559060 : AVR reads BIG-IP system's cookie incorrectly in multiple BIG-IP configuration.

Component: Application Visibility and Reporting

Symptoms:
AVR presents incorrect data in the GUI statistics (for example, unexpected pool members, and so on, with hitcount 0).

Conditions:
Multiple BIG-IP systems are configured, one is acting as server for the other and both have 'collect client latency' enabled.

Impact:
Invalid data is presented in the statistics.

Workaround:
Turn off 'collect client latency' in the AVR profile on the BIG-IP system that is acting as the server.


558870-8 : Protected workspace does not work correctly with third party products

Component: Access Policy Manager

Symptoms:
1) Internet Explorer and Firefox cannot be launched in Windows protected workspace if Norton Internet Security 22.x is present on user's machines.
2) Microsoft OneDrive does not work correctly inside protected workspace.

Conditions:
Norton Internet Security 22.x is installed on user's desktop.
Protected workspace is used.

Impact:
User cannot launch Internet Explorer or Firefox inside protected workspace.
Files cannot be synced to OneDrive.

Workaround:
There is no workaround.


558631-7 : APM Network Access VPN feature may leak memory

Component: Access Policy Manager

Symptoms:
VPN connections may cause memory usage to increase with the memory never being reclaimed.

Conditions:
The APM Network Access feature is configured and VPN connections are being established.

Impact:
Slow memory leak over time with eventual out-of-memory condition, performance degradation, and traffic outage.

Workaround:
No workaround short of not using the APM Network Access feature.


557155 : BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.

Component: TMOS

Symptoms:
BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.

Conditions:
Sustained high packet rate with a very small payload.

Impact:
Traffic through the guest stops until the guest/BIG-IP system is reset. However, this issue is reproduced during a test that over provision a 2-vCPU guest and is unlikely to happen in normal operation.

Workaround:
Try ones of the following workarounds (first on is the most preferred and so ):
1. Increase guest memory.
2. Significantly reduce the value of the content in '/sys/module/unic/rx_queue_size'. For example running the following command substantially decreases throughput: echo 1048576 > /sys/module/unic/rx_queue_size.
3. Set panic on OOM. Try this as the last option.
   sysctl vm.panic_on_oom=1


554977 : TMM might crash on failed SSL handshake

Component: Local Traffic Manager

Symptoms:
SSL handshake failures may crash in ssl_verify().

Conditions:
Certain types of failed SSL handshakes in versions 11.5.0 through 11.5.4.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Modifying serverssl cipher string to exclude ECDHE_RSA and ECDHE_ECDSA might help prevent the crash.


554761-7 : Unexpected handling of TCP timestamps under syncookie protection.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system experiences intermittent packet drops.

Despite being negotiated during TCP handshake, the BIG-IP system fails to present timestamp option in subsequent segments.

The BIG-IP system calculates invalid round trip time immediately after handshake, which might result in delayed retransmissions.

Conditions:
This occurs when the following conditions are met:
- Virtual server configured with a TCP profile with timestamps enabled.

- The syncookie mode has been activated.

- Clients that support timestamps.

Impact:
Connection might be reset by remote TCP stack (e.g., NetBSD and FreeBSD), which requires timestamps to be maintained once negotiated.

Retransmission timeout (RTO) value may be skewed. Segments that are subject to RTO might take up to 64 segments to retransmit.

Workaround:
Choose or create a TCP profile that has timestamps disabled.


554340 : IPsec tunnels fail when connection.vlankeyed db variable is disabled

Component: TMOS

Symptoms:
When connection.vlankeyed db variable is disabled, if the data traffic coming out of IKEv1 tunnels that needs to be secured using IKEv2 tunnels lands on tmm's other than tmm0, it will be dropped. The system establishes the IKEv2 tunnel but the data traffic will not be secured.

Conditions:
This issue is seen when the interesting data traffic lands on tmm's other than tmm0. The reason for this issue is due to incorrectly creating a flow on another TMM that is the owner of the outbound SA (IKEv2 tunnel).

Impact:
The system drops the data traffic to be secured using IPsec and connections fail.

Workaround:
Disable the cmp in the virtual server configuration.


554228-6 : OneConnect does not work when WEBSSO is enabled/configured.

Component: Access Policy Manager

Symptoms:
OneConnect is a feature that reuses server-side connections. When WEBSSO is enabled, it always creates a new server-side connection, and doesn't reuse pooled connections.

Conditions:
WEBSSO and OneConnect.

Impact:
Idle serverside connections that should be eligible for reuse by the virtual server are not used. This might lead to build-up of idle serverside connections, and may result in unexpected 'Inet port exhaustion' errors.

Workaround:
None.


553795-1 : Differing certificate/key after successful config-sync

Component: TMOS

Symptoms:
1) If you change a client-ssl profile to a different certificate/key, delete the original certificate/key, create a new certificate/key with the same name as the original one, associate the new certificate/key with the original client-ssl profile, then do a config-sync, the peer system(s)' FIPS chip will retain a copy of the original key.

2) If you change a client-ssl profile to a different certificate/key, delete the original certificate/key, create a new certificate/key with a different name from the original one, associate the new certificate/key with the original client-ssl profile, then do a config-sync, the peer's client-ssl profile will still use the original certificate/key instead of the new one.

Conditions:
1) High Availability failover systems with FIPS configured with Manual Sync.

2) High Availability failover systems configured with Manual Sync.

Impact:
1) An abandoned FIPS key is left behind.

2) The systems claim to be synced, but one system's client-ssl profile uses one certificate/key pair, while the other system(s)' same client-ssl profile uses a different certificate/key pair.

Workaround:
1) Workaround #1: Run an extra config-sync before the second change of the client-ssl profile.
   Workaround #2: Delete the FIPS key by-handle on the peer system(s).

2) Workaround #1: Run an extra config-sync before the second change of the client-ssl profile.
   Workaround #2: Manually update the client-ssl profile then delete the old certificate/key on the peer system(s).


553330-5 : Unable to create a new document with SharePoint 2010

Component: Access Policy Manager

Symptoms:
VPN users are unable to create a new document with SharePoint 2010

An error is given: "The Internet address https://ip:port/shared documents/forms/template.dotx" is not valid

Conditions:
Create a new document using the"New Document button".

Impact:
User cannot create a new document with SharePoint 2010.

Workaround:
none


552585-1 : AAA pool member creation sets the port to 0.

Component: TMOS

Symptoms:
When the AAA server pool member is created (for Radius mode BOTH and for AD), the port is set to 0 (Any) as there are more than one ports for that pool member.

Conditions:
Create AAA pool member while creating an AAA RADIUS server or Active Directory server. The created pool member does not support the ability of having multiple port numbers and for that reason is updated with 0 (Any) as the port number for the pool member. If the user continues to modify using the Admin UI, the port changes made using tmsh will be overwritten again to 0.

Impact:
AAA pool member port is set to 0 (Any) rather than the port specified in the GUI. This is correct as the pool member does not support more and 1 port number.


552385-1 : Virtual servers using an SSL profile and two UDP profiles may not be accepted

Component: Local Traffic Manager

Symptoms:
Error message:
01070711:3: Found disallowed profile: Not Profile profile_clientssl
or
01070711:3: Found disallowed profile: Not Profile profile_serverssl

Conditions:
Create a virtual server with a client-ssl profile and/or a server-ssl profile and two different UDP profiles (one on the server side and one on the client side).

Impact:
When using either a client-ssl profile or a server-ssl profile, depending on the sort order of the UDP profiles, the configuration may not be accepted.

When using both a client-ssl profile and a server-ssl profile, the configuration is not accepted.

Workaround:
When using either a client-ssl profile or a server-ssl profile, either use a common UDP profile for both client and server side or try renaming one of the UDP profiles to alter the sort order.

When using both a client-ssl profile and a server-ssl profile, try using one UDP profile for both the client and server side.


552151-3 : Continuous error report in /dev/log/ltm: Device error: n3-compress0 Nitrox 3, Hang Detected

Component: Local Traffic Manager

Symptoms:
Hardware compression slowly and progressively fails to handle compression operations. The system posts the following errors in ltm.log: crit tmm3[14130]: 01010025:2: Device error: n3-compress0 Nitrox 3.

Conditions:
This occurs when the system encounters errors during hardware compression handling. This occurs on the BIG-IP 5000-, 7000-, 10000-, and 12000-series platforms, and on VIPRION B22xx blades.

Impact:
Compression is (eventually) performed by software. This can result in high CPU utilization.

Workaround:
Disable compression if CPU usage is too high.


551927-5 : ePVA snoop header's transform vlan should be set properly under asymmetric routing condition

Component: TMOS

Symptoms:
On ePVA capable platform with fastl4 profile and asymetric routing on client side, ltm sends packets to the client with wrong vlan/correct mac address (or correct vlan and wrong mac-address) and undecremented ttl.

Conditions:
fastl4 profile and asymetric routing on client side

Impact:
Return traffic could use the wrong vlan

Workaround:
none


551010-4 : Crash on unexpected WAM storage queue state

Component: WebAccelerator

Symptoms:
In rare circumstances WAM may enter an unexpected queue state and crash.

Conditions:
WAM configured on virtual with request queuing enabled

Impact:
Crash

Workaround:
none


550926-4 : AFM rule with "unknown" source Geo-entity stops functioning when another entity (geolocation or otherwise) is added to the same list of addresses in the rule

Component: Advanced Firewall Manager

Symptoms:
When an AFM rule is configured to "unknown" geographic location, the rule stops functioning when another entity (geolocation or IP address) is added to the same list of addresses in the rule.

Conditions:
Configure an address list of AFM rule with "unknown" source Geo-entity and at least one other entity (geolocation or IP address).

Impact:
Confusing, inconsistent, and apparently broken behavior.

Workaround:
Do not configure "unknown" geographic locations as one of the entities in an address list. Known geographic locations work correctly.


550434-3 : Diameter connection may stall if server closes connection before CER/CEA handshake completes

Component: Service Provider

Symptoms:
Serverside connection stalls. Connection is not torn down and packets are not forwarded to serverside.

Conditions:
Selected pool member closes (via FIN) connection before sending CEA as part of Diameter handshake.

Impact:
Connection stalls until handshake timeout and then it is reset.

Workaround:
none


549971-2 : Some changes to virtual servers' profile lists may cause secondary blades to restart

Component: TMOS

Symptoms:
If a virtual server's ip-protocol is not set, then some changes to the list of attached profiles may cause a validation error on secondary blades. This will cause those blades to restart.

Conditions:
This may happen in some cases when changing the list of profiles attached to a virtual server, but does not happen if 'ip-protocol' was explicitly set by the user.

Impact:
mcpd will restart on secondary blades. This will cause most other daemons on those blades to restart as well, including the TMM. Traffic will be lost.

Workaround:
You should explicitly set the ip-protocol when changing the profiles of a virtual server. Then this bug will not occur.


547942-4 : SNMP ipAdEntAddr indicates floating vlan IP rather than local IP

Component: TMOS

Symptoms:
An SNMP query response for ipAdEntAddr would sometimes return floating IPs rather than local IPs. This was due to the supporting software returning the first found IP address for a given vlan.

Conditions:
Problem started after upgrading to v11.5.1 Eng-HF7, from v10.2.4.

Impact:
No impact to Big-IP services, but the returned information to the SNMP query is sometimes incorrect.

Workaround:
None.


547532-4 : Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades

Component: TMOS

Symptoms:
Error messages similar to this are present in the ltm log:

-- err mcpd[9369]: 01020036:3: The requested monitor instance (/part10/test_mon 90.90.90.90%10 443 ltm-pool-member) was not found.
-- err mcpd[9369]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested monitor instance (/part10/test_mon 90.90.90.90%10 443 ltm-pool-member) was not found.

Conditions:
A chassis-based system with multiple blades. A monitor is attached to an object that is configured in a partition that uses a non-default route domain, but the address of the monitor is explicitly using the default route domain (e.g. %0).

Impact:
Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades. mcpd restarts.

Workaround:
Move the monitor to the /Common/ partition and do not specify %0 in the Alias Address.


545214-1 : OSPF distance command does not persist across restarts.

Component: TMOS

Symptoms:
When ospfd is restarted, the value configured for the OSPF distance command is lost.

Conditions:
The distance command is configured in OSPF and the ospfd process is restarted.

Impact:
The distance command does not function as configured, which affects OSPF behavior.

Workaround:
None.


544992-1 : Virtual server profile changes are ignored if it has /Common/remotedesktop and /Common/vdi assigned (Citrix/Vmware View iApp)

Component: Access Policy Manager

Symptoms:
Changes to the profiles that are assigned to a virtual server are ignored if the /Common/remotedesktop and /Common/vdi profiles are already assigned to it. Some iApps that F5 provides to create Citrix or VMware View configurations assign those profiles to a virtual server.

Conditions:
/Common/remotedesktop and /Common/vdi profiles are assigned to a virtual server.

Impact:
Changes to the profiles assigned to a virtual server (adding a new new profile, deleting a profile, changing existing profiles) have no effect until either of these occurs: The /Common/vdi profile is removed from the virtual server or tmm is restarted.

Workaround:
Use tmsh to remove /Common/vdi from the profiles for the virtual server.
(There is no option in the GUI that allows you to do this.)


544888-10 : Idle timeout changes to five seconds when using PVA full or Assisted acceleration.

Component: TMOS

Symptoms:
When FastL4 performs hardware acceleration during the TCP handshake, the FastL4 handshake timeout is not updated to match the profile timeout value after the connection is established.

Conditions:
Accelerated, established TCP flows with no traffic for more than five seconds.

Impact:
TCP flows in the established state are dropped if they have more than five seconds of inactivity.

Workaround:
Disable embedded Packet Velocity Acceleration (ePVA) acceleration.


543993-1 : Serverside connections may fail to detach when using the HTTP and OneConnect profiles

Component: Local Traffic Manager

Symptoms:
Serverside connection does not detach when using OneConnect profile

Conditions:
An HTTP/1.1 response without Content-Length header is received in response to an HTTP/1.0 HEAD request

Impact:
HTTP requests on the same connection are not LB'ed across pool members.

Workaround:
Remove OneConnect profile


542860-3 : TMM crashes when IPsec SA are deleted during HA Active to Standby or vice versa event

Component: TMOS

Symptoms:
TMM can crash when IPsec SA's are deleted using TMSH or racoonctl utility during HA Active to Standby or vice versa.

Conditions:
During the HA Active to standby or vice versa event, Use of TMSH or racoonctl utility to delete IPsec SA's can cause TMM crash. This is a race condition and can occur rarely.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


541836 : GUI disconnect when we try to access last hour request report in ASM

Component: Advanced Firewall Manager

Symptoms:
GUI times out when database query takes too long

Conditions:
Database query takes too long.

Impact:
GUI becomes unusable.

Workaround:
Increasing the timeout value for the GUI can reduce the number of disconnections but might have other side effects.


541622-5 : APD/APMD Crashes While Verifying CAPTCHA

Component: Access Policy Manager

Symptoms:
APD (pre v12.0.0) or APMD (v12.0.0) crashes in libcurl function when verifying CAPTCHA

Conditions:
This issue shows up when multiple sessions are being verified for CAPTCHA at SimpleLogonPageAgent.

Impact:
Authentication service will be disrupted until APD/APMD is up again.


537988-2 : Buffer overflow for large session messages

Component: Local Traffic Manager

Symptoms:
System with multiple blades may crash when when configured with functionality that utilizes SessionDB.

Conditions:
On a multi-blade machine, send an MPI message larger than 64K between blades (typically a session message).

Impact:
Core or potential data corruption.

Workaround:
None.


537964-2 : Monitor instances may not get deleted during configuration merge load

Component: Local Traffic Manager

Symptoms:
After performing a configuration merge load (for example, "tmsh load sys config merge ...") that changes an existing pool's monitor, old monitor instances may not get deleted.

This can result in a system generating monitor requests that are no longer part of the configuration. It can also result in the system logging messages such as the following:

err mcpd[8793]: 01070712:3: Caught configuration exception (0), Can't find monitor rule: 42.

Conditions:
Pools with monitors configured must exist. The merge load must replace the pool's monitor.

Impact:
Multiple monitor instances may be active on some pool members. This may result in incorrect monitoring status.

Workaround:
Once a system is affected by this issue, the misbehavior can be resolved by doing the following:

1. Save and re-load the configuration to correct the incorrect information in mcpd:

    tmsh save sys config partitions all && tmsh load sys config partitions all

2. Restart bigd:

    On an appliance:
    bigstart restart bigd

    On a chassis:
    clsh bigstart restart bigd


537227-4 : EdgeClient may crash if special Network Access configuration is used

Component: Access Policy Manager

Symptoms:
EdgeClient crashes during connect or disconnect process. Exact time may differ from time to time.

Conditions:
EdgeClient may crash if Network Access contains configuration which includes:
Full-tunnel
Allow DHCP or Allow Local subnets is used
There is a proxy between client and APM

Impact:
EdgeClient crashes prevent Access Network to work

Workaround:
Remove on of conditions causing crash to happen


535904-5 : BD crashes when attempting to access a closed connection

Component: Application Security Manager

Symptoms:
The Enforcer Application system generates a BD core file to the /shared/core directory.

Conditions:
One or more of these features is turned on - Session tracking, web scraping, ICAP, ASM irules. The client side or the server side pre-maturely closes the connection.
Some load happens on this traffic.

Impact:
The Enforcer Application system may temporarily fail to process traffic.

Workaround:
N/A


535806-5 : Not enough free disk space for live install of BIG-IP 12.0.0 from 11.5.3 VE

Component: TMOS

Symptoms:
Not enough free disk space for live install of 12.0.0.

Conditions:
Initial install of BIG-IP VE GOOD 11.5.3. Upgrade to 12.0.0

Impact:
Unable to install 12.0.0 on 2nd slot.

Workaround:
Grow the virtual disk before installing 12.0.0.


535246-1 : Table values are not correctly cleaned and can occupy entire disk space.

Component: Application Visibility and Reporting

Symptoms:
AVR data in MySQL might grow to fill all disk space.

Conditions:
This might occur when DNS table receives a large number of entries that are not being evicted when they are no longer needed.

Impact:
MySQL stops responding. Site might experience down time due to full disk.

Workaround:
If monitoring disk space and AVR data takes more than 70% of the space, reset AVR data by running the following commands sequentially: -- touch /var/avr/init_avrdb. -- bigstart restart monpd.


534890-1 : When using session tickets, the session id sent might be incorrect

Component: Local Traffic Manager

Symptoms:
Under some circumstances, when SSL session is resumed using session tickets, the BIG-IP system might send an incorrect session id.

Conditions:
Session tickets are enabled.

Impact:
The session id sent might be incorrect

Workaround:
Do not enable session tickets.


534795-2 : Swapping VLAN names in config results in switch daemon core and restart.

Component: Local Traffic Manager

Symptoms:
Changing names of configured VLANs directly in the configuration file and reloading results in a bcm56xxd switch daemon core and restart.

Conditions:
Applies to all switch based platforms, when modifying the VLAN names directly in the configuration file and reloading.

Impact:
Switch daemon drops core, restarts, and reconfigures the switch.

Workaround:
First delete any existing VLANs, and then recreate then with new names.


534343 : Sync of sync-only device group removes global policy

Component: Advanced Firewall Manager

Symptoms:
Sync of sync-only device group removes global firewall policy on device being synced to.

This problem does not manifest on sync-failover groups.

Conditions:
Sync-only device group.

Impact:
Loss of global firewall policy on device being sync'd to.

Workaround:
None


533966-1 : Double loopback nexthop release might cause TMM core.

Component: Local Traffic Manager

Symptoms:
TMM might restart after logging an 'Assertion "nexthop ref valid" failed' message.

Conditions:
Traffic is sent from one tmm to a tunnel in another tmm, but the tunnel does not exist.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


533813-1 : Internal Virtual Server in partition fails to load from saved config

Component: TMOS

Symptoms:
Loading a successfully configured internal Virtual Server from the config fails with the following message:

-- 01070712:3: Values (/part2/0.0.0.0%2) specified for Virtual Server (/part2/ICAP_request): foreign key index (name_FK) do not point at an item that exists in the database.

Conditions:
This occurs when the following conditions are met:
-- You are running a BIG-IP system with no configuration.
-- You have created an external VLAN with an interface.
-- You have created a non-default route domain, and associated it with a newly created VLAN.
-- You have created a virtual server, and configured a pool in a partition other than /Common.
-- You have saved the configuration.

Here is an example of how this might occur. Run the following commands.

- tmsh
- create net vlan external interfaces add { 1.2 }
- create net route-domain 2 vlans add { external }
- create auth partition part2 default-route-domain 2
- cd ../part2
- create ltm pool icap_pool members add { 10.10.10.10:8080 }
- create ltm virtual ICAP_request destination 0.0.0.0:0 mask 0.0.0.0 internal ip-protocol tcp profiles add { tcp } pool icap_pool
- save sys config
- load sys config partitions all verify.

Impact:
The operation creates a virtual server but cannot load it from saved config.

Workaround:
To work around this issue, you can use the Common partition to complete the configuration.


533658-1 : DNS decision logging can trigger TMM crash

Component: Global Traffic Manager

Symptoms:
Applying load balance decision logging to the DNS profile can cause TMM to crash when a query is load balanced to a last resort pool that is unavailable.

Conditions:
-- DNS load balance decision logging is enabled on the DNS profile,
A Wide IP is configured with a last resort pool.
-- The last resort pool is unavailable.
-- A query is load balanced to the last resort pool.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable decision logging for the DNS profile, or discontinue use of the last resort pool feature.


533388-4 : tmm crash with assert "resume on different script"

Component: Local Traffic Manager

Symptoms:
In a rare race condition involving stalled server-side TCP connections on which a RST is received and a asynchronously executing client-side iRule for event CLIENT_CLOSED the tmm can crash with assert "resume on different script".

Conditions:
The conditions under which this assert/crash is triggered are hard to reproduce.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid asynchronously executing CLIENT_CLOSED iRules (e.g. those that use 'after' or 'table' or 'session' commands - this is not an exhaustive list).


532189 : CIDR masks for blacklist classes lacks validation for /0

Component: Advanced Firewall Manager

Symptoms:
IP Intelligence will accept Feed List entries with a CIDR mask of /0, which is all addresses. If an IP Intelligence policy drops traffic for that blacklist category, all traffic will be dropped.

Conditions:
A feedlist entry with a CIDR mask of /0

Impact:
Every address will match the blacklist category, causing all traffic to be blocked.

Workaround:
None


531986-4 : Hourly AWS VE license breaks after reboot with default tmm route/gateway.

Component: TMOS

Symptoms:
In AWS Hourly instances, if a default gateway is added, the hourly license may fail, causing BIG-IP to fail to come up to a running state. Error messages will resemble the following:

Jul 6 19:26:14 ip-10-0-0-104 err mcpd[22186]: 01070734:3: Configuration error: MCPProcessor::check_initialization:
Jul 6 19:26:17 ip-10-0-0-104 err mcpd[22186]: 010717ff:3: [Licensing]: Failure in establishing instance identity.

Conditions:
Hourly instance in AWS with default tmm route added.

Impact:
BIG-IP VE will fail to fully start, rendering the instance unusable.

Workaround:
Temporary removal of default tmm route resolves this problem. The tmm route can be added back once MCPD is in the running state.


530952-2 : MySql query fails with error number 1615 'Prepared statement needs to be re-prepared'

Component: Application Visibility and Reporting

Symptoms:
MySql query fails with error number 1615 'Prepared statement needs to be re-prepared'. Errors in monpd.log similar to the following:

[DB::mysql_query_safe, query failed] Error (error number 1615) executing SQL string ...

Conditions:
This is due to a MySql bug. For information, see 'Prepared-Statement fails when MySQL-Server under load', available here: http://bugs.mysql.com/bug.php?id=42041

Impact:
Monpd loses functionality

Workaround:
Restart monpd.


530903-3 : HA pair in a typical Active/Standby configuration becomes Active/Active after a software upgrade

Component: TMOS

Symptoms:
HA pair should remain in active/standby state after the software upgrade but instead goes into an active/active state.

Conditions:
Occurs in an active/standby HA pair which has a medium size configuration of pools and virtual servers (at least 30 objects total). The standby device is upgraded first and then it is rebooted. After reboot, the HA pair goes into an Active/Active state. Upgrades to 11.5.0 through 11.5.3 as well as to 11.6.0 are impacted.

Impact:
Active/Standby configuration is lost.

Workaround:
Reconfigure the HA pair back to active/standby.


530812-3 : Legacy DAG algorithm reuses high source port numbers frequently

Component: Local Traffic Manager

Symptoms:
A service on a pool member will receive connections frequently with a source port number above 65400, especially when the incoming connections to the Virtual IP listener are generated by test tools that increment their source port numbers sequentially. This could lead to premature SNAT port exhaustion, if SNAT is also being used.

Conditions:
The issue appears to be limited to the legacy DAG algorithm on the VIPRION PB100 and PB200 blades. All supported versions of BIG-IP will exhibit this issue on this hardware when this DAG algorithm is used. The problem is not exhibited when the incoming sessions' source port numbers have a reasonable amount of entropy (as one would normally see with real Internet traffic); however, the use of test tools, or even intentional malicious traffic may cause this issue to be seen.

Impact:
The issue could result in resource contention (such as SNAT pool port exhaustion), or problems with the pool member services distinguishing between sessions. A notable exception: Port reuse before TIME_WAIT expires is specifically NOT an impact of this issue.

Workaround:
To work around SNAT pool port exhaustion, increase the pool size, or change to auto-map. An iRule may be used to help pool member services better distinguish incoming sessions.


530795-2 : In FastL4 TCP virtual servers, ICMP might send wrong SEQ number/ACK number.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system may send ICMP messages that contain an incorrect tcp seq ack number in the embedded msg body.

Conditions:
FastL4 TCP virtual servers. Syncookie mode.

Impact:
The TCP connflow might be aborted if an ICMP message (such as More fragment) is received.

Workaround:
None.


530242 : SPDAG on VIPRION B2250 blades might cause traffic imbalance among TMMs

Component: TMOS

Symptoms:
When SPDAG is turned on VIPRION B2250 blades, the traffic imbalance among TMMs might be observed.

Conditions:
Enable SPDAG on VIPRION B2250 blades.

Impact:
The traffic imbalance can lower the throughput of VIPRION B2250 blades.

Workaround:
Adding or removing B2250 blades might mitigate the imbalance.


529977 : OSPF may not process updates to redistributed routes

Component: TMOS

Symptoms:
When routes redistributed into OSPF are rapidly added and removed, OSPF may not reflect all of the updates in its LSA database.

Conditions:
External routes, such as kernel or static, redistributed into OSPF being rapidly added and removed. This my happen when using Route Health Injection and enabling/disabling a virtual address.

Impact:
The OSPF may have stale or missing LSAs for redistributed routes.

Workaround:
Identify the OSPF process ID for the affected route domain using "ps | grep ospfd" and terminate it using the kill command.

This disrupts dynamic routing using OSPF.


529610-3 : On HA setups ASM session tracking page display an empty list when in fact there are asm entries in session db

Component: Application Security Manager

Symptoms:
When session tracking actions are enabled in ASM policy, an HTTP request may be blocked based on HTTP session or username and illegal traffic that has been sent from this session. The blocked request is reported in the security events log, but there is no option to release the username using the Configuration utility.

Conditions:
High availability (HA) setup, and ASM with Session tracking actions enabled.

Impact:
Usernames and HTTP sessions are blocked by ASM without an option to release them from the Configuration utility.

Workaround:
Stop and start tmm on all devices in the HA group by running the following commands:
-- bigstart stop tmm
-- bigstart start tmm


529524-4 : IPsec IKEv1 connectivity issues

Component: TMOS

Symptoms:
IPsec IKEv1 tunnels do not come up and IKE negotiations is not initiated/ or does not complete.

Conditions:
1. Configure the BIG-IP system with IPsec IKEv1 tunnel.
2. Send traffic to match the selectors, and it fails. Although it may succeed intermittently.

The following chassis scenario might also cause the issue:
1. Configure the VIPRION chassis with IPsec IKEv1 tunnel.
2. Send traffic to match the selectors, and the intended traffic is secured. IPsec IKEv1 tunnels are established.
3. Perform bigstart restart on the secondary blade.
4. Observe Traffic does not pass, and shows IKE negotiation failures.

Impact:
IPsec IKEv1 tunnels do not get established and the intended traffic is not secured. Traffic does not pass, and shows IKE negotiation failures.

Workaround:
There is a workaround for the chassis platform: Perform bigstart restart of tmm on all blades. There is no workaround for non-chassis platforms.


529141-1 : Upgrade from 10.x fails on valid clientssl profile with BIGpipe parsing error

Component: TMOS

Symptoms:
Upgrade from 10.x fails with the error 'emerg load_config_files: '/usr/libexec/bigpipe load' - failed. -- BIGpipe parsing error (/config/bigpipe/bigip.conf Line 67): 012e0020:3: The requested item (myclientssl {) is invalid (profile_arg ` show ` list ` edit ` delete ` stats reset) for 'profile'."

Conditions:
Attempting to upgrade from 10.x to 11.x (prior to 11.5.4 HF2) or 11.6.0 or 11.6.1 with custom Certificate and Key in clientssl profile.

Impact:
Unable to upgrade successfully.

Workaround:
Comment out the following line in bigip.conf: inherit-certkeychain false.


528407-2 : TMM may core with invalid lasthop pool configuration

Component: Local Traffic Manager

Symptoms:
In certain circumstances, TMM may core if the unit is configured with an invalid, non-local lasthop pool,

Conditions:
1) BIG-IP system with VIP and lasthop pool with non-local pool member.
2) Sys db tm.lhpnomemberaction set to 2.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure lasthop pool to use local members/addresses.


528295-3 : Virtual ARP ICMP echo settings are flipped on reloading a 10.x configuration on 11.4.x or later.

Component: TMOS

Symptoms:
A 10.x UCS containing LTM virtual servers with ARP set to disable. Loading the 10.x UCS on 11.4.x or later system leads to the ARP and ICMP echo setting value being flipped each time the load occurs.

Conditions:
Reloading a 10.x UCS containing virtual servers on 11.4.x or later system.

Impact:
ARP and ICMP echo setting value being flipped each time the load occurs. Note that the ICMP echo virtual field will be flipped even if ARP is enabled.

Workaround:
Delete the LTM virtual servers on the 11.x/12.x version system prior to re-loading the 10.x UCS.


528031-4 : AVR not reporting the activity of standby systems.

Component: Application Visibility and Reporting

Symptoms:
When working in Active/Standby configurations, the standby system is completely ignored when generating an AVR report. The standby system might have been an active system in the past, so its statistics should also be counted.

Conditions:
Configuration with Active and Standby systems.

Impact:
Some historical activity might not be reported by AVR.

Workaround:
None.


528007-7 : Memory leak in ssl

Component: Local Traffic Manager

Symptoms:
An intermittent memory leak was encountered in SSL

Conditions:
This can occur under certain conditions when using Client SSL profiles

Impact:
The amount of memory leaked is quite small, but over time enough memory would leak that TMM would have to reboot.

Workaround:
none


527742-3 : The inherit-certkeychain field of a clientSSL profile is not synchronized correctly on the standby bigip

Component: Local Traffic Manager

Symptoms:
When creating a clientSSL profile at the active big-ip, its inherit-certkeychain field is true by default, however, it appears to be false on the standby big-ip.

Conditions:
Bigips are deployed as HA pair.

Impact:
A HA pair is supposed to have the same configuration and the same behavior. Mismatching configuration on a HA pair could lead to unexpected mismatching behavior.


526699-3 : TMM might crash if BIG-IP DNS iRule nodes_up references invalid IP/Port.

Component: Global Traffic Manager

Symptoms:
A BIG-IP DNS system configured with an iRule that makes use of the command nodes_up in its ip_address :: port version might lead to a crash.

Conditions:
- BIG-IP DNS iRule processing traffic with nodes_up IP/Port command.
 - IP/Port references an invalid LTM virtual server.
 - Client sends requests to the BIG-IP DNS wide IP.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Specify correct IP/Port in the nodes_up iRule command


526295-1 : BigIP crashes in debug mode when using PEM irule to create session with calling-station-id and called-station-id

Component: Policy Enforcement Manager

Symptoms:
When using PEM irule to create session with calling-station-id and called-station-id, BigIP will crash in debug mode

Conditions:
1. PEM is provisioned.
2. Bigip is running in debug mode
3. PEM iRule is used to create session with calling-station-id and called-station-id

Impact:
Causing the bigip to crash

Workaround:
Creating PEM session with irules that do not have calling-station-id and called-station-id. And add the two attributes using separately using PEM info iRule


525958-5 : TMM may crash if loadbalancing to node's IP in iRule routed towards an unreachable nexthop.

Component: Local Traffic Manager

Symptoms:
In a specific combination of events TMM may core.

Conditions:
This occurs when the following conditions are met:
  - Load balancing a flow to an ip_tuple (e.g., the Tcl 'node' command).
  - That address is not directly connected.
  - The matched route is a gateway pool that contains a pool member that is not reachable.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure correct routing to all destinations with reachable next hops.


525562-3 : Debug TMM Crashes During Initialization

Component: Access Policy Manager

Symptoms:
Debug version of TMM (tmm.debug) generates core file and fails to start up.

Conditions:
This issue happens when running debug version of TMM on a multi-blade chassis/vCMP.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Revert to use default version of TMM (tmm.default)


525429-5 : DTLS renegotiation sequence number compatibility

Component: Access Policy Manager

Symptoms:
OpenSSL library was modified to keep it compatible with RFC 6347 complaint DTLS server renegotiation sequence number implementation.

Conditions:
The old OpenSSL library is not compatible with RFC6347, the new OpenSSL library is modified to be compatible with RFC6347.
The current APM client is compatible with old OpenSSL library, not the new OpenSSL library.

Impact:
The current APM client is not compatible with new OpenSSL libary.


524490-1 : Excessive output for tmsh show running-config

Component: TMOS

Symptoms:
The tmsh show running-config displays many default configuration items. Although the output does display the user-configuration items as expected, it is not expected to include default configuration items in the output.

Conditions:
tmsh show sys running-config.

Impact:
The presence of excessive default configuration items makes the tmsh show running-config output parsing difficult.

Workaround:
None.


524333-1 : iControl command pkcs12_import_from_file_v2 may fail if httpd is restarted or session times out.

Component: TMOS

Symptoms:
When pkcs12_import_from_file_v2 is used immediately after httpd is restarted, or when pkcs12_import_from_file_v2 is used after the session-timeout period, an 'Internal error' response is received.

This issue is not seen if another iControl call is made and pkcs12_import_from_file_v2 is tried after that.

Conditions:
pkcs12_import_from_file_v2 is used immediately after httpd is restarted, or when pkcs12_import_from_file_v2 is used after the session-timeout period.

Impact:
iControl command may fail if httpd is restarted or session times out.

Workaround:
None.


523922-2 : Session entries may timeout prematurely on some TMMs

Component: TMOS

Symptoms:
In certain scenarios, session entries may not be refreshed when the TMM that owns the entry is used to process the connection.

Conditions:
When the TMM owning the session entry is a different one to the TMM handling the connection and the entry is retrieved, for example via irule, "session lookup uie"; the timeout will be extended.

When the TMM owning the entry and the one handling the connection is the same, then the entry may not have its timeout changed and lead to premature removal.

Impact:
Different TMMs may behave differently and cause confusion when using the session table.

Workaround:
None


523527-5 : Upgrade from 10.x to 11.2.0 or later does not add existing routing protocols to RD0.

Component: TMOS

Symptoms:
If you are directly upgrading from version 10.x to version 11.2.0 or later with a working dynamic routing protocols configuration may encounter that the routing protocol is disabled on upgrade to 11.2.0 or later.

Conditions:
- Upgrade from 10.x to 11.2.0 or later.
- Routing protocol enabled in tmrouted dbkeys.
- No route domain 0 (zero) (RD0) configuration, that is defaults of all VLANs in RD0, no comment, leading to no existing configuration in bigip_base.conf

Impact:
Routing protocol information is missing from RD0, ZebOS is not running (although configured).

Workaround:
There are several workarounds to this issue:
  - Causing the RD0 configuration to exist by adding a comment to the 10.x description field and saving prior to upgrade.
  - Re-adding the routing protocol to the RD0 configuration after the upgrade.
  - Perform an intermediate upgrade from 10.x to 11.0.0 or 11.1.0 prior to upgrading to an 11.2.0 or later version.


523434-2 : mcpd on secondary blades will restart with an error message about a sflow_http_virtual_data_source object

Component: TMOS

Symptoms:
mcpd on secondary blades may restart and log an error of the following form: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (sflow_http_virtual_data_source) object ID (44). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_http_virtual_data_source status:13)... failed validation with error 17237812.

Conditions:
The exact conditions under which this occurs are not well understood. The immediately triggering event is a change in the cluster's primary blade.

Impact:
All services on an affected blade restart.

Workaround:
None.


523222-3 : Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending.

Component: Access Policy Manager

Symptoms:
Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending.

If an access policy has Redirect ending, the Citrix HTML5 client will fail to start with HTTP 400 error.

Conditions:
Citrix Storefront configured in integration mode through APM.

Impact:
HTML5 client not usable for this sort of integration


522304-3 : Some password policy changes are not reflected in /etc/shadow when synced in a CMI device group

Component: TMOS

Symptoms:
Some password policy settings (maximum and minimum durations, expiration warning) are reflected in /etc/shadow when a user's password is changed. In a CMI device group, changes to password policy are correctly synced, but the settings reflected in /etc/shadow are not.

Conditions:
CMI device group configured; maximum or minimum duration, or expiration warning, settings of password policy are used; user password is changed.

Impact:
Password policy may not be enforced consistently across all devices.

Workaround:
None.


522231-1 : TMM may crash when a client resets a connection

Component: WebAccelerator

Symptoms:
When a client resets a connection while AAM is preparing to serve a response from cache TMM may crash causing failover and restart of AAM. A profile on a virtual from another BIG-IP module (other than AAM and LTM) may contribute to the issue.

Conditions:
1) AAM must be provisioned.
2) A response to the requested URL must be cached and fresh.
3) Client resets a connection immediately after the request is done and the response has not started to serve.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Install the fix.


522024 : Config sync of SecurID config file fails on secondary blades

Component: TMOS

Symptoms:
After uploading a new SecurID config file using the GUI, mcpd restarts and fails to sync the file to the secondary.

Conditions:
If APM is provisioned, and upload a new SecurID config file via the GUI. This can also happen on device group peers.

Impact:
The secondary blade restarts mcpd, which in turn restarts several other daemons. The secondary blade never receives the config file, so if it becomes primary, it does not have the correct configuration.

Workaround:
Use tmsh: tmsh modify apm aaa securid secureid-name config-files modify { sdconf.rec { local-path /path/to/sdconf.rec } }.


521813-2 : Cluster is removed from HA group on restart

Component: Local Traffic Manager

Symptoms:
When the system is rebooted (or "bigstart restart" is executed), any HA groups with clusters in them will have those clusters removed.

Conditions:
Chassis-based system with an ha-group and ha-group-cluster configured. All blades have to reboot, since if a single blade is rebooted it pulls the running-config from the primary slot.

Impact:
HA cluster configuration is missing every time all the blades are rebooted.


521774-1 : Traceroute and ICMP errors may be blocked by AFM policy

Component: Local Traffic Manager

Symptoms:
ICMP error packets for existing connections can be blocked by AFM policy. Diagnostics that use ICMP error messages, such as traceroute, may fail to display information beyond the AFM device.

Conditions:
The AFM policy has a rule to drop or reject that can match the IP header of ICMP messages going from a router IP address back to the client or server IP address that sent the original packet.

Impact:
Network diagnostics such as traceroute through an AFM device will not display information from routers between the AFM device and the destination IP address.

Workaround:
If possible and allowed, create an AFM rule matching the affected ICMP packets with an action of accept-decisively.


521556-5 : Assertion "valid pcb" in TCP4 with ICAP adaptation

Component: Local Traffic Manager

Symptoms:
TMM crashes with assertion "valid pcb" in tcp4.c

Conditions:
Virtual server with request-adapt or response-adapt profile.
Congested client or TCP small window (flow-control is active).
Multiple HTTP requests in a single client connection.
More likely with iRules that park.

Impact:
Intermittent crash under load.


521548-4 : Possible crash in SPDY

Component: Local Traffic Manager

Symptoms:
In very rare circumstances related to SPDY protocol handling together with a compression profile a crash may occur.

Conditions:
This is very rare and the exact circumstances are unclear, It involves SPDY, a compression profile and a congested client connection and a stream being reset by the browser (using a RST_STREAM frame).

Impact:
Very rarely a crash may occur.

Workaround:
Don't apply the compression profile.


521538-1 : Keep-alive transmissions do not resume after failover of flows on an L4 virtual, when the sequence number is known

Component: Local Traffic Manager

Symptoms:
After failover of an L4 flow that is using keep-alive, the keep-alive transmissions do not resume after traffic has flowed through the BIG-IP system.

Conditions:
Using HA mirroring of L4 connections, with keep-alive enabled on the profile for TCP. After a failover, there was traffic before the flow timed out, then the traffic becomes idle. If there is no traffic after failover, the correct sequence numbers are unknown, then this is expected behavior: the flow times out due to inactivity. If there is traffic after failover, the correct TCP sequence numbers are known; if there is traffic after failover, and then the flow becomes idle, keep-alive transmissions should resume.

Impact:
Flows after failover with TCP keep-alive age out and expire even if traffic is available to set the sequence numbers. Depending on the configuration options, subsequent packets may reset or transparently create a new flow (if TCP loose initiation is enabled).

Workaround:
None.


521522-1 : Traceroute through BIG-IP may display destination IP address at BIG-IP hop

Component: Local Traffic Manager

Symptoms:
When performing traceroute through a BIG-IP device, the traceroute utility may display the destination IP in place of the hop where BIG-IP is located, instead of a Self IP address of the BIG-IP device at that hop.

Conditions:
No return route for the client IP address exists on the BIG-IP device.

Impact:
There is no impact to the performance of traffic through the BIG-IP device. The impact occurs only when reading and interpreting the results of a traceroute utility.

Workaround:
If possible and allowed, add route entry for the traceroute client subnet.


521506-5 : Network Access doesn't restore loopback route on multi-homed machine

Component: Access Policy Manager

Symptoms:
Network Access on Windows doesn't restore loopback route for one adapter on multi-homed (Ethernet + Wi-Fi) machine.

Conditions:
This issue happens if:
1. Network Access was established via Ethernet
2. Ethernet cable was unplugged
3. Network Access reconnects using Wi-Fi
4. Ethernet cable is plugged in back

Impact:
Minor routing issues may occur if one special loopback is removed. To restore this route affected adapter should be disabled and enabled.


521455-3 : Images transcoded to WebP format delivered to Edge browser

Component: WebAccelerator

Symptoms:
The Microsoft Edge browser does not support, and cannot render WebP format images. The AAM image optimization framework improperly classifies the Edge browser as being capable of supporting WebP and delivers WebP-transcoded images to such clients.

Conditions:
The AAM system's image optimization as well as the "optimize for client" setting must both be enabled, and the associated acceleration policy and application associated with one or more virtual servers.

Impact:
Some images will fail to render on the Edge browser.

Workaround:
Disable the "optimize for client" attribute in the applicable policies' acceleration assembly settings.


521408-1 : Incorrect configuration in BigTCP Virtual servers can lead to TMM core

Component: Local Traffic Manager

Symptoms:
An incorrect configuration on an irule associated to a BigTCP virtual server can lead to TMM to core.

Conditions:
The following circumstances are needed:
   - BigTCP Virtual server
   - FastL4 profile with syncookies enabled.
   - Invalid iRule that will fail to execute, on LB_FAILED
   - Syncookie currently activated in that moment.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Correct or remove the irule event and coring will no longer occur.


521336 : pkcs11d initialization retry might post misleading error messages and eventually result in a pkcs11d core

Component: Local Traffic Manager

Symptoms:
The retry of pkcs11d initialization might post misleading error messages and eventually result in a pkcs11d core.

Conditions:
When pkcs11d retries to wait for other services such as tmm or mcpd.

Impact:
After the system reboots, the /var/log/ltm shows initialize errors and the /var/log/daemon.log shows pkcs11_initialize messages: -- err pkcs11d[6247]: 01680002:3: Pkcs11 Initialize error (this is misleading; pkcs11d is actually retrying). -- err pkcs11d[6247]: Nethsm: pkcs11_initialize C_GetSlotList error 0x00000000, number of slots 0.

Workaround:
Retry pkcs11d restart when tmm and mcpd are both ready.


521329 : CGNAT - Rare TMM core with Deterministic NAT

Component: Carrier-Grade NAT

Symptoms:
Under some circumstances TMM may core when using deterministic NAT due to a divide by zero error.

Conditions:
CGNAT using deterministic NAT mode and persistence enabled. This error only occurs if a previous connection created an address persistence entry using the second address.

This crash is dependent on both the configuration and the traffic.

When the number of subscriber addresses that disaggregates to a TMM is not evenly divided by the number of translation addresses that disaggregates to the same TMM, connections from one or more subscribers may be assigned to blocks from two translation addresses. Depending on the exact address ratio, there may be only one port using the second address.

Due to an off-by-one error, the number of ports available for the second address may be set to zero when it should be set to one. This causes the divide by zero fault.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


520849 : [PolicySync] Access Profile with "default-log-setting" fails

Component: Access Policy Manager

Symptoms:
Policy Sync failed with profile configured with "default-log-setting"

Conditions:
Config "default-log-setting" for profile then do a policy sync

Impact:
Policy Sync fails.

Workaround:
"default-log-setting" is actually not supposed to be configured for APM profile, it's supposed to be used by SWG. Just do not config it.


520604-3 : Route domain creation may fail if simultaneously creating and modifying a route domain

Component: Local Traffic Manager

Symptoms:
Failure trying to create and modify a route domain in a single operation.

Conditions:
Performing create and modify operations in the same transactions, as can be done using tmsh and iControl.

Impact:
Transaction fails. Even though an ID is passed in with the create method, the system posts an error similar to the following: 01070734:3: Configuration error: route-domain Name /Common/test_rd_200 is non-numeric, so an ID must be specified.

Workaround:
Perform create and modify operations in different transactions.


520380-2 : save-on-auto-sync can spawn multiple invocations of tmsh, starving system of memory

Component: TMOS

Symptoms:
Unit demonstrates behaviors consistent with out-of-memory condition. 'top' and 'ps' may show multiple tmsh processes waiting to run.

Conditions:
Enable auto-sync and save-on-auto-sync.

Impact:
Low memory condition may result in system instability.

Workaround:
None.


520145-1 : [Policy Sync] OutOfMemoryError exception when syncing big and complex APM policy

Component: Access Policy Manager

Symptoms:
Policy sync fails with out-of-memory error on target device with big and complex policy.

Conditions:
Profile of big size, for example, excessive use of ACL resource.

Impact:
Policy Sync fails.


520105-1 : Possible segfault during hardware accelerated compression.

Component: Local Traffic Manager

Symptoms:
Segfault and core-dump of tmm when using gzip, deflate, or zlib hardware accelerated compression compress or decompress operations.

Conditions:
Requests for compression on the hardware accelerator might cause a segfault.

Impact:
Tmm restarts when the issue is encountered.

Workaround:
Disable hardware accelerated compression.


519415-2 : apm network access tunnel ephemeral listeners ignore irules (related-rules from main virtual )

Component: Access Policy Manager

Symptoms:
If you want to change timeout values for server-side initiated flows inside Network Access tunnels, ephemeral listeners ignore irules.
There seems to be a workaround for this through tmsh (not ui) by attaching iRules (related-rules) to main virtual that gets run on ephemeral listeners. (These ephemeral listeners are created by Network Access tunnels for lease-pool IPs.) The command for this is (for example):
 tmsh modify ltm virtual vs_dtls related-rules { idle_time }

The problem here was APM Network Access used to ignore the related-rules on main virtual and the rules weren't triggered.

Conditions:
APM Network access use case.

Impact:
Related rules on main virtual are not applied to ephmeral listeners; (these ephemeral listeners are created by Network Access tunnels for lease-pool IPs).

Workaround:
none.


519394-4 : Sync when licensed for ASM/AFM fails to sync pool with "Load balancing feature not licensed" error

Component: TMOS

Symptoms:
When adding a single pool member to a pool associated to a virtual server, the sync fails with error message 'Load balancing feature not licensed.' from peer.

Conditions:
ASM/AFM licensed, a pool assigned to a virtual server, a single pool member is added.

Impact:
Sync fails.

Workaround:
Perform a sync between the creation of the pool and the pool members.


519198-1 : [Policy Sync] UI General Exception Error when sync a policy in non-default partition as non-default admin user

Component: Access Policy Manager

Symptoms:
Failed to sync a policy in non-Common partition as a non-default admin user.

Conditions:
Log in as different admin user than the default "admin".
Sync a policy that was created in a non-Common partition..

Impact:
Policy Sync fails

Workaround:
Log in as default "admin" user.


519059-1 : [PA] - Failing to properly patch webapp link, link not working

Component: Access Policy Manager

Symptoms:
Any attribute URL in a HTML content is rewritten as "javascript:location=..." if is <base> tag is situated before the tag with the attribute, a content hint is not set in the HTML rules for the attribute and it's not the cookieless mode.

Conditions:
Webapp link is not properly patched.

Impact:
Rewritten links are not accessible.


518583-4 : Network Access on disconnect restores redundant default route after looped network roaming for Windows clients

Component: Access Policy Manager

Symptoms:
Windows Network Access restores redundant default route if client roaming from networks in loop e.g.:
NetworkA -> NetworkB -> NetworkA.

Conditions:
* Connect NIC to NetworkA
* Connect to VPN
* Roam to another wifi network SSID (NetworkB)
* Roam back to the original wifi SSID in step #1 (NetworkA)

Impact:
Incorrect default route may cause routing issues on client machine if metric of interfaces connected to NetworkB is lower than metric of interfaces connected to NetworkA

Workaround:
N/A


518086 : Safenet HSM Traffic failure after system reboot/switchover

Component: Local Traffic Manager

Symptoms:
SafeNet hardware security module (HSM) Traffic failure after system reboot/switchover.

Conditions:
Restart of services on primary or secondary blade.

Impact:
Now traffic will fail. There will be no pkcs11 connection on new primary blade.

Workaround:
The workaround is to restart pkcs11d on the secondary blade.


517790-5 : When non-HTTP traffic causes the server-side to receive unexpected data, the connection will be dropped

Component: Local Traffic Manager

Symptoms:
Non-HTTP traffic can have the server-side send data outside the usual request-response pairing. (Either before a request, or extra data after a response is complete.)

If so, HTTP will reject the connection as the server state is now unknown. However, if HTTP is acting as a Transparent proxy, switching to pass-through mode and disabling HTTP may be a better course of action.

Conditions:
Non-HTTP data sent to the server-side not belonging to a response.

Impact:
Banner protocols, where the a server will respond before seeing any data will not pass through the Transparent HTTP proxy.

Non-HTTP protocols that start with a pseudo-HTTP response, followed by extra data will reject the connection when the extra data is seen.

Workaround:
It may be possible to use HTTP::disable to disable the HTTP filter when some signature of the non-HTTP protocol is seen.


517580-1 : OPT-0015 on 10000-series appliance may cause bcm56xxd restarts

Component: TMOS

Symptoms:
Changing configuration (enable/disable/auto-negotiation) on copper SFPs on 10000-series appliance might cause an internal bus to hang. Symptoms are bcm56xxd process restarts, and the interfaces may show as unknown.

Conditions:
Only copper SFPs OPT-0015 on 10000-series appliances exhibit this problem.

Impact:
The bcm56xxd process restarts, and the interfaces may show as unknown.

Workaround:
To work around this issue, follow these steps:
1) Force the system offline.
2) Reboot the system.
3) Release the system's offline status.


517551-3 : Assembly Can Create Response Stalls

Component: WebAccelerator

Symptoms:
In some rare cases, if a document is 'assembled', it can stall, giving little or no response to the client.

Conditions:
This might occur when the original document is smaller than the small object cache size limit, but grows to be larger than the small object cache size limit during assembly. In rare cases, this can cause the document to be unservable.

Impact:
Requests for that document results in client timeouts.

Workaround:
Create a policy node for that specific document, and set to 'proxy always.'


517441-3 : apd may crash when RADIUS accounting message is greater than 2K

Component: Access Policy Manager

Symptoms:
If the RADIUS Acct agent is configured for an access policy, and there are a lot of attributes with total size greater than 2K, apd may crash.

Conditions:
RADIUS Acct agent is configured and an AP
with numerous attributes in RADIUS Acct request

Impact:
service becomes unavailable while restarting apd process


517209-1 : tmsh save sys config file /var/tmp or /shared/tmp can make some BIG-IP functionality unusable

Component: TMOS

Symptoms:
The tmsh save sys config file /var/tmp or /shared/tmp or a relative path to these directories (for example, /config/../shared/tmp) saves the scf with the specified real path. However, since the /var/tmp directory is used internally by BIG-IP daemons, some functionality may be rendered unusable till the /var/tmp symlink to /shared/tmp is restored.

Conditions:
Saving the sys config file /var/tmp or /shared/tmp (or a relative patch to one of these directories).

Impact:
Some system functionality may be rendered unusable.

Workaround:
Use the following commands to delete the scf and restore the symlink: -- rm -f /var/tmp. -- ln -s /shared/tmp /var/. -- bigstart restart.


517124-1 : HTTP::retry incorrectly converts its input

Component: Local Traffic Manager

Symptoms:
The HTTP::retry iRule converts its input into UTF8. If the input is a bytearray using some other locale, then bytes with the high-bit set may be corrupted.

The resulting corrupted request will then be sent to the server as the retried request.

Conditions:
The input to HTTP::retry is a TCL bytearray rather than a TCL string. The output from some commands i.e. HTTP::payload is a bytearray. Strings are in the UTF8 format, Bytearrays are not.

Impact:
Non-ascii characters may be corrupted when HTTP::retry is used.


516598-2 : Multiple TCP keepalive timers for same Fast L4 flow

Component: Local Traffic Manager

Symptoms:
Multiple TCP keepalive timers for same Fast L4 flow.

Conditions:
Fast L4 profile with TCP Keepalive option enabled.

Impact:
TMM core.

Workaround:
Disable TCP Keepalive option from the Fast L4 profile.


516462-6 : Gateways for excluded address space routes are not adjusted correctly during roaming between networks on Windows machines

Component: Access Policy Manager

Symptoms:
Gateways for excluded address space routes are not adjusted correctly during roaming between networks on Windows machines.

Conditions:
Client Windows machine roams between different networks (Wi-Fi or Ethernet) when the BIG-IP system has configured split-tunneling.

Impact:
Excluded address space routes are not applied.


516280 : bigd process uses a large percentage of CPU

Component: Local Traffic Manager

Symptoms:
With a very large number of monitors, the bigd process can consume more than 80% CPU when a slow HTTP server returns an error.

Conditions:
~8000 HTTP/HTTPS monitors, and a slow HTTP server returns a 500 error.

Impact:
bigd process uses a large percentage of CPU.

Workaround:
None.


516075-2 : Linux command line client fails with on-demand cert

Component: Access Policy Manager

Symptoms:
Linux command line client fails with On-Demand Cert Auth.

Conditions:
End user needs to be running Linux command line client and the On-Demand Cert Auth agent.

Impact:
Depending upon the access policy, the user might fail to log in and establish a Network Access connection.

Workaround:
none


516057-2 : Assertion 'valid proxy' can occur after a configuration change with active IVS flows.

Component: Service Provider

Symptoms:
When a configuration update or sync takes place while there are active connections on an affected internal virtual server (IVS), and a new connection is initiated during the update, the TMM can assert 'valid proxy' and crash.

If there were are no preexisting active connections, the assertion does not occur, but connections initiated during the configuration update might be in a bad state and cause unpredictable effects.

Conditions:
1. Active flows exist on an internal virtual server (IVS). Necessary to trigger the assertion.
2. A configuration update or sync affecting that IVS is in
progress.
3. A new connection is initiated to that IVS during the update.

Impact:
This is intermittent and rarely encountered. When all preexisting connection flows on this IVS tear down, a 'valid proxy' assertion can trigger and cause a TMM crash and restart, resulting in lost connections across the BIG-IP system or blade. New IVS connection flows initiated during the configuration update might be in a bad state and exhibit unpredictable effects, even if there is no crash.

Workaround:
Try to avoid configuration changes affecting any IVS while connections are active. This is intermittent so most likely will not manifest, even with active connections.


515797-5 : Using qos_score command in RULE_INIT event causes TMM crash

Component: Global Traffic Manager

Symptoms:
TMM crashes when the iRule with qos_score command in RULE_INIT event is added to a wide IP.

Conditions:
Configured iRule with qos_score command in RULE_INIT event that is added to a wide IP.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Mitigation: Do not use qos_score command in RULE_INIT event.


515759-7 : Configuration objects with more than four vlans in vlan list may cause memory utilization to increase over time

Component: Local Traffic Manager

Symptoms:
tmm memory growth over time.

Conditions:
Conditions leading to this issue include: one or more virtual servers, NATs, SNATs, or LSNs with more than four VLANS in a vlan allow or vlan deny list.

Impact:
tmm memory usage can grow over time eventually causing memory exhaustion.

Workaround:
Mitigation: Minimize the number of VLANs in the VLAN list for virtual servers, NATs, SNATs and LSNs. Minimize the number of configurations changes to Self-IPs, virtual servers, NATs, SNATs and LSNs.


515728-3 : Repeated BD cores.

Component: Application Security Manager

Symptoms:
The bd process crashes and produces a core file in the /var/core directory.

Conditions:
It is not known what conditions trigger the crash.

Impact:
Traffic disrupted while bd restarts.


515646-2 : TMM core when multiple PPTP calls from the same client

Component: Carrier-Grade NAT

Symptoms:
TMM can core when there are multiple PPTP calls arrive from the same client.

Conditions:
PPTP ALG VS with CGNAT.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


515482-2 : Multiple teardown conditions can cause crash

Component: Local Traffic Manager

Symptoms:
When iRules direct the teardown of a TCP connection after some delay, another event might tear down the connection during the delay. When the iRule-directed abort finally arrives, the system crashes.

Conditions:
(1) An iRule or other cross-layer message can trigger a ABORT after teardown.

(2) The TCP profile has settings that invoke the correct TCP implementation:
(a) 11.5.x: mptcp is enabled
(b) 11.6.x: mptcp, rate-pace, or tail-loss-probe are enabled, OR TCP uses Vegas, Illinois, Woodside, CHD, CDG, Cubic, or Westwood congestion control.

Impact:
TMM crashes.

Workaround:
Suspend iRules with this behavior.


515187-4 : Certain ICMP packets are evaluated twice against Global and Route Domain ACL rules.

Component: Advanced Firewall Manager

Symptoms:
Certain ICMP packets (such as ICMPv6 Destination Unreachable) match twice against Global and Route-Domain ACL rules.

Conditions:
AFM provisioned and licensed.

Create a Global and/or Route Domain ACL policy with a rule matching ICMP traffic. Send ICMP packet such as Destination Unreachable.

Impact:
Global and Route-Domain ACL rules are evaluated twice under conditions specified above. This causes the rule counters to be incremented by 2 (instead of 1) and may cause double logging if enabled.

Workaround:
None


515139-2 : Active FTP session with inherit profile and address translation disabled may not decrement pool member current connections statistics

Component: Local Traffic Manager

Symptoms:
Current connections seen in the poolmember statistics via tmsh might show a non-decremented number over time.

Conditions:
This occurs when the following conditions are met: - FTP virtual server with address translate disabled. - FTP profile with inherit parent profile. - Active FTP session. Running the command: tmsh show ltm pool pool_name.

Impact:
The current connections statistics value does not decrement upon data connection closure. While this is primarily cosmetic, it might impact connections when used in combination with limit calculations.

Workaround:
Disable inherit parent profile in the FTP profile.


515112-3 : Delayed ehash initialization causes crash when memory is fragmented.

Component: Advanced Firewall Manager

Symptoms:
When first using a new feature (fpm, firewall) under memory fragmentation conditions, if the feature uses an ehash table, TMM may crash.

Conditions:
Severe memory fragmentation, where contiguous allocations are not satisfied, combined with initial use of a new feature.

Impact:
TMM crashes.

Workaround:
Utilize all features shortly after TMM comes up, so all initial allocations are performed.


515072-8 : Virtual servers with priority groups reset incoming connections when a non-zero connection limit is increased

Component: Local Traffic Manager

Symptoms:
When a virtual server has priority groups and connection limit configured, if the connection limit is reached and is increased while the member is limited, then subsequent connections will be reset rather than allowed.

Conditions:
Using priority groups and a non-zero connection limit, with one of the following load balancing methods: least-connections-member, least-sessions, ratio-member, ratio-least-connections-member, ratio-session. The issue occurs when the connection limit is adjusted higher when the connection limit is reached on the high-priority pool.

Impact:
New connections are reset without being able to send traffic.

Workaround:
If it is feasible to adjust the priorities, adjust the connection limit to its initial value, and adjust the priority groups so that the traffic currently on the limited pool drains out. When the pool has no connections, increase the limit to restore the correct priorities.


514975 : Reset packet after connflow idle timout contains seq number 0 in nPath mode.

Component: Local Traffic Manager

Symptoms:
When a reset is triggered after the connflow idle timeout expiry, the packet contains the sequence number 0 to the client side. Due to this, client rejects it as an invalid packet.

Conditions:
Fast L4 profile with loose init and loose close enabled for nPath mode.

Impact:
The client connection is left idle.

Workaround:
None.


514912-1 : Portal Access scripts had not been inserted into HTML page in some cases

Component: Access Policy Manager

Symptoms:
If HTML page contains forms with absolute action paths, Portal Access scripts must be inserted into this page. But if there are no other reasons to include them, these scripts were not included.

Conditions:
HTML page which consists of the form with absolute action path, for instance:

<form action='/cgi-bin/a.gci">
</form>

Impact:
The form can not be submitted because browser fires JavaScript error.

Workaround:
It is possible to use iRule to insert Portal Access scripts into rewritten HTML page.


514726-3 : Server-side DSR tunnel flow never expires

Component: TMOS

Symptoms:
TMM cores and memory exhaustion using Direct Server Return (DSR). DSR establishes a one-way tunnel between the BIG-IP system and the back-end servers using the clients' IP addresses as the tunnel local-address on the BIG-IP system. These flows never expire.

Conditions:
BIG-IP virtual servers using DSR tunnels to send client traffic to the server.

Impact:
Server-side DSR tunnel flow never expires. Because the DSR tunnels use client's IP address as the tunnel local-address and the server's IP address as the tunnel remote-address, a single DSR setup might introduce as many tunnels as the clients' requests. When these tunnels do not expire, the BIG-IP system memory resource might be used up eventually, causing TMM cores.

Workaround:
None.


514604-4 : Nexthop object can be freed while still referenced by another structure

Component: Local Traffic Manager

Symptoms:
Use after free of the Nexthop object may cause memory corruption or tmm core.

Conditions:
This can happen if the proxy connection takes some time to complete, creating a large enough time window where the nexthop object might be freed.

Impact:
The BIG-IP system might crash. This is a very timing/memory-usage dependent issue that is rarely encountered.

Workaround:
None.


514450-1 : VXLAN: Remote MAC address movement does not trigger ARL updates across TMMs.

Component: TMOS

Symptoms:
In a VXLAN tunnel, a remote MAC address movement from one endpoint to another does not trigger ARL updates across all TMMs. As a result, some TMMs may contain stale ARL entries which can impact traffic forwarding. Also, when using 'tmsh show net fdb tunnel', there is a duplicated MAC address associated with different endpoints in the same tunnel.

Conditions:
When a remote MAC address is moved from one endpoint to another. For example, when a BIG-IP system in an HA setup configured with a masquerading MAC address changes its state from 'standby' to 'active'.

Impact:
This issue could impact traffic forwarding in VXLAN tunnels.

Workaround:
Although there is no complete workaround, you can mitigate the situation by making sure that the network is properly configured so that every device uses a unique MAC address. For example, in a network with an HA setup, try not to use masquerading MAC addresses.


514419-3 : TMM core when viewing connection table

Component: Local Traffic Manager

Symptoms:
In very rare conditions tmm may core on viewing the connection table.

Conditions:
This occurs only when a configuration meets all of the following conditions: - A NAT. - An AFM reject rule for ICMP. The user views the connection table on the system.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not view the connection table when this configuration combination exists.


514220-3 : New iOS-based VPN client may fail to create IPv6 VPN tunnels

Component: Access Policy Manager

Symptoms:
Newer iOS-based VPN client does not provide MAC address during IPCP negotiation. This prevents the IPv6 VPN tunnel from getting established.

Conditions:
It affects only iOS-based IPv6 VPN connection requests.

Impact:
This impacts only IPv6 VPN tunnel requests from iOS-based devices.

Workaround:
None.


514108-4 : TSO packet initialization failure due to out-of-memory condition.

Component: Local Traffic Manager

Symptoms:
TCP Segmentation Offload (TSO) packet initialization failure due to out-of-memory condition with the message: packet is locked by a driver.

Conditions:
This is related to tmm running out of memory while configured with TSO, on BIG-IP or VIPRION platforms which implement the HSB (High Speed Bridge) device in hardware.

This problem may occur on all currently-supported BIG-IP or VIPRION platforms EXCEPT the following:
BIG-IP 2000-/4000-series appliances.
BIG-IP 1600, 3600 appliances.

Impact:
TMM posts the assert message: packet is locked by a driver, then crashes.

Workaround:
Disable TSO (for more information, see SOL15609: Overview of TCP Segmentation Offload, available here: https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15609.html):

To enable or disable TSO functionality, you can use the following command syntax:

tmsh modify sys db tm.tcpsegmentationoffload value <enable | disable>

Note: After modifying the tm.tcpsegmentationoffload database variable, you must restart the TMM daemon by running the bigstart restart tmm command. Restarting TMM temporarily interrupts traffic processing. F5 recommends running this command only during a maintenance window.


514061-2 : False positive scenario causes SMTP transactions to hang and eventually reset.

Component: Application Security Manager

Symptoms:
Upon specific SMTP traffic, connection hangs and eventually resets.

Conditions:
SMTP profile with 'protocol security' turned on is attached to the virtual server, and the response is processed in bulk.

Impact:
Connection hangs and eventually resets.

Workaround:
None.


513969-5 : UAC prompt is shown for machine cert check for non-limited users, even if machine cert check service is running

Component: Access Policy Manager

Symptoms:
UAC prompt is shown for machine cert check for non-limited users, even if Machine Cert Check service is running on client Windows machine.

Conditions:
Current user is non-limited.
Machine Cert Check service is running.
User tries to pass Access Policy.

Impact:
Non-limited user has to press 'ok' in UAC window.


513953-5 : RADIUS Auth/Acct might fail if server response size is more than 2K

Component: Access Policy Manager

Symptoms:
RADIUS authentication or accounting fails when a response from the backend server is bigger than 2048 bytes

Conditions:
Response from backend server is bigger than 2048 bytes

Impact:
RADIUS Auth/Acct agent failed.


513787-1 : CSRF doesn't apply web application callback registered as XMLHttpRequest.onload in IE8-10

Component: Application Security Manager

Symptoms:
Since Javascript is executed on client side. When it comes to page render, javascript errors might break your page.

Conditions:
Using Internet Explorer 8-10 with CSRF ASM enabled.

Impact:
Since Javascript is executed on client side. When it comes to page render, javascript errors might break your page.

Workaround:
N/A


513706-4 : Incorrect metric restoration on Network Access on disconnect (Windows)

Component: Access Policy Manager

Symptoms:
The metric after Network Access disconnect differs from metric before Network Access for default route.

Conditions:
Using Network Access on Windows systems.

Impact:
A multi-home environment might experience routing issues after disconnecting Network Access, for example, by default traffic might go through Wi-Fi instead of wired networks.

Workaround:
Disable and enable the network adapter.


513530-2 : Connections might be reset when using SSL::disable and enable command

Component: Local Traffic Manager

Symptoms:
Enable/disable of SSL filter in quick succession might cause connection reset.

Conditions:
SSL filter is disabled then quickly re-enabled.

Impact:
Connection is unexpectedly reset/lost.

Workaround:
Do not re-enable SSL filter immediately after disabling it.


513403-2 : TMM asserts when certain ICMP packets (e.g multicast echo) are classified by AFM and match rules at Global and Route Domain context with logging enabled for these rules and also log-translations is enabled in AFM Logging configuration.

Component: Advanced Firewall Manager

Symptoms:
TMM asserts when certain ICMP packets are classified by AFM and match rules at the Global and Route Domain context with logging and log-translations enabled.

Conditions:
This might occur in the following configurations: -- AFM Rule Logging is enabled and Log Translations is enabled in Log Profile, -- Server side AVR Statistics collection is enabled under Security :: Reporting. -- Certain ICMP packets (such as multicast ICMP echo) are classified and match AFM rules at Global and Route Domain contexts.

Impact:
TMM crashes (assert). Traffic disruption due to TMM process crashing.

Workaround:
Disabling log-translations in AFM Logging Profile configuration can prevent the TMM crash for these types of ICMP packets.


513319-1 : Incorrect of failing sideband connections from within iRule may leak memory

Component: Local Traffic Manager

Symptoms:
When using sideband connections within iRules, the internal TMM memory structures might leak if the sideband destination is not reachable (routing, etc.).

Conditions:
Unreachable sideband destination that lead to failures of the sideband connection creation, e.g. destination is not reachable via routing.

Impact:
Gradual memory usage in TMM, which can lead to aggressive memory sweeper and eventual failover/outage. This might manifest in gradual increment of TMM memory usage in graphs, particularly, the following: -- High number of connfails in tmctl sb_stats. -- High number of allocated memory in tmctl sb_cache.

Workaround:
Correct possible reachability issues to the sideband destination.


513243-2 : Improper processing of crypto error condition might cause memory issues.

Component: Local Traffic Manager

Symptoms:
Improper processing of a crypto error condition might cause memory issues.

Conditions:
Error when processing certain crypto commands.

Impact:
The error might cause TMM to crash.

Workaround:
None.


513213 : FastL4 connection may get RSTs in case of hardware syncookie enabled.

Component: Local Traffic Manager

Symptoms:
Occasionally, ACK is sent to server without SYN, connection get RST.

Conditions:
1) FastL4 virtual server.
2) Hardware syncookie enabled.
3) Might more commonly occur with forwarding virtual servers.
4) Often happens when egress router has ARP timeout.

Impact:
Some connections will be dropped.

Workaround:
Configure a static ARP to all neighbors (routers) to avoid most issues.


513165 : SAML Service Provider generated SLO requests do not contain 'SessionIndex' attribute

Component: Access Policy Manager

Symptoms:
When the BIG-IP system is used as SAML Service Provider, and SP-initiated Single Logout (SLO) is executed, the SLO request message does not contain the 'SessionIndex' attribute'. As a result, the external IdP might not be able to terminate the user's session.

Conditions:
BIG-IP is configured as SP. SLO is initiated by SP.

Impact:
External IdP may not be able to terminate user's session.


513098-5 : localdb_mysql_restore.sh failed with exit code

Component: Access Policy Manager

Symptoms:
In certain scenarios, deleting a dynamic user entry from memory does not clear the entry from the underlying table.

Conditions:
This might occur when a dynamic user record is marked for deletion but has not yet been removed when the dynamic user representing that record is re-authenticated.

Impact:
Over time, the table grows in size due to stale records.


512954-4 : ospf6d might leak memory distribute-list is used

Component: TMOS

Symptoms:
Memory might be leaked when a distribute-list is used to filter routes between OSPFv3 and the Routing Information Base (RIB). The leak may lead to a crash unrelated to memory exhaustion.

Conditions:
OSPFv3 in use with a distribute-list, and LSAs in the database whose prefixes will be filtered by the distribute-list.

Impact:
ospf6d crashes interrupt all dynamic routing using OSPFv3.

Workaround:
Position the BIG-IP system in the network so there are no LSAs that need to be filtered using a distribute-list, such as in a stub area.


512885 : https monitor fails to work with MD5 with RSA as signature hash algorithm

Component: Local Traffic Manager

Symptoms:
https monitor fails to work with server that has MD5 with RSA as signature hash algorithm

Conditions:
https monitor, server using MD5 with RSA.

Impact:
https monitor fails

Workaround:
configure the back end server to use another cipher


512490-1 : Increased latency during connection setup when using FastL4 profile and connection mirroring.

Component: Local Traffic Manager

Symptoms:
Connection setup when using FastL4 profile and connection mirroring takes longer than previous versions.

Conditions:
FastL4 profile with connection mirroring.

Impact:
Slight delay during connection setup.

Workaround:
Disable tm.fastl4_ack_mirror. Optionally, enable tm.fastl4_mirroring_taciturn for signal to noise ratio improvements. This helps resolve connection setup latency.


512485-1 : Forwarding of flooded VXLAN-encapsulated unicast frames may introduce additional forwarding

Component: TMOS

Symptoms:
In VXLAN overlays, unicast frames are flooded (via multicast or unicast replication) when the destination MAC address is known and the remote endpoint is unknown. Upon receiving a flooded unicast frame, the BIG-IP system might forward the frame again to yet another endpoint. Eventually an additional L2 hop might be introduced between the sender and the receiver. This applies to both the multicast and the multipoint (unicast replication) configurations of VXLAN.

Conditions:
This affects deployments with three or more VXLAN endpoints.

Impact:
The introduction of an additional hop adds unnecessary latency.


512383 : Hardware flow stats are not consistently cleared during fastl4 flow teardown.

Component: Local Traffic Manager

Symptoms:
The PVA stat curr_pva_assist_conn is not being updated properly for certain Fast L4 flows.

Conditions:
1) Fast L4 virtual server.
2) PVA-acceleration enabled.

This occurs when the connection flow is not created because UDP traffic arrives at an undefined port on the virtual server. The curr_pva_assist_conn value is incremented though there are no active PVA flows.

This can also occur when LTM gets ICMP unreachable messages from the serverside.

Impact:
Stats counts for Fast L4 virtual server, curr_pva_assist_conn value and 'Current SYN Cache', show invalid counts. If the hardware SYN cookie protection is on, the SYN cookie protection may be activated when it is not supposed to.

Workaround:
None.


512345-3 : Dynamic user record removed from memcache but remains in MySQL

Component: Access Policy Manager

Symptoms:
When the system fetches a dynamic user record from MySQL and places the record into memcache, the record might remain there in an unmodified state for ten days.

Conditions:
This occurs when a dynamic user record is removed from memcache but remains in MySQL, due to an intermittent race condition between apmd/memcache and localdbmgr.

Impact:
Dynamic user, if locked out, remains in memcache for ten days. During this interval, the dynamic user record is unusable.

Workaround:
The Admin can remove the user by deleting the associated memcache record.


512245-4 : Machine certificate agent on OS X 10.8 and OS X 10.9 uses local host name instead of hostname

Component: Access Policy Manager

Symptoms:
Machine certificate agent checker on client might extract wrong certificate based on LocalHostName if it is not same as hostname. Machine certificate agent checker might fail.

Conditions:
BIG-IP APM with machine certificate agent.

Impact:
Machine certificate check might fail


512130 : Remote role group authentication fails with a space in LDAP attribute group name

Component: TMOS

Symptoms:
Remote role group authentication fails if there is a space in attribute name of remote-role role-info.

Conditions:
This occurs when the auth remote-role role-info attribute name contains a space character.

Impact:
LDAP authentication fails.

Workaround:
Remove space characters from LDAP attribute group name.

Another option is to use '\20' in place of spaces in the remote-role's role-info member-of attribute, for example:

memberOf=CN=Some Big Group,CN=Users,DC=DOMAIN,DC=COM

becomes:

memberOf=CN=Some\20Big\20Group,CN=Users,DC=DOMAIN,DC=COM


512054-2 : CGNAT SIP ALG - RTP connection not created after INVITE

Component: Service Provider

Symptoms:
The client has no audio when it makes a call.

Conditions:
This occurs when a client initiates a call with a CSeqID value greater than 64 KB.

Impact:
The BIG-IP system fails to create a media channel for audio/video traffic.

Workaround:
None.


511961-5 : BIG-IP Edge Client does not display logon page for FirePass

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client cannot display FirePass logon page: "Connecting..." status; instead, Edge Client displays blank pages. As a result, clients cannot use the latest BIG-IP Edge Client for Mac with FirePass.

Conditions:
Firepass and APM-supplied build of BIG-IP Edge Client for Mac.

Impact:
User cannot log in to Firepass if using BIG-IP Edge Client for Mac.

Workaround:
Update to latest client


511924-4 : LTM Policy rule names are more strictly validated

Component: Local Traffic Manager

Symptoms:
In version 12.0, a more strict validation is being applied to LTM Policy rule names. Rule names must consist of a specific set of allowed characters.
Allowed characters are:
a-z A-Z 0-9 _ . / : % -

Conditions:
Pre-12.0 LTM Policies with names that have characters outside of the allowed set.

Impact:
During upgrade from a pre-12.0 versions to 12.0 or beyond, pre-existing LTM Policy names which contained disallowed characters will have each disallowed character automatically changed to an underscore (_).

Workaround:
Migration will occur automatically.


511854-1 : Rewriting URLs at client side does not rewrite multi-line URLs

Component: Access Policy Manager

Symptoms:
Exception posted when rewriting multi-line URLs on the client side.

Conditions:
Using multi-line URLs in client-side JavaScript code.

Impact:
Web-application logic might not work as expected. The system might post a message similar to the following: Unable to get property '2' of undefined or null reference.

Workaround:
None.


511782-5 : The HTTP_DISABLED event does not trigger in some cases

Component: Local Traffic Manager

Symptoms:
HTTP_DISABLED is not triggered by the HTTP::disable iRule command, requests using the CONNECT method, and Web-sockets traffic.

Conditions:
If the HTTP filter is switched into pass-through mode by the HTTP::disable command, CONNECT requests, or via Web-sockets traffic.

Impact:
The HTTP_DISABLED event does not trigger.

Workaround:
This issue has the following workaround: -- For HTTP::disable, add the logging code within HTTP_DISABLED after that iRule command. -- For CONNECT, use an iRule to match the method in HTTP_REQUEST, and check that 200 Connected is returned as the status in HTTP_RESPONSE. If so, invoke the logging code within HTTP_DISABLED. -- For Web-sockets, use an iRule to match the 101 Switching Protocols status code in HTTP_RESPONSE. If this happens invoke the logging code that is also within HTTP_DISABLED.


511648-1 : On standby TMM can core when active system sends leasepool HA commands to standby device

Component: Access Policy Manager

Symptoms:
On standby system TMM can core after it comes up when the active system sends leasepool HA commands to the standby device.

Conditions:
This occurs on standby systems when the active system sends it leasepool HA commands.

Impact:
Traffic disrupted while tmm restarts.


511559-1 : Virtual Address advertised while unavailable

Component: TMOS

Symptoms:
An unavailable virtual address is advertised after a load sys config.

Conditions:
The configuration contains a virtual-address with 'enabled' set to 'yes', 'route-advertisement' set to 'enabled', and the 'server-scope' set to 'any'. The BIG-IP system already has the same virtual-address configured with 'server-scope' as 'any'.

Impact:
Routes appear available on the route table when they are not, which might result in traffic being routed to unavailable servers.

Workaround:
Modify the virtual-address' 'server-scope' from the current value to another value and then back to the original value.


511534-3 : A large number of regular expressions in match rules on path-segments may cause an AAM policy to take too long to load,

Component: WebAccelerator

Symptoms:
When loading an AAM policy, the tmm compiles the rules to an internal structure that is efficient for execution. Some conditions however may cause this process to take too long and the tmm gets halted before the system has finished compiling the policy.

Conditions:
The compilation time increases dramatically when regular expressions are used on more than one or 2 operands.

Since you can have conditions on many different path-segments (e.g. the 1st, 2nd, 3rd, etc), using regular expression on path-segments are a likely way to trigger this condition.

Impact:
The compilation time increases dramatically when regular expressions are used on more than one or two operands.

Since conditions might exist on many different path-segments (e.g., the 1st, 2nd, 3rd, etc.), using regular expression on path-segments is a likely way to trigger this condition.

Workaround:
None.


511517-5 : Request Logging profile cannot be configured with HTTP transparent profile

Component: Local Traffic Manager

Symptoms:
Cannot configure both a Request Logging profile and an HTTP transparent profile on the same virtual server.

Conditions:
HTTP transparent profile is attached to a virtual server.

Impact:
Request Logging profile cannot be configured on the same virtual server.


511326-4 : SIP SUBSCRIBE message not forwarded by BIG-IP when configured as SIP ALG with translation.

Component: Service Provider

Symptoms:
The BIG-IP system does not forward messages when configured as SIP ALG with translation.

Conditions:
The BIG-IP system is configured as SIP ALG with translation, and the subscriber sends a SUBSCRIBE message to receive a notification.

Impact:
The Subscriber does not receive any notification regarding the subscribed events.

Workaround:
None.


511324-8 : HTTP::disable does not work after the first request/response.

Component: Local Traffic Manager

Symptoms:
The HTTP::disable command does not work correctly after the first request is complete. If called during the second request (or response), then the connection is reset with an error message.

Conditions:
HTTP::disable is called in a request after the first. The pass-through data reaches the server-side before the server-side HTTP filter expects it.

Impact:
The connection is reset.

Workaround:
None.


511130-1 : TMM core due to invalid memory access while handling CMP acknowledgement

Component: Local Traffic Manager

Symptoms:
Rarely, TMM might core due to invalid memory access while handling a CMP acknowledgement.

Conditions:
Memory is not validated before handling a CMP acknowledgement.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


511057-1 : Config sync fails after changing monitor in iApp

Component: Local Traffic Manager

Symptoms:
Unable to modify a pool monitor and delete it in the same transaction.

Conditions:
A pool must have the monitor associated with it before the tmsh transaction, and must be the same as the monitor being deleted in the transaction.

Impact:
Unable to submit multiple changes in a single transaction.

Workaround:
Modify the pool monitor and delete it in separate transactions.


511006-1 : Virtual address is advertised to ZebOS (as visible via imi shell) while unavailable.

Component: TMOS

Symptoms:
OSPFv2 does not advertise Virtual Addresses upon monitor state changes.

Conditions:
Dynamic routing must be configured. Virtual address is not associated with a virtual server.

Impact:
Route availability inappropriately advertised. The virtual address shows is advertised in ZebOS as available when it is not.

Workaround:
None.


510728-6 : Create and Delete buttons should be disabled for Security :: Protocol Security : Security Profiles : DNS when accessed as Firewall Manager.

Component: Advanced Firewall Manager

Symptoms:
Create and Delete buttons should be disabled for Security :: Protocol Security : Security Profiles : DNS when accessed as Firewall Manager.

Conditions:
User with role of Firewall Manager and accessing
Security :: Protocol Security : Security Profiles : DNS

Impact:
Firewall Manager has extra abilities not considered in scope for the role. Therefore a validation error will be thrown similar to the following: "01070822:3: Access Denied: user (username) does not have create access to object (dns_security)"


510720-4 : iRule table command resumption can clear the header buffer before the HTTP command completes

Component: Local Traffic Manager

Symptoms:
iRule table command resumption can clear the header buffer before the HTTP command completes.

Conditions:
An HTTP request was attempted with an iRule table command that resumed after parking.

Impact:
Results in a SIGABRT. The header names might intermittently output incorrectly, and report empty names and/or parts of the request line.

Workaround:
This issue has no workaround at this time.


510709-2 : Websso start URI match fails if there are more than 2 start URI's in SSO configuration.

Component: Access Policy Manager

Symptoms:
If more than 2 start URIs are configured, start URI parsing does not work correctly. This results in no start URI match and websso failure.

Conditions:
SSO error happens only if there are more than 2 start URIs configured in the SSO configuration.

Impact:
SSO V1(websso) fails for configured start URI due to start URI mismatch.

Workaround:
No workaround


510588 : Cross blade trunk with balanced trunk.cluster.distribution has issues with re-enabling the only local trunk working member

Component: Local Traffic Manager

Symptoms:
When using the non-default trunk.cluster.distribution mode, with a cross blade trunk and the only remaining trunk member for the slot disabled, results in trunk errors when re-enabling this (non favor local) trunk member interface.

Conditions:
trunk.cluster.distribution mode has been configured for multi-blade trunking in a VIPRION. See https://support.f5.com/kb/en-us/solutions/public/1000/600/sol1689

Impact:
Re-enabled local trunk member interface of a balanced cross blade trunk (i.e. using non favor local members) may not function correctly.

Workaround:
A restart of the bcm56xxd daemon may be required to re-add all the trunk members of a balanced cross blade trunk.


510580-2 : Interfaces might be re-enabled unexpectedly when loading a partition

Component: TMOS

Symptoms:
Loading of a set of partitions not including Common might re-enable interfaces that were previously disabled.

Conditions:
Loading of a set of partitions not including Common.

Impact:
Interfaces might be unexpectedly reenabled. (It is expected that 'load sys config partitions { anotherpartition }' will only affect objects in the /anotherpartition folder.)

Workaround:
None.


510559-2 : Add logging to indicate that compression engine is stalled.

Component: TMOS

Symptoms:
Hardware compression slowly and progressively fails to handle compression operations. The system posts the following errors in ltm.log: crit tmm3[14130]: 01010025:2: Device error: n3-compress0 Nitrox 3. If the compression engine stalls, there is no logging-trail to indicate there is a problem.

Conditions:
This occurs when the system encounters errors during hardware compression handling and the compression engine stalls.

Impact:
Compression completely stalls, or CPU can be driven up by software-based compression. No indication of what the issue is.

Workaround:
Disable compression, or select 'software only' compression.


510395 : Disabling some events while in the event, then running some commands can cause tmm to core.

Component: Local Traffic Manager

Symptoms:
If an event is disabled inside the event itself, and then a Tcl command that executes asynchronously is executed, TMM can core.

Conditions:
An event is disabled from inside the event, and then a parking command is issued.
Example:
when HTTP_REQUEST {
   if { $a == $b } {
       event disable HTTP_REQUEST
   }
   after 100
   log local0. "foo"
}

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable events as the last command before exiting the event. For example:

when HTTP_REQUEST {
   if { $a == $b } {
       event disable HTTP_REQUEST
       return
    }

}


510381-6 : bcm56xxd might core when restarting due to bundling config change.

Component: TMOS

Symptoms:
A race condition exists where bcm56xxd might core while restarting due to a bundling configuration change if it is still processing other config messages from MCP. This affects all platforms that support interface bundling.

Conditions:
Interface bundling change requiring a restart while still processing configuration messages.

Impact:
Unnecessary core file produced since the daemon is restarting anyway.

Workaround:
None.


510337-1 : Page-not-found result for APM uses the incorrect stylesheet, resulting in incorrect page formatting (404 response).

Component: Access Policy Manager

Symptoms:
The page-not-found result for APM uses the incorrect stylesheet, resulting in incorrect page formatting (404 response).

Conditions:
This can happen when user enters an invalid URL suffix after the BIG-IP system management address.

Impact:
Inconsistent page appearance for the 404 response page.

Workaround:
Modify the file main.css to apm.css.


510264-4 : TMM core associated with smtps profile.

Component: Local Traffic Manager

Symptoms:
tmm can core when the smtps profile is enabled.

Conditions:
This is an intermittent core seen when the smtps profile is enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
n/a


510119-1 : HSB performance can be suboptimal when transmitting TSO packets.

Component: TMOS

Symptoms:
For heavily fragmented TSO packets, it is possible to populate a high percentage of the HSB's transmit ring.

Conditions:
This can happen when transmitting large fragmented TSO packets.

Impact:
Suboptimal behavior might be seen when transmitting large fragmented TSO packets. There is a rare chance it can lead to a full or stuck transmit ring.

Workaround:
Disable TSO.


509782 : TSO packets can be dropped with low MTU

Component: TMOS

Symptoms:
If an interface is configured with a low MTU, it is possible for the system to drop TSO packets. This can be observed looking at the tx_drop_tso_bigpkt stat in the tmm/hsb_internal_fsc table.

Conditions:
The interface is configured with a low MTU, usually 750 or lower. If TMM then attempts to use TSO for a packet, there is a chance this packet will be dropped.

Impact:
Large TSO packets are dropped.

Workaround:
Increase the MTU or disable TSO.

If TSO is not disabled, three related fixes are needed to fully address the issue:

-- ID 466260, covered in SOL15953: TMM may produce a core file with the 'Assertion we always have room in tx ring! failed' error message.
-- ID 502238, covered in SOL16736: The BIG-IP system may lose connectivity and fail to process all traffic through TMM if the HSB is overloaded.
-- ID 509782, covered in SOL16780: The BIG-IP system may drop TSO packets. The Solutions are available here:

-- https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15953.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16736.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16780.html


509758-6 : EdgeClient shows incorrect warning message about session expiration

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client shows an incorrect warning message once a network access connection is established.

Conditions:
Access Policy has disabled Maximum Session timeout (set to 0) and
Network Access webtop is used.

Impact:
Versions that have session expiration timeout display all zeroes instead of the timeout value. This is a cosmetic issue that does not indicate incorrect system functionality.

Workaround:
None.


509677-3 : Edge-client crashes after switching to network with Captive Portal auth

Component: Access Policy Manager

Symptoms:
When switching to a network with Captive Portal authentication, the Edge-client becomes unresponsive.

Conditions:
- Captive Portal uses https logon page
- Network switching done by unplugging network cable from NIC or disconnecting from wireless network (not disabling network
interface).

Impact:
Edge-client crashes

Workaround:
N/A


509600-3 : Global rule association to policy is lost after loading config.

Component: TMOS

Symptoms:
The association of a global rule to a policy appears to be lost after loading a config by directly loading, saving, upgrading, and config syncing. As a result of this issue, you may encounter the following symptom:

After re-enabling a global policy and waiting for an unspecified period of time, you observe that the policy is disabled again.

Conditions:
This occurs when you associate a global rule with a policy, and then initiate an operation that causes config load.

Impact:
Policies are removed from enforcement in the global context.

Workaround:
To work around this issue, you can add back the rules manually, or, if you have not configured a route domain, you can apply route domain rules to Route Domain 0, which is effectively the same as the global rule context when no other route domains are configured.

Impact of workaround: If you have other route domains configured, Route Domain 0 is no longer usable as a global context.


509504-2 : Excessive time to save/list a firewall rule-list configuration

Component: TMOS

Symptoms:
A configuration containing a large number of firewall rule-list::rules might take an excessively long time to save. Similarly, excessive times are seen for listing the firewall configuration.

Conditions:
Large number of AFM rules.

Impact:
A long time to save or list the configuration. While this issue was noticed for a firewall rule-list::rules configuration, the same issue might occur for deeply nested configurations.


509503-1 : tmsh load sys config merge file 'filename' takes signficant time for firewall rulelist configuration

Component: TMOS

Symptoms:
For certain configurations with deeply nested structures in it ex: some of the firewall rule rule-list configuration, requires excessive time for the tmsh load config file merge operation.

Conditions:
Configurations containing deeply nested structures.

Impact:
The time for the merge is significantly more than the time needed for load operation.

Workaround:
If you are affected of long load times during merging a configuration file into existing one, you can instead append the config file to the respective bigip_base.conf or bigip.conf file manually.


509310 : Bad outer IPv4 UDP checksum observed on egressing VxLAN traffic on VIPRION chassis and 5000 series appliances

Component: Local Traffic Manager

Symptoms:
The egress VxLAN traffic on VIPRION chassis and 5000 series appliances has bad UDP checksum in its outer UDP header. The BIG-IP hardware does not support UDP checksum offload for VxLAN traffic if the outer UDP header is IPv4. The BIG-IP hardware uses UDP destination port 4789 to identify VxLAN traffic.

Conditions:
The outer UDP header of egress VxLAN traffic on VIPRION chassis and 5000 series appliances is IPv4 and has destination port equal to 4789.

Impact:
The egress VxLAN traffic is dropped due to bad UDP checksum.

Workaround:
Set db variable iptunnel.vxlan.udpport to 0. So the BIG-IP system hardware does not classify UDP destination port equal to 4789 as VxLAN traffic.


509276-5 : VXLAN tunnels with floating local addresses generate incorrect gratuitous ARPs on standby device

Component: TMOS

Symptoms:
VXLAN tunnels with floating local addresses generate incorrect gratuitous ARPs on the standby device.

Conditions:
A VXLAN tunnel with a floating local address on the standby device.

Impact:
Incorrect gratuitous ARPs are generated on the standby device.


508797 : Clarification regarding differences in GARPs on different versions.

Component: Local Traffic Manager

Symptoms:
The Gratuitous ARP (GARP) behavior when a virtual is disabled varies quite a lot of between the different versions.

This request is for more information about:

1. Explanation of the differences in behavior between 11.2.1 or 11.3.0 and 11.5.0 or 11.0.0, and 10.2.4

2. Is the GARP behavior supposed to be the same for different 'active' scenarios for the VS, such as VS disable/enable, fail-over, unreachable/reachable pool etc.?

3. Are GARPs supposed to be sent for the different kinds of addresses like floating/non-floating IP addresses, VIP whose state changes, other VIPs, etc.?

4. Is there a 'correct' or 'expected' behavior for GARPs under these scenarios and for the different IP addresses?

The intent is to provide an authoritative summary of the differences.

The current behavior summary is as follows:

-- 11.5.0: Same behavior as 11.0.0.
-- 11.3.0: Same behavior as 11.2.1.
-- 11.2.1: Disabling a VIP sends GARPs for non-floating and floating IP addresses, and for other VIPs, but NOT for the VIP being disabled. -- Enabling a VIP sends a GARP only for the VIP being enabled.
-- 11.0.0: Disabling a VIP sends GARPs for non-floating and floating IP addresses, for other VIPs, and for the VIP being disabled. -- Enabling a VIP sends GARPs for non-floating and floating IP addresses, for other VIPs, and for the VIP being enabled.
-- 10.2.4: Disabling or enabling a VIP produces no GARPs at all, neither for the VIP being toggled, nor for others.

Conditions:
Following is a summary of the minimally-correct behavior for GARPs:

-- On startup or after failover, send out GARPs for all /32 IP addresses. (The system does not send out GARPs for a listener on a subnet, for example.)

-- When a virtual server is disabled, there should not be any GARPs. Although there is no issue with a GARP in this instance, they are not necessary.

-- When a VIP is added, a GARP is required only if the IP address is not already being used.

-- When a VIP is removed, there should be no GARPs.

-- When a pool is unreachable or reachable, there should be no GARPs.

-- When a virtual server is disabled/enabled, there should be no GARPs in most cases. The only case in which there should be a GARP is when a system is brought online with a disabled virtual server that is then enabled, but the system has never sent a GARP for that IP address.

-- On failover, the new active system should GARP for all virtual addresses. When using mac masquerading, this would not be necessary, except that the system must inform the switch of the new location, and that is done via GARP. In this case there is a need for only one packet for anything; there is no need for GARPs for every IP address: In fact, there is no need for GARPs at all; if there is a packet sent, that should be sufficient for the switch.

-- GARPs should only be sent for fully-qualified ID addresses. State changes do not require GARPs. Floating IP addresses are only GARPd in order to inform the switch of the new location to send the packets. The system uses GARP for this, but what the BIG-IP system sends does not have to be the GARP.

Impact:
Extra GARPs are sent on some versions.


508719-3 : APM logon page missing title

Component: Access Policy Manager

Symptoms:
The title might be missing from a logon page.

Conditions:
Logon page uses field filled with dynamically assigned session variable.

Impact:
No title displays on the logon page.

Workaround:
Modify page logon.inc using customization panel.

*Add function:
function getSoftTokenPrompt()
{
    if ( softTokenFieldId != "" && edgeClientSoftTokenSupport()) {
        var div = document.getElementById("formHeaderSoftToken");
        if (div) {
            return div.innerHTML;
        }
    }
    return null;
}



*Replace code:
function OnLoad()
{
    var header = document.getElementById("credentials_table_header");
    var softTokenHeaderStr = getSoftTokenPrompt();
    if ( softTokenHeaderStr ) {
        header.innerHTML = softTokenHeaderStr;
    }

By:
function OnLoad()
{
    var header = document.getElementById("credentials_table_header");
    var softTokenHeaderStr = "<? echo $formHeaderSoftToken; ?>"
    if ( softTokenFieldId != "" && softTokenHeaderStr != "" && edgeClientSoftTokenSupport()) {
        header.innerHTML = softTokenHeaderStr;
    } else {
        header.innerHTML = "<? echo $formHeader; ?>";
    }

* Replace code
<td colspan=2 id="credentials_table_header" ></td>
By
<td colspan=2 id="credentials_table_header" ><? echo $formHeader; ?></td>

* Add code before </body> tag:
<div id="formHeaderSoftToken" style="overflow: hidden; visibility: hidden; height: 0; width: 0;"><? echo $formHeaderSoftToken; ?></div>


508630-7 : The APM client does not clean up DNS search suffixes correctly in some cases

Component: Access Policy Manager

Symptoms:
The APM client does not clean up DNS search suffixes correctly when the DNs suffixes configured on a client contain names configured in an APM Network Access resource.

Conditions:
The problem occurs when a suffix name that is configured in a Network Access resource matches the suffix configured locally on the user's machine.

Impact:
As a result, DNS suffixes are not restored correctly.


508519-3 : Performance of Policy List screen

Component: Application Security Manager

Symptoms:
There is a performance issue with the Policy List/Import Policy/PCI report configuration utility screens.

Conditions:
20+ active security policies in the system

Impact:
With 160 active security policies it took about 10 second to load Policy List/Import Policy/PCI report configuration utility screens.

Workaround:
There is no workaround at this time.


508067 : Packet drop on 5200 platforms due to delayed MPI communication

Component: Local Traffic Manager

Symptoms:
When incoming traffic is not well distributed and being directed to a single TMM, packets are lost instead of being processed by other TMMs.

Conditions:
Incoming network traffic on 5200 platforms is not well distributed and being directed to a single TMM, while the other TMMs do not have incoming external traffic.

Impact:
Network traffic might be dropped or delayed.

Workaround:
Insert the following line into /config/tmm_init.tcl:
  realtime busypoll yes


507905-2 : Saving Policy History during UCS load causes DB deadlock/timeout

Component: Application Security Manager

Symptoms:
Loading a UCS from an older version for upgrade can cause DB timeouts. /var/log/ltm has this error signature: DBD::mysql::db do failed: Lock wait timeout exceeded; try restarting transaction at /usr/lib/perl5/site_perl/F5/DbUtils.pm

Conditions:
This is a rare issue that occurs when two devices with different versions installed on them are in a CMI device group. It seems to be triggered if a sync is triggered from the device running the older version. This occurs while a device group is in the middle of an upgrade, the newer version being pre 11.6.0 HF5 or 11.5.2 HF1

Impact:
UCS load fails and multiple error messages are logged.

Workaround:
Do not have BIG-IP devices with different versions in the same DSC device group


507853-3 : MCP may crash while performing a very large chunked query and CPU is highly loaded

Component: TMOS

Symptoms:
MCP crashes while performing a chunked query (such as 'tmsh show sys connection) that returns a large result if a connection to a TMM is severed (due to a zero-window timeout).

Conditions:
CPU is highly loaded.

Impact:
Failover (in a device cluster) or temporary outage (in a standalone system). A core file is generated that has a stack trace that includes a message similar to the following: error reading variable: Cannot access memory at address 0x1.

Workaround:
None.


507782-2 : TMM crashes for Citrix connection when Address field in the ICA file has non-patched/invalid data

Component: Access Policy Manager

Symptoms:
TMM crashes on an attempt to open Citrix connection

Conditions:
Unpatched/malformed ICA file received by the client

Impact:
Traffic disrupted while tmm restarts.


507681-3 : Window.postMessage() does not send objects in IE11

Component: Access Policy Manager

Symptoms:
Websites are broken if they use postMessage to send objects in Internet Explorer 11. There could or could not be error in JavaScript console based on web application.

Conditions:
Web-Application that uses Window.postMessage() with Portal Access working in Internet Explorer 11.

Impact:
Web-Application can't use Window.postMessage() to send non-string data with Portal Access in Internet Explorer 11.

Workaround:
No


507611-2 : On BIG-IP 2000- and 4000-series platforms BGP sessions with TCP MD5 enabled might fail to establish connection to neighbors.

Component: Local Traffic Manager

Symptoms:
BGP sessions with TCP MD5 enabled might fail to establish connection to neighbors.

Conditions:
BGP, TCP-MD5 on BIG-IP 2000- and 4000-series platforms.

Impact:
BGP session is not established.

Workaround:
Disable TCP-MD5 for neighbor.


507493 : Cannot reset counter for rules of Management Port and Global

Component: Advanced Firewall Manager

Symptoms:
Cannot reset counter for rules of Management Port and Global

Conditions:
Firewall rules for Global context and for Management port

Impact:
Users unable to reset counters for these rules.


507487 : ZebOS Route not withdrawn when VAddr/VIP down and no default pool

Component: TMOS

Symptoms:
The BIG-IP system continues announcing RHI routes when Virtual Servers and Virtual Addresses are down.

Conditions:
The issue occurs in the following case: -- Have a VIP with pool selection via iRule. -- Configure RHI on the VAddr corresponding to the VIP. -- Down the pools (for example, toggling between HTTP monitor (up) and UDP monitor (down)). -- VIP, VAddr, and pools are red. -- Run the imish command.

Impact:
The kernel route still is announced, which might cause other network devices to be confused on the network status, so the impact varies.

Workaround:
Configure virtual server with default pool instead of iRule.


507461 : Net cos config may not persist on HA unit following staggered restart of both HA pairs.

Component: TMOS

Symptoms:
The net cos global-settings may be cleared on a HA unit, as a result of a HA pair configuration sync.

Conditions:
With fully synced pair of HA chassis, restart active chassis blade and then restart standby chassis blade.

Impact:
Portion of cos config information on active chassis blade is missing, resulting in incongruent cos behavior between active and standby.

Workaround:
None.


507331-3 : Using saved configuration with 11.5.2 on AWS may cause SSLv3 to be enabled.

Component: TMOS

Symptoms:
If a saved configuration from an earlier version is used when launching an instance of BIG-IP v11.5.2 on AWS, then SSLv3 may be enabled on the management interface.

Conditions:
Using configuration saved with version 11.5.2 (and earlier) on AWS.

Impact:
There are known security vulnerabilities with SSLv3 and the BIG-IP software disables it by default with v11.5.2 on AWS. An enabled SSLv3 on the management interface might make the instance vulnerable to an attack, so after upgrading, configurations in which SSLv3 is enabled should be disabled before deploying.

Workaround:
Disable SSLv3 as documented here: https://devcentral.f5.com/articles/cve-2014-3566-removing-sslv3-from-big-ip, and in and in SOL15702: https://support.f5.com/kb/en-us/solutions/public/15000/700/sol15702.html.


507318-1 : JS error when sending message from DWA new message form using Chrome

Component: Access Policy Manager

Symptoms:
When using Chrome to send a new message on DWA, a JavaScript 'toString' error occurs.

Conditions:
If user clicks on the Send button on the new message form, then JavaScript errors appear: -- cache-fm.js:5 Uncaught TypeError: Cannot read property 'toString' of undefined
?. -- OpenDocument&Form=l_ScriptFrame&l=en&CR&MX&TS=20140915T180028,72Z&charset=UTF-8&charset=UTF-8&KIC&…:37 Uncaught TypeError: Cannot read property 'EgI' of undefined.

Impact:
The message is sent, but the tab is not closed.

Workaround:
None.


507289-2 : User interface performance of Web Application Security Editor users

Component: Application Security Manager

Symptoms:
Slow GUI performance for Web Application Security Editor users

Conditions:
At least 100 active security policies in the system

Impact:
Most ASM pages takes more than 5 seconds to load for Web Application Security Editor users

Workaround:
There is no workaround at this time.


507116-2 : Web-application issues and/or unexpected exceptions.

Component: Access Policy Manager

Symptoms:
Web-application issues and/or unexpected exceptions.

Conditions:
Undisclosed conditions related to web-applications.

Impact:
Unexpected web-application functionality.

Workaround:
None.


507109-2 : inherit-certkeychain attribute of child Client SSL profile can unexpectedly change during upgrade

Component: Local Traffic Manager

Symptoms:
The inherit-certkeychain attribute of a child Client SSL profile can unexpectedly change after upgrade.

Conditions:
This issue occurs when all of the following conditions are met:

-- You create a Client SSL profile that does not inherit the certificate, key, and chain certificate settings from the parent profile.
-- You upgrade to BIG-IP 11.5.1 (HF6 or later), 11.5.2, 11.5.3, or 11.6.0.

Impact:
An incorrect cert key chain is used in the profile.

Workaround:
Manually fix the Client SSL profile.


506702-3 : TSO can cause rare TMM crash.

Component: Local Traffic Manager

Symptoms:
TSO can cause rare TMM crash.

Conditions:
When TSO is used.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


506349-1 : BIG-IP Edge Client for Mac identified as browser by APM in some cases

Component: Access Policy Manager

Symptoms:
APM sometimes determines that BIG-IP Edge Client for Mac is a browser. This can happen if user connects again using the link on the logout page that says "Click here to open new session"

Conditions:
APM, MAC Edge client

Impact:
Impact depends upon access policy but user might not be able to connect.

Workaround:
Click the Disconnect/Connect buttons on BIG-IP Edge Client instead of clicking the links on the logout page.


506315-3 : WAM/AAM is honoring OWS age header when not honoring OWS maxage.

Component: WebAccelerator

Symptoms:
WAM/AAM policy is configured to ignore OWS maxage header values, but the policy does not ignore the OWS Age header.

Conditions:
BIG-IP system with AAM provisioned, content matching a policy node not honoring OWS headers maxage and or s-maxage, and a large 'Age' value.

Impact:
This results in WAM/AAM improperly reducing the lifetime of OWS responses by the amount of the Age header, and more frequent WAM/AAM revalidation of the affected content (possibly on every request if the Age header is larger than the policy-specified cache lifetime).

Workaround:
You can use any one of the following as a workaround:
-- Honor OWS lifetime headers (s-maxage and max-age).
-- Use an iRule to delete OWS Age header.
-- Increase cache AAM/WAM cache lifetime for that content to compensate.


506290-1 : MPI redirected traffic should be sent to HSB ring1

Component: Local Traffic Manager

Symptoms:
The MPI redirected traffic is the traffic between two TMMs. It is currently sent to HSB ring0. HSB ring0 has small packet buffers and is used to handle the traffic of highest priority. Large amount of MPI redirect traffic can cause packet drops on HSB ring0.

Conditions:
Large amount of MPI redirect traffic.

Impact:
Potential packet drops on HSB ring0.

Workaround:
None.


506199-5 : VCMP guests on VDAG platforms can experience excessive tmm redirects after multiple guest provisioning cycles

Component: TMOS

Symptoms:
When multiple VCMP guests are configured on a VDAG platform, It is possible through cycles of provisioning and deprovisioning the guests to cause switch rules that play a role in disaggregation to be programmed in an order that causes packets to reach the wrong TMM in a guest, thus causing lower dataplane performance.

Conditions:
On a configuration with at least two VCMP guests that share at least one blade on a VDAG-based platform, change the vCMP state to provisioned, then to configured, then to provisioned, and so on.

Impact:
The potential for decreased dataplane performance. In addition to potentially lower performance, the guest's tmm flow redirect statistics increment quickly in conjunction with traffic. To determine these stats, run a command similar to the following: config # tmctl -d blade tmm/flow_redir_stats. This presents results similar to the following:
pg pu redirect_pg redirect_pu packets
-- -- ----------- ----------- -------
 0 0 0 1 636991

Also, VDAG statistics on the host might show an imbalance in destination port hits for those assigned to a single guest. To determine these stats, run a command similar to the following: config # tmctl -d blade switch/vdag_dest_hits -w 200. This presents results similar to the following:
slot dst_mod dst_port dst_trunk hits red_hits
---- ------- -------- --------- ------ --------
   1 1 0 0 0 0
   1 7 0 0 0 0
   1 13 0 0 0 0
   1 19 0 0 0 0
   1 0 0 0 0 0
   1 1 5 0 509100 0
   1 1 6 0 0 0

Workaround:
During a window in which a brief traffic interruption is acceptable, restart bcm56xxd on each effected blade in the host. On the host, run a command similar to the following: clsh bigstart restart bcm56xxd


506041-6 : Folders belonging to a device group can show up on devices not in the group

Component: TMOS

Symptoms:
All folders and partitions always get synced regardless of whether they are in the device group. If a user wants to utilize the same folder/partition scheme across multiple devices, this can lead to conflicts. In particular it can clobber the default route domain on a partition or rewrite the device group of a folder.

Conditions:
This only occurs during a full sync.

This can occur if two different device groups use the same folder or partition names. For example, if there are two separate failover-sync groups in the same trust and they both sync a different set of objects in /MyHAFolder.

This can also occur if a device has a local folder or partition with the same name as one in a device group.

Impact:
If a conflicted partition uses different default route domains, they will be overridden and may result in a sync error.

Conflicted folders will inherit the configuration of the source of the config sync. This can override the device group, traffic group, and iApp reference of the folder.

Workaround:
Use unique partition and folder names across all devices in the trust group.


505964-1 : Invalid http cookie handling can lead to TMM core

Component: Local Traffic Manager

Symptoms:
If an http cookie is invalid, then subsequent modifications to http cookie entries can result in a TMM core.

Conditions:
This issue can occur with an HTTP virtual server that performs cookie processing (either via an iRule, profile configuration, or as a result of persistence) and also performs header manipulation.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


505755-5 : Some scripts on dynamically loaded html page could be not executed.

Component: Access Policy Manager

Symptoms:
Some scripts on dynamically loaded HTML page might not execute.

Conditions:
Dynamically loaded HTML page

Impact:
Web application accessed via Portal Access does not work as expected.

Workaround:
None.


505222-1 : DTLS drops egress packets when traffic is large

Component: Local Traffic Manager

Symptoms:
DTLS drops egress packets when traffic is large

Conditions:
DTLS has egress queue with maximum elements 127(default).
When traffic is large enough, the queue reaches the maximum limit and some packets are dropped.

Impact:
DTLS drops egress packets.

Workaround:
We can change the maximum elements from 127 to some bigger value by DB variable.


505101 : tmm may panic due to accessing uninitialized memory

Component: Access Policy Manager

Symptoms:
tmm panics with the message "memory owned by current process"

Conditions:
SAML plugin encounters an internal error and attempts to free an uninitialized memory region.

Impact:
tmm restarts

Workaround:
none


505071-4 : Delete and create of the same object can cause secondary blades' mcpd processes to restart.

Component: TMOS

Symptoms:
A single transaction containing both a delete and a create of the same object can, for certain types of objects, cause the secondary blades' mcpd processes to restart because of validation failure. The validation error appears similar to the following: 01020036:3: The requested object type (object name) was not found.

Conditions:
This has been seen to occur when an APM policy agent logon page is modified, and the error reports that its customization group cannot be found.

In BIG-IP v11.6.0 HF6 and BIG-IP v11.5.4 and BIG-IP v11.5.4 HF1, this can also occur when an iApp creates a virtual server.

Impact:
mcpd restarts on every secondary blade, causing most other system services to restart as well. This might result in a temporary loss of traffic on all secondary blades. After mcpd restarts, the new configuration is accepted and the system returns to normal operation.

Workaround:
None.


505056-1 : BIG-IP system might send an egress packet with a priority different from that of ingress packet on the same flow.

Component: Local Traffic Manager

Symptoms:
When the hardware COS queue feature is enabled, in some cases the BIG-IP system sends an egress packet with a priority different from that of ingress packet on the same flow.

Conditions:
Hardware COS queue feature is enabled.

Impact:
Egress packets are sent with an incorrect packet priority and delivered on the incorrect switch COS queues, resulting in lower performance.

Workaround:
None.


504973-3 : Configuring a route domain with 32 bit subnet mask, 128 bit mask saved instead

Component: Application Security Manager

Symptoms:
When creating a policy using a route domain and a full 32 bit subnet mask, the ASM saves it as a 128 bit mask.

Conditions:
Provisioned ASM

Impact:
Wrong 128 bit subnet mask is saved instead of the configured 32 bit mask.


504827 : Use of DHCP relay virtual server might result in tmm crash 'top filter'.

Component: Local Traffic Manager

Symptoms:
tmm crash with panic string 'top filter' appearing in tmm log.

Conditions:
Configure DHCP relay virtual server that conflicts with other virtual server address/port.

Impact:
A rarely encountered tmm crash, which might result in network outage. The system posts a message similar to the following: notice panic: ../modules/hudfilter/hudnode.c:310: Assertion 'top filter' failed.

Workaround:
Avoid configuring virtual servers that share address:port with DHCP relay virtual server.

In releases prior to version 11.6.0, use regular IP forwarding virtual servers if the virtual server is not for Relay but just for 'forwarding'. When the virtual server destination is not 255.255.255.255, it is typically for forwarding, not for Relay.


504633-6 : DTLS should not update 'expected next sequence number' when the record is bad.

Component: Local Traffic Manager

Symptoms:
DTLS updates the 'expected next sequence number' even if the record is bad. This might cause the unexpected sequence number of good records dropping.

Conditions:
DTLS receives a bad record with a very large sequence number.

Impact:
DTLS might drop the good records that have smaller sequence number packets than the bad records.

Workaround:
None.


504606-1 : Session check interval now has minimum value

Component: Access Policy Manager

Symptoms:
Session check interval can be changed or turned off completely for debug purposes.

Conditions:
Using the session check interval.

Impact:
Session check interval may be set to excessively short value.

Workaround:
None.


504572 : PVA accelerated 3WHS packets are sent in wrong hardware COS queue

Component: TMOS

Symptoms:
Under full ePVA acceleration, 3WHS (3-way handshake) packets from VIP to node will always egress on hardware COS queue 3, regardless of COS queue mapping configured on the system.

Conditions:
The packets needs to be fully accelerated by ePVA.

Impact:
Potential performance downgrade.

Workaround:
None.


504508-3 : IPsec tunnel connection from BIG-IP to some Cisco ASA does not stay up when DPD (Dead Peer Detection) is enabled

Component: TMOS

Symptoms:
When establishing IPsec tunnel from the BIG-IP system to some Cisco devices enabled with an older Dead Peer Detection (DPD) implementation, IPsec tunnel does not stay up because of a mismatched Cookie field in the DPD message.

Conditions:
An IPsec tunnel connection from a BIG-IP system to certain Cisco ASA configurations does not stay up when DPD is enabled

Impact:
IPsec tunnel goes down, traffic stops.

Workaround:
Disable Dead Peer Detection for the Ike Peer configuration to the Cisco devices exhibiting this issue.


504496-1 : AAA Local User Database may sync across failover groups

Component: TMOS

Symptoms:
APM units that are not in the same BIG-IP Sync-Failover group are sharing local user entries. The system may possibly also experience higher management CPU load as a result of frequently syncing the local user database.

Conditions:
There is at least one sync-failover group in the Device Management :: Device Groups list, and there are devices listed in Device Management :: Devices list that are not members of that sync-failover group (either standalone or members of another device group), and those devices are provisioned with APM.

Impact:
Unwanted sharing of local user database between sync-failover groups and/or standalone devices. The system may also experience higher management CPU load as a result of frequently syncing the local user database. Under severe conditions where the database is synced multiple times per minute continually for hours or days, the rapid syncing of the database may result in unexpected failover.


504396-1 : When a virtual's ARP or ICMP is disabled, the wrong mac address is used

Component: Local Traffic Manager

Symptoms:
When we use tmsh to modify icmp_enabled or arp_enabled property of a virtual address object from true to false, tmm does not reset internal state properly. This results in a tmm using the VLAN's true mac as the source mac instead of the traffic group's mac masquerade address.

Conditions:
Using mac masquerading in a HA traffic group.

Impact:
Packets may be dropped by switches or routing tables improperly updated.

Workaround:
None.


504384 : ICMP attack thresholds

Component: Advanced Firewall Manager

Symptoms:
ICMP flood protection triggers at an earlier than expected threshold if all of the ICMP attack traffic contains the same ID. This is because all traffic is sent to the same tmm when it contains the same ID but the threshold takes into account the number of tmms.

Conditions:
When ICMP traffic is sent with the same ICMP id, and the DoS threshold was configured assuming the ICMP traffic would be spread across all tmms.

Impact:
The forwarded ICMP traffic has higher priority that regular traffic causing normal traffic to potentially get dropped sooner as compared to forwarded traffic.

Workaround:
None


504306-8 : https monitors might fail to re-use SSL sessions.

Component: Local Traffic Manager

Symptoms:
SSL handshakes for https monitors might fail to correctly re-use SSL session IDs.

Conditions:
A configuration that utilizes https monitors to servers that implement an SSL session cache. More servers utilizing the same https monitor make the problem more likely to occur.

For the monitor flapping or false negative symptom in 11.5.0 or higher, a monitor must be configured for a combination of TLS 1.0 and TLS 1.2 servers.

Impact:
The bigd process might consume more CPU than necessary because it might always be performing complete SSL handshakes with monitored servers.

BIG-IP version 11.5.0 or higher in environments with both TLS 1.0 and TLS 1.2 servers that perform SSL session caching may experience monitor flapping or servers that are marked down unexpectedly.

Workaround:
None.


503741-12 : DTLS session should not be closed when it receives a bad record.

Component: Local Traffic Manager

Symptoms:
According to RFC6347: 4.1.2.7. Handling Invalid Records:
'Unlike TLS, DTLS is resilient in the face of invalid records (e.g., invalid formatting, length, MAC, etc.). In general, invalid records SHOULD be silently discarded, thus preserving the association; however, an error MAY be logged for diagnostic purposes. Implementations which choose to generate an alert instead, MUST generate fatal level alerts to avoid attacks where the attacker repeatedly probes the implementation to see how it responds to various types of error. Note that if DTLS is run over UDP, then any implementation which does this will be extremely susceptible to denial-of-service (DoS) attacks because UDP forgery is so easy. Thus, this practice is NOT RECOMMENDED for such transports.'

In the BIG-IP implementation, DTLS chooses to disconnect the session when it receives invalid record.

Conditions:
DTLS receives a bad record packet.

Impact:
DTLS disconnects the session.

Workaround:
None.


503652 : Some SIP UDP connections are lost immediately after enabling a blade on the Active HA unit.

Component: Local Traffic Manager

Symptoms:
When a blade is enabled on a cluster while it is actively processing SIP UDP traffic, some packets might be lost.

Conditions:
This occurs in an Active HA cluster containing VIPRION B2100 blades with the udp.hash value set to 'ipport' and client-side round robin TMM disaggregation enabled.

Impact:
Some SIP UDP traffic packets might be lost.

Workaround:
Do not enable a blade in a cluster while the blade is processing SIP UDP traffic.


503620-5 : ECDHE_ECDSA and DHE_DSS ciphers do not work with OpenSSL 1.0.1k and later

Component: Local Traffic Manager

Symptoms:
BIG-IP SSL when using ciphers ECDHE_ECDSA and DHE_DSS does not work consistently with OpenSSL clients using OpenSSL versions 1.0.1k or later.

Conditions:
When the ciphers used are ECDHE_ECDSA or DHE_DSS, and the OpenSSL clients have versions later than OpenSSL 1.0.1k.

Impact:
SSL handshake failed. The OpenSSL clients might encounter a decryption error while reading the server key exchange.

Workaround:
Use OpenSSL versions earlier than OpenSSL 1.0.1k.


503604-1 : Tmm core when switching from interface tunnel to policy based tunnel

Component: TMOS

Symptoms:
When the configuration is changed from interface tunnel to policy based tunnel, tmm crashes.
Most likely this is a timing issue where the pnh is not updated while the policy was updated. So the policy_type (policy_interface vs policy_ipsec) mismatched.

Conditions:
Traffic passing in the background and change the configuration from interface tunnel to policy based tunnel.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround


503541 : Use 64 bit instead of 10 bit for Rate Tracker library hashing.

Component: Advanced Firewall Manager

Symptoms:
Rate Tracker 10 bit hashing may cause inaccurate rate-limits by the Sweep & Flood DoS vectors.

Conditions:
When Sweep and Flood vector is enabled in AFM module.

Impact:
Impact to Sweep and Flood detection rate accuracy.

Workaround:
None.


503343-3 : TMM crashes when cloned packet incorrectly marked for TSO

Component: Local Traffic Manager

Symptoms:
TMM cores

Conditions:
1. Clone pool configured

2. Clone MTU > Client or Server MTU

3. tm.tcpsegmentationoffload db var in "disable" state

4. TSO enabled in client or server side interface

5. TSO disabled in clone interface

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove the configured clone pool


503319-1 : After network access is established browser sometimes receives truncated proxy.pac file

Component: Access Policy Manager

Symptoms:
On MAC OSX platform, After network access is established, poxy.pac received by the browser is truncated.

Conditions:
This occurs if proxy.pac file is larger than 65535 bytes (~65 KB).

Impact:
Large proxy.pac file might not be downloaded or might be truncated.

Workaround:
Reduce proxy.pac file size so that merge file is less than ~65 KB.


503257-9 : Persistence, connection limits and HTTP::respond or HTTP::redirect may result in RST

Component: Local Traffic Manager

Symptoms:
Client connections to a virtual server with persistence, connection limits, and an iRule that issues an HTTP response may receive a RST with a cause of "pmbr enqueue failed" even though connection queuing is not enabled.

Conditions:
This can happen if the connection makes an HTTP request and an iRule directly responds to the first request on the connection. A future request on that TCP connection would be reset if it is persisted to a pool member that is at its connection limit. The iRule would use HTTP::respond (without "connection close") or HTTP::redirect.

Impact:
Clients may receive a RST and fail to connect to an available pool member under some traffic patterns.

Workaround:
If using HTTP::respond or HTTP::redirect in an iRule, change to HTTP::respond with the "Connection close" option in order to force the connection to terminate and the client to start a new connection after the redirect is sent.


503214-5 : Under heavy load, hardware crypto queues may become unavailable.

Component: Local Traffic Manager

Symptoms:
When the BIG-IP system is under heavy load, it may erroneously determine that the hardware crypto queues are unavailable and trigger an HA failover event.

Conditions:
BIG-IP system under heavy load and using hardware crypto.

Impact:
HA failover. You might see messages similar to the following:
 -- crit tmm2[22560]: 01010025:2: Device error: crypto codec cn-crypto-2 queue is stuck.
 -- warning sod[6892]: 01140029:4: HA crypto_failsafe_t cn-crypto-2 fails action is failover.
 -- notice sod[6892]: 010c0052:5: Standby for traffic group /Common/traffic-group-1.

Workaround:
None.


503118-4 : clientside and serverside command crashes TMM

Component: Local Traffic Manager

Symptoms:
When parking command is used inside clientside or serverside, tmm crashes.

Conditions:
Parking command, e.g., the table command, is used inside clientside or serverside command.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Move the parking command outside clientside or serverside command.


503085 : Make the RateTracker threshold a constant

Component: Advanced Firewall Manager

Symptoms:
Dynamic detection threshold may impact Sweep and Flood detection rate accuracy under high traffic conditions.

Conditions:
When Sweep and Flood is enabled in AFM module.

Impact:
Some Sweep and Flood functionality might not provide sufficient detection rate accuracy.


502852-1 : Deleting an in-use custom policy template

Component: Application Security Manager

Symptoms:
If a user tries to delete a custom policy template while there are still security policies in the system that were created from that template, the delete will fail. This also leaves the custom template in an unusable state that can neither be used to create further Policies nor can it ever be deleted.

Conditions:
A security policy exists on the system that was created from a custom template. The user then tries to delete the template before removing the policy from the system.

Impact:
The custom template becomes unusable for creating new policies, and cannot be deleted even after there are no longer any policies created from it left on the system.

Workaround:
Contact support for a script that will disassociate all user defined policy templates from existing policies.
This will allow any user defined template to be successfully deleted.


502747-7 : Incoming SYN generates unexpected ACK when connection cannot be recycled

Component: Local Traffic Manager

Symptoms:
Incoming SYN causes the BIG-IP system to generate ACK instead of SYN-ACK.

Conditions:
This can occur when the following conditions are met:
 - IP addresses and ports of SYN match an existing connection;
 - Sequence number of the SYN is greater than 2^31+ from previously sent FIN;
 - Existing connection is in TIME_WAIT state;
 - Virtual server has time_wait_recycle enabled.

Impact:
Client will generate RST and connection must be re-tried.

Workaround:
Set time-wait-timeout to 1 millisecond per SOL12673.


502683-4 : Traffic intermittently dropped in syncookie mode, especially when hardware syncookie is on

Component: Local Traffic Manager

Symptoms:
In certain corner cases, BIG-IP software rejects valid SYN-Cookie responses due to incorrect hardware algorithm masking on the software side.

Conditions:
This issue appears only on hardware-SYN-Cookie-capable platforms when running the hardware SYN-Cookie algorithm.

Impact:
Intermittent connection failures.

Workaround:
Run software SYN-Cookie algorithm. Use the DB variable.
This makes sure software is running correct generation and validation algorithm.


502443 : After enabling a blade/HA member, pool members are marked down because monitoring starts too soon.

Component: Local Traffic Manager

Symptoms:
The external monitoring daemon (bigd) sends monitoring traffic before tmm is ready to receive those responses. The response traffic is routed to a tmm on another blade/HA member. This tmm responds to the server with an ICMP "Unreachable" message. Meanwhile, the originating tmm on the new blade/HA member marks the pool member "down" because it never received the server's response.

Conditions:
Start with at least 1 blade enabled in a chassis or one HA member configured, and pass traffic constantly through a virtual server with a monitor-enabled pool attached. Then, enable a new blade in the cluster or a new HA member.

Impact:
Some packets are lost for several seconds. It can be longer depending on the total number of pool members.

Workaround:
Before adding a new blade to a chassis or a member to the HA configuration that is actively processing traffic, temporarily remove the monitor(s) from the pool. Once the new blade/HA member is up, manually add the monitor(s) back to the pool.


502441-3 : Network Access connection might reset for large proxy.pac files.

Component: Access Policy Manager

Symptoms:
Network Access connection might reset when large proxy.pac files are configured in the access policy.

Conditions:
MAC Edge client, browsers, Network Access, large proxy.pac file.

Impact:
Network Access connection might reset.

Workaround:
Reduce the proxy.pac file size to be less than 10 KB.


502414 : Make the RateTracker tier3 initialization number less variant.

Component: Advanced Firewall Manager

Symptoms:
Sweep and Flood vectors may exceed configured rate limit values by 10%-30$.

Conditions:
When Sweep and Flood vector is enabled in AFM module.

Impact:
Sweep and Flood attack detection at higher than configured levels.

Workaround:
None.


502238-5 : Connectivity and traffic interruption issues caused by a stuck HSB transmit ring

Component: TMOS

Symptoms:
BIG-IP can experience sudden and permanent traffic interruption, impacting all traffic through TMM.

Conditions:
With TCP Segmentation Offload (TSO) enabled, it is possible to fill up the High-Speed Bridge (HSB) transmit ring, resulting in a stuck transmit ring.

The exact conditions under which this occurs is unknown, but it requires sudden transmission of a number of large packets that require TSO in order to result in a full transmit ring.

Impact:
The HSB's transmit ring becomes stuck. This requires a TMM restart in order to clear.

Workaround:
Disable TSO. This can be done using the following steps:
1. tmsh modify sys db tm.tcpsegmentationoffload value disable
2. bigstart restart tmm.

If TSO is not disabled, three related fixes are needed to fully address the issue:

-- ID 466260, covered in SOL15953: TMM may produce a core file with the 'Assertion we always have room in tx ring! failed' error message.
-- ID 502238, covered in SOL16736: The BIG-IP system may lose connectivity and fail to process all traffic through TMM if the HSB is overloaded.
-- ID 509782, covered in SOL16780: The BIG-IP system may drop TSO packets. The Solutions are available here:

-- https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15953.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16736.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16780.html


502174-2 : DTLS fragments do not work for ClientHello message.

Component: Local Traffic Manager

Symptoms:
DTLS fragments do not work for ClientHello message.

Conditions:
DTLS ClientHello splits into multiple fragments.

Impact:
Both first handshake and renegotiation are affected.


502149-1 : Archiving EC cert/key fails with error 'EC keys are incompatible for Webserver/EM/iQuery.'

Component: Local Traffic Manager

Symptoms:
When archiving cert/key via GUI, the following error message is displayed : 'EC keys are incompatible for Webserver/EM/iQuery.'

Conditions:
When archiving cert/key via GUI.

Impact:
Intermittently, an error is received when trying to archive key or certificates via GUI.

Workaround:
None.


502016-1 : MAC client components do not log version numbers in log file.

Component: Access Policy Manager

Symptoms:
Some client components do not log version numbers in the log file.

Conditions:
Mac client components.

Impact:
Lack of version numbers in the log file.

Workaround:
None.


501984 : TMM may experience an outage when an iRule fails in LB_SELECTED.

Component: Local Traffic Manager

Symptoms:
When an iRule fails in LB_SELECTED, it is possible for TMM to crash. The TMM failure is an intermittent, timing-related issue..

Conditions:
Using iRules with a rule for when LB_SELECTED is operating on a node/pool member.

Impact:
TMM outage resulting in brief loss of service or HA failover.

Workaround:
None.


501690-2 : TMM crash in RESOLV::lookup for multi-RR TXT record

Component: Local Traffic Manager

Symptoms:
TMM crashes with a specific ASSERT-based backtrace.

Conditions:
Requires an LTM listener with an iRule that has a RESOLV::lookup command querying for a TXT record and receiving multiple RRs.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


501517-3 : Very large configuration can cause transaction timeouts on secondary blades

Component: TMOS

Symptoms:
Messages with 'end_transaction message timeout on connection 0x5ea9a9c8 (user mcpd-primary)' in them in the ltm log after a secondary blade is inserted or restarted.

Conditions:
A multi-bladed system with a very large configuration that takes more than a minute to transfer to secondary blades.

Impact:
mcpd's transaction does not complete and the configuration is not loaded properly.

Workaround:
None.


501516 : If a very large number of monitors is configured, bigd can run out of file descriptors when it is restarted.

Component: Local Traffic Manager

Symptoms:
When using a very large number of monitors, bigd may run out of file descriptors when it is restarted.

Conditions:
A system with a large number of monitors configured.

Impact:
bigd cores and gets into a restart loop; monitors no longer work properly. The ltm log might contain error messages similar to the following: socket error: Too many open files.

Workaround:
Reduce the number of monitors on the system.


501498-3 : APM CTU doesn't pick up logs for Machine Certificate Service

Component: Access Policy Manager

Symptoms:
CTU report does not contain logs from Machine Certificate Service.

Conditions:
When the CTU report is run, it does not contain data in the logs.

Impact:
Logs are not available to technical staff

Workaround:
You can pick up logs manually from C:\Windows\Temp\logterminal.txt.


501480 : AFM DoS Single Endpoint Sweep and Flood Vectors crash TMM under heavy traffic.

Component: Advanced Firewall Manager

Symptoms:
With AFM DoS Single Endpoint Sweep and Flood Vectors configured, TMM might crash while processing a huge amount of the configured attack traffic.

Conditions:
AFM DoS Single Endpoint Sweep and Flood attack vector is enabled in the AFM module.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not configure the AFM DoS Single Endpoint Sweep and Flood Vector.


501371 : mcpd sometimes exits while doing a file sync operation

Component: TMOS

Symptoms:
mcpd exits randomly. If mcpd debug logging is enabled, the system might post an operation similar to the following: Received request message from connection 0x5fe47008 (user %cmi-mcpd-peer-/Common/LNJDCZ-VPN1.example):
query_all {
   sync_file {
      sync_file_file_to_sync "/var/apm/localdb/mysql_bkup.sql"
      sync_file_target_dg "/Common/HA_Rhodes_APM"
      sync_file_postprocess_action "/usr/libexec/localdb_mysql_restore.sh"
      sync_file_originator "/Common/LNJDCZ-VPN1.example"
   }
}

Conditions:
mcpd is performing a file sync.

Impact:
Randomly, mcpd exits, triggering a failover.

Workaround:
None.


501343-6 : In FIPS HA setup, peer may use the FIPS public-handle instead of the FIPS private-handle

Component: TMOS

Symptoms:
In FIPS HA setup when the FIPS private handle of x.key on Device A is a FIPS public handle of x.key on Device B, Device B (the HA peer) gets the configuration from Device A and operates as if the handle is correct because the modulus matches, but it actually is the public-handle and not the private-handle.

Conditions:
FIPS HA setup and FIPS private handle of x.key on Device A is a FIPS public handle of x.key on Device B.

Impact:
With this configuration, when the device fails over, it can lead to traffic failure. This occurs because TMM tries to use the public-handle when it should be using the private-handle.


500925 : Introduce a new sys db variable to control number of merges per second of Rate Tracker library.

Component: Advanced Firewall Manager

Symptoms:
The accuracy of the rate limit for the Sweep and Flood vectors is affected by the number of merges per second in Rate Tracker library.

Conditions:
When sweep and flood vector is enabled in AFM module.

Impact:
No way to control number of merges per second of Rate Tracker, which could help in Rate Tracker libray accuracy.

Workaround:
None.


500786-1 : Heavy memory usage while using fastL4/BIGTCP virtual with HTTP profile

Component: Local Traffic Manager

Symptoms:
When a FastL4/BIGTCP virtual with HTTP profile is used, certain kinds of traffic may cause huge memory growth and result in out-of-memory situation.

Conditions:
If the FastL4 virtual with HTTP profile handles HTTP cloaking traffic, that starts up as HTTP and then switches over to non-HTTP data, memory growth could grow unbounded due to lack of flow control. This may lead to out of memory conditions eventually.

Impact:
Out of memory conditions affecting the availability/stability of the BIG-IP system.

Workaround:
1.) Avoid using FastL4 with HTTP profile, unnecessarily.
2.) If it could not be avoided, use FastL4 + HTTP-Transparent profile combination instead AND set http-transparent profile attribute enforcement.pipeline to "pass-through". This would allow HTTP filter to run in "passthrough" mode. Hence avoid the excessive memory consumption.


500424-1 : dnatutil exits when reverse mapping one of the snippet results in "No tmms on the blade" error

Component: Carrier-Grade NAT

Symptoms:
DNATutil exits with the error "dnatutil: No tmms on the blade."

Conditions:
A DNAT state log entry that is interpreted as invalid

Impact:
DNATUtil will not be able to parse the whole log file for reverse mappings

Workaround:
remove the DNAT state chunk that produces the error.


500365-2 : TMM Core as SIP hudnode leaks

Component: Service Provider

Symptoms:
There is a memory leak when using SIP in TCP/ClientSSL configurations.

Conditions:
The leak occurs when the clientside flow is torn down in response to the SSL handshake not completing.

Impact:
Because the SSL handshake is not complete, the SIP handler cannot complete the operation as expected, which results in an error and a memory leak of the SIP handler. The tmm memory increases, which eventually requires restarting tmm as a workaround.

Workaround:
Although there is no workaround to prevents the issue, you can recover from the memory-leak condition by restarting tmm.


500303 : Virtual Address status may not be reliably communicated with route daemon

Component: Local Traffic Manager

Symptoms:
Occasionally, when the Virtual Server status changes, the Virtual Address status may not me communicated to the routing services (that is, the tmrouted service).

This can result in incorrect routes.

Conditions:
Exact conditions unknown, but it can occur when the Virtual Server status changes.

Impact:
Virtual Addresses may have advertised routes when they are down, or vice versa.

Workaround:
None.


500234-1 : TMM may core during failover due to invalid memory access in IPsec components

Component: TMOS

Symptoms:
TMM cores when transitioning from standby to active.

Conditions:
This might occur when the following conditions are met: -- An IPsec tunnel is enabled. -- The BIG-IP system is a member of an HA pair. -- The BIG-IP system transitions from standby to active.

Impact:
Traffic disrupted while tmm restarts.


500003-5 : Incoming NTP packets from configured NTP server to non-local IP breaks outgoing NTP

Component: Local Traffic Manager

Symptoms:
When incoming NTP packets from the configured NTP server arrive for a non-local IP on a BIG-IP system that is either a Virtual Edition (VE) guest, an appliance, or a vCMP guest on an appliance host, an iptables rule is triggered that results in further outgoing packets to the NTP server to have their destination IP addresses changed to 127.3.0.0, which is not routable and thus causes NTP time syncs to stop.

Conditions:
An NTP server is configured on a BIG-IP system that is either a VE, an appliance, or a vCMP guest on an appliance host, and packets arrive from the configured NTP server destined for an IP address belonging to another machine on the network. This can happen for several reasons:

1) The customer has a device on the same management network doing very low-to-zero volume of traffic over its management port. NTP syncs time less often than the L2 FDB expiration time.

2) The customer is using a L2 topology that uses redundant switches with NIC teaming / bonding, and one of the hosts cuts over to the other switch. This also causes transmits of packets that have no valid L2 FDB entry.

3) An STP topology change occurs in a given network, causing switches to drop L2 FDB entries for relevant hosts and flood unknown unicast destination traffic to all ports of a given VLAN.

4) Any unicast misdirection of NTP traffic to the management port not covered above.

Impact:
NTP time syncing stops on affected BIG-IP systems.

Workaround:
To remove the iptables rule that is causing the problem:

# iptables -t nat -D bpnet-in -p udp --dport 123 -j DNAT --to-destination 127.3.0.0.

Comment out the following line in the function setup_virtual_backplane() in the file /etc/init.d/cluster to prevent the rule from coming back upon reboot:

iptables -t nat -A bpnet-in -p udp --dport 123 -j DNAT --to-destination $int_mgmtip.


499946-1 : Nitrox might report bad records on highly fragmented SSL records

Component: Local Traffic Manager

Symptoms:
When using an AES-GCM cipher on highly fragmented SSL records, platforms with Cavium Nitrox cards might report Bad records.

Conditions:
The negotiated cipher is one of the AES-GCM ciphers, and the MTU is such that the SSL records are highly fragmented.

Impact:
The BIG-IP system disconnects Client SSL connections prematurely. The SSL profile shows a number of Bad records.

Workaround:
None.


499719 : Order Zones statistics would cause database error

Component: Global Traffic Manager (DNS)

Symptoms:
'General database error retrieving information' error in GUI.

Conditions:
This occurs when using the GUI to view Statistics for DNS zones.

Impact:
Not able to view Statistics from GUI for DNS zones.

Workaround:
Use tmsh to view Statistics for DNS zones.


499701 : SIP Filter drops UDP flow when ingressq len limit is reached.

Component: Service Provider

Symptoms:
UDP stats shows increase in the number of flows and valid SIP messages are dropped.

Conditions:
This occurs when an iRule processing delay occurs (session db operations) combined with increase in the SIP incoming flow.

Impact:
SIP UDP flows are dropped.

Workaround:
None.


499620-3 : BIG-IP Edge Client for MAC shows wrong SSL protocol version; does not display the protocol version that was negotiated.

Component: Access Policy Manager

Symptoms:
The BIG-IP Edge Client for Mac shows the wrong SSL protocol version in Details; it does not display the protocol version that was negotiated.

Conditions:
BIG-IP Edge Client for Mac.

Impact:
The BIG-IP Edge Client for Mac displays the incorrect SSL protocol version now in Details.

Workaround:
None.


499615-5 : RAM cache serves zero length documents.

Component: Local Traffic Manager

Symptoms:
RAM cache serves zero length documents.

Conditions:
Forcing caching in an iRule.

Impact:
RAM Cache will cache a HEAD response, if an iRule is configured to force it to do so. This causes RAM cache to serve zero length documents.

Workaround:
If the HTTP operation is a HEAD request, do not cache the response.


499538 : Fragmented ESP packets were getting dropped in BIgIP with MTU = 576

Component: TMOS

Symptoms:
The issue was that the db variable tm.minipfragsize was set to 576 by default on the image 11.5.1-hf6. What this means is that BigIP will not process packets with payload length less than 576 bytes. When MTU is set to 576, the payload length will be 576 - ip header length (20 bytes typically). So the 576 bytes fragmented packets were getting dropped. The workaround for this issue is to set db variable value to 552 so that it passes the ip min size check.

Conditions:
MTU set to 576 on the interface of an intermediate node before BigIP. The value of this db variable tm.minipfragsize set to anything greater than 552. Let ESP packets reach BigIP as fragmented with size 576 bytes. Then we will see the packet drops in BigIP

Impact:
Data traffic is not passing BigIP if ESP is fragmented.

Workaround:
Set the db variable tm.minipfragsize to 552 when the MTU is set to 576 on any node previous to BigIP.


499430-4 : Standby unit might bridge network ingress packets when bridge_in_standby is disabled

Component: Local Traffic Manager

Symptoms:
On a standby unit with a vlangroup configured with multiple VLAN members and bridge_in_standby attribute set to false, the unit might still bridge network ingress packets across the vlangroup, if those packet happen to match the host monitor traffic flows.

Conditions:
This occurs when the following conditions are met: Configure a vlangroup with multiple VLAN members in HA configuration and set vlangroup's bridge_in_standby attribute to false. Configure monitors to use non-default monitor rules (ICMP, etc.).

Impact:
This results in a traffic bridging loop among active and standby unis. Excessive traffic load might take down monitors on the BIG-IP system.

Workaround:
None.


499427-5 : Windows File Check does not work if the filename starts with an ampersand

Component: Access Policy Manager

Symptoms:
Windows File Check does not work if the filename starts with an ampersand.

Conditions:
Run Windows file check and add a file name that starts with an ampersand.

Impact:
Depends upon access policy, but in the worst case a user might be allowed to log in.


499150-1 : OneConnect does not reuse existing connections in VIP targeting VIP configuration

Component: Local Traffic Manager

Symptoms:
Significant increase in Active Connections and Connections per Second for virtual servers that receive connections from another virtual server with the Policy action 'virtual' or iRule command 'virtual' and the client virtual server has a OneConnect profile. The connections per second will match the rate of HTTP requests sent to the server virtual server.

A packet capture would reveal that OneConnect is not reusing previously opened connections, and previously opened connections remain idle until timeout.

Conditions:
This occurs when either of the following conditions are met:

-- Virtual-to-virtual configuration with OneConnect profile.
-- iRule contains the following command: node <ip> <port>.

Impact:
An increase in CPU and memory resources occurs due to the increase in connections established and connections that remain in memory.

Workaround:
If not required, remove the OneConnect profile from the client virtual server.


498992-3 : Troubleshooting enhancement: improve logging details for AWS failover failure.

Component: TMOS

Symptoms:
Logging information on BIG-IP VE for Failover on AWS was inadequate and did not provide the reason for failures in Failover.

Conditions:
Traffic-group failover sometimes failed without providing specific reason for the failure.

Impact:
The lack of logging messages that could pin-point the mis-configuration or connectivity issues on AWS makes it difficult to determine what is causing the Failover to fail.

Workaround:
None


498469-2 : Mac Edge Client fails intermittently with machine certificate inspection

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Mac fails intermittently with machine certificate inspection when "Match CN with FQDN" setting is configured.

Conditions:
The problem occurs with BIG-IP Edge Client for Mac and machine certificate agent when in the access policy "Match CN with FQDN" is set.

Impact:
Edge ClienT fails to pass machine certificate inspection.


498227-3 : Incorrect AFM firewall rule counter update after pktclass-daemon restarts.

Component: Advanced Firewall Manager

Symptoms:
Incorrect firewall rule counters are updated upon classifying traffic when rules are re-ordered AND pktclass-daemon is also restarted.

Conditions:
pktclass-daemon restarts and there are active firewall rules present (at any context).

Impact:
While there is no incorrect behavior in matching/classifying traffic, updating incorrect rule counter may lead to impression that traffic is being classified incorrectly.

Workaround:
None


498189-2 : ASM Request log does not show log messages.

Component: Application Security Manager

Symptoms:
The request log does not show log messages related to ASM.

Conditions:
This occurs when first assigning the application logging profile, and then assigning the DOS logging profile on the same virtual server.

Impact:
There will not be log messages related to ASM.

Workaround:
Remove the ASM logging profile, apply and re-add the application logging profile.


497769-3 : Policy Export: BIG-IP does not export redirect URL for "Login Response Page"

Component: Application Security Manager

Symptoms:
ASM does not export redirect URLs in "Login Response Page" for XML policies.

Conditions:
Redirect URL in "Login Response Page" is used in ASM security policy.

Impact:
We fixed an issue with XML policy export where the redirect response page was missing from the security policy.

Workaround:
Use binary policy export for exporting redirection response pages for login url.


497742-4 : Some TCP re-transmits on translucent vlangroup skip bit-flip on source MAC address

Component: Local Traffic Manager

Symptoms:
Some packets re-transmitted as part of a full-proxy, non-SNAT'd TCP virtual server on a translucent-mode vlangroup do not correctly have the translucent-mode bit-flip applied.

Conditions:
This occurs with a translucent vlangroup and full virtual server with no SNAT.

Impact:
Egressing traffic with the source-MAC of another host can potentially lead to traffic loops.

Workaround:
Enable SNAT on the virtual server.


497732-3 : Enabling specific logging may trigger other unrelated events to be logged.

Component: Advanced Firewall Manager

Symptoms:
When logging is enabled for TCP events some internal traffic like UDP could be logged.

Conditions:
When logging is enabled in AFM for TCP events.

Impact:
Some unwanted log messages with show up

Workaround:
There is no work around.


497667-3 : Configuring of ICMPv4/ICMPv6 ip-protocol in mgmt port ACL Rules generated error

Component: Advanced Firewall Manager

Symptoms:
PCCD gives error exhausted; causes inability to activate new mgmt port rules.

Conditions:
The mgmt port is configured as an IPV4 interface and an ICMPv6 protocol rule is applied with the action set to reject or vice-versa.

Impact:
error: resources exhausted; causes inability to activate new mgmt port rules


497584 : The RA bit on DNS response may not be set

Component: Local Traffic Manager

Symptoms:
Under some circumstances, the recursion available (RA) bit may be unset in responses from DNS cache.

Conditions:
If the system caches a message from the authoritative server without the rd bit, and subsequent queries with rd set find that message, the first message will not be used because the rd bit is not set. In this case, the operation falls back to the rrset cache and composes a message, but leaves the RA bit unset. This is appropriate for the transparent cache, but not the non-transparent cache.

Impact:
The impact of this issue is that recursion available is not signaled to clients so they may not treat the DNS cache as an available resolver.

Workaround:
To work around this issue, write an iRule to set the RA bit when the cache is a resolver. Must also check origin for CACHE.


497436-1 : Mac Edge Client behaves erratically while establishing network access connection

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Mac does not establish a network access connection, or if it can establish a connection, then it drops the connection. A user might see a cycle of connect/re-connect again.

Conditions:
OS X Yosemite, network access, BIG-IP Edge Client for Mac.

Impact:
User cannot establish network access connection.

Workaround:
None.


497342-3 : TMM crash while executing FLOW_INIT event (with multiple commands that abort the connection) in an iRule attached to an AFM firewall rule.

Component: Advanced Firewall Manager

Symptoms:
Critical system failure due to TMM process restarting.

Conditions:
Following conditions will trigger the TMM crash:

i) AFM rule match triggers an iRule execution.
ii) iRule has one (or more) FLOW_INIT event with 2 (or more) commands that result in aborting the connection (e.g. 'drop' followed by 'reject')

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None


497325-4 : New users cannot log in to Windows-based systems after installing BIG-IP EDGE client in certain deployment

Component: Access Policy Manager

Symptoms:
New users cannot log in to Windows-based systems after installing BIG-IP Edge client in certain deployments.

Conditions:
This is a rare, environment-based issue.

Impact:
New users cannot log in to Windows-based systems

Workaround:
Remove \F5 Networks\VPN\client.f5c file.


497304-2 : Unable to delete reconfigured HTTP iApp when auto-sync is enabled

Component: TMOS

Symptoms:
When deleting an HTTP iApp, the system posts errors similar to this in the LTM log, along with similar sync errors in the GUI:

-- err mcpd[6629]: 01070265:3: The HTTP Profile (/Common/http-test-farm1.app/http-test-farm1_http) cannot be deleted because it is in use by a sflow http data source (16).
-- err mcpd[6629]: 01071488:3: Remote transaction for device group /Common/HA_Group to commit id 895 6070871290648001573 /Common/cr-ltm-bb2.ns.uwaterloo.ca 0 failed with error 01070265:3: The HTTP Profile (/Common/http-test-farm1.app/http-test-farm1_http) cannot be deleted because it is in use by a sflow http data source (16).

Conditions:
Auto-sync must be enabled. HTTP iApp must have been reconfigured prior to deleting the iApp.

Impact:
Sync failure. Cannot delete the iApp manually after the error occurs.

Workaround:
Do not use auto-sync. If the sync failure has already occurred, refer to SOL13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/kb/en-us/solutions/public/13000/000/sol13030.html) for information on how to restore configuration sync.


497299-2 : Thales install fails if the BIG-IP system is also configured as the RFS

Component: Local Traffic Manager

Symptoms:
Thales install fails.

Conditions:
This occurs when the BIG-IP system is also configured as the RFS.

Impact:
Cannot use Thales HSM with the BIG-IP system.

Workaround:
In the following procedure, when running nethsm-thales-rfs-install.sh, the script returns the IP address used by the RFS server. Use that IP address when running the 'rfs-setup' command. When prompted with: Did you successfully run the above 'rfs-setup' command on the RFS server? (Yes/No), perform the following steps: 1. Open a new SSH connection to the BIG-IP system. 2. Run the following command: /opt/nfast/bin/rfs-setup --force -g --write-noauth x.x.x.x. 3. Return to nethsm-thales-install.sh SSH screen and answer 'Yes'. The script should now exit with a success message.


497263 : Global whitelist count exhausted prematurely

Component: Advanced Firewall Manager

Symptoms:
You receive an error message with this signature: error 0107181d:3: Cannot create white list entry, maximum limit 8 entries reached.

Conditions:
This can occur when configuring entries on both BIG-IP's in a sync group and syncing them. The whitelist count may be less than 8 but the error is still generated.

Impact:
You may receive an error message while creating a whitelist telling them they've exceeded the global whitelist count limit.

Workaround:
None


497118-1 : Tmm may restart when SAML SLO is triggered

Component: Access Policy Manager

Symptoms:
Tmm restarts when SLO is executed.

Conditions:
BIG-IP is used as SAML SP or IdP, single logout is configured on appropriate objects.

Impact:
tmm may restart

Workaround:
Disable SAML SLO


496998-1 : Update offenders more aggressively. Increase batch size for Dwbld processing.

Component: Performance

Symptoms:
Offenders are not blacklisted fast enough.

Conditions:
DoS configured with auto-blacklisting

Impact:
When DoS doesn't track offenders aggressively, it doesn't report them. Once reported, Dwbld processes the offenders in smaller batches. This impacts how soon an offender is blacklisted.

Workaround:
None


496817-6 : Big-IP Edge client for Windows fails to connect to Firepass server if tunnel is established through a proxy

Component: Access Policy Manager

Symptoms:
In a reconnect scenario, Big-IP Edge Client cannot connect to a FirePass server if the tunnel was established through a proxy server.

Conditions:
Proxy is used to create VPN tunnel.
The server is FirePass.

Impact:
The client fails to restore the VPN connection to the FirePass server.

Workaround:
Restart client.


496775 : [GTM] [big3d] Unable to receive mark LTM virtual server up if there is another VS with same ltm_name for bigip monitor

Component: Global Traffic Manager

Symptoms:
[GTM] [big3d] Unable to mark LTM virtual server up if there is another virtual server with same ltm_name for bigip monitor.

Conditions:
LTM (running BIG-IP software older than v11.2.X) with a virtual server: /Common/http_vip with destination /Common/192.168.10.34:80.

GTM (running BIG-IP software newer than v11.5.0) with this LTM as a BIG-IP Server. Two virtual servers on LTM: One with the original LTM virtual server address, and the other with the translated address: 1. name ltm_http_vip :: destination 192.168.10.34:80 :: monitor /Common/bigip. 2. name ltm_http_trans_vip :: destination 10.10.10.34:80 :: translation-address 192.168.10.34:80 :: monitor /Common/bigip.

Impact:
Both virtual servers are marked up for a brief interval. After a few minutes, one of them is marked down.

Workaround:
You can use either of the following workarounds: -- Use a monitor other than bigip. -- Replace /shared/bin/big3d on the LTM system with a copy of a version v11.2.1 big3d.


496758-1 : Monitor Parameters saved to config in a certain order may not construct parameters correctly

Component: Local Traffic Manager

Symptoms:
When configuring both a monitor and a child monitor, if the two monitors are saved in reverse order, the default monitor parameters will not be created.

For example:

ltm monitor tcp /Common/child {
    defaults-from /Common/parent
    destination *.990
    interval 5
    ip-dscp 0
    time-until-up 0
    timeout 16
}
ltm monitor tcp /Common/parent {
    defaults-from /Common/tcp
    destination *:*
    interval 5
    ip-dscp 0
    time-until-up 0
    timeout 16
}

Some of the default parameters for the above configuration will not be created upon loading config.

Conditions:
This occurs when there are at least two monitors, and the child custom monitor appears before the parent monitor. Must have a parent that derives from a root monitor, and a child that derives from the parent monitor.

Impact:
Possible undefined behavior in bigd, and failing iControl calls. On performing a 'tmsh load sys config verify' the system posts an error message similar to the following: 01070740:3: Performance monitor /Common/http-a may not have the manual resume feature. Unexpected Error: Validating configuration process failed.

Workaround:
A possible workaround involves switching the order of the monitors in the config file. This can either be accomplished manually, or by naming things in alphabetical order, such that the parent precedes the child:

ltm monitor tcp /Common/aaa_parent {
    defaults-from /Common/tcp
    destination *:*
    interval 5
    ip-dscp 0
    time-until-up 0
    timeout 16
}
ltm monitor tcp /Common/bbb_child {
    defaults-from /Common/aaa_parent
    destination *.990
    interval 5
    ip-dscp 0
    time-until-up 0
    timeout 16
}


496679-2 : Configuration loads may fail because the 'default-device' on a traffic-group object does not contain a valid value.

Component: TMOS

Symptoms:
After renaming a CM device object, or performing an upgrade from a version prior to 11.4.0, configuration loads may fail because the 'default-device' on a traffic-group object does not contain a valid value.

Conditions:
This issue occurs when one of the following conditions is met:

-- You load the BIG-IP configuration.
-- You upgrade the BIG-IP system software.
-- You perform a configuration synchronization (ConfigSync) operation for the device group.

The 'default-device' attribute has been deprecated beginning in 11.4.0 in favor of new functionality. Prior to 11.4.0, default-device was used to specify the device-group member that failback tries to make active.

From 11.4.0 and later, when auto-failback is enabled, the system uses the first member of the 'Failover Order' ('ha-order' in tmsh).

In 11.4.0 and later, this field is not used, but will fail validation if it contains a value that does not reference the name of an existing device-group member, or the value 'none'.

Impact:
Although the configuration can be saved, it fails when being loaded (for example, in response to a ConfigSync operation, during software upgrade, or when running the command: 'tmsh load sys config').

Workaround:
Modify any traffic-group default-device attributes that refer to the now-deprecated, default-device name.

Note: The system does not use this value, regardless of how you set it.

To work around this issue, you can modify the traffic-group default-device attribute to refer to default-device none. To do so, perform the following procedure:

1. Log in to the Traffic Management Shell (tmsh) by typing the following command:
tmsh

2. To list the configured default device for a traffic group, use the following command syntax:
list /cm traffic-group <traffic group name>

For example, to list the configured default device for traffic-group-1, type the following command:

list /cm traffic-group traffic-group-1

3. Use none as the default device for your traffic group using the following command syntax:
modify cm traffic-group <traffic group name> default-device <default device name>.

For example, to modify your default device to none for traffic-group-1, type the following command:

modify cm traffic-group traffic-group-1 default-device none

4. Save the configuration changes by typing the following command:
save /sys config


496588-3 : HTTP header that is larger than 64K can be analyzed incorrectly, leading to TMM crash

Component: Local Traffic Manager

Symptoms:
TMM may restart

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround.


496498-2 : Firewall rule compilation will fail in certain scenario when there are multiple scheduled AFM rules and one of the non scheduled AFM rule is modified.

Component: Advanced Firewall Manager

Symptoms:
Firewall rule compilation will fail and following message will appear in /var/log/ltm:

Serialization failed: No Blobs available.

pktclass-daemon will transit in the failed state and any further firewall rule modifications will be rejected till the corrective action is taken.

Conditions:
For this issue to manifest, following conditions may suffice:

i) Presence of multiple scheduled firewall rules (expiring at different intervals).
ii) Presence of non scheduled firewall rules.
iii) Modify any non scheduled firewall rules in between the time interval of expiry to any 2 scheduled rules.

Impact:
Firewall rule compilation will fail and pktclass-daemon will go into failed state causing any further firewall rule update to be ignored till user-initiated corrective action is taken.


496278-3 : Disabling/enabling Rule within Rule List causes disabling/enabling of other Rule with the same name

Component: Advanced Firewall Manager

Symptoms:
Disabling/enabling Rule within Rule List causes disabling/enabling of a different but same-named Rule in a single Policy on the Active Rule Page in the GUI.

Conditions:
Only happens it the Rule names are the same with a single policy.

Impact:
Potentially, the incorrect Rule is disabled.

Workaround:
Make sure Rules have different names.


496011-5 : Resets when session awareness enabled

Component: Application Security Manager

Symptoms:
A connection reset may occur when a transaction takes a long time (more than 10 seconds together from the request start till the response end).

Conditions:
The session tracking feature is turned on and long transaction occurs.

Impact:
A connection reset.

Workaround:
Turn off session tracking.


495928-2 : APM RDP connection gets dropped on AFM firewall policy change

Component: Advanced Firewall Manager

Symptoms:
An active RDP connection over APM VPN tunnel gets dropped when administrator makes a change to the AFM firewall policy.

Conditions:
APM tunnel and its application connections are subject to AFM firewall policy.

Impact:
RDP session disconnects and automatically reconnects.

Workaround:
Add an Allow rule to the firewall policy for destination TCP port 3389.


495913-1 : TMM core with CCA-I policy received with uninstall

Component: Policy Enforcement Manager

Symptoms:
If a CCA-I is received with Charging-Rule-Remove AVP for the session then TMM will core.

Conditions:
CCA-I message received with charging-rule-remove AVP

Impact:
Traffic disrupted while tmm restarts.


495901-1 : Tunnel Server crash if probed on loopback listener.

Component: Access Policy Manager

Symptoms:
VPN client might disconnect and reconnect.

Conditions:
Unexpected request is sent on tunnel server loopback listener.

Impact:
Tunnel server crashes resulting in VPN disconnection and reconnection.

Workaround:
None.


495875-4 : Connection limit on nodes causes TMM infinite loop and heartbeat failure with heavy traffic

Component: Local Traffic Manager

Symptoms:
TMM might experience an infinite loop when selecting an available node for load balancing under heavy traffic conditions.

Conditions:
This occurs when the connection limit is specified for nodes, and there is heavy traffic.

Impact:
This causes a 10-second TMM heartbeat failure and a SIGABRT in TMM. The device goes offline and traffic processing is disrupted.

Workaround:
None.


495862 : Virtual status becomes yellow and gets connection limit alert when all pool members forced down

Component: TMOS

Symptoms:
Invalid display of virtual status.

Conditions:
When all pool members forced down and the pool member's connection limit has been reached.

Impact:
Virtual monitor status becomes yellow and receives the following connection limit alert: The pool member's connection limit has been reached.

Workaround:
None.


495702-5 : Mac Edge Client cannot be downloaded sometimes from management UI

Component: Access Policy Manager

Symptoms:
Sometimes BIG-IP Edge Client for Mac cannot be downloaded from the management GUI.

Conditions:
Mac Edge Client, BIG-IP management UI.

Impact:
Mac Edge Client cannot be downloaded.

Workaround:
None.


495698-2 : iRule can be deleted even though it exists in a rule-list

Component: Advanced Firewall Manager

Symptoms:
The rule-list will reference a non existent iRule.

Conditions:
Have a rule-list that contains an iRule, and then delete that iRule.

Impact:
iRule will no longer have an effect, even though it still appears to be contained in the rule-list.

Workaround:
Do not delete an iRule if it is referenced by a rule-list.


495574-1 : DB monitor functionality might cause memory issues

Component: Local Traffic Manager

Symptoms:
TMM restarts continuously.

Conditions:
DB monitors configured

Impact:
System stops responding. System posts message: notice panic: FATAL: mmap of: /dev/mprov/tmm/tmm.4 length 1480589312 offset 4441767936 failed 12 (Cannot allocate memory).

Workaround:
Either kill the DB monitor java process or issue a bigstart restart.


495443-2 : ECDH negotiation failures logged as critical errors.

Component: Local Traffic Manager

Symptoms:
When a failure occurs in an SSL negotiation involving Elliptic Curve Diffie-Hellman (ECDH) key agreement, a critical error may be logged. However, an SSL negotiation failure is not a critical issue.

Conditions:
An SSL negotiation failure involving ECDH key agreement.

Impact:
Spurious critical error logs.

Workaround:
Treat SSL ECDH negotiation failures as non-critical errors.


495390-3 : An error occurs on Active Rules page after attempting to reorder Rules in a Policy

Component: Advanced Firewall Manager

Symptoms:
An error occurs on Active Rules page after attempting to reorder Rules in a Policy: "An error has occurred while trying to process your request."

Conditions:
Attempting to reorder rules if they span more than one page

Impact:
You cannot reorder the rules, and an error message is displayed, "An error has occurred while trying to process your request."


495335-5 : BWC related tmm core

Component: TMOS

Symptoms:
tmm coredumps while BWC is processing packets.

Conditions:
BWC is being enabled on a virtual server that does not have any BWC iRules enabled. Reasons for this are being investigated.

Impact:
Traffic disrupted while tmm restarts.


495319-1 : Connecting to FP with APM edge client is causing corporate network to be inaccessible

Component: Access Policy Manager

Symptoms:
Connecting to FirePass with a BIG-IP Edge Client for Mac that was downloaded from APM might not provide complete network access.

Conditions:
APM Edge Client, Firepass server, network access connection.

Impact:
Incomplete network access.

Workaround:
None.


495265-2 : SAML IdP and SP configured in same access profile not supported

Component: Access Policy Manager

Symptoms:
SLO might not work properly under certain conditions.
When a user attempts to start SLO, the connection gets reset. The system logs messages such as the following: RST sent from x.x.x.x:433 to x.x.x.x:xxxx, [0xxxxxx:xxx] Internal error ((APM::SSO) Error in reading sp info from session db failed)

Conditions:
All conditions must be met:

1. Both BIG-IP as SP and BIG-IP as IdP are configured on the same access profile.
2. SLO is configured for both BIG-IP as IdP and BIG-IP as SP.
3. SLO is executed in multiple TCP sessions between the user's browser and the BIG-IP system.

Impact:
SLO is not properly executed; users's session might not be terminated.

Workaround:
None.


495253-2 : TMM may core in low memory situations during SSL egress handling

Component: Local Traffic Manager

Symptoms:
TMM may core in low memory situations during SSL egress handling.

Conditions:
This occurs when the following conditions are met: -- Low memory. -- SSL connections

Impact:
Traffic disrupted while tmm restarts.


495128-4 : Safari 8 continues using proxy for network access resource in some cases when it shouldn't

Component: Access Policy Manager

Symptoms:
If a client machine uses proxy and Network Access does not specify any proxy, then Safari should not use proxy for some Network Access resource after the Network Access tunnel is created. However, Safari does so.

This problem occurs with Safari 8. Other versions of Safari and other browsers work as expected in our testing.
Apple has been notified: rdar://problem/18651124

Conditions:
The problem occurs when all of these conditions exist:
1. OS = Mac OS X Yosemite.

2. Configuration = Client machine has local proxy configured and Network Access on BIG-IP system access policy does not specify any proxy.

3. Action = Accessing Network Access resource after tunnel is created.

Impact:
As a result, some Network Access resource might be unavailable.

Workaround:
There is no workaround at this time.


494743-3 : Port exhaustion errors on VIPRION 4800 when using CGNAT

Component: Carrier-Grade NAT

Symptoms:
You may see the following on a VIPRION 4800 platform configured to use LSN deterministic NAT:

crit tmm3[12240]: 01010201:2: Inet port exhaustion on ...

Conditions:
VIPRION 4800 platform with multiple blades with LSN deterministic NAT

Impact:
DNAT port exhaustion alert,

Workaround:
Change LSN Pool members for LSN deterministic NAT pools, which will trigger a deterministic NAT data rebuild.


494367 : HSB lockup after HiGig MAC reset

Component: TMOS

Symptoms:
HSB lockups can occur after a HiGig MAC reset on BIG-IP 5000-series and 7000-series platforms.

Conditions:
This occurs after a HiGig MAC reset on BIG-IP 5000-series and 7000-series platforms.

Impact:
An HSB lockup results in a NIC failsafe and reboot of the unit. The system posts messages similar to the following in the LTM log: -- bcm56xxd[8161]: 012c0015:6: Link: 4.1 is DOWN. -- bcm56xxd[8161]: 012c0012:6: Reset HSBe2 (bus 1) HGM0 MAC completed on higig2 link 4.1 down event. -- bcm56xxd[8161]: 012c0015:6: Link: 4.1 is UP. ... -- tmm2[13842]: 01230111:2: Interface 0.3: HSB DMA lockup on transmitter failure.

Workaround:
None.


494322-1 : The HTTP_REQUEST iRule event may cause the TMM to crash if the explicit proxy is used

Component: Local Traffic Manager

Symptoms:
If the flow inside a HTTP_REQUEST event raised by the explicit proxy is expired, the TMM may crash.

Conditions:
The explicit proxy is configured for HTTP, and the HTTP_REQUEST iRule event is used.

Impact:
If state-changing commands are used within the HTTP_REQUEST event raised by the explicit proxy, they may not work correctly, and TMM might crash.

Workaround:
Avoid the HTTP_REQUEST event if possible.


494284-1 : Mac Edge Client, with primary language of German shows unneeded text shown under disconnected status.

Component: Access Policy Manager

Symptoms:
With BIG-IP Edge Client for Mac, when primary language is set to German on the Mac, the text shown under the disconnected status contains extra, unneeded text wording.

Conditions:
Edge Client for Mac, when primary language is set to German on the Mac.

Impact:
Shows the following message: 'Um eine Verbindung herzustellen, wählen Sie aus dem Menü oben einen Server aus, und klicken Sie dann auf die Schaltfläche 'Auto-Verbindung' oder 'Verbinden' sichern und Werner der Seite standen aufs Auge drücken als Schadenersatz einer Woche kein Telefonat erneute.'

Workaround:
None.


494280-1 : TMM crashes when PPTP finds a redirected flow when checking for an existing tunnel

Component: Carrier-Grade NAT

Symptoms:
TMM crashes when PPTP finds a redirected flow when checking for an existing tunnel.

Conditions:
PPTP-ALG and CGNAT on a chassis system when a blade has been added with a stale PPTP tunnel.

Impact:
Traffic disrupted while tmm restarts.


494176-4 : Network access to FP does not work on Yosemite using APM Mac Edge Client.

Component: Access Policy Manager

Symptoms:
If APM BIG-IP Edge Client for Mac on OS X Yosemite attempts to connect to FirePass, network access cannot be established.

Conditions:
APM Edge Client for Mac on OS X Yosemite connecting to FirePass.

Impact:
Network access cannot be established with FirePass.

Workaround:
None.


494122-4 : Deterministic NAT state information from HSL is not usable on VIPRION B4300 blades

Component: Carrier-Grade NAT

Symptoms:
Deterministic NAT HSL state information is not useable by dnatutil, resulting in "Unparseable line" error.

Conditions:
Deterministic NAT and HSL logging for LSN pool on a VIPRION B4300 blade.

Impact:
Cannot use the HSL logged state information for dnatutil.

Workaround:
Use LTM logged deterministic NAT state information.


494098-3 : PAC file download mechanism race condition

Component: Access Policy Manager

Symptoms:
PAC file download mechanism might encounter a race condition if /etc/hosts is patched with the static entry of the host that contains PAC file.

Conditions:
The /etc/hosts is patched with the static entry of the host that contains PAC file.

Impact:
Proxy PAC file fails to download.

Workaround:
Add delay in proxy PAC file download to avoid race condition.


494088-2 : APD or APMD should not assert when it can do more by logging error message before exiting.

Component: Access Policy Manager

Symptoms:
APD or APMD asserts and exits without logging error messages to aid in debugging the error.

Conditions:
In some rare situation apmd (for example, access 'profile not found', failure in 'loading policy object'), APD, APMD assert. This results in dumping core.

Impact:
Restarting of APD, APMD and core file.

Workaround:
None.


494084-1 : Certain rapidly-terminating UDP virtuals may core on standby

Component: Local Traffic Manager

Symptoms:
Based on an internal race condition, it is possible for certain flows to cause cores on standby BIG-IPs when using connection mirroring on layer 7 VIPs. This does not apply to use of mirroring on Performance or Performance (HTTP) virtuals.

Conditions:
Standard UDP virtual using connection mirroring.

Impact:
Restart of the standby tmm. No connections are affected, though if packets are set to require acknowledgements from the standby there may be a brief delay in processing for some or all connections.


494008-1 : tmm crash while initializing the URL filter context for SWG.

Component: Access Policy Manager

Symptoms:
tmm crash while initializing the URL filter context for SWG.

Conditions:
It is not known what triggers this crash. It may be connected to BIG-IP being unable to update the SWG database.

Impact:
Traffic disrupted while tmm restarts.


493825-3 : Upgrade failure from version 11.4.0 due to incorrect configuration being saved

Component: Application Visibility and Reporting

Symptoms:
Upgrade failure, after saving a custom filter based on a client IP address in the Requests logs, loading the configuration, or upgrading from it, might fail.

Conditions:
After saving a custom filter based on a client IP address in the Requests logs.

Impact:
Configuration is not loaded.

Workaround:
Edit /config/bigip.conf, search for the following line, and delete it: values { \? }.


493807-6 : TMM might crash when using PPTP with profile logging enabled

Component: Carrier-Grade NAT

Symptoms:
TMM might crash when using PPTP with profile logging enabled.

Conditions:
This occurs when the following conditions are met: -- PPTP-ALG with log profile enabled. -- CGNAT configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable logging from the PPTP profile.


493558 : TMM core due to SACK hole value mismatch

Component: Local Traffic Manager

Symptoms:
TMM cores with 'sack scoreboard population counts valid' assert. The TMM core occurs due to lost-packet retransmitted packet value mismatch.

Conditions:
This occurs when processing retransmitted packets configured for selective acknowledgement (SACK), when multipath TCP (MPTCP) and selective negative acknowledgement (SNACK) are enabled with a SNACK-supporting client.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There are two possible workarounds: -- Disable MPTCP. -- Disable the SNACK option in the TCP profile.


493487-1 : Function::call() and Function::apply() wrapping does not work as expected

Component: Access Policy Manager

Symptoms:
Function::call() and Function::apply() wrapping does not work as expected.

Conditions:
This occurs when using an indirect method call.

Impact:
Possible Adobe Flash web application malfunction, but the symptoms can vary.


493360-3 : Fixed possible issue causing Edge Client to crash during reconnect

Component: Access Policy Manager

Symptoms:
Edge Client may rarely crash during reconnect.

Conditions:
Session reconnection using Edge Client. When APM session closes on BIG-IP (by a timeout, or by other options, for example, 'Restrict to Single Client IP') the Edge Client starts new session. Occasionally when reestablishing connection to the BIG-IP system, the Edge Client crashes.

Impact:
Rarely encountered crash.

Workaround:
None.


493275-2 : Restoring UCS file breaks auto-sync requiring forced sync.

Component: TMOS

Symptoms:
Automatic sync will temporarily not work after loading a UCS.

Conditions:
Load of a UCS on an affected hotfix.

Impact:
Until a manual sync is done, auto-sync will not occur.

Workaround:
Perform a forced manual sync and then the system will return to operation.


493234 : Device version in AFM log message could be empty

Component: Advanced Firewall Manager

Symptoms:
Device version in AFM log message could be empty

Conditions:
When a log message is generated for AFM events

Impact:
Log message will not have device version


493164-1 : flash.net.NetConnection::connect() has an erroneous security check

Component: Access Policy Manager

Symptoms:
Accessing some content in a different domain does not work as expected because of an erroneous security check.

Conditions:
This occurs when getting a URI property immediately after calling the connect() method.

Impact:
Possible Flash web application malfunction, but symptoms vary.


493140-4 : Incorrect persistence entries are created when invoking cookie hash persistence within an iRule using offset and length parameters.

Component: Local Traffic Manager

Symptoms:
When using a cookie hash persistence profile and an iRule to provide finer granularity using offset and length parameters to calculate the hash, the system creates incorrect persistence entries.

Conditions:
Cookie hash persistence profile and iRule on top of that specifies offset and length of the cookie to be used for hashing is needed.

Impact:
Incorrect persistence entries are created.


493117-4 : Changing the netmask on an advertised virtual address causes it to stop being advertised until tmrouted is restarted

Component: Local Traffic Manager

Symptoms:
After changing the netmask of an advertised virtual address, the address is no longer advertised.

Conditions:
Must have an advertised virtual address, and change its netmask.

Impact:
tmrouted must be restarted whenever the netmask of an advertised virtual address is changed.

Workaround:
Restart tmrouted whenever the netmask of an advertised virtual address is changed.


493023-2 : Export of huge policies might ends up with 'too many pipes opened' error

Component: Access Policy Manager

Symptoms:
Export of huge policies might ends up with 'too many pipes opened' error. Policy must be >321 elements

Conditions:
Huge policy (300+ elements i.e. ~100 items)

Impact:
It's not possible to export access policy

Workaround:
N/A


492701-1 : Resolved LSOs are overwritten by source device in new Policy Sync with new LSO

Component: Access Policy Manager

Symptoms:
Previously resolved Location-Specific Object (LSO) on target devices are overwritten by values on source device in a new Policy Sync operation with new LSO to resolve.

Conditions:
Perform a Policy Sync on a profile with LSO, make changes to the LSO on resolution.
Perform another Policy Sync on the same profile with new LSO that requires resolution

Impact:
Previously customized values for LSO on target device are lost.

Workaround:
Config the value back on target device after the new sync.


492352-1 : Mismatch ckcName between GUI and TMSH can cause upgrade failure

Component: Local Traffic Manager

Symptoms:
Make the ckcName of clientssl_certkeychain same as TMSH.
Case 1: clientssl_certkeychain includes key/cert
TMSH uses <key-name> as ckcName
GUI uses <key-name>.key as ckcName
Case 2: clientssl_certkeychain includes key/cert/chain
TMSH uses <key-name>_<chain-name> as ckcName
GUI uses <key-name>.key as ckcName
The fix is making GUI same as TMSH.

Conditions:
Use GUI to create one SSL profile, then upgrade it.

Impact:
The upgrade failure since the mismatch ckcName between GUI and TMSH.


492238-4 : When logging out of Office 365 TMM may restart

Component: Access Policy Manager

Symptoms:
TMM may restart when a user initiates single logout (SLO) from Microsoft Office 365 configured as a SAML Service Provider (SP).

Conditions:
The problem occurs under these conditions: 1. The BIG-IP system is configured as a SAML Identity Provider (IdP) with Office 365 configured as a SAML Service Provider (SP).
2. Single logout (SLO) is configured on the BIG-IP system.
3. As a part of a SLO request, the SP sends unsupported query parameters.

Impact:
Under certain conditions TMM may restart.

Workaround:
To work around the problem, disable SLO on the BIG-IP system.


492153-6 : Edge clients shuts down the DTLS channel if the state of IP address on the adapter that was used to build the tunnel, changes to deprecated.

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client shuts down the DTLS channel if the state of IP address on the adapter that was used to build the tunnel changes to deprecated.

Conditions:
BIG-IP Edge Client monitors the state of IP address for the DTLS tunnel, so the system can react quickly to any network connectivity issues. The monitor correctly disconnects the tunnel if the adapter loses the IP address. However, there is an issue that causes the tunnel to shut down when the state of IP address is changed to deprecated.

Impact:
Tunnel processing halts.


491894 : Sync status may temporarily go red during full sync

Component: TMOS

Symptoms:
A sync group may go red and log an sync error while a full sync is still in process.

Conditions:
Unknown

Impact:
The state of the sync group goes red momentarily and a log is produced (Device group '/Common/device-group-failover-67faa25ad625' sync inconsistent,
Sync failed on one or more devices in this devicegroup, Sync status may not be consistent), however the sync eventually succeeds.

Workaround:
None.


491771-6 : Parking command called from inside catch statement

Component: Local Traffic Manager

Symptoms:
If inside a proc or control statement (if, for, while) and a parking command (like table, session, open, send, RESOLVE::lookup) which is called from catch statement followed by a command which results in TCL error (caught), TMM will core with SIGFPE panic and this message:

    panic: TclExecuteByteCode execution failure: end stack top < start stack top

Example (THIS CODE MAY CAUSE TMM TO CRASH if this procedure is called):
    proc id491771 {
        # WILL CAUSE TMM TO CRASH
        catch { [table lookup "key"] }
    }

The correct usage of "catch" is without the brackets:
    proc id491771 {
        catch { table lookup "key" }
    }

Conditions:
1) A parking command like "table"
2) The very next operation generates an error
3) Both commands are inside a "catch" block
4) And this catch block exists within a proc or control statement (e.g., if, for, while)

Impact:
TMM cores with a SIGFPE and this panic string:

    panic: TclExecuteByteCode execution failure: end stack top < start stack top

Workaround:
Any command which completes without parking after the parking command but before the error will prevent the issue. For instance

set A "a"

Another solution is to move "catch" statement outside of proc or control statement into body of script.

Alternately remove the square brackets that indicate that the result of the command should be evaluated in this specific case. The use of brackets in this way is likely a mistake in coding of the iRule.


491556-3 : tmsh show sys connection output is corrected

Component: TMOS

Symptoms:
tmsh show sys connection output is corrupted for certain user roles.

Conditions:
This occurs for users with user roles that do not have access to all partitions.

Impact:
The output from tmsh show sys connection is corrupted. After issuing this command, the output of subsequent tmsh commands might not be correct or complete.

Workaround:
Quit out of tmsh. Restart the shell. Do not use the show sys connection command for users that do not have access to all partitions. Use the GUI instead to get this information.


491518-1 : SSL persistence can prematurely terminate TCP connection

Component: Local Traffic Manager

Symptoms:
SSL [session id] persistence might prematurely close (FIN) a TCP connection before forwarding all data.

Conditions:
SSL persistence must be in use. A slow client side (WAN) exacerbates the issue.

Impact:
Premature close of TCP connection and potential data loss.

Workaround:
Disable SSL persistence.


491478-2 : EAM is a CMP plugin and spins up one thread per TMM.

Component: Access Policy Manager

Symptoms:
When OAM is enabled on a virtual, an 'eam' v1 plugin profile is added to the virtual. Due to ht-split performance changes (specifically addition of "plugin_threads" field in BZ439449the eam plugin profile claims to be a CMP-enabled plugin but forces the thread count to 1. This causes the number of MPI devices to be 0, thus no channel is spun up - all connections through the virtual result in "No plugin configuration found" error in /var/log/ltm and the connection is reset.

 SYMPTOM:

Virtuals with OAM enabled do not pass traffic - "No plugin configuration found" errors in /var/log/ltm

Conditions:
HTTP virtual with OAM enabled

Impact:
Traffic outage on OAM-enabled virtuals

Workaround:
hand-edit of /defaults/config_base.conf

        plugin_threads {
            class-name profile_eam
            container none
            instance-name eam
            value "1" <-- change this to "tmms"
        }


491454-2 : SSL negotiation may fail when SPDY profile is enabled

Component: Local Traffic Manager

Symptoms:
SSL handshake fails when SPDY profile is attached.

Conditions:
This occurs when the following conditions are met: -- Client (i.e., Chrome for Android) attempts to use SPDY protocol using Next Protocol Negotiation (NPN) during SSL handshake. -- BIG-IP system has a Cavium Nitrox card.

Impact:
SSL handshake or other connection failure.

Workaround:
Remove SPDY profile.


491233-4 : Rare deadlock in CustomDialer component

Component: Access Policy Manager

Symptoms:
Windows 7 systems hang at a black screen after a reboot. This requires a hard boot to resolve.

Conditions:
CustomDialer component.

Impact:
Cannot log in. Requires hard boot to resolve.


491030-4 : Nitrox crypto accelerator can sometimes hang when encrypting SSL records

Component: Local Traffic Manager

Symptoms:
Sometimes when encrypting certain SSL records, the Cavium Nitrox crypto accelerator can hang with the LTM log message "request queue stuck".

Conditions:
Certain SSL records on a system with a Cavium Nitrox card.

Impact:
Nitrox crypto accelerator can hang.

Workaround:
This issue has no workaround at this time.


490893-1 : Determinstic NAT State information incomplete for HSL log format

Component: Carrier-Grade NAT

Symptoms:
Deterministic NAT state information incomplete for HSL log format, could possibly result in incorrect reverse and forward map for dnatutil when using with HSL logged state information.

Conditions:
Found to affect VIPRION B2250 blades with HTSPLIT enabled, when using dnatutil with HSL logged deterministic NAT state for reverse map.

Impact:
Reverse and forward map could be incorrect when use with HSL logged deterministic NAT state information.

Workaround:
Use LTM logged deterministic NAT state information for reverse or forward map.


490844-1 : Some controls on a web page might stop working.

Component: Access Policy Manager

Symptoms:
Some controls on a web page might stop working.

Conditions:
Some events with that execute in web applications.

Impact:
Unexpected web application malfunctions.

Workaround:
Create an iRule specific to each case.


490817-4 : SSL filter might report codec alerts repeatedly

Component: Local Traffic Manager

Symptoms:
TMM cores due to Out of Memory (OOM), and xdata is the majority of the memory consumption.

Conditions:
The SSL enters a failure mode where it appears to transmit alert messages repeatedly until TMM is OOM, which causes the transmissions to stop due to lack of memory. TMM then cores due to lack of memory.

Impact:
The system might crash. (Massive xfrag usage, degraded performance, eventual TMM OOM.)


490811-3 : Proxy configuration might not to be restored correctly in some rare cases

Component: Access Policy Manager

Symptoms:
Local proxy configuration on Mac OS X might not to be restored correctly in some rare cases.

Conditions:
BIG-IP Edge Client for Mac is connected, tunnel drops for some reason, race condition happens during proxy configuration restoration which causes it to not be restored properly.

Impact:
Proxy configuration might not to be restored correctly in some rare case.

Workaround:
None


490740-5 : TMM may assert if HTTP is disabled by another filter while it is parked

Component: Local Traffic Manager

Symptoms:
If HTTP is parked in an iRule, if it is disabled by another filter on the client-side it will assert with the message:
TCL passthrough switch state only valid server-side.

Conditions:
A HTTP iRule on the client side parks. Another filter tells HTTP to disable itself.

Impact:
The impact of this issue is that the TMM will crash.

Workaround:
Avoid using HTTP::disable in iRules that can run simultaneously with with iRules triggered by the HTTP filter.

Instead, disable


490713-4 : FTP port might occasionally be reused faster than expected

Component: Local Traffic Manager

Symptoms:
FTP port is randomly selected and occasionally might be reused quickly.

Conditions:
FTP active mode. Source Port is set to change.

Impact:
FTP port might occasionally be reused faster than expected.


490681-3 : Memcache entry for dynamic user leaks

Component: Access Policy Manager

Symptoms:
A race condition causes a memcache entry to remain in memcache forever.

Conditions:
Due to a race condition between identifying dynamic users in MySQL and removing them from memcache (based on timestamp), some memcache entries remain. Although the entry is removed from MySQL, it remains in memcache.

Impact:
The user state information for the user remains unchanged. If the user is locked out in memcache, the user state remains locked out.

Workaround:
The only way to recover is to remove the user using telnet to access memcache (which is not a typical operation and is difficult to perform).


490675-2 : User name with leading or trailing spaces creates problems.

Component: Access Policy Manager

Symptoms:
User creates dynamic user with leading and trailing spaces. In the case user name will look like " user1 ". When the user entry gets created in MySQL it treats the user name " user1 " same as "user1", by eliminating the spaces at the beginning and the end. The memcache entry does not do the same.

Conditions:
Create a dynamic user with a regular name. Then retry the same username with leading and trailing spaces. There will be multiple entries for the same user (one regular and another with spaces). When the dynamic user gets deleted, the regular user name is deleted from memcache and from MySQL; the other user entry remains in memcache.

Impact:
Unnecessary memcache entries.

Workaround:
This issue has no workaround at this time.


490537-7 : Persistence Records display in GUI might cause system crash with large number of records

Component: TMOS

Symptoms:
Using the GUI to view Persistence Records statistics in GUI when there are a large number of records might crash the system. (Persistence Records are available for LTM and GTM by navigating to Statistics :: Module Statistics, clicking on Local Traffic, DNS Delivery, or DNS GSLB and then selecting 'Persistence Records' for Statistics Type.)

Conditions:
This occurs when viewing statistics in the GUI for a large number of Persistence Records (approximately 100,000 but the number might depend on system configuration and capacity)

Impact:
The system runs out of memory and fails over.

Workaround:
Use TMSH to see Persistence Records and associated statistics.
For LTM and GTM Delivery: tmsh show ltm persistence persist-records.
For GTM GSLB: tmsh show gtm persist destination | level | target-name | key | max-results | target-type.


490480-2 : UCS load may fail if the UCS contains FIPS keys with names containing dot

Component: Local Traffic Manager

Symptoms:
UCS load may fail if the UCS file contains FIPS keys with names containing dot ( . ).

Conditions:
This occurs when the configuration includes at least one FIPS key with name containing a dot ( . ).

Impact:
UCS loading fails.


490284-2 : ASM user interface extremely slow to respond (e.g. >2 minutes to render policy list)

Component: Application Security Manager

Symptoms:
ASM screens take a long time to load, MySQL spikes in usage.

Conditions:
Occurs after several thousand policy configuration changes have been made to the system.

Impact:
Slow ASM user interface pages.

Workaround:
There is no workaround at this time.


490225-2 : Duplicate DNSSEC keys can cause failed upgrade.

Component: Local Traffic Manager

Symptoms:
When DNSSEC keys are stored in HSM and the system is upgraded, config load can fail because of duplicate keys in HSM.

Conditions:
DNSSEC keys in HSM. Upgrade or UCS load of configuration that contains the same keys.

Impact:
Failed upgrade or config load.

Workaround:
None.


490121 : Incorrect reporting of PVA current and maximum connection with SERVER_CONNECTED event

Component: Local Traffic Manager

Symptoms:
PVA current and maximum stats are incorrectly reported when using a FastL4 profile with a SERVER_CONNECTED iRule event. For each connection that is established, the current connection count is incremented twice and decremented only once when the connection is terminated. This leads to a lingering connection, which skews the stats.

Conditions:
A fastL4 virtual with a SERVER_CONNECTED iRule event.

Impact:
The current and maximum PVA stats are incorrectly reported.

Workaround:
This issue has no workaround at this time.


489750-1 : Deletion of FIPS keys by-handle may delete key in FIPS-card even if key exists in BIG-IP config

Component: TMOS

Symptoms:
11.4.0 onwards, deletion of FIPS keys by-handle is expected to throw error if the BIG-IP config contains that key object. However, if the key name is different from the FIPS-label of the key, such deletion by-handle will delete key from FIPS card without checking BIG-IP config. It will not delete that key from BIG-IP config.

Conditions:
Delete FIPS key by-handle using tmsh when the key name is different from the FIPS-label of the key.

Impact:
FIPS key deletion by-handle may not throw expected error when the FIPS handle corresponds to a key in the BIG-IP config and will delete the key from FIPS card without deleting the key in the BIG-IP config.

Workaround:
First, FIPS key deletion by-handle should be used only for FIPS key handles that don't have corresponding key objects in the BIG-IP config.

If the FIPS key deletion was desired and by-handle deletion is already performed which did not delete the key from BIG-IP config, then follow the below workaround:

After executing:
'tmsh delete sys crypto fips by-handle <handle-number>'

check if the corresponding key still exists in BIG-IP config by executing:
'tmsh list sys crypto key'

If the concerned key did not get deleted, execute:
'tmsh delete sys crypto key <keyname>'


489705-4 : Running out of memory while parsing large XML SOAP requests

Component: Application Security Manager

Symptoms:
Running out of memory while parsing large XML SOAP requests.

Conditions:
System parses as XML a large multipart file upload.

Impact:
Unnecessary memory allocations which could cause the Enforcer to run out of memory. The system posts an error similar to the following: 'ASM out of memory error: event code X239 Exceeded maximum memory assigned for XML/JSON processing'.


489682-2 : Configuration upgrade failure due to change in an ASM predefined report name

Component: Application Visibility and Reporting

Symptoms:
A configuration load failure occurs after creating an ASM predefined report in a previous version and upgrading.

Conditions:
Define scheduled report on top of "Top alerted URLs" on 11.3.0 and upgrade the version.

Impact:
Version upgrade fails (the BIG-IP becomes unusable).

Workaround:
Change the "/Common/Top Alerted URLs" reference in the bigip.conf file of the UCS to "/Common/Top Alarmed URLs", and then load the modified UCS.


489451-1 : TMM might panic due to OpenSSL failure during handshake generation

Component: Local Traffic Manager

Symptoms:
TMM might panic due to OpenSSL failure during handshake generation.

Conditions:
Low memory. Software-based SSL handshake generation.

Impact:
TMM outage.


489382-4 : Machine Cert allows mismatched SubjectCN and FQDN for browsers in case of valid cert

Component: Access Policy Manager

Symptoms:
Browser clients allow Machine Cert Auth agent to pass even if the match SubjectCN and FQDN criteria is not satisfied.
It only happens if the selected certificate is recognized by the BIG-IP system but does not fit the Machine Cert Auth selection criteria.

Conditions:
The problem occurs with a Mac and the browser client, with the Machine Cert Auth agent in the access policy, and a valid certificate.

Impact:
Browser allows network access to be established even though it should not

Workaround:
To work around the problem, add more search criteria in the Machine Cert Auth agent.


489328-6 : When BIG-IP virtual accessed with multiple tabs with long initial URLs before session creation can cause TMM crash.

Component: Access Policy Manager

Symptoms:
If a BIG-IP virtual server is accessed from multiple tabs with long initial URLs before session creation, this might cause TMM to crash.

Conditions:
Rare condition: a user opens the browser and different tabs in the browser pointing to BIG-IP APM virtual server and they cause the access policy to run from both tabs. If the length of the encoded URL falls into 4K boundary then TMM might crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


489259-1 : [AFM] packets from good ip's are being dropped by DoS Sweep & Flood logic

Component: Performance

Symptoms:
Rate tracker library is not accurate.

Conditions:
When traffic is at very low rate.

Impact:
Traffic from good IP addresses could end up being dropped.

Workaround:
None


489217-5 : "cipher" memory can leak

Component: Local Traffic Manager

Symptoms:
When performing SSL handshakes, memory usage can increase. Examining "cipher" memory in the "memory_usage_stat" may show large amounts of "cipher"memory allocated.

Conditions:
BIG-IP performing SSL handshakes.

Impact:
Memory usage increases until no more memory is available.


489113-1 : PVA status, statistics not shown correctly in UI

Component: TMOS

Symptoms:
When affected versions of BIG-IP are running on VIPRION B2250 blades, the PVA status and statistics are not displayed correctly (missing entirely) from the user interface.

Conditions:
VIPRION B2250 blades running affected versions of BIG-IP.

Impact:
PVA appears to be disabled/unavailable.
PVA statistics are not available.
PVA functionality is actually enabled and operating in the data plane.

Workaround:
Example of incorrect display:
# guishell -c 'select name,has_pva,pva_version from platform'
--------------------------------
| NAME | HAS_PVA | PVA_VERSION |
--------------------------------
| A112 | false | | <<< incorrect
--------------------------------

# tmsh show ltm virtual
------------------------------------------------------------------
Ltm::Virtual Server: vs1
------------------------------------------------------------------
Status
  Availability : unknown
  State : enabled
  Reason : The children pool member(s) either don't have service checking enabled, or service check results are not available yet
  CMP : enabled
  CMP Mode : all-cpus
  Destination : 30.30.30.1:80
              <<< missing 'PVA Acceleration' item


488986-3 : Access policy cannot enter Windows Protected Workspace on Internet Explorer versions 10 and 11, and edge client.

Component: Access Policy Manager

Symptoms:
An access policy cannot enter Windows Protected Workspace on Internet Explorer versions 10 and 11, and Windows Edge client.

Conditions:
Internet Explorer versions 10 and 11.

Impact:
Access policy cannot enter Windows Protected Workspace.

Workaround:
Use a browser other than Internet Explorer versions 10 and 11.


488892-1 : JavaRDP client disconnects

Component: Access Policy Manager

Symptoms:
JavaRDP client disconnects user's session when user interacts before the handshake is complete.

Conditions:
The might occur when the network connection is slow but the user is fast enough to click the mouse within the client area or press a key on the keyboard. In this case the RDP client attempts to send this input event to the server.

Impact:
Because the RDP handshake is not completed at this point, the server aborts the connection.

Workaround:
Do not interact within the client area before the window fills with an image from the server. When that occurs, the connection is clearly established and all handshakes are completed.


488876-1 : SSL persistence uses noticeably more memory

Component: Local Traffic Manager

Symptoms:
In releases prior to 11.4.0, SSL persistence used very little memory. Beginning in version 11.4.0 and continuing, the amount of memory has increased.

Conditions:
This occurs when SSL persistence is enabled.

Impact:
This results in less memory being available for other flows, and might eventually result in TMM being out of memory.

Workaround:
None.


488736-3 : Fixed problem with iNotes 9 Instant Messaging

Component: Access Policy Manager

Symptoms:
iNotes 9 IM (Sametime) is not working. There are errors in JS Console.

Conditions:
User is connected to iNotes 9 through Portal Access.

Impact:
Sametime in iNotes 9 is not accessible.

Workaround:
No


488374-1 : Mismatched IPsec policy configuration causes racoon to core after failed IPsec tunnel negotiation

Component: TMOS

Symptoms:
Mismatched IPsec policy configuration causes racoon to core intermittently after failed IPsec tunnel negotiation.

Conditions:
During IPsec Tunnel negotiation, IKE Phase 1 negotiation succeeds and ISAKMP security association is created, but phase 2 (Quick mode) for IPsec security associations fails due to mismatched IPsec policy configuration. This intermittent error occurs because of a memory issue that causes heap corruption.

Impact:
Intermittently, the racoon daemon cores and crashes when there are earlier failed phase 2 negotiations.

Workaround:
Make sure IPsec policies such as encryption/authentication algorithms for the data going through IPsec tunnel on the remote device match the IPsec policy configured on the BIG-IP system for the same IPsec Tunnel.


488262-3 : moving VLAN from route-domain being deleted in the same transaction can cause errors

Component: TMOS

Symptoms:
Error can occur when removing VLAN(s) from route-domain, and deleting the said route-domain in the same transaction can cause errors.

Conditions:
In a transaction, removing the VLAN membership from route-domain, and deleting the same route-domain.

Impact:
Transactional deletion of route-domain and route-domain VLAN membership changes in the same transaction.

Workaround:
Perform route-domain VLAN changes, and route-domain deletion in different transaction.


488193-1 : iRule nexthop is not considered after failover with IP forwarding virtual server.

Component: Local Traffic Manager

Symptoms:
The iRule nexthop selection is not considered after failover with IP forwarding virtual server.

Conditions:
This occurs when using the FastL4 profile in a high availability configuration.

Impact:
Client connections disconnect after failover.

Workaround:
To work around this issue, have the nexthop as a member in a pool and use the iRule pool command.


487757-1 : Hybrid higig/front panel port packet discard (Ingress back-pressure v.s. Egress queue discard) counts can be expected during bursty or severe MMU traffic congestion on B4300/B2200/10000/12000-family platforms.

Component: Local Traffic Manager

Symptoms:
Different discard configurations as set on B4300/B2200/10000/12000-family platform interfaces, may result in different packet discard type counts, when the switch encounters bursty or severe MMU congestion.

Conditions:
Dissimilar congestion discard counts observed for switch ports supporting normal v.s. extended unicast queues.

Impact:
When switch ports encounters congestion, ports supporting extended unicast queue ports may show ingress back-pressure discard counts, as opposed to egress queue discard counts for ports supporting regular unicast queue ports.

Workaround:
None.


487660 : LSN translation failures when persistence is enabled, cmp-hash is set to src-ip on ingress VLAN and to dst-ip on egress VLAN and using a small port range

Component: Carrier-Grade NAT

Symptoms:
LSN Translation failures in persistence mode when cmp-hash is set to src-ip on ingress VLAN and to dst-ip on egress VLAN.

Conditions:
Persistence is enabled on the LSN pool, and cmp-hash is set to src-ip on ingress VLAN and to dst-ip on egress VLAN, when the lsn-pool port range is relatively small (under 1000), or a blade is added or removed. Translation mode is NAPT or PBA.

Impact:
Translation failures. The system posts an error similar to the following: debug tmm9[25268]: 01670012:7: [0.9] Translation failed client 200.200.200.101,10096.

Workaround:
Adequately provision the LSN pool.


487567-2 : Addition of a DoS Profile Along with a Required Profile May Fail

Component: TMOS

Symptoms:
Certain DoS Profiles require a preliminary profile to be attached as well. For example DNS enabled DoS profile may require DNS profile to be attached first. However in cases where both profiles are being attached at the same time, an error may be thrown telling the user that the required profile is not attached.

Conditions:
A DoS profile needs to be attached at the same time with its required profile. For example, Application DoS Profile requires HTTP profile to be attached as well.

Impact:
If you have such DoS profiles in use and attach such profiles in single transaction you may be affected (GUI operations or iControl REST api).

Workaround:
None


487554 : System might reuse TCP source ports too quickly on the server side.

Component: Local Traffic Manager

Symptoms:
System might reuse TCP source ports too quickly on server side when dag hash is ip-only and sourceport mode is set to change.

Conditions:
This occurs when the dag-cmp hash is ip-only, and the virtual server or PEM-forwarding endpoints sourceport mode is set to change. The BIG-IP system might reuse some TCP source ports on the server side.

Impact:
Conflicting flows result in connections being reset.

Workaround:
This issue has no workaround at this time.


487420-2 : BD crash upon stress on session tracking

Component: Application Security Manager

Symptoms:
An ASM bd process crash occurs in a specific scenario that involves system stress and session tracking, or the crash can be reached rarely from slow responses/servers with session tracking.

Conditions:
ASM under heavy load, session tracking is running.

Impact:
A bd process crash, failover, and/or traffic resets.

Workaround:
None.


487399-1 : VDI plugin crashes when View client disconnects prematurely

Component: Access Policy Manager

Symptoms:
VDI plugin crashes when View client disconnects prematurely

Conditions:
View client disconnects prematurely

Impact:
VDI plugin crash


487211 : WOM IP fragmentation in v11.5.0 HF4

Component: Local Traffic Manager

Symptoms:
IP fragmentation occurring within a flow between two iSession peers.

Conditions:
WOM PoC with v11.5.0 HF4

Impact:
The impact of this issue is cosmetic.

Workaround:
None.


487170-2 : Enahnced support for proxy servers that resolve to multiple IP addresses

Component: Access Policy Manager

Symptoms:
VPN might fail to connect in environments where DNS returns multiple IP address for the proxy server host name. This includes both Edge client and web client.

Conditions:
Proxy server name is resolved to multiple IP address, or the
proxy server IP address changes on a subsequent call to the DNS resolver.

Impact:
VPN connection might fail.

Workaround:
Configure DNS to persist an IP addresses for the proxy host name.


486724-1 : After upgrading from v10 to v11 in a FIPS HA setup, config-sync fails

Component: Local Traffic Manager

Symptoms:
After upgrading from TMOS v10 to TMOS v11 in a FIPS HA setup, config-sync will fail.

Conditions:
In a FIPS HA setup, upgrade from v10 to v11. After upgrade, trigger config-sync.

Impact:
HA devices will be in sync failed state

Workaround:
This issue has no workaround at this time.


486597-4 : Fixed Network Access renegotiation procedure

Component: Access Policy Manager

Symptoms:
Network Access reconnects on every SSL renegotiation attempt on Windows 7 for TLS1.2 and TLS1.1 if client cert is requested.

Conditions:
This occurs when the following conditions are met: Windows 7. -- TLS 1.1/TLS1.2. -- Client cert set to 'required' at Virtual Server's Client Cert profile.

Impact:
Reconnect on every SSL renegotiation attempt.

Workaround:
None.


486512-6 : audit_forwarder sending invalid NAS IP Address attributes

Component: TMOS

Symptoms:
Forwarded auditing messages contain the incorrect nas-ip-address attribute. It should be the local IP of the box. Instead nas-ip-address is another, random IP address.

Conditions:
This seems to work fine when the BIG-IP is a virtual machine.The issue reproduces only on the actual hardware.

Impact:
Cannot pass certification because config auditing is not working as expected (invalid NAS IP Address).

Workaround:
None.


486450 : iApp re-deployment causes mcpd on secondaries to restart

Component: Local Traffic Manager

Symptoms:
iApp redeployment causes mcpd on secondaries to restart.

Conditions:
This occurs when redeploying iApps with the locally cached files in place.

Impact:
mcpd restarts on secondaries.


486268-2 : APM logon page missing title

Component: Access Policy Manager

Symptoms:
On the BIG-IP APM logon page, a title may not appear.

Conditions:
RSA error message contains newline symbols. (For example RSA 8.1 uses such message)

Impact:
May cause usability issues.


485948-4 : Machine Info Agent should have a fallback branch

Component: Access Policy Manager

Symptoms:
Machine Info agent is not supported for legacy logon clients (for example, mobile clients and Linux CLI); it is only supported for web logon clients (browsers and BIG-IP Edge Clients). However, the Machine Info agent does not throw any error if a legacy logon client connects to APM with the Machine Info agent in it.

Conditions:
This occurs with a Machine Info agent in the access policy and legacy logon clients.

Impact:
The impact of this issue is that the Machine Info agent does not create any machine information-related session variables for legacy logon clients, neither does it indicate that it is not supported.

Workaround:
To work around the problem, use the Client Type agent to distinguish between legacy logon or web logon clients. And then only add the Machine Info agent in web logon clients branch.


485833-6 : The mcpd process may leak memory when using tmsh to modify user attributes

Component: TMOS

Symptoms:
The Master Control Program Daemon (mcpd) may leak memory when you use the Traffic Management Shell (tmsh) to modify user attributes.

Note: The mcpd process is the messenger process that allows userland processes to communicate with the Traffic Management Microkernel (TMM), and the other way around.

As a result of this issue, you may encounter one or more of the following symptoms:

-- You are unable to configure the BIG-IP system.
-- You are unable to obtain statistics, or statistics may not be accurate.
-- In the /var/log/ltm file, you may observe an error message similar to the following example:
02001018:system library:fopen:Too many open files

Conditions:
This issue occurs when the following condition is met:

-- You are using the tmsh modify auth <user> command options to modify local user accounts. Some of the options include the following:
description User description.
partition-access The administrative partition which user has access.
password Set or modify the user password.
role Specifies the user role for the user account.
shell Specifies the shell to which the user has access.

Impact:
-- You cannot obtain or update the system status.
-- You cannot configure the BIG-IP system.
-- Userland processes may not be functional.

Workaround:
There is no workaround for this issue. To restore mcpd functionality, you can restart mcpd from the command line. To do so, perform the following procedure:

Impact of procedure: Restarting the mcpd process interrupts all traffic processing on the BIG-IP system. You should perform this procedure during a maintenance window.

Log in to the Traffic Management Shell (tmsh) by typing the following command:
tmsh

To restart the mcpd process, type the following command:
restart sys service mcpd


485787-2 : Firewall ACL counters for staged policy attached to a Virtual/SelfIP are not incremented when a policy with a similar rule to drop/reject packets is enforced by the Global or Route Domain context

Component: Advanced Firewall Manager

Symptoms:
Staged ACL Rule attached to VS or Self IP will never be hit if similar Rule with drop/reject action attached to an upper context as Enforced.

Conditions:
Policy should be staged at the Virtual or SelfIP context and enforced at the Global or Route Domain level. The action should be drop/reject.

Impact:
Staged policy counters are not incremented correctly.
Example:
We have 2 FW Policies (Policy1 and Policy2) with the same Rules:
security firewall policy Policy1 {
    rules {
        Rule1 {
            action reject
            destination {
                addresses {
                    10.10.10.11 { }
                }
            }
        }
    }
}

Policy1 attached to Global context as enforced:
security firewall global-rules {
    enforced-policy Policy1
}

Policy2 attached to VS as staged:
ltm virtual VS4_TCP {
    destination 10.10.10.11:any
    fw-staged-policy Policy2
    ip-protocol tcp
    ......
}

If we send traffic to hit this rule:
Policy1:Rule1 will be hit but Policy2:Rule1 will not be hit.

tmctl -w120 fw_rule_stat
context_type context_name rule_name micro_rules counter last_hit_time
------------ ------------ --------- ----------- ------- -------------
global Rule1 1 10 1413898646


tmctl -w120 fw_staged_rule_stat
context_type context_name rule_name micro_rules counter last_hit_time
------------ --------------- --------- ----------- ------- -------------
virtual /Common/VS4_TCP Rule1 1 0 0


485764-1 : WhiteHat vulnerability assessment tool is configured but integration does not work correctly

Component: Application Security Manager

Symptoms:
When the WhiteHat vulnerability assessment tool is configured on an already existing policy the proper response headers are not added to traffic that are needed for full integration.

Conditions:
The WhiteHat vulnerability assessment tool is configured on an already existing policy.

Impact:
Proper response headers are not added to traffic to integrate fully.

Workaround:
This issue has no workaround at this time.


485472-1 : iRule virtual command allows for protocol mismatch, resulting in crash

Component: Local Traffic Manager

Symptoms:
iRule 'virtual' command allows for protocol mismatch.

Conditions:
A virtual server with an iRule which leverages the 'virtual' command targeting a virtual server that differs in protocol. For example, a UDP virtual server targeting a TCP virtual server.

Impact:
tmm might crash with assert: 'Must be syncookie'. Traffic is interrupted.

Workaround:
This is the result of a misconfiguration. Modify iRules to ensure L4 protocols match between virtual servers.


485352-3 : TMM dumps core file when loading configuration or starting up

Component: TMOS

Symptoms:
TMM dumps core file when configuration file is being loaded or when TMM is starting up.

Conditions:
This error happens when there is no APM license installed.

Impact:
Traffic disrupted while tmm restarts.


485232-3 : Disabling and re-enabling an active blade in a HA group may result in the blade becoming standby

Component: TMOS

Symptoms:
Disabling and re-enabling an active blade in a HA group might result in the blade becoming standby.

Conditions:
This occurs when using HA group scoring with HA scoring weighted equally among peers. The peer must have its blades enabled.

Impact:
After re-enabling a blade, it does not go active even though its mate blade is active. The standby blade does not take traffic.

Workaround:
Fail the system over to the peer by disabling its blades, then enable them and fail back (if desired).


485189 : TMM might crash if unable to find persistence cookie

Component: Local Traffic Manager

Symptoms:
TMM might crash and generate a core if unable to find persistence cookie.

Conditions:
Although specific conditions for this issue are unknown, it is possibly due to having a virtual with cookie persistence enabled and iRules that disable persistence.

Impact:
Traffic disrupted while tmm restarts.


485182-1 : wom_verify_config does not recognize iSession profile in /Common sub-partition

Component: Wan Optimization Manager

Symptoms:
The wom_verify_config does not recognize iSession profile in /Common sub-partition.

Conditions:
iApps creates some objects (virtual, profiles) under /Common/DMZPrimary.vysbank.com.app/. These objects are invisible to wom_verify_config.

Impact:
wom_verify_config cannot verify the system configuration.


485176-2 : RADIUS::avp replace command cores TMM when only two arguments are passed to it

Component: Policy Enforcement Manager

Symptoms:
The RADIUS::avp replace iRule command will core when only two arguments are passed to it.

Conditions:
Must be running an iRule that executes a RADIUS::avp replace command with only two arguments.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


484861-3 : A standby-standby state can be created when auto failback acts in a CRC disagreement scenario

Component: TMOS

Symptoms:
A standby-standby state can occur after a failback if there is a CRC disagreement between peers.

Conditions:
HA pair using auto failback. There must be a CRC disagreement between peers. The failback preferred system must have a lower traffic group score than its peers. NOTE: CRC disagreements may lead to other issues and the customer is strongly advised to sync the devices to remove the disagreement.

Impact:
It's a site down situation as all the objects in the traffic group will become unreachable.

Workaround:
Sync devices to remove the CRC disagreement.


484733-2 : aws-failover-tgactive.sh doesn't skip network forwarding virtuals

Component: TMOS

Symptoms:
When there are forwarding virtual servers with SNATs defined in the configuration, the reassignment of IP addresses for virtual servers does not happen correctly in Amazon Web Services (AWS).

Conditions:
Forwarding virtual servers with SNATs defined.

Impact:
HA failover is impacted.


484706-3 : Incremental sync of iApp changes may fail

Component: TMOS

Symptoms:
Incremental sync of the deletion of an iApp instance may fail, with the error message indicating that certain objects owned by the application are still in use. Alternatively, child objects that should have been deleted when reconfiguring an iApp instance may remain on peer devices after incremental sync has completed.

Conditions:
Incremental sync of the deletion of an iApp instance. Incremental sync of deleting a child object, if the iApp implementation script creates the parent object without child objects, and then separately adds the replacement child objects.

Impact:
An attempt to delete an iApp may cause a sync failure. An attempt to reconfigure an iApp without a previously existing child object (pool member, etc.) may cause the object to continue to exist on peer devices.

Workaround:
Full load sync (either the 'Overwrite Configuration' option on the Device Management Overview page, or temporarily setting the device group to full load only), and then performing the sync operation completes successfully.


484582-1 : APM Portal Access is inaccessible.

Component: Access Policy Manager

Symptoms:
APM Portal Access is inaccessible.

Conditions:
One of sessions reaches 64 KB of Portal Access application cookie storage.

Impact:
Rewrite plugin crashes; APM Portal Access becomes inaccessible. Shortly after this plugin crashes with *** glibc detected *** memory-corruption-message. The rewrite daemon log contains following lines:
- notice rewrite - cookie.cpp:543 : updateCookieSessionStore : expiring cookie ...

Workaround:
None.


484454-1 : Users not able to log on after failover

Component: Access Policy Manager

Symptoms:
Users fail the access policy check after failover happens. The command 'configdump -allkeys' does not display any entry for the access profile.

Conditions:
The issue will show up after the following events:
1. The TMM on the active node restarts or crashes, the node become standby.
2. TMM and APD restart. APD re-creates config snapshots in the SessionDB.
3. The snapshots just created get deleted.
4. Failover happens again and the node becomes active.
5. Users fail to log on

Impact:
Users cannot log on

Workaround:
Run 'bigstart restart apd' to re-create config snapshots.


484305-4 : Clientside or serverside command with parking command crashes TMM

Component: Local Traffic Manager

Symptoms:
Any parking iRule command used inside clientside or serverside crashes TMM.

Conditions:
Parking command used inside clientside or serverside.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
See if you really need to run the parking command inside clientside/serverside, if not, move the command outside.


484278-1 : BIG-IP crash when processing packet and running iRule at the same time

Component: Policy Enforcement Manager

Symptoms:
The BIG-IP system sometimes crashes if it is processing packets and iRules at the same time.

Conditions:
Conditions leading to this issue include having iRule scripts and processing iRule tasks, and processing incoming traffic along with the iRule tasks.

Impact:
The impact of this issue is that the BIG-IP system goes to crash intermittently.

Workaround:
This issue has no workaround at this time.


484079-6 : Change to signature list of manual Signature Sets does not take effect.

Component: Application Security Manager

Symptoms:
When the signature list of a manual Attack Signature Set is modified, the change does not affect enforcement or remote logging.

Conditions:
The signature list of a manual Attack Signature Set is modified (with no other change to the Signature Set).

Impact:
The change does not take effect in signature enforcement or remote logging.

Workaround:
Any spurious change to the signature set (such as unchecking/checking 'Assign to Policy by Default'), or unassigning and reassigning the signature set to the affected policy.


483792-7 : when iSession control channel is disabled, don't assign app tunnel, MSRDP, opt tunnel resources

Component: Access Policy Manager

Symptoms:
Customers running into iSession related issues.

Conditions:
This happens when APM has been running.

Impact:
Some of the Network Access resources may not run properly when iSession control channel is disabled.

Workaround:
None


483683-2 : MCP continues running after "Unexpected exception caught in MCPProcessor::rm_DBLowHighWide" error

Component: TMOS

Symptoms:
"Unexpected exception caught in MCPProcessor::rm_DBLowHighWide" error on secondary blades when starting up. When this happens, MCP is left in a bad state and several issues (not obviously related to this error) can occur.

Conditions:
Only occurs on a chassis system, and only on secondary blades.

Impact:
This error is the precursor to bad behavior on the system. The exact issues seen are hard to quantify, as they vary depending on what state MCP's database is in when the exception is thrown.


483601-2 : APM sends a logout Bookmarked Access whitelist URL when session is expired.

Component: Access Policy Manager

Symptoms:
Customer will see a logout page for bookmarked APM whitelist URL after session is expired.

Conditions:
This condition will occur if the user has bookmarked a APM whitelist entry and tries to access this bookmarked URL after some time (Access session is expired).

Impact:
User sees a logout page instead of a logon to revalidate themselves.

Workaround:
This issue has no workaround at this time.


483539 : With fastL4, incorrect MSS value might be used if SYN has options without MSS specified

Component: Local Traffic Manager

Symptoms:
Due to the incorrect MSS value, TMM might core because based on the MSS value the outgoing packet attempts to use TSO, which is not correct. This can result in a crash.

Conditions:
A virtual using fastL4 where a SYN packet with options is received, but the SYN packet does not contain an MSS option.

Impact:
If this issue occurs, then TMM will core resulting in a failover/reboot of the system.

Workaround:
None.


483228 : The icrd_child process generates core when terminating

Component: TMOS

Symptoms:
A race condition in the terminate handler of the icrd_child process causes it to crash and generate a core.

Conditions:
This is an intermittent issue that is caused by a race condition.

Impact:
This does not impact functionality, but the system posts messages to icrd log similar to the following: notice icrd: 5823,14414, RestServer, INFO, Connection idle too long fd:11.

Workaround:
None.


483219-1 : Guest secondary blade config load failure after vdisk reinstall

Component: TMOS

Symptoms:
A VCMP guest blade (slot2) is unexpectedly offline.

Conditions:
The guest blade has a config load failure.
The host blade in slot2 was recently re-installed via USB.

Impact:
The VCMP guest is unable to properly form a cluster.
The qkviews do not contain much data from slot2 because mcpd was offline.

Workaround:
Save the configuration to UCS. Attempt to default the configuration. Fix any error messages(*). Then load the previously saved UCS and the guest is okay.


483157-1 : Server-side flow uses 0 as TCP source port

Component: Local Traffic Manager

Symptoms:
The BIG-IP system might use 0 (zero) as the TCP source port for server-side flows.

Conditions:
This occurs when the server-side VLAN's cmp_hash is either src-ip or dst-ip (the default value is 'default') and the server-side source_port mode is set to change.

Impact:
Many network stacks use 0 as reserved port and do not treat the value as valid for TCP source ports. This might cause TCP ports to be reused too quickly.


482915-2 : Learning suggestion for the maximum headers check violation appears only for blocked requests

Component: Application Security Manager

Symptoms:
There are no learning suggestions for the Maximum headers sub-violation if the HTTP protocol compliance violation is in Alarm only (not in Blocking).

Conditions:
If the HTTP compliance is in Alarm only (not in Blocking) and the Maximum number of headers sub-violation is enabled, and there is a violation for the maximum number of headers (which is not blocking) and no other violation in the request is blocking.

Impact:
There will not be a learning suggestion for this violation and no automated learning will happen for the number of headers.

Workaround:
This issue has no workaround at this time.


482699-1 : VPE displaying "Uncaught TypeError"

Component: Access Policy Manager

Symptoms:
VPE displaying "Uncaught TypeError"

Conditions:
While editing on Chrome ver >=37

Impact:
Really hard to Edit VPE on chrome

Workaround:
Use different browser


482434-2 : Possible performance degradation in AWS cloud

Component: TMOS

Symptoms:
Throughput and new connections per/sec might be up to 4 times slower in AWS for SR-IOV enabled instances.

Conditions:
This might occur when a BIG-IP virtual server is configured with a Standard profile.

Impact:
Performance is 3-to-4 times slower than the license limit. Slow throuhgput and new connections per/second

Workaround:
If throughput performance is 3x-4x times slower than license limit for virtual servers with 'Standard' profile, consider disabling interruptible sleep. To do so, use the following commands to: 1. set the appropriate DB variable to 0 (zero), and 2. restart tmm: 1. setdb Scheduler.UnicAsleepRxLimit.LTM 0. 2. bigstart restart tmm.


482260-2 : Location of Captive portal configuration registry entry in 64 bit windows is incorrect

Component: Access Policy Manager

Symptoms:
Captive portal detection configuration in BIG-IP Edge Client does not work as intended on 64-bit Windows-based platforms.

Changing HKEY_CURRENT_USER\Software\F5 Networks\RemoteAccess\DisableCaptivePortalDetection has no impact on captive portal detection in Edge Client on 64-bit Windows.

Impact:
Windows 64-bit clients are not redirected to the custom captive portal page as the expected but instead are sent to the default URL.

Workaround:
Configuring this setting in HKEY_CURRENT_USER\Software\Wow6432Node\F5 Networks\RemoteAccess works.


481880-1 : SASPD monitor cores

Component: Local Traffic Manager

Symptoms:
SASP monitor process core dumping during a state change.

Conditions:
This occurs when the SASP monitor is configured in push mode.

Impact:
Pool member is marked down, which leads to monitor outage.


481844-2 : tmm can crash and/or use the wrong CRL in certain conditions

Component: Local Traffic Manager

Symptoms:
tmm can crash and/or use the wrong certificate revocation list (CRL) in certain conditions.

Conditions:
Several client-ssl profiles are configured with different CRLs. Then, either the CRLs are configured or the client-ssl profiles are deleted.

Impact:
tmm might crash and/or use the wrong CRL. Traffic disrupted while tmm restarts.


481696-3 : Failover error message 'sod out of shmem' in /var/log/ltm

Component: TMOS

Symptoms:
You might see a failover error message 'sod out of shmem' in /var/log/ltm.

Conditions:
The conditions under which this occurs vary based on the configured shared memory usage.

Impact:
Failover might not function fully. System posts the message 'err sod[6300]: 01140003:3: Out of shmem, increment amount' in /etc/ha_table/ha_table.conf.

Workaround:
Manually modify /etc/ha_table/ha_table.conf as follows: Change this line: 'ha segment path: /sod table pages: 2' to this: 'ha segment path: /sod table pages: 4'. Save the file and reboot the system.


481647 : OSPF daemon asserts and generates core

Component: TMOS

Symptoms:
The OSPF daemon might assert if receiving a Link Status (LS) Update header with a length greater than 255 bytes.

Conditions:
This occurs when the LSA header length is greater than 255 bytes in length.

Impact:
OSPF daemon asserts and generates a core, which might cause a service outage.

Workaround:
None.


481476-4 : MySQL performance

Component: Application Security Manager

Symptoms:
MySQL usage would spike to 100% for extended periods of time.

Conditions:
Occurs after several thousand policy configuration changes have been made to the system.

Impact:
Slow ASM GUI pages.

Workaround:
There is no workaround at this time.


481216-2 : Fallback may be attempted incorrectly in an abort after an Early Server Response

Component: Local Traffic Manager

Symptoms:
After an Early Server Response, the BIG-IP system might attempt to generate a fallback response if an error occurs. However, the response has already partially egressed, so this does not work correctly.

Conditions:
Fallback configured or enabled by an iRule. An early server response triggers an error that leads to an Abort being raised. The Abort triggers a fallback response inappropriately.

Impact:
The server-side might read HTTP data structures after they have already been freed. A fallback can be generated on the server-side, leading to a use-after-free if the client side has already aborted.


481089 : Request group incorrectly deleted prior to being processed

Component: TMOS

Symptoms:
After performing a full sync, sometimes the BIG-IP systems remain out of sync.

Conditions:
A full sync must be performed. There must be more than one active connection to mcpd, and one of them must get disconnected before the sync completes.

Impact:
The BIG-IP systems remain out of sync even after a sync operation.

Workaround:
There are 2 possible workaround: 1) Reset device trust and then re-associate peer devices. 2) Set sync-leader using the following tmsh command. (You might need to run the command more than once until the cid.id of the lagging device is equal or greater than the peer unit.) 'tmsh modify cm device-group fail_over_group_name devices modify { name_of_standby_device { set-sync-leader } }'.

Note: You can run the following command from the active device to view any cid.id mismatch, and if further set-sync-leader commands are necessary: 'tmsh run cm watch-devicegroup-device'.


481082-1 : Software auto update schedule settings can be reset during a full sync

Component: TMOS

Symptoms:
After performing a full sync, the auto update settings of the target machine are reset to defaults.

Conditions:
Perform a full sync to a system that has non-default auto update settings.

Impact:
Auto update settings can get out of sync, and be incorrect.

Workaround:
After a full sync, ensure that the auto update settings on both systems are set as desired.


480982-2 : pkcs11d with a high thread count can result in high CPU utilization

Component: Local Traffic Manager

Symptoms:
When pkcs11d is set to use a very high thread count, CPU utilization can increase dramatically.

Conditions:
The thread count for pkcs11d is set higher than the default.

Impact:
Less CPU available for other processes.

Workaround:
Do not set the db variable for pkcs11d thread count (/sys crypto fips external-hsm num-threads) higher than the default.


480903-2 : AFM DoS ICMP sweep mitigation performance impact

Component: Advanced Firewall Manager

Symptoms:
In AFM DoS, the performance of ICMP Sweep Vector Mitigation brings down the performance of the BIG-IP system.

Conditions:
ICMP Traffic levels at 4 million pps from ~100 Src IP addresses, with the AFM DoS Sweep vector enabled to mitigate ICMP traffic.

Impact:
Slower performance of the BIG-IP system. A lot of CPU is used to mitigate the AFM DoS Sweep vector.

Workaround:
Do not enable the AFM DoS Sweep vector for ICMP Traffic when the attack rate is over 4 Million pps.


480761-3 : Fixed issue causing TunnelServer to crash during reconnect

Component: Access Policy Manager

Symptoms:
TunnelServer may crash in rare conditions during reconnect.

Conditions:
Crash may happens when PC wakes up after hibernate

Impact:
User sees confusing message about crashed TunnelServer.

Workaround:
This issue has no workaround at this time.


480686-5 : Packet loop in VLAN Group

Component: Local Traffic Manager

Symptoms:
On an active VIPRION or vCMP guest with a VLAN Group configuration, the CPU usage unexpectedly rises, and traffic flowing through the device may experience high latency and packet drops. A packet capture shows packets looping internally between VLAN members of the VLAN Group.

Conditions:
This occurs when using a VLAN Group (in Translucent or Transparent mode) on VIPRION hardware (including vCMP guest of a VIPRION), and an IP address conflict exists between the BIG-IP and another device on the VLAN Group. Note: The device causing the IP conflict may be unrelated to packets that are found looping in a packet capture.

Impact:
This results in high CPU usage and potentially unresponsive GUI. Traffic flowing through the VLAN Group may experience high latency and packet drops. The Self IP on the affected VLAN becomes almost impossible to reach.

Workaround:
Disable vlangroup.flow.allocate db variable to prevent flow creation for vlangroup forwarded packets.


480370-4 : Connections to virtual servers with port-preserve property will cause connections to leak in TMM

Component: Local Traffic Manager

Symptoms:
Connections leak, exhausting the memory over time and causing TMM to re-start.

Conditions:
Virtual server with port-preserve setting. Tunneled APM connections in a CMP environment (many TMM processes).

Impact:
TMM process re-starts causing traffic disruption. Low performance is also seen due to the high number of leaked connections.

Workaround:
None.


480311-2 : ADAPT should be able to work with OneConnect

Component: Service Provider

Symptoms:
The request-adapt and response-adapt profiles are unable to work with the OneConnect profile, and so those combinations are not allowed in the same virtual server.

Conditions:
Attempt to combine request-adapt or response-adapt profile with OneConnect profile on the same virtual server.

Impact:
When adaptation is being used, the connection cannot be kept open and reused for multiple HTTP transactions.


480272-4 : During OAM SDK initialization, ObConfig initialization returns wrong accessgate ID

Component: Access Policy Manager

Symptoms:
OAM ObConfig Initialization returns wrong accessgate ID, and that resulted in EAM setting wrong domain for the ObSSOCookie.

Conditions:
After network connection failure with backend OAM server, ObConfig initilization returned past Accessgate ID.

Impact:
The impact of this issue is that ObConfig initialization returns the wrong accessgate ID.

Workaround:
This issue has no workaround at this time.


480242-1 : APD, APMD, MCPD communication error failure now reported with error code

Component: Access Policy Manager

Symptoms:
When an unexpected error is received during communication between apd, apmd, and mcpd, it throws an exception.

Conditions:
Rarely reproducible, failed communication between apd, apmd, and mcpd.

Impact:
The system cores without an error code indicating the reason. This hampers finding the actual cause for the error.

Workaround:
None.


479872-1 : Corresponding protocol profiles must exist on both clientside/serverside

Component: Local Traffic Manager

Symptoms:
Virtual servers configured without protocol profiles on both the clientside and serverside do not pass traffic.

Conditions:
This occurs on virtual servers configured without protocol profiles on both the clientside and serverside.

Impact:
Attempts to connect to the virtual server might result in RSTs ('no local listener'), or the virtual address might not respond to ARP if there are no other functional virtual servers on the same virtual address. Virtual servers affected by this issue do not pass traffic.

Workaround:
If a protocol profile with a context (clientside or serverside) is specified when defining a virtual server, ensure that a protocol profile is specified for the peer context.


479773-1 : SR C1800930 - GUI crashs - and SQL errors

Component: Device Management

Symptoms:
The WebUI is unusable as it can take 30 seconds to a minute to load different pages. Other times the user will get the "service restarting" message. They have tried multiple browsers and changed the maximum connections to the config utility from 20 to 50 and back to 20 when that didn't help.

Conditions:
The customer says that he can get it to occur by having 3 users log into the config utility and then click around randomly until it crashes.

Impact:
GUI inaccessible

Workaround:
Work around is available by removing the following from the httpd.conf:
--------------
# If DCOEP is defined then enable the related configuration.
<IfDefine DCOEP>
...
</IfDefine>
--------------
This can be done by modifying the template /defaults/config/templates/httpd.tmpl.


479460-1 : SessionDb may be trapped in wrong HA state during initialization

Component: TMOS

Symptoms:
An error case may happen on BIG-IP if the following conditions are met:

1. There are two BIG-IPs configured as inter-cluster HA.
2. These two BIG-IPs are multi-blade chasis system.
3. Master record with independent subkeys is added to SessionDB.

The observed symptom this that you can explicitly deleted such a master record, but auto expiration mechanisms (timeout & lifetime) will not work on it, and this record will live forever until it is explicitly deleted.

Conditions:
Inter-chassis mirroring
Chassis w/ multiple blades

Impact:
an inconsistent state between systems can cause persistence entries to never timeout.

This will impact CGNAT records stored in SessionDB such as persistence records and PBA blocks.


479374-2 : Setting appropriate TX driver settings for 40 GB interfaces.

Component: TMOS

Symptoms:
In rare cases, the VIPRION C4800 chassis might experience an inability to establish some connections due to losing packets in one direction while in transit between blades.

Conditions:
VIPRION C4800 chassis.

Impact:
When the problem is due to this issue, one or more 5.x or 6.x interfaces show status as 'up' but the corresponding media as 'none'. Inability to establish some connections. The problem is consistent, depending on source and destination IP and port.


479334-6 : monpd/ltm log errors after Hotfix is applied

Component: Application Visibility and Reporting

Symptoms:
When you apply a hotfix on an already configured and working volume, many errors are logged in the monpd/ltm logs.

Conditions:
Applying a hotfix to a configured and working volume.

Impact:
None, cosmetic benign errors only.

Workaround:
Run the following commands:
1. mysql -p`perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw` AVR < /var/avr/avr_srv_code.sql
2. bigstart restart monpd


479171-1 : TMM might crash when DSACK is enabled

Component: Local Traffic Manager

Symptoms:
TMM might crash when DSACK is enabled

Conditions:
This occurs rarely on a virtual server configured with a TCP profile that has DSACK (Duplicate Selective Acknowledgement) enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use TCP profile with the DSACK feature enabled.


479142-4 : Deleting a virtual server does not delete the resource record (RR) in ZoneRunner Daemon (ZRD)

Component: Global Traffic Manager

Symptoms:
The resource record (RR) in ZoneRunner Daemon (ZRD) is not deleted when the associated Virtual Server is deleted from the Global Traffic Manager (GTM) server object.

Conditions:
Conditions that lead to this issue include a GTM server object with a Virtual Server; a pool with the above virtual server; a wideip using the above pool as resources; and deleting the virtual server from the GTM server object.

Impact:
BIND will contain and return RRs that were intended to be deleted.
The RR is orphaned and could only be deleted manually from ZRD.

Workaround:
To workaround this issue you can delete the GTM server associated with the virtual server to be deleted, but this would delete other associated virtual servers too. Alternatively, you can manually delete the RR in ZRD.


478751-4 : OAM10g form based AuthN is not working for a single/multiple domain.

Component: Access Policy Manager

Symptoms:
OAM10g form based AuthN is not working for a single/multiple domain.

Conditions:
Conditions leading to this issue include double encoding of parameters and race condition on parsing form body.

Impact:
Form based OAM authentication might not work.

Workaround:
This issue has no workaround at this time.


478674-2 : ASM internal parameters for high availability timeout was not handled correctly

Component: Application Security Manager

Symptoms:
The internal parameters bd_hb_interval and bd_hb_interval_low_platforms are not handled correctly and a different value is registered against the high availability (HA) system. This causes the system to have faster than expected failovers. Also, when bypass asm is turned on and a bigstart restart asm was applied, a failover happens.

Conditions:
Two possible conditions:
1. An internal parameter is configured for the timeout to the HA system. When ASM does not send a lifesign to the HA system for 10 seconds (instead of the configured time)
2. bypass asm is internal parameter is applied and a bigstart restart asm happens.

Impact:
A failover happens.

Workaround:
This issue has no workaround at this time.


478617-11 : Don't include maximum TCP options length in calculating MSS on ICMP PMTU.

Component: Local Traffic Manager

Symptoms:
TCP segment size is 40 bytes less.

Conditions:
ICMP implementation using Path MTU (PMTU)

Impact:
The impact of this issue is less data per TCP segment.

Workaround:
Disable Path MTU Discovery by doing the following,

"tmsh modify sys db tm.enforcepathmtu value disable"


478592-2 : When using the SSL forward proxy feature, clients might be presented with expired certificates.

Component: Local Traffic Manager

Symptoms:
When SSL forward proxy feature is enabled, the certificates cached might not expire at the right time resulting in expired certificates being presented to the clients.

Conditions:
When using the SSL forward proxy feature.

Impact:
Incorrect certificates are presented to the clients.

Workaround:
Manually delete the cached certs in: show ltm clientssl-proxy cached-certs.


478439-11 : Unnecessary re-transmission of packets on higher ICMP PMTU.

Component: Local Traffic Manager

Symptoms:
LTM re-transmits TCP segments even when ICMP Path maximum transmission unit (PMTU) is higher than existing MTU.

Conditions:
ICMP PMTU is higher than existing MTU.

Impact:
Burst traffic generated.

Workaround:
Disable Path MTU Discovery by entering the command: tmsh modify sys db tm.enforcepathmtu value disable.


478399-1 : PEM subscriber sessions are created without PEM licensed, if "radiusLB-subscriber-awre" profile is configured.

Component: Policy Enforcement Manager

Symptoms:
If LTM virtual server has the RADIUS profile 'radiusLB-subscriber-awre' configured, the PEM subscriber session will be created, even if the BIG-IP system is not licensed for PEM, which can cause 100% TMM usage due to the overhead of processing RADIUS messages.

Conditions:
The RADIUS profile 'radiusLB-subscriber-awre' is configured on the LTM virtual server for non-PEM configurations.

Impact:
100% TMM usage due to PEM subscriber session being created, even when the BIG-IP system is not licensed for the PEM module.

Workaround:
The workaround is to avoid the misconfiguration by not associating the RADIUS profile 'radiusLB-subscriber-awre' to LTM virtual servers for non-PEM configurations, such as when there is no PEM license for the BIG-IP system.


478333-2 : Edge-Client client shows an error about corrupted config file, when User's profile and temp folders located on different partitions

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Windows client shows an error about corrupted config file, when User's profile and temp folders are located on different partitions

Conditions:
Edge Client for Windows.
User's profile and temp folders are located on different partitions.

Impact:
Configuration will not be saved.


478257-11 : Unnecessary re-transmission of packets on ICMP notifications even when MTU is not changed

Component: Local Traffic Manager

Symptoms:
Re-transmission of fragment needed packets.

Conditions:
Multiple ICMP Destination Unreachable with Fragmentation needed code messages.

Impact:
Burst traffic generated.

Workaround:
Disable Path MTU Discovery by doing the following,

"tmsh modify sys db tm.enforcepathmtu value disable"


478195-1 : Installation of FIPS .exp key files sets incorrect public exponent.

Component: Local Traffic Manager

Symptoms:
Newer FIPS platforms use NGFIPS devices, which seem to be returning the public exponent in little-endian format, when the FIPS exported keys (.exp key files) are imported into FIPS cards. Since F5's code was expecting this in big-endian format, this leads to incorrect public exponent value being written in the key file.

Conditions:
Using FIPS platforms (except the older 8900/6900 FIPS platforms):
1. Put two FIPS platforms in the same FIPS security domain without configuring them in a device group.
2. Create or install a key into FIPS card on box1.
3. Copy the key's FIPS exported key (from /config/ssl/ssl.cavfips/) to box2.
4. Install this FIPS .exp key file on box2 using:
'tmsh install sys crypto key <keyname> from-local-file <.exp file path> security-type fips'

Impact:
If the corresponding certificate was copied from box1 to box2 and then installed on box2, configuring this key/cert on a SSL profile will lead to the error 'key and certificate do not match'.

If the corresponding certificate is newly created on box2 after the key install, then SSL traffic using this key/cert will fail.


477859-2 : ZebOS config load may fail if password begins with numeric character

Component: TMOS

Symptoms:
ZebOS config load might fail if a password begins with a number.

Conditions:
In config file, set a password that begins with a number.
e.g., neighbor 1.2.3.4 password 0abcdefghijkl

Impact:
ZebOS config load fails.

Workaround:
Use a password beginning with an alpha character.


477789-1 : SSL Certificate can accommodate & (ampersand) in the Common Name, Organization Name, Division and SAN.

Component: TMOS

Symptoms:
When an & (ampersand) character is entered for Common Name, Organization Name, Division or SAN in an SSL Certificate, the ampersand is escaped and replaced with an &amp; string.

Conditions:
Create or renew an existing certificate with an ampersand in the Common Name, Organization Name, Division, or SAN.

Impact:
The system escapes the ampersand with an &amp; string. Names such as AT&T that generate certificates that escape the ampersand character do not work as expected.


477742-1 : DTLS message sequence number is off by one

Component: Local Traffic Manager

Symptoms:
The DTLS message sequence number is incorrect.

Conditions:
SSL over UDP (DTLS) is configured.

Impact:
Incompatibility with some SSL clients using OpenSSL versions beginning with version 1.0.1h. The clients work as expected with versions of OpenSSL previous to 1.0.1h. Note: The issue is visible during renegotiation with DTLS only.

Workaround:
Use a version of OpenSSL previous to 1.0.1h.


477432-3 : Roll forward from 11.3.0 with iApp configured fails to load correctly and causes bd to core

Component: Application Security Manager

Symptoms:
ts_debug.log:
-----------
asm|INFO|Aug 14 19:10:41.710|12226|,,MCP Validation error - 010715bd:3: The parent folder is owned by application service (/Common/SharePoint.app/SharePoint), the object ownership cannot be changed to ().
-----------

Conditions:
This occurs after committing the Database changes, but the system then rolls back the UCS files under /ts/var/account. This can occur on a config roll forward from 11.3.0 and earlier to a later version.

Impact:
this causes an inconsistency for the files BD will expect when starting, and lead to BD coring. The BIG-IP system may temporarily fail to process traffic as it recovers from BD restarting.

Workaround:
Disable ASM for iApps before upgrade, and then re-enable.


477394-5 : LTM might reset and cause out-of-ports

Component: Local Traffic Manager

Symptoms:
Passive FTP using FTP range iRule might intermittently cause out-of-ports reset.

Conditions:
This occurs when using passive FTP with an range of FTP ports in an iRule.

Impact:
LTM resets.


477375 : SASP Monitor may core

Component: Local Traffic Manager

Symptoms:
Rarely, the SASP monitor cores.

Conditions:
This occurs when the SASP monitor is configured in push mode.

Impact:
When the monitor cores, a pool member gets marked down, which might lead to an outage. This occurs rarely.


477232-3 : CGNAT translations have a higher chance of port reuse when address persistence is enabled

Component: Carrier-Grade NAT

Symptoms:
When using a LSN pool with persistence mode address, in addition to reusing the same translation address for subsequent connections, the translation port also persists and is reused.

Conditions:
LSN pool with persistence mode address.

Impact:
Poor utilization of available translation ports and very high levels of port reuse. In the case of TCP connections this port reuse can cause servers to reject connections because a previous connection is in the TIME_WAIT state.

Workaround:
None.


477218-3 : Simultaneous stats query and pool configuration change results in process exit on secondary.

Component: TMOS

Symptoms:
Simultaneous stats query and pool configuration change results in process exit on secondary.

Conditions:
Running parallel operations in tmsh/GUI or multiple tmsh operations on pool objects. For example, running 'tmsh show' command while simultaneously updating the monitor on the pool in the GUI.

Impact:
The primary restarts, and the slot goes down, resulting in potential traffic impact. The ltm logs display error messages similar to the following: -- err mcpd[29041]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested pool (/Common/CYBS-P-UBC-43) was not found. -- notice mcpd[8487]: 0107092a:5: Secondary slot 1 disconnected.

Workaround:
Use the absolute name of the pool in the tmsh command: /partition_name/pool_name.


476886-2 : When ICAP cuts off request payload, OneConnect does not drop the connection

Component: Service Provider

Symptoms:
After sending an ICAP preview, BigIP waits for a response from the ICAP server. If BigIP receives the complete ICAP response before it has completed sending the ICAP request (for example, when the response contains an encapsulated 302 redirect), it stops sending the request payload and closes the TCP connection. However when a OneConnect profile (CONNPOOL filter) is on the IVS, the TCP connection to the ICAP server is not terminated.

Conditions:
This occurs when using ICAP and OneConnect profiles on an IVS, when the BIG-IP ICAP client has resumed sending the request body on receiving a 200-OK response after the preview. ICAP server response completes before it has received the entire request body (for example, encapsulated redirect).

Impact:
The ICAP server cannot detect the end of the ICAP request so might get confused.

Workaround:
Do not use OneConnect. As an alternative, if the ICAP server completes its response, it could ignore any further input from the client until it detects another RESPMOD or REQMOD indicating the beginning of a new transaction. ICAP servers are not required to do this, but it would allow connection reuse in the case where the server completes its response before the request is complete.


476736-1 : APM IPv6 Network Access connection may fail in some cases

Component: Access Policy Manager

Symptoms:
When the client provided link local address contains zeros for first 4+ bytes, the IPv6 Network Access connection will fail due to listener bind failure.

Conditions:
When the first 4+ bytes of IPv6 Link Local address are zeros this bug will show up.

Impact:
IPv6 Network Access Tunnels may not succeed.

Workaround:
There is no workaround for this.


476708-3 : ZebOS using BGP ECMP may not correctly update the ECMP paths when one of the paths goes down and comes back up

Component: TMOS

Symptoms:
ZebOS using BGP equal-cost multi-path routing (ECMP) might not correctly update the ECMP paths when one of the paths goes down and comes back up.

Conditions:
This occurs when a downstream ECMP link is disabled such that one of the two equal-cost paths becomes unavailable, and is then enable.

Impact:
ECMP does not function as desired because both available paths are not utilized. This can only be recovered by clearing the BGP connection on the affected ECMP path.

Workaround:
None.


476683 : Suspended DNS_RESPONSE events are not resumed

Component: Local Traffic Manager

Symptoms:
iRules that cause the DNS_RESPONSE event to suspend will not be resumed.

Conditions:
DNS_RESPONSE event with command that causes it to be suspended.

Impact:
DNS_RESPONSE event does not complete execution.

Workaround:
Do not use iRule commands in DNS_RESPONSE event that result in suspension.


476616-2 : Set active fails after accept learning suggestion for illegal metachar Policy with encoding iso-8859-1

Component: Application Security Manager

Symptoms:
The following is reported in the GUI: Could not apply configuration; Set active failed

Conditions:
When a customer's policy is configured for an application language like iso-8859-1 or iso-8859-15, and learning suggestions that stem
from multi byte UTF-8 parameter values (Illegal Meta Character in Value) are accepted, policy changes cannot be applied.

Impact:
Set active fails

Workaround:
Go to Parameters list and for each parameter with override 'Allow' for the metachar 'ÿ' remove the override completely: choose the
override, click on '>>' and click on update, see attached picture.


476599 : TMM may panic when resuming DNS_REQUEST iRule event

Component: Local Traffic Manager

Symptoms:
TMM panic when executing DNS_REQUEST event.

Conditions:
The TMM panics when the following events have occurred: - DNS_RESPONSE event has been suspended. - DNS_REQUEST event is executed.

Impact:
TMM restart.

Workaround:
None.


476476-5 : Occasional inability to cache optimized PDFs and images

Component: WebAccelerator

Symptoms:
Restarting the datastor service can result in some optimized PDFs or optimized images becoming un-cacheable

Conditions:
If WAM has a handle to cached content in datastor which no longer exists because datastor restarted or evicted it, and if this content is an image or PDF which WAM optimized, and if two requests for such content arrive on the same TCP connection, the second can get incorrectly cached such that it can not be served or replaced until tmm is restarted.

Impact:
Certain URLs become uncacheable, thus reducing effectiveness of WAM.

Workaround:
Disable client keep-alive in the HTTP profile (change Maximum Requests in the HTTP profile from 0 to 1)
or disable PDF linearization and image optimization.

A partial workaround is to use wa_clear_cache instead of restarting datastor to clear the cache. Content which datastor evicts might still suffer (but this is unlikely).


476281-2 : tmm crash on uninitialized variable

Component: Local Traffic Manager

Symptoms:
tmm occasionally crashes when server_key and client_key variables are not initialized before being used.

Conditions:
This occurs when using an FTP virtual server.

Impact:
Traffic disrupted while tmm restarts.


476144-2 : TMM generates a core file when dynamically loading a shared library.

Component: Performance

Symptoms:
When attempting to dynamically link a shared library, TMM cores.

Conditions:
Dynamically loading more than a certain number of shared libraries will result in a tmm core.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.


476038-4 : Mac Edge Client crashes on OS X 10.7 if a user adds new server using its IP address rather than DNS name

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Mac crashes on OS X 10.7 if a user adds a new server using its IP address rather than its DNS name.

Conditions:
Create an APM virtual server IP address using the Edge Client for Mac

Impact:
Edge Client crashes

Workaround:
Use DNS name rather than IP address when adding a new server.


476032-3 : BIG-IP Edge Client may hang for sometime when disconnecting from Firepass server

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client hangs in "Disconnecting" state for some time if the backend server is FirePass.

Conditions:
FirePass server as backend

Impact:
User has to wait


475829-2 : AWS - VE is locked out after live install on 2nd slot.

Component: TMOS

Symptoms:
SSH access might be blocked on VE (launched in AWS) after live install on 2nd slot is performed and VE is booted to 2nd slot.

Conditions:
VE running in AWS
Live install performed on 2nd slot and VE is booted to it.

Impact:
SSH access to the box might be lost.
It's effectively locked out since there is no console access to this VM.


475819-2 : BD crash when trying to report attack signatures

Component: Application Security Manager

Symptoms:
The Enforcer rarely crashes when logging attack signatures.

Conditions:
A rare issue that happens suddenly when reporting attack signatures to the logs.

Impact:
Traffic resets, failover.

Workaround:
This issue has no workaround at this time.


475791-2 : Ramcache profile may dispatch internal messages out-of-order leading to assert

Component: Local Traffic Manager

Symptoms:
Ramcache profile might dispatch internal messages out-of-order, leading to assert.

Conditions:
Assert may occur when the following conditions are met:
 - Virtual server uses ramcache profile.
 - Virtual server has mirroring enabled.
 - Device is in standby mode.
 - Active unit is unable to fulfill incoming HTTP request (ramcache entry is invalid / no pool members).
 - Standby unit is able to fulfill mirrored request (ramcache entry is valid).

Impact:
Due to this rarely occurring race condition, a tmm_panic occurs ('valid pcb') when a connection is being closed and the ramcache feature is able fulfill an incoming request. Standby unit becomes temporarily unavailable.

Workaround:
Do not use ramcache profile and connection mirroring feature together.


475735-1 : Failed to load config after removing peer from sync-only group

Component: Access Policy Manager

Symptoms:
Load sys config fails.

Conditions:
Loading config after removing peer from sync-only device group.

Impact:
Failed to load config.

Workaround:
Remove peer device from the sync-only device group on which policy sync has been performed previously.


475677-1 : Connections may hang until timeout if a LTM policy action failed

Component: Local Traffic Manager

Symptoms:
When an LTM policy action that takes place during an HTTP request or response fails (which is very rare), the affected connection hangs until a timeout occurs.

Conditions:
This issue occurs when you attach an LTM policy to a virtual with a rule that has an action that fails. Now send a request that matches that rule. The command 'tmsh show ltm policy' will show the action failed, but the connection 'hangs' until timeout.

Impact:
When an LTM policy action fails, affected connections hang until they time out.

Workaround:
This issue has no workaround at this time.


475505-5 : Windows Phone 8.1 built-in browser is not properly detected by BIG-IP system.

Component: Access Policy Manager

Symptoms:
Windows Phone 8.1 built-in browser is not properly detected by the BIG-IP system.

Conditions:
Windows Phone 8.1 built-in browser.

Impact:
Built-in browser is not properly detected.


475460-3 : tmm can crash if a client-ssl profile is in use without a CRL

Component: Local Traffic Manager

Symptoms:
TMM can crash if a client-ssl profile is in use without a certificate revocation list (CRL) configured.

Conditions:
A client-ssl profile is in use without a configured CRL, and the customer has an Engineering Hotfix installed that includes the fix for ID384451.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.


475363-4 : Empty or invalid configuration, or during exception in NTLM, handling might not work as expected.

Component: Access Policy Manager

Symptoms:
When the system encounters an empty or invalid configuration, or during exception in NTLM, handling might not work as expected.

Conditions:
Empty DC list configured in the NTLM configuration.

Impact:
NTLM authentication won't work correctly.

Workaround:
Fix the configuration - make sure that DC list is not empty.


475322-1 : cur_conns number different in tmstat and snmp output.

Component: Local Traffic Manager

Symptoms:
The current connections (cur_conns) number different in tmstat and snmp output.

Conditions:
This problem occurs when MPTCP is used.

Impact:
Incorrect cur_conns counting when using MPTCP.

Workaround:
None.


475125-1 : Use of HTTP::retry may cause TMM crash

Component: Local Traffic Manager

Symptoms:
Use of HTTP::retry may cause TMM to crash in certain scenarios.

Conditions:
Use of HTTP::retry may cause TMM to crash in certain scenarios.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.


475049-5 : Missing validation of disallowing empty DC configuration list

Component: Access Policy Manager

Symptoms:
NTLM authentication feature requires at least one Domain Controller to be specified in the NTLM Auth Configuration Domain Controller FQDN list. This is as designed to prevent unwanted load on the server because NTLM authentication is performed on a per connection basis. There is no DC autodiscovery mechanism implemented for NTLM authentication, by design. To effect the feature, we need the administrator to specify particular servers. Having this list empty caused an unexpected behavior, in which authentication is not performed and yet is considered a success.

The configuration of the Domain Controller for an NTLM authentication configuration is different from the configuration of the Domain Controller for an NTLM machine account. For the NTLM machine account, the BIG-IP system can automatically discover one of the available DCs using DNS method or the administrator can specify a DC.

We are asking administrators to specify at least one Domain Controller for NTLM Auth configurations in the Domain Controller FQDN list.

Conditions:
Domain Controller configuration is allowed to be empty which is both incorrect and unsupported.

Impact:
misbehave with incorrect and unsupported configuration, and causes no authentication is being performed.


474974-1 : Fix ssl_profile nref counter problem.

Component: Local Traffic Manager

Symptoms:
ssl_profile memory leak.

Conditions:
This occurs after several iterations of the following steps:
(1) Create ssl_profiles
(2) Use ssl_profiles to complete a number of handshake operations.
(3) Delete ssl_profiles.

Impact:
ssl_profile memory leak.

Workaround:
None.


474779-7 : EAM process fails to register channel threads (MPI channel) with TMM, and subsequent system call fails.

Component: Access Policy Manager

Symptoms:
On EAM process initialization, the plugin is unable to register a thread (MPI channel) with TMM on rare occasions. A subsequent system call to end the process fails.

Conditions:
Unknown.

Impact:
EAM plugin is up but the access gates are not initialized correctly.

Workaround:
Establish connection to OAM server.
bigstart stop eam
Clear config.cache from each accessgates by deleting /config/aaa/oam/<partition_name>/<aaa_oam_obj_name>/<accessgate_name>/config.cache using commandline.
bigstart restart eam


474771 : bigtop global statistics not including pva statistics for BIG-IP row

Component: Local Traffic Manager

Symptoms:
BIG-IP system row under-reports the statistics values.

Conditions:
BIG-IP system with PVA mode full is used.

Impact:
bigtop statistics report the wrong values for the BIG-IP system throughput columns.


474698-1 : BIG-IP as IdP can send incorrect 'Issuer' element for some SLO requests under certain conditions.

Component: Access Policy Manager

Symptoms:
When client initiates Single Logout (SLO) on the BIG-IP system as IdP which is associated with multiple SP connectors, IdP will send SLO request message to each SP to which user has connected within this session.

If user has connected to multiple SP (bound to different IdP) within the same session, the SLO messages f is sent with 'Issuer'element referencing the name of the last IdP service user has accessed.

Conditions:
This issue occurs when:
1.BIG-IP is configured as IdP.
2.BIG-IP has more then one IdP configuration object.
3.IdP objects are assigned as resources to the same Access Policy.
4.Each IdP configuration is bound to at least one SP-connector.
5.Client initiated SLO on IdP.

Impact:
Impact is based on recipient of the message. Recipient (SP) may reject the SLO request, or process it successfully based on implementation.

Workaround:
Disable SLO on BIG-IP.


474584-4 : igbvf driver leaks xfrags when partial jumbo frame received

Component: Local Traffic Manager

Symptoms:
On platforms utilizing the igbvf driver, xfrags can be leaked if a partial jumbo frame is received.

Conditions:
On platforms utilizing the igbvf driver, xfrags can be leaked if a partial jumbo frame is received.

Impact:
TMM memory usage increases over time and eventually TMM crashes due to lack of memory.

Workaround:
None.


474231-3 : RAM cache evictions spikes with change of access policy which may lead to slow webtop rendering

Component: Access Policy Manager

Symptoms:
When there is a high load on the system and a user changes an access policy, it can lead to slow rendering of the webtop or the access page.

Conditions:
This issue occurs when there is a high load with change of access policy around that time.

Impact:
The impact of this issue is slow webtop/access page rendering.

Workaround:
This issue has no workaround at this time.


474226 : LB_FAILED may not be triggered if persistence member is down

Component: Local Traffic Manager

Symptoms:
LB_FAILED may not be triggered if persistence member is down.

Conditions:
This occurs when the following conditions exist: - Incoming connection has cookie matching persistence entry. - Persisted pool member has been marked down. - No other pool members are available.

Impact:
Cannot utilize LB::reselect command.

Workaround:
None.


474069-2 : ICAP can assert "valid node" on resumption after long-running iRule

Component: Service Provider

Symptoms:
If the IVS connection is closed while ICAP is processing an iRule that completes asynchronously, and if on resumption of procesing the ICAP response an abort occurs, the closing is still processed after the abort, resulting in an assertion "valid node" and a TMM crash.

Conditions:
Long-running iRule on an ICAP event.
IVS connection is closed during iRule processing.
ICAP server response causes abort (such as protocol error).

Impact:
TMM crash

Workaround:
If possible, avoid commands that could complete asynchronously (like session table) in ICAP iRule events.


474058-4 : When the BIG-IP system is configured as Service Provider, APD may restart under certain conditions

Component: Access Policy Manager

Symptoms:
When the BIG-IP system is configured as Service Provider, APD may restart under certain conditions.

Conditions:
This issue occurs when the BIG-IP system is configured as a SAML Service Provider and BIG-IP receives a signed assertion that contains empty "Reference URI" in Signature element.

Impact:
The impact of this issue is that APD restarts.

Workaround:
This issue has no workaround at this time.


474002-2 : Server SSL profile unable to complete SSL handshake when server selects DHE-based key exchange, and is configured with 2048-bit or larger DH keys

Component: Local Traffic Manager

Symptoms:
If a BIG-IP virtual server is configured with a Server SSL profile, and a pool member or server selects a DHE-based ciphersuite (e.g. DHE-RSA-AES128-SHA), the BIG-IP system might not successfully complete an SSL handshake with the server.

Conditions:
This occurs when the following conditions exist: - HTTPS Pool member or server. - Virtual server with Server SSL profile. - Server is configured with 2048-bit or larger Diffie-Hellman keys.

Impact:
Traffic to affected pool members fails, although the pool members are marked up by HTTPS monitors.

Workaround:
Either disable the use of ephemeral Diffie-Hellman (DHE) key exchange on the backend servers, select a smaller set of DH parameters on the backend servers, or disable DHE ciphersuites in affected virtual servers' Server SSL profiles.


473759 : Unrecognized DNS records can cause mcpd to core during a DNS cache query

Component: Local Traffic Manager

Symptoms:
mcpd cores during a DNS cache record query if a DNS record with an unknown type is in the cache. mcpd attempts to translate the record's type into a text string, but ends up with a NULL pointer instead.

Conditions:
A DNS record with a type unknown by mcpd must exist in the DNS cache during the query.

Impact:
mcpd cores, causing either a failover (if there is a standby unit) or an outage while mcpd restarts (if there is no standby unit).


473577-3 : Changes not synced or received by GTMd for GTM Wide IP Alias Items

Component: Global Traffic Manager

Symptoms:
Gtmd does not receive and process updates about new GTM Wide IP Alias and topology items.

Conditions:
After creating a GTM Wide IP Alias/topology item, any subsequent changes to Wide IP Alias/topology only will not be received by the gtmd daemon, and thus will not be synchronized to other GTM devices in the sync group.

Impact:
Gtmd does not receive updated information about changes to Wide IP Alias/topology configuration items.

Workaround:
Make changes other than Wide IP alias or topology changes after making Wide IP Alias/topology changes, i.e., update Description of a Wide IP, or update any property of a server object.


473488-4 : In AD Query agent, resolving of nested groups may cause apd to spin

Component: Access Policy Manager

Symptoms:
Access policy daemon (apd) consumes approximately 100% CPU and puts a heavy load on the network sometimes when resolving nested groups in AD Query. The AD Group Cache updates in a loop.

Conditions:
This issue occurs when the user belongs to a parent domain, and is a member of a group that belongs to a sub-domain.

For example, user belongs to parent.com,
group belongs to child.parent.com;
the user is a member of the group. The
"fetch nested groups" option is enabled for AD Query.

Impact:
The impact of this issue is that the user will be unable to resolve nested groups and unable to finish AD Query.

Workaround:
There is no workaround at this time.


473485-2 : Fixed a few issues in HTTP Auth module

Component: Performance

Symptoms:
1. possible buffer overflow when session var CookieClientData is >8K
2. inappropriate use of mc_get_session_var in agent that may cause apd crash
3. per-request memory leak of cookies struct

Conditions:
1. session variable CookieClientData is > 8K
2. apd may crash unexpectedly when HTTP Auth agent cannot get session variable
3. When HTTP Auth agent is configured for an Access Policy apd might leak memory per-request

Impact:
apd might crash
apd might leak memory per-request


473344-4 : Kerberos Request-Based Auth (RBA) failure when session is initially created on a different VIP.

Component: Access Policy Manager

Symptoms:
Kerberos Request-Based Auth (RBA) failure when session is initially created on a different VIP.

Conditions:
APM access policy is configured with Kerberos authentication and the attempted authentication session was was initially created on a different VIP.

Impact:
Error occurs with no error message. The system should post an error message similar to the following: (Failure VIP Name): Kerberos Request-Based Auth failed because session was initially created on a different VIP (Original VIP Name). Please either disable RBA on the originating access profile, or remove the domain cookie.

Workaround:
Either disable RBA on the originating access profile, or remove the domain cookie.


473255-1 : Javascript sibmit() method could be rewritten incorrectly inside of 'with' statement.

Component: Access Policy Manager

Symptoms:
Portal Access could incorrectly rewrite Javascript submit() method if it's called in scope of 'with' statement and without object.

Impact:
Form cannot be submitted from script on page.

Workaround:
Create an iRule which adds explicit object reference to submit() call.


473200 : Renaming a virtual server causes unexpected configuration load failure

Component: TMOS

Symptoms:
Manually renaming a virtual server causes unexpected configuration load failure.

Conditions:
This occurs when all the following conditions are met:

-- The BIG-IP system configuration containing a virtual server that was renamed by editing bigip.conf manually
-- The virtual server has an empty pool, or has a pool with pool members and a monitor.

Impact:
Cannot reload configuration. The system posts the following error:
01020056:3: Error computing object status for virtual_server broken (old_virtual_server_name). Unexpected Error: Loading configuration process failed.

Workaround:
Note: Traffic may be temporarily disrupted while the updated configuration loads.

Perform any one of the following:
-- Remove the pool assignment from the virtual before renaming.
-- Ensure the pool contains members before renaming. If the pool has a monitor, temporarily remove the monitor and add it back after renaming.

To load the updated configuration, after renaming, issue 'bigstart restart'.


473139-4 : IMAP monitor works for LTM fails for BIG-IP DNS

Component: Global Traffic Manager

Symptoms:
BIG-IP DNS marks down a virtual server configured with an IMAP monitor even though IMAP is working

Conditions:
Configure IMAP monitor for BIG-IP DNS virtual server. Note: IMAP monitor works for LTM. Failure occurs only on GTM.

Impact:
Login is not attempted by BIG-IP DNS monitor, so the system is unable to determine IMAP server status.

Workaround:
None.


473129-4 : httpd_apm access_log remains empty after log rotation

Component: Access Policy Manager

Symptoms:
The /var/log/httpd/access_log file remains empty after log rotation.

Conditions:
At least one log rotation which happens at 4:00am every day of the box time

Impact:
access_log are missing

Workaround:
"bigstart restart httpd_apm" must be part of the cronjob every day [around 4:30am] after log rotation.


473088-5 : Virtual server with RequestAdapt/ResponseAdapt profiles along with a OneConnect profile

Component: TMOS

Symptoms:
The BIG-IP system does not allow you to configure a virtual server with RequestAdapt/ResponseAdapt profiles along with a OneConnect profile. If you attach a ClientSSL profile, however, the configuration is allowed, which is incorrect behavior.

Conditions:
Create a virtual server, add tcp, request-adapt, and one-connect profiles along with ClientSSL.

Impact:
This unsupported configuration might have many unknown side effects in TMM.

Workaround:
Do not configure a virtual server with one-connect and requestadapt or responseadapt profiles.


472944 : SMTPS race condition after STARTTLS may cause incorrect SMTP responses

Component: Local Traffic Manager

Symptoms:
After STARTTLS handshake, SMTP communication fails due to one of the following reasons:
  - BIG-IP system responses to SMTP client are not synchronized (that is, the responses do not match the requested commands).
  - SMTPS profile activation mode is 'require' and the BIG-IP system responds with '530 Must issue a STARTTLS command first.

Conditions:
This occurs when the following conditions are met: -- A virtual server configured with an SMTPS profile. -- After the STARTTLS handshake on the client side and the BIG-IP system has sent an RSET command to SMTP server, the BIG-IP system receives a command (such as HELO or EHLO) from an SMTP client before the BIG-IP system receives the RSET response from SMTP server.

Impact:
SMTP communication using the SMTPS profile might not succeed. intermittently or consistently.


472831-3 : FIPS-enabled DNSSEC can cause TMM core

Component: Local Traffic Manager

Symptoms:
Creating Cavium-FIPS-enabled DNSSEC zone and keys causes TMM core.

Conditions:
FIPS DNSSEC zone and key creation on a FIPS-platform.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


472571-3 : Memory leak with multiple client SSL profiles.

Component: Local Traffic Manager

Symptoms:
If multiple client SSL profiles are attached to a virtual server, memory will leak each time any profile is changed.

Conditions:
Multiple client SSL profiles are attached to a virtual server.

Impact:
Memory will leak a small amount of memory.

Workaround:
None.


472565 : Gx session "Created" and "Terminated" counters are increased on subscriber discovery when Gx is disabled

Component: Policy Enforcement Manager

Symptoms:
Gx sessions are created and terminated on subscriber discovery if Gx is disabled. This results in a corresponding increase in the Gx session "Created" and "Terminated" counters.

Conditions:
Occurs on subscriber discovery when Gx is disabled.

Impact:
Results in an incorrect increase in Gx session "Created" and "Terminated" counters.


472446-8 : Customization group template file might cause mcpd to restart

Component: Access Policy Manager

Symptoms:
A config sync or tmsh transaction might fail and make mcpd restart if the config sync or tmsh transaction includes a misconfigured object and simultaneously includes a customization group template file.

If strict updates are enabled on iApp and Adv Customization is performed that MCPd could crash tpp.

Conditions:
The config sync or tmsh transaction includes a misconfigured object and includes a customization group template file.

Impact:
The config sync or tmsh transaction fails, and mcpd exits. Note: Avoid configurations that put customization group template file objects through a config sync or tmsh transaction, when that transaction might contain an object configured with an invalid value. This results in a configuration error.
Here is one example of the types of messages that may be displayed when this occurs:

-- info mcpd[12395]: 01071528:6: Device group '/Common/f5omb' sync inconsistent, Incremental config sync may not be complete on one or more devices in this devicegroup, Sync status may not be consistent until incremental config sync is complete.
-- err mcpd[12395]: 01070734:3: Configuration error: Cannot apply template as cache path for (customization template file logon.inc customization group /Common/ap_deptSharePt_act_logon_page_ag) cannot be empty.
-- err mcpd[12395]: 01070596:3: An unexpected failure has occurred, - apm/validation/APMCustomizationFileObject.cpp, line 1825, exiting...
-- info sod[5467]: 010c0009:6: Lost connection to mcpd - reestablishing.
-- err zxfrd[12033]: 0153e0f7:3: Lost connection to mcpd.

Workaround:
None.


472365-2 : The vCMP worker-lite system occasionally stops due to timeouts

Component: TMOS

Symptoms:
The VCMP host side of the worker-lite system has a shorter timeout that the VCMP guest side. This can cause a worker-lite VCMP host to silently stop processing worker-lite requests for a VCMP guest.

Conditions:
This issue affects worker-lite based VCMP hosts running any version of VCMP guests that are processing SSL and compression traffic.

Impact:
SSL and compression traffic does not pass through VCMP guests running on an affected VCMP host. The system posts error messages in /var/log/ltm, similar to the following: Device error: crypto codec 'device-name' queue is stuck.

Workaround:
To resume processing of SSL and compression traffic in a VCMP guest, restart the guest tmm by issuing a 'bigstart restart tmm' from within the guest. Restarting a VCMP guest by setting its state from 'deployed' to 'provisioned' and then back to 'deployed' also resumes processing of SSL and compression traffic.


472256-5 : tmsh and tmctl report unusually high counter values

Component: Access Policy Manager

Symptoms:
When running the command 'tmctl profile_access_stat', the values displayed for sessions_eval_cur, sessions_active_cur, and/or sessions_estab_cur mignt be unusually high.

Conditions:
The issue might appear if the following events happen, in sequence:
1. Some sessions have been established.
2. On a chassis system, a blade restarts. On an appliance system, tmm restarts on the active system, which triggers failover.
3. Some of the existing sessions log out after the chassis or appliance is back online.

Impact:
The profile access stat might report inaccurate readings. The system returns results similar to the following: -- sessions_active_cur 18446744073709551615. -- sessions_eval_cur 18446744073709551615.

Workaround:
None.


472202-1 : Potential false positive report of DMA RX lockup failure

Component: TMOS

Symptoms:
Due to mixed traffic in the same ring, heartbeat message might not be received in time and therefore system report DMA RX lockup after a period of time.

Conditions:
Mixed traffic stressing into DMA ring 0 and have impacts to heartbeat healthy messages.

Impact:
TMM restart and report HSB DMA RX lockup

Workaround:
None.


472157-2 : Large file uploads abort for SPDY/3 and SPDY/3.1

Component: Local Traffic Manager

Symptoms:
When uploading large file using SPDY/3 or SPDY/3.1, the browser aborts the connection.

Conditions:
The browser uploads a file larger than 16 KB while using a SPDY/3 or SPDY/3.1 connection.

Impact:
The browser will stall the upload, because it doesn't receive a correct WINDOW_UPDATE from the BIGIP. The browser will appear to be stuck.

This affects all browsers that support the mentioned protocols.


472148-6 : Highly fragmented SSL records can result in bad record errors on Nitrox based systems

Component: Local Traffic Manager

Symptoms:
If a highly fragmented SSL record is decrypted by a system with a Cavium Nitrox card, the system will incorrectly respond with a bad SSL record error.

Conditions:
Highly fragmented SSL records and a system with a Cavium Nitrox card.

Impact:
Lost SSL connections.

Workaround:
This issue has no workaround at this time.


472125 : IP Intelligence report data is not roll-forwarded between installations as it should

Component: Advanced Firewall Manager

Symptoms:
Upgrade process does not apply on AVR-DWBL tables, and thus will show no data after the upgrade.

Conditions:
Upgrading from 11.5.0 / 11.5.1 / 11.5.4

Impact:
AVR statistics for DWBL will lose their data.


472092-2 : ICAP loses payload at start of request in response to long execution time of iRule

Component: Service Provider

Symptoms:
A long-running iRule in ICAP_REQUEST can cause the loss of payload while the iRule is running, resulting in the beginning of the payload being omitted in the request to the ICAP server. (Note that headers are unaffected.)

Conditions:
This issue occurs when the following conditions are met: -- request-adapt or response-adapt is used. -- IVS with ICAP. -- iRule on ICAP_REQUEST event that takes a long time to execute.

Impact:
ICAP request to ICAP server can lose the beginning of the payload.

Workaround:
When possible, keep iRule duration short by minimizing processing in ICAP_REQUEST and avoiding unnecessary processing, or move the processing elsewhere.


472062-1 : Unmangled requests when form.submit with arguments is called in the page

Component: Access Policy Manager

Symptoms:
Expressions like form.submit(something) are not being rewritten by Portal Access.
This may cause direct URL or unmangled paths in request. Such request will fail and application could stop working.

Impact:
Web Application could send unmangled requests and stop working.

Workaround:
iRule workaround is possible, but it will be unique for each web application.


471901-1 : Log publishers with failed HSL destinations continue to accept and deliver logs.

Component: TMOS

Symptoms:
Log publishers with failed HSL destinations continue to accept and deliver logs to other destinations.

Conditions:
Log publishers normally only accept logs if all associated destinations report being up. On systems with this bug, as long as an HSL destination can be configured and initialized (i.e. as long as there is a route to the destination), it is believed to be "up" even if actual connections cannot be established.

Impact:
Customers may falsely believe either that publishers are /supposed/ to ignore failures, or that failed destinations are actually working.

Workaround:
Upgrade. There is no work-around for this problem without picking up new code.


471874-3 : VDI plugin crashes when trying to respond to client after client has disconnected

Component: Access Policy Manager

Symptoms:
VDI plugin crashes when trying to respond to client after client has disconnected.

Conditions:
Client has disconnected, VDI plugin tries to send response to the client.

Impact:
VDI plugin crash.


471821-3 : Compression.strategy "SIZE" is not working

Component: Local Traffic Manager

Symptoms:
The Compression strategy Size is not working as expected. Instead of performing compression in the software, the system use the hardware compression provider to compress HTTP server responses.

Conditions:
1. Compression.strategy "SIZE"
2. Create a http vs with http compress profile

Impact:
Compression data is done in hardware rather than software.

Workaround:
Set compression.providerbusy to 0


471644-2 : BIG-IP system total throughput stats two times higher than expected stats

Component: Local Traffic Manager

Symptoms:
BIG-IP total throughput stats are two times higher than expected throughput stats. 'Total bits/sec' is the sum of interface bits in and interface bits out, which might result in unexpected stats.

Conditions:
This occurs on 11.4.1, 11.5.0, and 11.5.1.

Impact:
Stats do not match what is expected.

Workaround:
None.


471625-2 : After deleting external data-group, importing a new or editing existing external data-group does not propagate to TMM

Component: Local Traffic Manager

Symptoms:
After deleting external data-group, importing a new or existing external data-group does not propagate to TMM.

Although the import/modify individually seem to work as expected with no errors displayed in the web interface, the ltm log shows 'update queued', but does not show 'update finished' for the imported/modified datagroup.

tmctl ext_class_stat command shows that the deleted data-groups are still in the TMM and existing data-groups stay the same and do not reflect the modification that are made to them via GUI.

Conditions:
The issue occurs when working in an administrative partition other than Common.

Impact:
iRules associated with the data-groups do not behave as expected if data-group is deleted and afterwards when data-group modifications are made.

Workaround:
There are two options for workarounds: 1. Use short names for the data-group files. It is the long names that are problematic. This is the recommended workaround. 2. Reboot. This causes the mcpd to re-load the data-groups and corrects the situation.


471421-3 : Ram cache evictions spikes with change of access policy leading to slow webtop rendering

Component: Access Policy Manager

Symptoms:
When there is a high load on the system and a user changes an access policy, it can lead to slow rendering of the webtop or the access page.

Conditions:
High load with change of access policy around that time.

Impact:
Slow webtop/access page rendering.


471292-1 : Deterministic NAT: incorrect mapping on platforms with PDE trunk size greater than 1

Component: Carrier-Grade NAT

Symptoms:
The deterministic NAT (DNAT) utility (dnatutil) might report incorrect reverse mappings for platforms with PDE trunk size greater than 1, due to PDE trunk size value incorrectly logged in the DNAT state information.

Conditions:
Using LSN pool with DNAT mode, and using dnatutil for reverse mapping.

Impact:
Reverse map could provide incorrect results.

Workaround:
Use the --flags attribute to manually provide the daglib flag attribute, which can include the PDE trunk size value.


471288-3 : TMM might crash with session-related commands in iRules.

Component: Local Traffic Manager

Symptoms:
TMM might crash with session-related commands in iRules.

Conditions:
This occurs when the following conditions are met:
1) session/table command.
2) client_closed/server_closed iRule.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid using client_closed and sever_closed iRules at same time, in a virtual server using session/table command in iRule.


471117-1 : iframe with JavaScript in 'src' attribute not handled correctly in IE11

Component: Access Policy Manager

Symptoms:
If an HTML page contains an iframe with JavaScript code in the src attribute, some web applications might not work correctly through portal access in Internet Explorer 11.

Conditions:
Conditions leading to this issue include Internet Explorer 11 and iframe with JavaScript in the src attribute: <iframe src="javascript: some code...">

Impact:
Some Web applications may work incorrectly.

Workaround:
This issue has no workaround at this time.


471042-4 : Datastor High Velocity Traffic Pattern Changes

Component: TMOS

Symptoms:
During periods of high velocity in the traffic pattern, datastor will seem to stop caching new objects.

Conditions:
A traffic pattern that requires that a given percentage of the working set be displaced in order to move the cache content towards the new working set.

Impact:
For web sites that have a fairly static working set, this will reduce the efficacy of their caching by a percentage relative to the write reserve.

Workaround:
None.


470788-5 : Creating static ARP entry with unreachable IP address causes BIG-IP to be unreachable after reboot

Component: TMOS

Symptoms:
Saved configuration may not load if static ARP entries are configured that do not match a self IP subnet.

Conditions:
Saved config with static ARP whose IP falls outside of any self IP subnet.

Impact:
The impact of this issue is that the config fails to load.

Workaround:
To work around this issue remove the static ARP entry from saved config by manually editing config file.


470214-3 : Missing APM (or other module) sessions

Component: TMOS

Symptoms:
In some high availability (HA) configurations, the system experiences data loss in the SessionDB.

Conditions:
This occurs when the following conditions are met: -- Active HA mirroring configured. -- Failover occurs. -- Failover on secondary causes fail-back to original system.

Impact:
Missing APM (or other module) sessions.


470205-3 : /config/.../policy_sync_d Directory Is 100% Full

Component: Access Policy Manager

Symptoms:
After a policy sync operation, the Policy Sync history file objects remain within the /config/.../policy_sync_d directory.

Conditions:
This issue is further exacerbated when customization an/or sandbox (hosted content) files are associated with the profiles being synced.

Impact:
Over time the saved number and size of the Policy Sync history files can grow to fill all available space.

Workaround:
The psync-history objects and related data files can be manually deleted by running the following commands from within tmsh context:
`cd /Common/PolicySyncHistory`
`delete apm policy psync-history all`
`save sys config partitions all`

Please note that the above steps will remove all psync-history and related file objects from your local device. Which means, you will no longer have entries within the history tab of your Policy Sync page of the Admin GUI.


470191 : Virtual with FastL4 with loose initiation and close enabled might result in TMM core

Component: Local Traffic Manager

Symptoms:
Virtual with FastL4, loose initiation and loose close enabled might result in TMM core.

Conditions:
The problem can occur when the following conditions are met:
 - Virtual server with FastL4 profile.
 - FastL4 profile has loose initiation and loose close enabled.
 - TCP FIN is received that is not associated with an existing connection.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not enable loose initiation and loose close on FastL4 profile


470175-1 : DNAT utility (dnatutil) does not support rfc5424 structured log format

Component: Carrier-Grade NAT

Symptoms:
DNAT utility (dnatutil) unable to handle syslog with structured data.

Conditions:
Deterministic NAT LSN pool with "Syslog" log publisher, where the syslog log entry contains structured data.

Impact:
dnatutil reverse map using rfc5424 syslog with structured data content.

Workaround:
Use default log format of "BSD format", or configure syslog daemon to only output raw syslog content.


469986 : Drive mapping paths lose backslash when entered using the GUI

Component: Access Policy Manager

Symptoms:
In Network Access -> Drive Mappings, if you enter a path such as \\host\path using the GUI, it will be saved as \hostpath instead.

Conditions:
This bug only exists in the 11.5.0-HF

Impact:
Changes the path name.

Workaround:
The path can be entered correctly via tmsh.


469824-6 : Mac Edge client on Mac mini receives settings for iOS Edge Client

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Mac on Mac mini receives settings for iOS Edge Client. Edge Client behavior might be different than expected if Mac Edge Client settings are different from iOS Edge Client settings.

Conditions:
Mac mini, iOS Edge and Mac Edge Client setting in connectivity profile on BIG-IP.

Impact:
Different than expected behavior of Edge Client for Mac.


469702 : Steering should be allowed with performace Layer 4 and classification disabled.

Component: Policy Enforcement Manager

Symptoms:
When fastL4 is enabled and classification is disabled, we should be able to still forward the traffice.

Conditions:
FastL4 profile and classification is disabled. configure Forwarding action.

Impact:
Forwarding is not done.


469519-2 : tmm assert "l4hdr set"

Component: Policy Enforcement Manager

Symptoms:
The TMM may assert when processing packet fragments that do not contain an L4 header while using a FastL4 profile.

Conditions:
FastL4 profile enabled
IP fragment reassembly not enabled in the profile

Impact:
The TMM crashes and restarts.

Workaround:
Enable "Reassemble IP Fragments" in the FastL4 profile.


469361-1 : Unexpected tmm restart, no core - beta tmm version

Component: Local Traffic Manager

Symptoms:
The TMM unexpectedly restarted without generating a core.

Conditions:
When the connection between the MCPD and TMM is lost the TMM will restart.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not configure MPTCP.


469296-1 : MCPD config validation error resulting in error: requested integer (0) is invalid

Component: TMOS

Symptoms:
MCPD config validation error might occur, resulting in an error such as:

01070911:3: The requested integer (0) is invalid for egress_high in profile_mblb

This is not an indication of a configuration issue with an MBLB profile.

This issue can occur when loading the configuration, or performing a ConfigSync, or during the initial configuration load of mcpd on a secondary blade in a VIPRION chassis.

Conditions:
This occurs under unknown and rare conditions. The BIG-IP configuration does not need to reference MBLB profiles for this issue to occur.

Impact:
Config sync fails, or MCPD restarts, and the system logs the message 'requested integer (0) is invalid'.

Workaround:
This issue can be mitigated by forcing the mcpd process to reload the configuration as detailed in https://support.f5.com/kb/en-us/solutions/public/13000/000/sol13030.html.


469139-3 : Fix for ID 429124 working but GUI statistics showing PVA connections not PVA'd

Component: Local Traffic Manager

Symptoms:
Virtual server stats detail page displays 0 values for current PVA assist, PVA max and PVA total assist. The stats for these values are being pulled from the pva struct but the counter are actually updated on the VS stat table.

Conditions:
supported pva platform

Impact:
Virtual server stats detail for PVA acceleration display zero values.


469115-1 : Management client-ssl profile does not support multiple key/cert pair.

Component: Local Traffic Manager

Symptoms:
Management SSL client-ssl profile does not support multiple key/cert pair.

Conditions:
Management client-ssl profile.

Impact:
It supports only one key/cert pair which is stored in profile key/cert/chain/passphrase. cert-key-chain in client-ssl profile is not a valid selection. Selecting cert/key pair from cert-key-chain could cause problem.


469071-1 : TMM segfault in mpctp_switch_conns

Component: Local Traffic Manager

Symptoms:
TMM segfault in mpctp_switch_conns

Conditions:
This can occur is mptcp is configured and there is an invalid tcp session.

Impact:
tmm restarts

Workaround:
Do not configure mptcp in the tcp profile.


469033-2 : Large big3d memory footprint.

Component: Global Traffic Manager

Symptoms:
The big3d process might take up a large amount of memory.

Conditions:
Using GTM in various configurations.

Impact:
Large big3d memory footprint. This is a configuration- and usage-dependent issue.

Workaround:
None.


468908-2 : Session timeout settings doesn't work properly

Component: Access Policy Manager

Symptoms:
Disabling "Session timeout" option in Resource item properties has no effect on appearing of popup dialog about user log out.

Conditions:
1. Set inactivity timeout to 105 sec.
2. Create resource item with enabled session timeout.
3. Go to this resource. Popup dialog will appear via 5 sec.
4. Disable session timeout for this item.
5. Go to this resource. Popup dialog also will appear via 5 sec.

Impact:
Session timeout can't be disabled in Resource item.

Workaround:
There is no workaround at this time.


468874-4 : Monpd errors appear when AVR loads data to MySQL

Component: Application Visibility and Reporting

Symptoms:
An error of the form "Too many partitions (4) defined for DB table..." will appear in both /var/log/ltm and /var/log/avr/monpd.log

Conditions:
This issue occurs when traffic is running and AVR is being used by any of the following provisioned modules: AVR, ASM, PEM, AFM, or SWG.

Impact:
No actual impact on data accuracy or performance - only errors in /var/log/ltm and /var/log/avr/monpd.log

Workaround:
This issue has no workaround at this time.


468837-3 : SNAT translation traffic group inheritance does not sync across devices

Component: TMOS

Symptoms:
When a snat-translation object is created, and its inherited-traffic-group property is set, this property does not sync to other devices.

Conditions:
This is relevant for any setup with multiple devices in a CMI failover device group.

Impact:
The inherited-traffic-group property must be manually maintained on all devices.

Workaround:
Enable the 'full sync' option instead of using incremental sync.


468542 : Virtual servers with a SPDY profile ignore SNAT none setting

Component: Local Traffic Manager

Symptoms:
Virtual servers with a SPDY profile ignore SNAT 'None' setting.

Conditions:
This occurs on virtual servers that have an associated SPDY profile when the Source Address Translation setting is 'None'.

Impact:
Virtual servers with a SPDY profile determine the server-side source address using SNAT Automap, which might result in the incorrect server-side source address.

Workaround:
This issue has no workaround at this time.


468519-3 : BIG-IP DNS configuration load failure from invalid bigip_gtm.conf file.

Component: Global Traffic Manager

Symptoms:
Config reload fails when renewing the license or performing a new install based on the current config.

This appears to be the result of a invalid bigip_gtm.conf which is used to load the config rather than the mcpdb.bin.

Conditions:
If any virtual servers are configured with a dependency list that includes other virtual servers from the same BIG-IP system, BIG-IP DNS creates an invalid bigip_gtm.conf file.

Impact:
BIG-IP DNS config will fail to load when triggered to load from config file

Workaround:
None.


468517-3 : Multi-blade systems can experience active/standby flapping after both units rebooted

Component: TMOS

Symptoms:
After rebooting multi-bladed BIG-IP systems configured for failover, one or more of the systems has some of its blades flap from active to standby.

Conditions:
Rebooting systems fairly close in time from one another (about a minute apart). Traffic group must reference an HA group.

Impact:
Invalid redundant status.

Workaround:
Modify the traffic group to no longer reference an HA group:
tmsh modify cm traffic-group traffic-group-1 ha-group none.


468514-2 : Receiving several ConfigSync requests in a short period of time may cause the mcpd process to restart and produce a core file

Component: TMOS

Symptoms:
Receiving several configuration synchronization (ConfigSync) requests, in a short period of time, may cause the mcpd process to exhaust memory resources, restart, and produce a core file.

Note: The Automatic Sync feature can exacerbate this issue. The Automatic Sync feature is disabled by default.

As a result of this issue, you may encounter one or more of the following symptoms:

Performing a ConfigSync operation causes the BIG-IP system to experience a brief service interruption while the mcpd process restarts.
If configured as part of a high availability (HA) group, the BIG-IP system fails over.
The BIG-IP system generates an mcpd core file.

Conditions:
Receiving several configuration synchronization (ConfigSync) requests with a short interval.

Impact:
The BIG-IP system may experience a brief service interruption while the mcpd process restarts.

Workaround:
None.


468472-4 : Unexpected ordering of internal events can lead to TMM core.

Component: Local Traffic Manager

Symptoms:
TMM may core and failover with the following tcp4 assert: ../modules/hudfilter/tcp4/tcp4.c:937: %svalid pcb%s.

Conditions:
If the TCP profile receives a spurious event it can cause TMM to crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


468395-1 : IPv4 Allocation failure ... is out of addresses

Component: Access Policy Manager

Symptoms:
Existing Network Access clients have problems reconnecting.

Conditions:
This occurs when all of the lease pool IP addresses are allocated to Network Access clients.

Impact:
Existing clients cannot reconnect. The system posts messages to the APM logs: IPv4 Allocation failure ... is out of addresses.

Workaround:
Assign more IP addresses in the lease pool.


468388-2 : Connection flows leak when service provider DAG is configured and/or under-provisioned LSN pools are configured

Component: Carrier-Grade NAT

Symptoms:
Connection flows leak when service provider DAG is configured and/or under provisioned LSN pools are configured on BIG-IP systems.

Conditions:
Service provider DAG and/or under-provisioned LSN pools configured.

Impact:
Connection flow leak causing TMM core after some time.


468387-1 : Enforcer core related to specific error condition in the session db

Component: Application Security Manager

Symptoms:
A bd restart, and failover if redundant pair, may occur.
The core file will show tm_untimeout () as the coring frame.

Conditions:
Load on the system, heavy usage of the sessiondb infrastructure.

Impact:
Traffic will reset while the bd restart or while the failover is happening.

Workaround:
Disable session tracking from the ASM policy.


468375-1 : TMM crash when MPTCP JOIN arrives in the middle of a flow

Component: Local Traffic Manager

Symptoms:
TMM crash when MPTCP JOIN arrives in the middle of a flow.

Conditions:
No workaround

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.


468235-1 : The worldwide City database (City2) does not contain all of the appropriate Proxy strings.

Component: TMOS

Symptoms:
Digital Element's proxy information is not available in the City2 database.

Conditions:
This occurs when using the City2 database available from an F5 partner.

Impact:
In the case of a customer obtaining and installing the city database, Digital Element's proxy information is not included.

Workaround:
None.


468175-3 : IPsec interop with Cisco systems intermittent outages

Component: TMOS

Symptoms:
Occasionally, traffic going through an IPsec tunnel from BIG-IP systems to Cisco systems stops after a certain period of time and recovers after an hour.

Conditions:
This issue occurs when there is more than one pair of IPsec SAs negotiated and triggers redundant SA removal on the Cisco router.

Impact:
IPsec tunnel stops passing traffic until the trouble IPsec SA expires and the new set of IPsec SAs are negotiated.

Workaround:
Delete the trouble IPsec SAs


467945-2 : Error messages in AVR monpd log

Component: Application Visibility and Reporting

Symptoms:
Following errors (similar) appear in the monpd log:
 monpd|INFO|Jun 18 13:40:08.947|12463| [stat_bridge_thread::load_file, ] Some rows of load_stat_asm_http_ip_1403124000.1 not loaded (18194 rows affected)

Conditions:
In rare cases that include stress traffic and other rare conditions.

Impact:
There can be very small percentage of lost statistics (approximately 0.002%)

Workaround:
No workaround.


467706-2 : Deterministic NAT: incorrect mapping for VIPRION C4800/C4800N

Component: Carrier-Grade NAT

Symptoms:
Forward and reverse map incorrect for deterministic NAT in VIPRION C4800/C4800N do not work as expected.

Conditions:
LSN Pool with deterministic NAT on VIPRION C4800/C4800N.

Impact:
Reverse and forward map do not work as expected.


467196-2 : Log files limited to 24 hours

Component: TMOS

Symptoms:
In this release, the max log size setting is 1024. This causes large systems (multiple blades, high-availability) to truncate log files, and often prevent log files from storing messages for more than 24 hours.

Conditions:
Multiple blades in a high-availability configuration.

Impact:
Cannot have log files spanning more than 24 hours. This makes it very difficult to use the log when diagnosing problems, because the system overwrites the files before the customer can report the issue.

Workaround:
Change the max-file-size for logrotate from '1024' (the default) to '0' to prevent logrotate from truncating log files. This workaround is also documented in SOL16015: The BIG-IP system may truncate log files, available here: https://support.f5.com/kb/en-us/solutions/public/16000/000/sol16015.html.

This can be done from tmsh by running a command such as:
    tmsh modify /sys log-rotate max-file-size 0


467022-2 : 11050 platform will not go active citing error 01071335:3: Invalid logical_disk (0) for application volume (mysqldb_.2).

Component: TMOS

Symptoms:
When booting an affected release, the system will not go active and mcpd will not come up. In /var/log/ltm, an error similar to the following will be seen.

err mcpd[1234]: 01071335:3: Invalid logical_disk (0) for application volume (mysqldb_.2).

This causes the system to have an inconsistent view of the disks and subsequent steps in the boot process fail to complete.

Conditions:
This only happens on the 11050 platform running an affected release. It occurs on boot into TMOS.

Impact:
The system will not go active.

Workaround:
If there is a duplicate platform name in /etc/hal/platform-capabilities.xml, the xml file is loaded improperly which causes problems. Specifically, the software raid capability of the 11050 is not detected properly.

The fix is to manually edit the /etc/hal/platform-capabilities.xml file and resolve this conflict, and then reboot.
Changing the 11050 Nebs platform name to "BIG-IP 11050N" will workaround the issue.

/etc/hal/platform-capabilities.xml:

--BEFORE---

        <platform name="BIG-IP 11050" pid="E102" > <!-- Turbo Apollo -->
            <raid type="software" />
        </platform>
        <platform name="BIG-IP 11050" pid="E103" > <!-- Turbo Apollo NEBS --> <------ Duplicate entry
            <raid type="software" />
            <nebs value="true" />

---AFTER---

        <platform name="BIG-IP 11050" pid="E102" > <!-- Turbo Apollo -->
            <raid type="software" />
        </platform>
        <platform name="BIG-IP 11050N" pid="E103" > <!-- Turbo Apollo NEBS --> <------ fixed entry
            <raid type="software" />
            <nebs value="true" />
        </platform>

All you need to do is add an "N", changing the platform name for Turbo Apollo NEBS to "BIG-IP 11050N", which resolves the conflict.

After making the change, save the file, reboot the box, and it should come up normally.


466761-3 : Heartbeat, UDP packet with only double CRLF, on existing SIP flow results in connection loss.

Component: Service Provider

Symptoms:
Heartbeat, UDP packet with only double CRLF, on existing SIP flow might result in connection loss.

Conditions:
SIP heartbeat message, a UDP packet with double CRLF, sent by the client to the server.

Impact:
Connection might be terminated.

Workaround:
None.


466756-1 : Automating input to gtm_add script rather than running it interactively can result in script failure

Component: Global Traffic Manager

Symptoms:
The gtm_add script can fail if you automate input to the script, even if the input is valid.

Conditions:
Automating input to gtm_add script.

For example:

echo y | tmsh run gtm gtm_add 1.1.1.1

Impact:
The gtm_add script will fail and GTM sync will not be established with the target bigip.

Workaround:
Run the script interactively from the command line.


466281-2 : Internal virtual does not inherit traffic-group from parent virtual server

Component: Service Provider

Symptoms:
A value stored in the session DB from an iRule on the parent virtual server cannot be accessed from the internal virtual server, and vice-versa.

Conditions:
This occurs when the following conditions are met: -- Virtual server with request-adapt or response-adapt profile. -- Internal virtual server referenced by adapt profile. -- iRules share data between the virtual server and the internal virtual server via session table.

Impact:
The session table cannot be used to pass data between virtual server and the internal virtual server.

Workaround:
If failover is not required, set the traffic group of the virtual address of the parent virtual server to 'traffic-group-local-only' which is the default existing on the internal virtual server. Here is an example command: tmsh modify ltm virtual-address 10.10.1.12 traffic-group traffic-group-local-only.


466266-5 : In rare cases, an upgrade (or a restart) can result in an Active/Active state

Component: TMOS

Symptoms:
After upgrading or restarting, the system starts up in an active state even if the peer system is already active.

Conditions:
An upgrade or system restart for an active/standby pair. The issue occurs intermittently and is timing-dependent. There is code executed during sod's initialization that attempts to detect when communication between mcpd and sod has gone bad; this code does this by checking for "end transaction" messages. If 30 or more messages from mcpd are received without an "end transaction" message, sod will reset its connection with mcpd. While the connection is being reset, it is possible for sod to miss messages from mcpd. Depending on which messages it misses, sod may end up in a bad state and exhibit the symptoms of this bug. If this occurs after an upgrade, it does not matter which version one is upgrading from.

Impact:
The impact of this issue is that both systems take traffic.

Workaround:
Restarting the 'sod' daemon on the system after an upgrade or reboot clears the condition. This causes the system to go offline and will disrupt traffic.

Standard BIG-IP appliance:
bigstart restart sod

VIPRION system:
clsh bigstart restart sod


465927-2 : Response is halted or reset when the request has an ignore profile

Component: Application Security Manager

Symptoms:
Response is halted for some seconds or doesn't arrive at all (fin or rst)

Conditions:
The request has a "do nothing" profile.
Request is a POST.
This happens more frequently if the response size is large.

Impact:
Response to that request is halted for some seconds or doesn't arrive at all (fin or rst)

Workaround:
Change the content profile of that URL. Note that this workaround may cause false positive attack signatures and/or other false positive.


465863 : Error: Object doesn't support property or method 'trim'

Component: Access Policy Manager

Symptoms:
When using BIG-IP Edge Client to connect to Network Access, the system posts an 'Object doesn't support property or method 'trim'' error; however, the system still connects.

Conditions:
When adding a third option in the 'logon page agent' use Select as Type, and Then connect to the virtual server using the Edge Client.

Impact:
This is an error message only. There is no loss in functionality. The system posts a message similar to the following: An error has occurred in the script on this page. Line: 356 Char: 13 Error: Object doesn't support property or method 'trim' Code: 0 URL: https://VPN_URL/my.policy Do you want to continue running scripts on this page? There are Yes and No buttons in the popup window. No matter which button you click, the Network Access connection can be established.

Workaround:
To work around the problem, add the following lines to the logon.inc customization file.

if(typeof String.prototype.trim !== 'function') {
  String.prototype.trim = function() {
    return this.replace(/^\s+|\s+$/g, '');
  };
}

... snipped ...
?><!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<title>%{session.server.network.name}</title>
<link rel="stylesheet" type="text/css" HREF="/public/include/css/apm.css">
<script language="JavaScript" src="/public/include/js/session_check.js" ></script>
<script language="javascript">
<!--

<? include_customized_page("logout", "session_expired.js"); ?>

if(typeof String.prototype.trim !== 'function') {
  String.prototype.trim = function() {
    return this.replace(/^\s+|\s+$/g, '');
  };
}

var globalRestartOnSubmit = false;

... snipped ...


465607-1 : TMM cores with TMM log error 'Assertion "flow in use" failed.' when isuing FastHTTP.

Component: Local Traffic Manager

Symptoms:
TMM cores with the TMM log showing the error 'Assertion "flow in use" failed.' This is an infrequent race condition.

Conditions:
This is an infrequent race condition. The actual set of events that leads to this core is unknown. However, this requires FastHTTP to be configured, and it is known that this happens when the FastHTTP connection is closing.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use FastHTTP.


465590-5 : Mirrored persistence information is not retained while flows are active

Component: Local Traffic Manager

Symptoms:
Mirrored persistence information is not retained. This is most visible on long-running flows, where the mirrored entry is removed while the flow is still active.

Conditions:
Mirrored flows with persistence profiles assigned to the VIP, or when persistence profiles are marked to mirror persistence entries.

Impact:
If a failover occurs, a new load balancing pick is made for new flows.


465181-2 : Unhandled connection error in iprepd causes memory leak in iprepd or merged

Component: Application Security Manager

Symptoms:
If the BIG-IP system fails to connect to the IP reputation database server (either using a proxy or not), it causes a memory leak in one of the internal daemons (iprepd and/or merged).

Conditions:
IP-reputation is enabled and it fails to connect to the database server (usually to the proxy of the database server or there is a bad/non-existent connection outside).

Impact:
This issue causes a slow memory leak in the iprepd or merged daemon.

Workaround:
Fix the proxy to the ipreputation or the connection to the IP reputation or turn off IP reputation.


465142-1 : iControl LocalLB::ProfileClientSSL::create and create_v2 methods result in crash when not in /Common

Component: TMOS

Symptoms:
The iControlPortal process crashes if the LocalLB::ProfileClientSSL::create or create_v2 methods are called outside of the /Common partition.

Conditions:
This occurs when using iControl to create Client SSL profiles in partitions other than /Common.

Impact:
The iControl portal crashes with a 500 Internal Server Error. The Client SSL profile is not created.

Workaround:
Create Client SSL profile in the /Common partition.


465133-1 : SIP-ALG: When Proxy authentication is enabled, SIP-ALG will not set up media flows

Component: Carrier-Grade NAT

Symptoms:
SIP sessions fail to setup media flows.

Conditions:
This occurs under the following conditions: -- SIP-ALG is configured on a virtual server. -- SIP client and server exchange more than one INVITE, and the second INVITE has a new cseq number. This can happen when the Proxy is requiring authentication from the client.

Impact:
SIP media sessions are not established.


464972-1 : Wrong parsing of Country Code (Geo) from address region list if Country name contains parentheses.

Component: Advanced Firewall Manager

Symptoms:
Wrong parsing of Country Code (Geo) from address region list if Country name contains parentheses.

Conditions:
If Country name contains parentheses, then an error is thrown and it cannot be added to the address list

Impact:
Address List creation Page

Workaround:
Use tmsh to add the country Name with parentheses


464870-4 : Datastor cores and restarts.

Component: TMOS

Symptoms:
Datastor cores and restarts. This occurs potentially because of generational issues, object replacement from archive, and the possibility that an object was deleted in the interim.

Conditions:
Traffic patterns that shift from low to moderate velocity with strong tiling to decoherent, high velocity traffic can cause this to occur when request queuing is turned on.

Impact:
Temporary cache outage. The cache must then be completely reseeded. A datastor core file is written, and datastor is restarted.


464499-1 : client-ssl profile loses cert-key-object When the cert-key-chain object exists in partition other than /Common

Component: Local Traffic Manager

Symptoms:
A client-ssl profile loses its cert-key-object.

Conditions:
When the cert-key-chain object is configured in a client-ssl profile in a partition other than /Common partition.

Impact:
SSL connection using that profile uses wrong cert/key (but the connection does not fail).

Workaround:
Reload all partitions: 'tmsh load sys config partitions all.


464442-2 : User cannot update SNAT pools that contains resolved hostname as a member

Component: TMOS

Symptoms:
Attempting to update an existing SNAT pool that contains a resolved hostname will result in an error when "Display Host Names When Possible" is enabled.

Conditions:
Need to create a SNAT pool containing a resolved hostname and set "Display Host Names When Possible" enabled from System references.

Impact:
User cannot update SNAT pools that contains resolved hostname as a member

Workaround:
Disable "Display Host Names When Possible" from System >> Preferences


464413-1 : Descriptor shortage might cause packet loss and/or tmm crash

Component: TMOS

Symptoms:
tmm might drop packets and eventually result in tmm crash.

Conditions:
This intermittent issue might occur when TSO is enabled (enabled by default) because of TSO handling combined with certain stressful transmit conditions, as a result of which the system attempts actions on memory or content that has already been freed.

Impact:
Rare reboot with message: tmm process might crash with assertion 'we always have room in tx ring!'.

Workaround:
None. If TSO is not disabled, three related fixes are needed to fully address the issue:

-- ID 466260, covered in SOL15953: TMM may produce a core file with the 'Assertion we always have room in tx ring! failed' error message.
-- ID 502238, covered in SOL16736: The BIG-IP system may lose connectivity and fail to process all traffic through TMM if the HSB is overloaded.
-- ID 509782, covered in SOL16780: The BIG-IP system may drop TSO packets. The Solutions are available here:

-- https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15953.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16736.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16780.html


464366-2 : Devices are out of Sync when new analytics profile is created and assigned to a virtual server

Component: Application Visibility and Reporting

Symptoms:
When new analytics profile is created and assigned to vip, devices are out of sync with "profile doesn't exist" error.

You will see the following error in LTM log: err mcpd: "Cannot set sampling for non-default AVR profile"

Conditions:
1. CMI system
2. Create new analytics profile.
3. Assigned the profile to vip.

Impact:
The devices can be out of Sync.

Workaround:
This issue has no workaround at this time.


464225-1 : 'tmsh list ltm message-routing' and 'tmsh show ltm message-routing' fail for non-admin users

Component: TMOS

Symptoms:
Running the commands 'tmsh list ltm message-routing' and 'tmsh show ltm message-routing' fail for non-admin users, even though non-admin users have tmsh access to all partitions.

Conditions:
A non-admin user is logged in via tmsh.

Impact:
The non-admin user cannot run the command 'list ltm message-routing' or 'show ltm message-routing' via tmsh. The system posts an error message similar to the following: Unexpected Error: Can't display all items, can't get object count from mcpd.

Workaround:
None.


464148 : Deterministic NAT: incorrect mapping on htsplit platforms

Component: Carrier-Grade NAT

Symptoms:
The deterministic NAT (DNAT) utility (dnatutil) might report incorrect reverse mappings for platforms with Intel Hyper-Threading Technology (HT) Technology split plane (htsplit) CPUs, which includes VIPRION and BIG-IP series 4000, 7000, 8000, and 10000 platforms.

Conditions:
Using LSN pool with DNAT mode, and using dnatutil for reverse mapping.

Impact:
Reverse mapping does not occur.

Workaround:
Use the --flags attribute to manually provide the daglib flag attribute.


464132 : Serverside SSL cannot be disabled if Rewrite profile is attached

Component: TMOS

Symptoms:
Cannot disable serverside SSL via iRule command or CPM policy.

Conditions:
This occurs on a virtual server that meets the following conditions:
 - Rewrite profile
 - Serverssl profile
 - iRule using the 'SSL::Disable serverside' command in an HTTP_REQUEST event or a CPM policy with a 'server-ssl disable' action and an http-uri condition.

Impact:
Cannot disable serverside SSL.

Workaround:
Utilize iRule with 'SSL::Disable serverside command in the SERVER_CONNECTED event.


464116-3 : HTTP responses are not cached when response-adapt is applied

Component: Service Provider

Symptoms:
When a response-adapt profile is applied on a virtual with ramcache, HTTP responses are not cached.

Conditions:
Both ramcache and response-adapt on a virtual.

Impact:
HTTP responses are not cached.


463715-2 : syscalld logs erroneous and benign timeout messages

Component: TMOS

Symptoms:
The syscalld timeout mechanism might cause premature logging of OPERATION_TIMEOUT messages.

Conditions:
No specific configuration is required.

Impact:
The system posts the message: syscalld[21190]: 0127000a:3: OPERATION_TIMEOUT 'command' may be hung or taking a long time.

This may cause some operations, such as establishing CMI trust, to fail and need to be launched again.


463652-1 : Inconsistent Certificate/Key/Chain listing for child Client SSL profile when parent profile is modified.

Component: TMOS

Symptoms:
Modifying a child Client SSL profile to have a different Certificate/Key/Chain listing loses setting when the parent Client SSL profile is changed.

Conditions:
When parent profile is modified.

Impact:
Inconsistent Certificate/Key/Chain listing for child Client SSL profile.


463651-3 : PPP tunnels remain open after session gets closed

Component: Access Policy Manager

Symptoms:
Point-to-Point Protocol (PPP) tunnels remain open after session gets closed. APM logs of PPP tunnel closed appears much later than Session closed log.

Conditions:
This can occur with Gzip compression configuration and may sometimes happen randomly.

Impact:
Holds resources on server side.

Workaround:
This issue has no workaround at this time.


463470-1 : Active Translation Mappings count is too high

Component: Carrier-Grade NAT

Symptoms:
In addition to mappings used by successful connections, the Active Translation Mappings count incorrectly counts some pending translation mappings that ultimately are unused. These translation mappings are not active and should not be counted. Additionally, the Active Translation Mappings count is not decremented for these pending translation mappings when the mapping is recovered and made available for new connections.

Conditions:
The high counts are associated with connection failures and can occur with heavy traffic or when there is a limited number of available translation endpoints.

Impact:
Because of the miscounting, the Active Translation Mappings count tends to grow over time and become much larger than the connection count. The high count does not represent a memory leak or translation endpoints that are not available.


463468-6 : failed tmsh command generate double logs

Component: TMOS

Symptoms:
A single failed tmsh command generates two identical audit logs, and audit_forwarder sends two logs to audit server (TACACS+ in this example).

Conditions:
tmsh audit is on and tmsh command is failed from mcpd validation. This does not occur with successful commands.

Impact:
Here is an example of the failure:
tmsh create ltm pool pool20
01020066:3: The requested pool (/Common/pool20) already exists in partition Common


Tue May 20 16:27:17 2014 10.10.10.201 root unknown unknown update service=system protocol=ip task_id=130start_time=1400627369 event=cmd_acct reason=May 20 16:09:29 aftest notice tmsh[20175]: 01420002:5: AUDIT - pid=20175 user=root folder=/Common module=(tmos)# status=[01020066:3: The requested pool (/Common/pool20) already exists in partition Common.] cmd_data=create ltm pool pool20
Tue May 20 16:27:17 2014 10.10.10.201 root unknown unknown update service=system protocol=ip task_id=132start_time=1400627369 event=cmd_acct reason=May 20 16:09:29 aftest notice tmsh[20175]: 01420002:5: AUDIT - pid=20175 user=root folder=/Common module=(tmos)# status=[01020066:3: The requested pool (/Common/pool20) already exists in partition Common.] cmd_data=create ltm pool pool20

Workaround:
None.


463380-2 : URIs with space characters may not work properly in ODATA query

Component: Device Management

Symptoms:
ODATA query strings such as: $filter=partition eq 'Common' may not work correctly unless the spaces are encoded with +.

Conditions:
ODATA query strings with spaces.

Impact:
The query will fail with a 400 error.

Workaround:
Encode the query string space characters with + as replacement.


463230-7 : Aced service does not recover if child process dies.

Component: Access Policy Manager

Symptoms:
If a child process is killed, cored, or dies, the parent process does not restart it and the service stops serving SecurID authentication.

Conditions:
In some exceptional cases, the child process exits.

Impact:
SecurID authentication failed, but service recovered by runsv.


462827-5 : Headers starting with X-F5 may cause problems if not X-F5-REST-Coordination-Id

Component: Device Management

Symptoms:
Some URIs passed to the BIG-IP system with X-F5 that are not X-F5-REST-Coordination-Id may improperly parse the HTTP request headers. These include iControl-REST URIs
/mgmt/tm/analytics/...
/mgmt/tm/vcmp/...
/mgmt/tm/actions/...
/mgmt/tm/gtm/...
/mgmt/tm/ltm/...
/mgmt/tm/net/...
/mgmt/tm/pem/...
/mgmt/tm/util/...
/mgmt/tm/sys/...
/mgmt/tm/cli/...
/mgmt/tm/secuirty/...
/mgmt/tm/ilx/...
/mgmt/tm/apm/...
/mgmt/tm/transaction/...
/mgmt/tm/auth/...
/mgmt/tm/wom/...
/mgmt/tm/cm/...
/mgmt/tm/wam/...

Conditions:
Headers prefixed with X-F5 that are not X-F5-REST-Coordination-Id.

Impact:
Headers are not parsed properly.

Workaround:
None


462714-5 : Source address persistence record times out even while traffic is flowing on FastL4 profile virtual server

Component: Local Traffic Manager

Symptoms:
A source address persistence record created on a virtual server with a FastL4 profile times out and is aged out even while traffic is flowing through that flow. The traffic that results in this issue is UDP with checksum of 0.

Conditions:
The profile has to be FastL4. Traffic that is either UDP with checksum of 0, or SCTP, or ESP, are definitely affected.

Impact:
Source address persistence is not usable as the entry ages out when it should not.

Workaround:
None.


462351-1 : Error when resetting stats

Component: TMOS

Symptoms:
Selecting policy and clicking Reset on Statistics :: Module Statistics : Local Traffic :: Policies page produces message 'An error has occurred while trying to process your request.'

Conditions:
This occurs when resetting stats using the GUI.

Impact:
Cannot reset stats for policies using the GUI.

Workaround:
Use tmsh to reset stats.


462187-1 : 'tmsh list net tunnels' and GUI tunnel access fail for non-admin users

Component: TMOS

Symptoms:
'tmsh list net tunnels' and GUI tunnel access fail for non-admin users. Non-admin users have access to all partitions via tmsh.

Conditions:
This occurs for non-admin users on the tunnel list page when selecting a predefined tunnel or one that has been configured.

Impact:
The command or operation fails. The system displays the following error: Unexpected Error: Can't display all items, can't get object count from mcpd.


462025 : SQL monitors do not handle route domains properly

Component: Local Traffic Manager

Symptoms:
SQL monitors cannot be started consistently when route domains are involved. SQL monitors include MySQL, MSSQL, Oracle SQL, and PostgresSQL.

Conditions:
Configure a SQL monitor on a node inside a route domain.

Impact:
SQL monitors do not work as expected. They might hang or only intermittently return results.

Workaround:
None.


461818-1 : Occasional extreme large value reported for tmm-info five-min-avg-usage-ratio

Component: Local Traffic Manager

Symptoms:
The command tmsh -m show sys tmm-info field-fmt occasionally shows an invalid value such as:
five-min-avg-usage-ratio 184467440737093465

Conditions:
This occurs under normal operation.

Impact:
Faulty displayed value with zero functional impact.


461715-1 : AVR: Collecting geolocation IDs

Component: Application Visibility and Reporting

Symptoms:
Long computation in geo location handling caused Keep-Alive timer to stop the bd process.

Conditions:
This bug occurred during stress run when bd is running.

Impact:
The bug cause the bd process to crash.

Workaround:
There is no workaround.


461587-4 : TCP connection can become stuck if client closes early

Component: Local Traffic Manager

Symptoms:
Connection remains half-open and appears in connflow table after receiving FIN/ACK from serverside. the BIG-IP system never sends FIN/ACK to serverside to indicate connection has been closed.

Conditions:
Clientside connection is closed before serverside completes 3-way handshake. Serverside never completes 3-way handshake and LB::reselect command is issue via iRule.

Impact:
Connection remains half-open and stuck in connflow table


461189-3 : Generated assertion contains HEX-encoded attributes

Component: Access Policy Manager

Symptoms:
When a BIG-IP system serving as SAML identity provider (IdP), generates an assertion, the message might contain HEX-encoded values.

Conditions:
This occurs when user authenticates against LDAP/AD/RADIUS, and retrieved from AAA server attributes contain non-ASCII values. These non-ASCII values are then used by BIG-IP as Identity Provider in generated Assertion.

Impact:
SAML SSO might fail if Service Provider is not be able to process HEX-encoded attributes.

Workaround:
There is no workaround for IdentityProvider. On Service Provider side, assertion attribute values that begin with '0x' could be treated as HEX encoded. Such values can be HEX decoded after SP processed assertion.


460945-4 : Memory leak when changing a policy that is in use by a virtual server

Component: Local Traffic Manager

Symptoms:
There is a memory leak when changing a policy that is in use by a virtual server.

Conditions:
When an LTM policy is being applied to a virtual server, the policy is compiled for efficient execution.

Impact:
Upon every recompilation a small amount of memory is leaked in mcpd. If a policy is recompiled many times this can lead to memory exhaustion within mcpd which in turn causes a mcpd crash and BIG-IP system restart.


460833-10 : MCPD sync errors and restart after multiple modifications to file object in chassis

Component: TMOS

Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:

1. Errors are logged to /var/log/ltm similar to the following:

err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..

2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.

Conditions:
This symptom may occur under the following conditions:

1. Two or more VIPRION chassis are configured in a device sync group.
2. File objects (such as SSL certificates) are added/modified/deleted on one chassis in the group.
3. These changes are synchronized to other members of the device sync group.
4. While the previous changes are still being synchronized to all blades in all chassis in the device sync group, an overlapping set of file objects are added/modified/deleted on a chassis in the group (typically the same chassis as in step 2).
5. While the previous sync operation is still in progress, these subsequent changes are synchronized to other members of the device sync group.

Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.

Workaround:
After performing one set of file-object modifications and synchronizing those changes to the HA group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing additional file-object changes.


460730-5 : On systems with multiple blades, large queries can cause TMM to restart

Component: TMOS

Symptoms:
When executing a chunked query (such as "show sys connection") that returns a lot of data, the primary MCP can get overwhelmed by the amount of data it is receiving from both its blade's TMMs and the secondary MCPs. It gives the data from its own TMMs priority, which eventually causes the secondary MCPs to run out of memory. At this point the MCP memory safeguards kick in and the secondary MCPs stop receiving data from their TMMs. The TMMs wait 20 seconds under these conditions, and if they have been unable to send data to MCP during that time, they exit and restart.

Conditions:
System must have multiple blades and execute a chunked query (for connection data or persistence records, for example) that returns a lot of data.

Impact:
TMM restarts and the system is unusable during that time.

Workaround:
This issue has no workaround at this time.


460178-2 : oamd may generate core during shutdown

Component: TMOS

Symptoms:
Because of a timing issue, oamd might occasionally generate a core file due to accessing a bad value in the session list.

Conditions:
Stop dynamic routing via tmsh or system shutdown.

Impact:
Core file generated during shutdown.

Workaround:
This issue has no workaround at this time.


460020-2 : Rewrite profile might cause tmm core when trying to rewrite set cookie in HTTP response header

Component: TMOS

Symptoms:
If there are multiple set cookie rewrites to an HTTP response header, then there is a chance that tmm might core due to referencing incorrect locations into the buffer.

TMM may crash and leave an error message in one of the TMM log files (/var/log/tmm*) similar to:
notice 2: lib/c/xbuf.c:930: xbuf_subtract: Assertion `valid xfrag subtraction' failed.

Conditions:
The original issue occurred with ASM, but is not specific to ASM. It can occur whenever the rewrite profile is used and the the path/domain within the set cookie filed of an HTTP response header is rewritten.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.


459994-2 : tmm may crash if default gateway pool contains members that it cannot route to

Component: Local Traffic Manager

Symptoms:
tmm may crash in an invalid routing setup

Conditions:
create gw pool member that is unreachable and not local on any subnet

Impact:
Traffic disrupted while tmm restarts.

Workaround:
do not create invalid routing setup


459851-7 : Connection aborted when using GET request If-Match header in Policy Node with No-Proxy(request)/Always_Proxy(response) setting.

Component: WebAccelerator

Symptoms:
The connection is aborted when using If-Match header with a Always Proxy response policy node but No Proxy request policy node.

Conditions:
Virtual server with Web Accelerator.
GET request with
  Header: If-Match with strong tag.
WA Policy:
  Node matching the request: No-Proxy
  Node matching the response: Always Proxy

Impact:
The connection is reset when it should return 412.

Workaround:
None.


459266-1 : SSL profile memory increases when SSL connection goes to disabled

Component: Local Traffic Manager

Symptoms:
When SSL connections go to disabled, sp->cf_disabled sets to TRUE.
the connection will be stale and never be closed. So its related SSL profile will increase reference count and never be freed.

Conditions:
This issue occurs when a SSL connection goes to disabled.

Impact:
The impact of this issue is that SSL profile memory increases.

Workaround:
This issue has no workaround at this time.


459100-3 : TMM may crash when offloading one-way UDP FastL4 flow

Component: Local Traffic Manager

Symptoms:
When handling UDP traffic on a FastL4 VIP, sometimes the TMM tries to offload both client and server flow when there is only one way traffic (either client-side or server-side). That would result TMM crashed on invalid pointer access.

Conditions:
HSBe2 platform, FastL4 VIP for UDP traffic, and one-way traffic during run time.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.


459096-4 : GUI: Modifying Self IP Port lockdown from Allow All to Allow Default results in error

Component: TMOS

Symptoms:
Modifying Self IP Port lockdown from Allow All to Allow Default results in error.

Conditions:
This occurs when Self IP Port lockdown is set to 'Allow All'.

Impact:
Cannot modify the Self IP port lockdown from Allow All to Allow Default. Following error message is displayed in /var/log/ltm: 01020066:3: The requested self port (/Common/10.10.10.10 256 0) already exists in partition Common.


458928-3 : APMD cores in Kerberos authentication, when the agent tries to derefence a null authparam session variable.

Component: Access Policy Manager

Symptoms:
APMD cores in Kerberos authentication, when the agent tries to derefence a null authparam session variable.

Conditions:
This occurs when using client based Kerberos authentication without an authparam.

Impact:
APMD process cores and restarts.

Workaround:
None.


458823-3 : TMM Crash can lead to crash of other processes

Component: Application Visibility and Reporting

Symptoms:
When TMM is crashing abnormally, the restart procedure can lead to following crashes of other processes in the system.

Conditions:
Relates to cases in which TMM crashes abnormally as a result of other issues.

Impact:
The crash of the other processes has no impact on the system, as the fact that TMM already crashed is the main impact.
There is evidence of the other processes crash, since there are core dump files, so it is raising concerns about why several processes crashed and leads to customer escalations.


458770-1 : [Mac][Edge] Edge client doesn't handle ending redirects to the same box if second access policy assumes interaction

Component: Access Policy Manager

Symptoms:
Mac Edge Client doesn't work properly with ending redirects if the redirect is to the same box (another VS) and second access policy
contains agents that assume interaction (Logon page, Message box, Mac Process check).

Conditions:
Redirect not working when subsequent agent assumes interaction.

Impact:
Redirect not working.

Workaround:
N/A


458348-1 : RESOLV:: iRule commands and sFlow don't function correctly when using non-default CMP hashing.

Component: Local Traffic Manager

Symptoms:
Packets originating from the RESOLV:: iRule commands and sFlow are not routed correctly when using non-default CMP hashing on external and internal VLANs.

Conditions:
External and internal VLANs have, respectively, src-ip and dst-ip cmp hashing configured.

Impact:
Packets are dropped.


458295-3 : Memory leaks while connecting to the IP reputation database server using a proxy.

Component: Application Security Manager

Symptoms:
Memory leaks sometimes occur while connecting to the IP reputation database server using a proxy.

Conditions:
Enable IP reputation and connect using a proxy.

Impact:
Performance may degrade over time and the system may become unresponsive due to memory exhaustion.

Workaround:
None.


458286 : Adding called_station_id and calling_station_id attributes to PEM::session create/info iRule commands

Component: Policy Enforcement Manager

Symptoms:
The called_station_id and calling_station_id subscriber session attributes cannot be accessed via iRules.

Impact:
The called station id needs to be stored upon radius accouting receival into custom attr namespace, in order to make it retrivalble via PEM::Session info attr <framedip> calling_station_id


457934-2 : SSL Persistence Profile Causing High CPU Usage

Component: Local Traffic Manager

Symptoms:
Some connections through a virtual server using SSL persistence hang and cause a high CPU condition in tmm.

Conditions:
This occurs only when SSL persistence is configured as the default persistence profile, and there is a fallback profile of either source_addr or dest_addr.

Impact:
Large increase in CPU usage on the box and a percentage of SSL connections through the virtual server are delayed and eventually reset

Workaround:
None.


457293-4 : Clustered Multiprocessing (CMP) peer connection is not removed in certain race conditions.

Component: Local Traffic Manager

Symptoms:
The CMP peer connection could be left there without being swept out when the connection at origin is aborted too soon in the connection flow.

Conditions:
CMP with two tmm instances. Connection gets aborted.

Impact:
Connections are leaked up to reaching a point when the memory is consumed.

Workaround:
N/A


457034-1 : Multipath TCP (MPTCP): TMM crash in stockpile management

Component: Local Traffic Manager

Symptoms:
The tmm may core when using MPTCP.

Conditions:
This issue occurs under conditions of MPTCP heavy usage.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.


456927 : iOS Edge Client is not able to establish per-app VPN connections with APM when it has VPE with On-Demand certificate authentication or iRule event agent without assigned webtop resource.

Component: Access Policy Manager

Symptoms:
iOS Edge Client is not able to establish per-app VPN connections with APM when it has VPE with On-Demand certificate authentication agent or iRule event agent without assigned webtop resource.

Conditions:
VPE with On-Demand certificate authentication or iRule event agent without assigned webtop resource.

Impact:
Cannot use iOS Edge Client to establish per-app VPN connections.

Workaround:
Add resource assignment agent with webtop resource.


456853-1 : DTLS cannot handle client certificate when client does not send CertVerify message.

Component: Local Traffic Manager

Symptoms:
For DTLS, CCS record will be held until all other handshake messages besides Finish are handled. When pcm is set to request, client may not send CertVfy message. BIG-IP system waits for CertVfy until the timeout.

Conditions:
For DTLS, CCS record will be held until all other handshake messages besides Finish are handled. When pcm is set to request, client may or may not send CertVfy message,

Impact:
BIG-IP waits for CertVfy until timeout.

Workaround:
None.


456763-1 : L4 forwarding and TSO can cause rare TMM outages

Component: Local Traffic Manager

Symptoms:
In certain rare circumstances using L4 forwarding and TSO, the MSS sizes on client and server sides in combination with internal processing can cause an internal mismatch resulting in a TMM crash.

Conditions:
This applies only when using L4 forwarding virtuals with TSO; additional exact external conditions are still under investigation.

Impact:
This issue causes a failover or TMM outage.

Workaround:
This issue has no workaround at this time.


456608-2 : Direct links for frame content, with 'Frame.src = url'

Component: Access Policy Manager

Symptoms:
Direct links in web-application with Portal Access.

Conditions:
Direct links for frame content, when using 'Frame.src = url'.

Impact:
Web-Application misfunction.


456573-2 : Sensor read faults with DC power supply

Component: TMOS

Symptoms:
While running BIG-IP v11.5.0 or later on a BIG-IP 2000-/4000-/5000-/7000-/10000-series appliances using DC power supplies, error messages containing the following strings may appear in /var/log/ltm:

err chmand[####]: 012a0003:3: Sensor read fault for Power supply #1 fan-1
err chmand[[####]: 012a0003:3: Sensor read fault for Power supply #1 meas. inlet temp
err chmand[####]: 012a0003:3: Sensor read fault for Power supply #2 fan-1
err chmand[####]: 012a0003:3: Sensor read fault for Power supply #2 meas. inlet temp

Conditions:
- BIG-IP 2000-/4000-/5000-/7000-/10000-series appliances
- DC power supplies (FND850 for 10000-series, FND300 for 2000-/4000-/5000-/7000-series)
- Running BIG-IP v11.5.0 or later.

Impact:
These errors result from a mismatch in the list of power supply sensors queried by BIG-IP, and the sensors actually present in a DC power supply.
These errors do not indicate a problem with the power supply in question.

Workaround:
These errors, when occurring under the conditions described, can be safely ignored.


456461-2 : Creating a vlan-group after sflow receiver causes TMM sigsegv's (loop).

Component: TMOS

Symptoms:
TMM is in a restart loop.

Conditions:
Creating vlan-group after configuring sflow receiver.

Impact:
Causes TMM to go into a restart loop.

Workaround:
Configure sflow receivers after vlan-groups using these commands: -- tmsh create net vlan testvlan { interfaces add { 1.1 { tagged } } tag 1147 }. -- tmsh create net vlan-group vlan_group_001 { members add { testvlan } }. -- tmsh create sys sflow receiver sflow_001 { address 10.0.63.1 state enabled }. -- tmsh create net self 10.0.63.100/24 vlan vlan_group_001.


456378 : On a virtual server with the ipother profile assigned, iRule firing on CLIENT_ACCEPTED with discard or reject action may cause TMM to core

Component: Local Traffic Manager

Symptoms:
When using ipother profile, if there is an iRule that fires on CLIENT_ACCEPTED that contains a discard or reject action, TMM is going to failover.

Conditions:
Virtual server with ipother profile and an iRule firing on CLIENT_ACCEPTED with discard or reject action.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use CLIENT_DATA as the firing event for the iRule. Will have the same expected result when discarding the connection.


456239-1 : icrd and icrd_child processes crash when being shutdown

Component: TMOS

Symptoms:
At shutdown, sometimes the icrd and icrd_child processes can crash. icrd_child processes can seem to get stuck while waiting for a timeout to occur.

Conditions:
When restarting icrd or making iControl REST calls.

Impact:
Slow access to iControl REST endpoints, due to icrd_child processes being slow to shutdown and start up.

Workaround:
None


455980-3 : Home directory is purged when the admin changes user password.

Component: TMOS

Symptoms:
When an admin changes a user's password, the contents of the home directory are purged, that is, the system deletes some or all of the files in that user's home directory.

Conditions:
This happens whenever a user's password is modified. Can also be triggered by an upgrade from 10.x.

Impact:
Some or all of the files in that user's home directory are deleted.

Workaround:
This issue has no workaround for the basic case at this time. However, when this is caused by a 10.x-to-11.x upgrade, the original files can be recovered by booting back into the 10.x boot location and copying them off the system (or by extracting them from a UCS, or by mounting the root lvm volume from the previous boot location).


455840-2 : EM analytic does not build SSL connection with discovered BIG-IP system

Component: Local Traffic Manager

Symptoms:
EM analytic does not build SSL connection with discovered BIG-IP system.

Conditions:
When using management SSL client profile.

Impact:
EM analytic cannot connect to discovered BIG-IP system.


455651-3 : Improper regex/glob validation in web-acceleration and http-compression profiles

Component: TMOS

Symptoms:
The use of regex or glob patterns in certain MCP configuration objects leads to inconsistent parsing across MCP and TMM. For glob patterns, for example, the TMM produces an error indicating that the regex is invalid, while entries such as *.js are correctly treated as globs.

Conditions:
MCP configuration objects supporting regex and glob inclusion/exclusion patterns lead to inconsistent parsing across MCP/TMM.

Impact:
Cacheable objects are improperly cached or are not cached, or objects are deflated or are not deflated in opposition to the customer's intent.

Workaround:
None.


455493-1 : Cancel button remains enabled

Component: Access Policy Manager

Symptoms:
During normal Policy Sync operations, the Cancel button is enabled while the Access Profile is exchanged with other devices within the device group, and then should disable.

This known issue occurs when the Cancel button stays enabled even after the Access Profile has successfully been exchanged with all other devices.

Conditions:
No particular condition leads to this issue.

Impact:
While the Cancel button remains enabled, further changes and subsequent policy sync operations cannot be made for that Access Profile. The Access profile will not even be allowed to be deleted.

Workaround:
This issue has no workaround at this time.


454954-6 : Messages dropped by iRULE DIAMETER::drop will be retransmitted

Component: Local Traffic Manager

Symptoms:
DIAMETER_INGRESS event is received after DIAMETER::drop has been called

Conditions:
Virtual server with diameter profile with retransmission enabled and iRule containing DIAMETER_INGRESS event that uses DIAMETER::drop.

Impact:
Unexpected invocation of DIAMETER_INGRESS event and retransmission of dropped packet.

Workaround:
Disabled retransmission in Diameter profile.


454949-1 : AFM Optimizations to improve run-time and memory usage.

Component: Performance

Symptoms:
AFM Optimizations to improve run-time and memory usage.

Conditions:
Running AFM.

Impact:
Potential run-time and memory-usage issues.

Workaround:
None


454583-3 : SPDY may cause the TMM to crash if it aborts while there are stalled streams.

Component: Local Traffic Manager

Symptoms:
If SPDY has a stalled stream and it is being aborted, it may cause the TMM to crash due to referencing cleared state.

100 Continue messages appeared in response bodies. 100 Continue responses sent in the same packet as the response could stall the stream.

Conditions:
SPDY aborts due to a miss-ordered event. SPDY then sees egress, and marks the stream as stalled. SPDY aborts the connection to the client, and marks the stream as unknown. Finally, the stream aborts again and dereferences the NULL pointer to the client when it tries to unstall itself.

A 100 Continue message in a response, either by itself, or in the same packet as the response body.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.


454306-3 : HTML style attribute with HTML entities need to be fixed

Component: Access Policy Manager

Symptoms:
When HTML style attributes with HTML entities are rewritten, it results in direct or incorrect links to resources.

Conditions:
This occurs when using HTML style attributes with HTML entities.

Impact:
It results in broken styles in web application.

Workaround:
There is no general workaround, but custom iRules can be used.


454209-2 : TMM crash on UDP DNS virtual without datagram-load-balancing enabled

Component: Local Traffic Manager

Symptoms:
TMM crash on UDP DNS virtual without datagram-load-balancing enabled.

Conditions:
DNS virtual server without datagram lb mode.

Impact:
TMM crash with a backtrace including dns_dev_pool coring at line 360. Failover and potential traffic interruption.

Workaround:
Enable datagram-lb-mode in the UDP profile used by the DNS virtual server, or turn off DNS queuing via the db variable dns.queuing.


454018-4 : Nexthop to tmm0 ref-count leakage could cause TMM core

Component: Local Traffic Manager

Symptoms:
Each use of the interface tmm0 for inter-TMM communication is supposed to increment its count of nexthop references. When the use of the interface is expired, the reference count is supposed to decrement, but in this case, the reference count is not decremented.

Conditions:
This occurs when TMM runs over an extended period of time, and internal communication between TMMs over tmm0 is heavy during the period.

Impact:
Reference count leaks, which causes the count to monotonically increase, which eventually might cause TMM to crash and restart.

Workaround:
This issue has no workaround.


453720-2 : clientssl profile validation fails to detect config with no cert/key name and no cert/key

Component: Local Traffic Manager

Symptoms:
The system does not prevent creation of a clientssl profile with no cert-key-chain name and no cert/key (or a cert/key of 'default'), and does not post an error alerting the user to the condition. The system creates the profile without error. This can cause issues when upgrading.

Conditions:
This occurs when attempting to create a clientssl profile without a cert-key-chain name or cert/key, or a cert/key of 'default'. Note: The system should prevent this, but does not do so in versions 11.5.1, 11.5.2, or 11.5.3.

Impact:
The system incorrectly allows a blank cert-key-chain name and an empty cert/key in clientssl profiles. When upgrading such a profile to versions 11.5.4, 11.6.0, 12.0.0, or later, the configuration fails to load with a message similar to the following:
-- 01070315:3: profile /Common/my_client_ssl requires a key Unexpected Error: Loading configuration process failed.
-- 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file.

Workaround:
Use the following steps to work around this issue:
-- To correct the configuration, run the following command: sed -ie '/"" { }/d' /config/bigip.conf.
-- To load the modified configuration, run the following command: tmsh load sys config.
Note: To determine whether profiles are affected, run the following command: grep '"" { }' /config/bigip.conf -A2 -B1. On affected profiles, the system returns the following output: cert-key-chain { "" { }.


453705-1 : iRule command "SIP::header insert Via <index>" does not respect specified index

Component: Service Provider

Symptoms:
When using SIP::header insert to insert a Via header command, the system always inserts the header at index 0, ignoring the specified index.

Conditions:
Use iRule command 'SIP::header insert Via'.

Impact:
Cannot maintain proper order of customized Via headers.

Workaround:
Extract the SIP Via Header in the iRule. Parse the SIP Via Header, and reconstruct the SIP Via header. Insert the reconstructed SIP Via Header back into the SIP message.


453328-1 : Dnatutil logs must be grouped by TMM number issuing the logs

Component: Carrier-Grade NAT

Symptoms:
The dnat utility can report inconsistent results if logs from different TMMs are intermingled in the processed logs.

Conditions:
Logs with intermingled information from multiple TMMs.

Impact:
Inconsistent dnat utility results.

Workaround:
Preprocess ltm log to remove any non TMM 0 logs before running the dnat utility against the log.


453239-2 : lsndb application can only be run on primary blade in chassis.

Component: Carrier-Grade NAT

Symptoms:
Running the lsndb utility on a secondary blade with many connections might cause a hang in the display.

Conditions:
Running the lsndb utility on a secondary blade.

Impact:
The lsndb utility is not supported on secondary blades. It is only supported on a primary blade.

Workaround:
Run the lsndb application on primary blade in the chassis.


453171-2 : High CPU usage leading to tmm/apd cores/restart

Component: Local Traffic Manager

Symptoms:
High CPU usage leading to tmm/apd cores under certain conditions.

Conditions:
This might occur with a large number of cookies when using Application Policy Manager (APM).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Reduce cookie data sent.


452689-2 : Tunnels built over IPsec tunnel interface does not work

Component: TMOS

Symptoms:
If the IPsec tunnel interface is used to construct another tunnel, such as IPIP, GRE tunnels, the innermost tunnel traffic cannot be passed through the IPsec tunnel interface.

Conditions:
The self-IP of the IPsec tunnel interface is used as the local-address of other tunnel types.

Impact:
Traffic does not pass as expected.


452656-1 : NVGRE tunnel traffic might stall if the sys db variable tm.tcplargereceiveoffload is set to 'enable'

Component: TMOS

Symptoms:
NVGRE tunnel traffic might stall if the sys db variable tm.tcplargereceiveoffload is set to 'enable'.

Conditions:
The sys db variable tm.tcplargereceiveoffload is set to 'enable'.

Impact:
NVGRE tunnel traffic might stall.

Workaround:
Set the sys db variable tm.tcplargereceiveoffload to 'disable'. The default value of this variable is 'disable', so it is very unlikely that you will encounter this error condition in normal operating conditions.


452643-6 : Pool member's lb_value is not updated when transistioning from disabled to enabled

Component: Local Traffic Manager

Symptoms:
Some members may not receive traffic when the pool's load balancing method is set to one of the following:
 - Least Connections
 - Fastest
 - Least Sessions

Conditions:
Member's lb_value is non-zero when transitioned to disabled.

Impact:
Member does not receive traffic

Workaround:
Enable pool member and change load balancing method from original to Ratio and back.


452527-4 : Machine Certificate Checker Agent always works in "Match Subject CN to FQDN" mode

Component: Access Policy Manager

Symptoms:
Limited/normal user cannot pass Machine Cert Auth through 'Successful' branch if Agent is configured to match certificate by any condition except Match FQDN.

Conditions:
Machine Cert Auth agent configured to match certificate by any condition except Match FQDN.
Current user has no rights to access private key directly (that means elevation or service is required).

Impact:
User cannot pass Machine Cert Authorization.


452516-4 : Excessive memory consumption after extended use

Component: Local Traffic Manager

Symptoms:
Certain conditions can lead to excessive memory consumption.

Excessive buffering results in performance drop, connections being dropped, and Out-of-memory core errors.

Conditions:
This can occur after a long period of time, such as a month or more.

Impact:
This might result in performance drop, connections being halted, and out-of-memory cores.

Performance and stability can be impacted as well as full traffic-outages.

Workaround:
The command 'bigstart restart tmm' on the standby unit will clear up the condition.


452464-3 : iClient does not handle multiple messages in one payload.

Component: Access Policy Manager

Symptoms:
iClient does not handle multiple messages in one payload leading to possible memory leak symptoms.

Conditions:
If by chance multiple messages arrive as one from the BIG-IP Edge Client.

Impact:
Possible memory leak symptoms.

Workaround:
This issue has no workaround at this time.


452454-3 : A RST will not be forwarded for a IP forwarding Virtual server with a fastL4 profile with loose initialization configured as well as an idle timeout that is less than the server idle timeout value.

Component: Local Traffic Manager

Symptoms:
A RST will not be forwarded for a IP forwarding Virtual server with a fastL4 profile with loose initialization configured as well as an idle timeout that is less than the server idle timeout value.

Conditions:
The conditions that lead to this issue are: a fastL4 profile with loose initialization enabled, reset on timeout disabled, idle timeout less than server idle timeout, and no SNAT.

Impact:
The RST packet will not be forwarded.

Workaround:
Configure the server idle timeout to be less than the fastL4 profile's idle timeout.


452416-2 : tmctl leasepool_stat and snmp apmLeasepoolStatTable return incorrect values

Component: Access Policy Manager

Symptoms:
On a multi-blade chassis, tmctl leasepool_stat for some slots may not be in sync. In addition, query of snmp apmLeasepoolStatTable returns values that do not match the tmctl leasepool_stat output for the current primary slot.

Conditions:
The issue occurs after a blade or tmm of a blade restarts.

Impact:
Incorrect stats only. No impact to fuctionality.


452315-3 : Connection rate limit is not working when pool is not configured for the virtual server.

Component: Local Traffic Manager

Symptoms:
Connection rate limit is not working when pool is not configured for the virtual server.

Conditions:
Number of connections greater than configured rate limit.

Impact:
Number of connections flowing to the servers might be greater than configured rate limit.

Workaround:
This issue has no workaround.


452293-2 : Tunneled Health Monitor traffic fails on Standby device

Component: TMOS

Symptoms:
Monitor traffic fails on the Standby devices when using a floating local endpoint address for the tunnels.

Conditions:
Tunnels are configured with a floating local endpoint address.

Impact:
Failover takes longer because the status of the pool server on the Standby device needs to be rediscovered upon failover.

Workaround:
This issue has no workaround at this time.


452163-2 : Cross-domain functionality is broken in AD Query

Component: Access Policy Manager

Symptoms:
Cross-domain functionality is broken in AD Query agent due to DNS resolving library upgrade.

Conditions:
AD Query is configured with cross-domain option enabled.

Impact:
Users from trusted domains cannot pass access policy because AD Query agent failure.


452010-1 : RADIUS Authentication fails when username or password contain non-ASCII characters

Component: Access Policy Manager

Symptoms:
RADIUS Authentication fails when the logon name contains non-ASCII characters.

The problem is caused due to failure in conversion from UTF-8 to Windows-1252.

Conditions:
RADIUS authentication is configured and username/password contain non-ASCII characters.

Impact:
Users are not able to log in.

Workaround:
There is no workaround for this issue.


451867 : Adobe Flash (SWF) parser should patch the flash object even if compressed body is followed by some data

Component: Access Policy Manager

Symptoms:
Rewritten Adobe SWF can have garbled content or produce segfaults or both.

Conditions:
Any.

Impact:
Web application malfunction.

Workaround:
None. Bypassing SWF in particular cases.


451806-1 : Preserve Source Port Strict has moved from Client Settings (Advanced) to General Settings

Component: Access Policy Manager

Symptoms:
The Network Access GUI and default value for the Preserve Source Port Strict setting has changed. Preserve Source Port Strict has moved from Client Settings (Advanced) to General Settings (Basic). By default, the check box is cleared and the setting is disabled.

Conditions:
Preserve Source Port Strict has moved from Client Settings (Advanced) to General Settings.

Impact:
Admin UI component placement is changed.

Workaround:
The Network Access GUI and default value for the Preserve Source Port Strict setting has changed. Preserve Source Port Strict has moved from Client Settings (Advanced) to General Settings (Basic). By default, the check box is cleared and the setting is disabled.


451705-2 : Illegal metachar override can be added to policy which prevents Apply Policy

Component: Application Security Manager

Symptoms:
Illegal metacharacter override can be added to the security policy. This subsequently prevents the security policy from being applied.

This can be see in /var/log/asm.1_transformed:

----------------------------------------------------------------------
Feb 25 11:35:25 bigip2 info perl[10112]: 01310053:6: ASMConfig change: Parameter P3 [update]: Overridden Value Meta-characters were set to 0x3f - allowed.
Feb 25 11:35:31 bigip2 info perl[10112]: 01310053:6: ASMConfig change: Parameter P9 [update]: Overridden Value Meta-characters were set to 0x3a - allowed, 0x7fffffff - allowed.
----------------------------------------------------------------------

Conditions:
Customer upgraded from 11.3 to 11.5, and when they imported their exported policy, it produced an error and failed to roll forward.

Impact:
This subsequently prevents the policy from being applied. It could not apply configuration; set active failed.

Workaround:
N/A


451534 : TMM SIGSEGV event with SSL forward proxy in PassThrough Mode

Component: Local Traffic Manager

Symptoms:
TMM SIGSEGV event with SSL forward proxy in PassThrough Mode.

Conditions:
This occurs with SSL forward proxy in PassThrough Mode.

Impact:
Traffic disrupted while tmm restarts.


451469-2 : APM User Identity daemon doesn't generate core

Component: Access Policy Manager

Symptoms:
OMAPD is a daemon that stores all the IP->User mappings. It doesn't seem to generate cores. It will be hard to debug issues when it crashes.

Conditions:
Always

Impact:
Cores will not be generated.


451384-1 : "Differentiate between HTTP and HTTPS URLs" can't be disabled when Security Policy contains https URLs

Component: Application Security Manager

Symptoms:
"Differentiate between HTTP and HTTPS URLs" can't be disabled when Security Policy contains https URLs

Conditions:
Security Policy contains https URLs

Impact:
"Differentiate between HTTP and HTTPS URLs" can't be disabled.

Workaround:
Manually change the https URLs to http


451319-3 : HTTP CONNECT request with 4xx response with body results in RST

Component: Local Traffic Manager

Symptoms:
HTTP CONNECT request with 4xx response with body results in RST

Conditions:
This occurs when using Content-Length header when the server responds with 4xx response with body for CONNECT request.

Impact:
Connection reset when server responds. The system posts errors similar to the following: -- err tmm3[19210]: 011f0007:3: http_process_state_prepend - Invalid action EV_INGRESS_DATA during ST_HTTP_PREPEND_HEADERS (Server side: vip=/Common/http-vip profile=http pool=/Common/nc-pool server_ip=10.20.142.1) -- err tmm3[19210]: 01230140:3: RST sent from 10.10.147.80:80 to 10.10.132.1:56111, [0x18f7e62:9888] {peer} HTTP Unexpected server data past end of response. -- err tmm3[19210]: 01230140:3: RST sent from 10.20.147.1:56111 to 10.20.142.1:8080, [0x18f7e62:9888] HTTP Unexpected server data past end of response

Workaround:
Create a iRule to disable HTTP filter when CONNECT method is detected:

when HTTP_REQUEST {
  if { [HTTP::method] eq "CONNECT" } {
    HTTP::disable
  }
}


451257-2 : ASM BD process may crash on missing cookie protection config data when traffic is being passed.

Component: Application Security Manager

Symptoms:
ASM BD process may crash on missing cookie protection config data when traffic is being passed.

Error messages in /ts/log/bd.log
BD_MISC|NOTICE|Mar 04 14:42:27.913|29378|temp_func.c:0688|-- EMPTY TABLE: CONFIG_TYPE_DB_SECURITY_SERVER ack num 123
DATA_PROTECT|ERR |Mar 04 14:42:27.913|29378|src/data_protect_conf.c:0390|context_init: Error opening file '/ts/var/account/data_protection/data_protection_1d71cdd6c19765a8298828aacdc01d82': No such file or directory
DATA_PROTECT|ERR |Mar 04 14:42:27.913|29378|src/data_protect_api.c:0020|data_protect_context_init: failed to initialize security context.

Conditions:
This is a rare condition where DATA_PROTECT_cookie config is missing from the config and traffic is being passed on a multi-bladed system.

Impact:
The initial sync state for ASM in a device group does not resolve successfully. ASM starts breaking connections for which customer removed all of the ASM config and re-imported it. Upon the first request, trying to apply the crypto BD crashes.

Workaround:
Try one of the following workarounds:
-- Issue the following command: bigstart restart asm.
-- Complete the following procedure:
1. On the device group environment with the correct ASM config, turn off ASM sync for the device group.
2. Enable 'Full Sync'.
3. Turn on ASM sync for the device group.
4. Push the configuration.


451233-3 : Radius authentication fails if the NAS IP address is configured with route domain

Component: Access Policy Manager

Symptoms:
If an AAA RADIUS server is configured on a partition other than /Common with a default route domain, authentication will fail.

Conditions:
Radius authentication fails when radius configuration has NS IP Address with route domain (i.e. x.x.x.x/%RD) format.

Impact:
Radius authentication fails.

Workaround:
This issue has no workaround at this time.


451083-2 : Citrix Wyse clients when working with StoreFront in integration mode

Component: Access Policy Manager

Symptoms:
APM does not support Citrix Wyse clients when working with StoreFront in integration mode.

Conditions:
Using APM with Citrix Wyse clients when working with StoreFront in integration mode.

Impact:
Citrix Wyse clients are unable to connect to APM.

Workaround:
Use the following iRule: priority 1

when HTTP_REQUEST {
  set string [HTTP::header value Cookie]
  if {$string contains "NSC_AAAC=xyz"}{
    regsub {NSC_AAAC=xyz;?} $string {} tmp
    regsub {NSC_DLGE=xyz;?} $tmp {} result
    HTTP::header replace Cookie $result
  }
}


451059-3 : SSL server does not check and validate Change Cipher Spec payload.

Component: Local Traffic Manager

Symptoms:
SSL server does not check and validate Change Cipher Spec payload.

Conditions:
This issue occurs when a clientssl profile is used.

Impact:
There is no impact to this issue.

Workaround:
This issue has no workaround.


451035-4 : On a 11050-FIPS BIG-IP, TMM may reset when loading a large number of FIPS keys

Component: Local Traffic Manager

Symptoms:
If 11050-FIPS system is configured with hundreds of FIPS keys, TMM clock advanced messages will be seen and TMM may reset.

Conditions:
A 11050-FIPS system with over 200 FIPS keys configured with FIPS card loaded with firmware version 1.2 .

Impact:
TMM restarts.

Workaround:
Upgrade Cavium FIPS firmware to FW 2.1 using:
tmsh run util fips-util fwupdate


450814-7 : Early HTTP response might cause rare 'server drained' assertion

Component: Local Traffic Manager

Symptoms:
Early HTTP response from the server might cause 'server drained' assertion and traffic disruption.

Conditions:
This occurs when the server sends an early response, which might occur if the server responded before the system completed processing the entire incoming HTTP request data from the client.

A filter other than HTTP is also required on the chain.

Impact:
The system posts a 'server drained' assertion and traffic is disrupted.

Workaround:
None, however, this issue occurs very rarely.


450699 : Configure member IP addresses on VIPRION before downgrading

Component: TMOS

Symptoms:
After booting into a new install location, the primary blade is missing the previously configured default route.

Conditions:
-- Installation is from a downgrade, for example installing 11.5.3 from 11.5.4-hf1.
 
-- VIPRION cluster without member mgmt IP addresses configured.

-- No default route on primary blade.

Impact:
Managing the VIPRION after upgrade requires alternative access methods.

Workaround:
1. Configure cluster member IP addresses before installation. (one per blade).
2. If already booted into the new location, you can access the VIPRION and create a new default route. In this condition, Access can be obtained over the management port from another host on the same LAN as the VIPRION, or over the serial console.


450136-1 : Occasionally customers see chunk boundaries as part of HTTP response

Component: Access Policy Manager

Symptoms:
Occasionally, users see chunk boundaries as part of HTTP response if the virtual server is configured with rewrite profile variant and some other profiles.

Conditions:
Virtual server with rewrite profile variant and some other profiles like OneConnect and NTLM could cause HTTP response to be double-chunked.

Impact:
End users may see random characters displayed on their web pages, or the page may fail to render because it contains invalid HTML markup.

Workaround:
To workaround this problem, use an iRule to rechunk the HTTP response always.


450091-1 : Log state information when the TMM is ready for traffic can appear incorrect.

Component: Carrier-Grade NAT

Symptoms:
Logging that precedes a TMM that is fully booted can be confusing.

Conditions:
Logs are used by the dnat utility to reverse translation addresses for subscriber traceability.

Impact:
Premature logging can make it look like there was a window of time during which mappings are invalid.

Workaround:
This issue has no workaround.


450087-7 : Unacknowledged segments may fail to be retransmitted

Component: Local Traffic Manager

Symptoms:
Unacknowledged TCP segments are not retransmitted.

Conditions:
Remote endpoint closes TCP window early and drops incoming TCP segment(s) from BigIP.

Affects Standard TCP virtuals.

Impact:
This issue causes connection timeouts.

Workaround:
This issue has no workaround.


449989-1 : Unable to save UCS when using iControl REST

Component: TMOS

Symptoms:
Upon issuing the request to save UCS, the UCS process fails.

Conditions:
This occurs when using iControl REST to save UCS.

Impact:
UCS cannot be saved using iControl REST.

Workaround:
Issue UCS save command using the GUI or TMSH.


449896-1 : CGNAT DNAT connection failures with ECMP or route pools

Component: Carrier-Grade NAT

Symptoms:
Connections may fail when using CGNAT Deterministic NAT (DNAT) with ECMP or route pools.

Conditions:
This issue occurs with: -- LSN pool with Deterministic mode. -- Route pools or ECMP such that the same destination may have two different routes. -- Two connections from the same client to the same destination

Impact:
Second connection fails.

Workaround:
None.


449891-5 : Fallback source persistence entry is not used when primary SSL persistence fails

Component: Local Traffic Manager

Symptoms:
The existing source persistence record is not used as fallback for a second SSL request from the same source. The second request may be load balanced to a different pool member than the first one. Sometimes multiple source persistence records may be created pointing to different pool members.

Conditions:
SSL persistence configured as primary persistence method on a SSL VIP.
Source persistence configured as fallback persistence method.
The same client sends a second SSL request, but sends a different session ID so that SSL persistence look up fails.

Impact:
Requests are load balanced to different pool members instead of the same one. In other words, source fallback persistence does not work.

Workaround:
There is no workaround for this issue.


449793-3 : Edge client doesn't use new Oesis SDK libraries unless it is restarted

Component: Access Policy Manager

Symptoms:
Edge client doesn't use new Oesis libraries unless it is restarted. When edge client starts, it updates Oesis libraries on the system if new version is found on BIG-IP, but it doesn't use those libraries unless it is restarted

Conditions:
BIG-IP Edge client and new EPSEC image on BIG-IP APM.

Impact:
Edge client uses old libraries of Oesis SDK. It might not leverage certain fixes made in new oesis SDK unless it is restarted

Workaround:
Restart edge client after it updates the oesis libraries


449770 : Using "CRYPTO::keygen -alg rsa" outside of RULE_INIT can cause TMM to time out

Component: Local Traffic Manager

Symptoms:
RSA key generation is a time consuming process. Placing a key generation request in an event that is fired frequently can cause TMM to stop responding.

Conditions:
Use CRYPTO::keygen in an event such as CLIENT_DATA or HTTP_REQUEST

Impact:
TMM is killed by SOD.

Workaround:
Move key generation to RULE_INIT.


449622-1 : Issue while importing policy with customer violation conflict.

Component: Application Security Manager

Symptoms:
error reported :
r_rpc_handler.pl[29110]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ImportExportPolicy::Base::fatal_error): User-defined violation could not be added:

Conditions:
When importing a policy with a custom violation name, violation conflict imported policy is incomplete.

Impact:
Import policy failed.

Workaround:
Possible workaround is to update mysql field to match import value and also consider modifying xml file for import to match mysql as alternative.


449526-1 : LB::prime iRule with SIP filter can result in a core

Component: Local Traffic Manager

Symptoms:
Rarely LB::prime iRule with SIP filter can result in a tmm core due the flow control mechanism added in the SIP hudfilter and the fact that LB::prime, adds necessary count of prime messages in Q and calls mblb_connect synchronously which has the potential to traverse the entire serverside chain.

Conditions:
LB::prime iRule with SIP filter is used.

Impact:
Rarely results in a core with LB::prime iRule. Traffic disrupted while tmm restarts.


449453 : Loading the default configuration may cause the mcpd process to restart and produce a core file.

Component: TMOS

Symptoms:
Loading the default configuration may cause the mcpd process to restart and produce a core file.

Conditions:
This issue occurs when the following condition is met:

After you successfully load a UCS file that was created on a different system, you attempt to restore the system to factory defaults by loading the default configuration.
When you load the default configuration, if the mcpd process is unable to decrypt the master-key, or attributes exist that were encrypted with a key other than the current master-key, the mcpd process restarts and produces a core file. These situations may occur if an RMA has occurred and you install a UCS from one device to another device of the same type, if the device unit key becomes corrupted, or if the master key file (/config/bigip/kstore/master) becomes corrupted.

Impact:
The BIG-IP system may temporarily fail to process traffic and fail over if configured as part of a high-availability system.

Workaround:
None.


449225-3 : Fixed APM client crash caused by regression introduced with ID430962

Component: Access Policy Manager

Symptoms:
Fix for ID430962 introduced regression which may cause VPN client to crash on establishing VPN connection.

Conditions:
All clients which contains fix for 430962.

Impact:
EdgeClient can crash while trying to establish network access.


448787-5 : Monitors in non-default route domains may flap when large number of connections are originiated from that route-domain

Component: Local Traffic Manager

Symptoms:
Limiting TCP/IP connections on non-default route domains can cause potential non-default route domain monitor issues.

Conditions:
This occurs because the rules that provide connection tracking are not picked up in the non-default route-domain upon creation.

Impact:
When the issue occurs, the kern.log reports the following message: 'nf_conntrack: table full, dropping packet', and pool monitors flap intermittently.

Workaround:
Disable connection tracking in non-default route domains.


448533-5 : Poor source port selection in CGNAT deterministic mode

Component: Carrier-Grade NAT

Symptoms:
When a LSN Pool is configured in deterministic mode, each subscriber gets a predetermined set of translation endpoints that are used for source address translation. When a translation request is processed for a new connection the first endpoints in the set are used very heavily and other endpoints are used rarely.

Conditions:
LSN pool in deterministic mode, Virtual Server using the fastL4 profile.

Impact:
Poor utilization of available translation ports and very high levels of port reuse. In the case of TCP connections this port reuse can cause servers to reject connections because a previous connection is in the TIME_WAIT state.


448493-2 : SIP response from the server to the client get dropped

Component: Service Provider

Symptoms:
SIP responses are not forwarded to the client. Instead, the system drops those SIP responses.

Conditions:
This occurs when using SIP OneConnect with an iRule that uses the node/snat command in SIP_RESPONSE event in the iRule to direct the SIP response from the server.

Impact:
Some SIP flows do not complete, which affects the SIP clients.

Workaround:
Remove the node/snat command from SIP_RESPONSE event processing in the iRule.


448476-3 : 10G SFP interfaces cannot be part of the same trunk.

Component: Local Traffic Manager

Symptoms:
When loading ucs or scf after upgrade, if the config has a two interface 10g xfp trunk, the config fails to load with this error:
01070619:3: Interface 1/1.2 media type is incompatible with other trunk members

Conditions:
Using a two interface 10g xfp trunk, and then loading ucs or scf after an upgrade.

Impact:
This can prevent upgrading

Workaround:
Not Available, other than not using trunks with 10G XFP


447874-3 : TCP zero window suspends data transfer

Component: Local Traffic Manager

Symptoms:
HTTP pipeline request might cause TCP window stay at 0 and not recover.

Conditions:
This intermittent issue occurs when HTTP pipeline requests are sent, and those requests use the GET method.

Impact:
When this occurs, the resulting TCP zero window suspends data transfer. It is possible that the TCP window will be reduced to 0 (zero) and never recover.

Workaround:
None.


447565-1 : Renewing machine-account password does not update the serviceId for associated ntlm-auth.

Component: Access Policy Manager

Symptoms:
Renewing machine-account password does not update the serviceId for associated ntlm-auth.

Because of this issue, you might see the following symptoms:
-- End users report that they cannot access email.
-- NTLM logons stop working for all users.
-- Log file shows errors similar to the following:
err nlad[12384]: 01620000:3: <0x566d4b90> nlclnt[71601c70a] init: Error [0xc000006d,NT_STATUS_LOGON_FAILURE] connecting to DC.

Conditions:
This occurs when the system has an NTLM machine account configured, but it is not known exactly what triggers the error. It can be triggered if the machine account credentials change, but the symptom might not show up for days since the connection can be reused.

Impact:
End users will be unable to connect.

Workaround:
Correct the problem by running the following command:
bigstart restart eca.


447272-1 : Chassis with MCPD audit logging enabled will sync updates to device group state

Component: TMOS

Symptoms:
If mcpd audit logging is enabled on a chassis, updates to device group state will be recorded on every configuration change, even if CMI is not configured or no synchronizable object was modified.

Conditions:
This only applies on chassis systems with at least one secondary blade, and the log messages only appear if mcpd audit logging is enabled.

Impact:
Updates to device group state will be recorded on every configuration change.

Workaround:
This issue has no workaround at this time.


447080-6 : VLAN tagged/untagged configuration change requires tmm restart

Component: Local Traffic Manager

Symptoms:
On BIG-IP 2000-/4000-series appliances, modifying an interface's VLAN configuration from tagged to untagged, or untagged to tagged, can result in unavailability of traffic on that interface.

Conditions:
This occurs on BIG-IP 2000-series or 4000-series appliance, connected to an upstream network that expects a tagged (or alternately, untagged) VLAN.

Impact:
Traffic does not pass after this change, until TMM is restarted.

Workaround:
Restarting the tmm with 'bigstart restart tmm' corrects this condition, as does deleting and recreating the VLAN with desired tagging attributes.


447043-7 : Cannot have 2 distinct 'contains' conditions on the same LTM policy operand

Component: Local Traffic Manager

Symptoms:
Cannot express conditions such as 'user-agent contains 'Android' AND 'Mobile'. LTM policies have operands that can be matched against a set of values, causing a match when the operand matches one of these values. There is no way to use current functionality to match all of the values. One specific situation in which this is needed is to configure 'contains'.

Conditions:
Specify an ltm rule with 2 conditions with the same operand and match type, for example:

           conditions {
                0 {
                    http-header
                    name User-Agent
                    contains
                    values { Android }
                }
                1 {
                    http-header
                    name User-Agent
                    contains
                    values { Mobile }
                }

Impact:
The policy does not work. The system posts an error message similar to the following: Failed to compile the combined policies.


446881-3 : OPSWAT library now needs scpt.dat file on MAC OS X

Component: Access Policy Manager

Symptoms:
Browsers on MAC OS X edge client crash when user connects to BIG-IP edge gateway.

Conditions:
Access policy configured with antivirus, firewall, antispyware, or hd encryption that uses OPSWAT library version 3.6.8642.2.

Impact:
Browsers crash on MAC OS X edge clients.


446573 : Username shown as "(anonymous)"

Component: Access Policy Manager

Symptoms:
Event logs for blocked request show username as "(anonymous)".

Conditions:
High stress load on SWG with explicit proxy setting.

Impact:
Username cannot be determined from event logs.


446526-3 : TCP virtual server/UDP virtual server without datagram-LB mode enabled running DNS cache and suspending iRules might cause TMM crash.

Component: Local Traffic Manager

Symptoms:
When a TCP virtual server, or a UDP virtual server without datagram-LB mode enabled, runs an iRule which suspends itself, and the traffic that virtual server is handling is destined for the DNS cache, subsequent responses attempting to execute an iRule crash TMM because the first response is suspended. Those subsequent responses should be queued before attempting to execute the iRule.

Conditions:
Configuration contains TCP virtual server, or a UDP virtual server without datagram-LB mode enabled running DNS cache and suspending iRules.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Enable datagram-LB mode on the UDP profile. There is no workaround in the case of TCP.


446493-1 : foreign key index error on local traffic-only group

Component: TMOS

Symptoms:
When running the load verify command (tmsh load sys config verify) on a scf file, an error is thrown: 01070712:3: Values (/Common/traffic-group-local-only) specified for self IP (/Common/10.7.7.3_24): foreign key index (traffic_group_fk) do not point at an item that exists in the database.
Unexpected Error: Validating configuration process failed.

However, the config will still successfully load when the verify parameter is not specified.

Conditions:
Running tmsh load sys config file verify on a scf file with a local traffic group in it. traffic-group-local-only groups are not loaded during config verify which triggers the error.

Impact:
Config verify fails.

Workaround:
If there are otherwise no other errors in the configuration, it should be able to load successfully using tmsh load sys config file filename.


446248 : Memory leak seen with WAM when ICC enabled without inlining

Component: WebAccelerator

Symptoms:
WAM leaks "unknown headers" when ICC enabled without inlining. This may lead to crash due to memory starvation.

Conditions:
ICC is enabled for policy-node. Content inlining is disabled for the node.

Impact:
Crash due to lack of memory.

Workaround:
Disable ICC or enable inlining with ICC for the node.


446187-3 : If manually started, bigip service(s) may consume 100% and become not functional

Component: Access Policy Manager

Symptoms:
If a certain BIG-IP service is started and working and another instance of the same service is started manually, the original one spins in a loop, consumes around 100% CPU and, becomes nonfunctional.
These services are affected:
apd, websso, eam, acctd, aced, rba.

Conditions:
A service is started manually either using a binary located at search path, for example /usr/bin/
or using a script located at /etc/bigstart/scripts/

Impact:
Service becomes unavailable.

Workaround:
Never start any daemon manually.
The proper way to start, stop, and restart daemons on the BIG-IP system is to use the bigstart utility:
bigstart start daemonname
bigstart stop daemonname
bigstart restart daemonname


445968 : Update traffic priority option appears for non-authorized users in GUI.

Component: TMOS

Symptoms:
Update traffic priority option appears for non-authorized users in GUI but is not.

Conditions:
Logged in As a user with role other than admin or resource-admin, navigate to Network :: Class of Service : Traffic Priority in the GUI and attempt to modify a traffic priority.

Impact:
It appears that the user can modify the option; that is, buttons will be active and not greyed out, but actually attempting to complete the modification results in a 'no access' error.

Workaround:
Log in as admin or resource-admin to modify the update traffic priority option.


445633 : Config sync of SecurID config file fails on secondary blades

Component: TMOS

Symptoms:
If APM is provisioned, after uploading a new SecurID config file via the GUI, mcpd restarts and fails to sync on device group peers.

Conditions:
This happens on a device group peer with APM provisioned, only after using the GUI to update the SecurID configuration. This can also happen on chassis secondary blades.

Impact:
The peer receiving the sync restarts mcpd, which in turn restarts several other daemons. The peer never receives the config file properly.

Workaround:
Use tmsh: tmsh modify apm aaa securid <name> config-files modify { sdconf.rec { local-path /path/to/sdconf.rec } }.


445335 : Unlicensed LTM can be configured with Policy that requires license

Component: Local Traffic Manager

Symptoms:
Certain features of the LTM require specific licensing; one of these features is PEM. LTM Policy supports PEM conditions and actions, and exposes these options even when PEM is not currently licensed. Therefore it is possible to create a policy that cannot be applied to a virtual server.

Conditions:
BIG-IP is not licensed for PEM, and user applies an LTM Policy to a virtual server which specifies 'ssl-persistence classification'.

Impact:
User sees error message, policy is not applied to virtual server.

Workaround:
Either enable PEM licensing or change the LTM Policy to not use 'ssl-persistence classification'.


445330 : Incorrect values are displayed for iSession profile optimized bits

Component: Wan Optimization Manager

Symptoms:
Optimized bits reported for iSession profiles are incorrect

Conditions:
SDDv2 deduplication optimizes WAN traffic containing runs of the same repeated byte value.

Impact:
Optimized bits reported for iSession profiles are incorrect.

Workaround:
None.


444710-5 : Out-of-order TCP packets may be dropped

Component: Local Traffic Manager

Symptoms:
Out-of-order TCP packet will be dropped if it occurs during 3-way handshake.

Conditions:
Client initiates TCP connection to BigIP with ACK segment arriving after (i.e. out-of-order) a second packet.

Resultant sequence:

1. Client - BigIP : SYN
2. BigIP - Client : SYN-ACK
3. Client - BigIP : PSH, ACK (w/Segment #2) =-- Out-of-order ; Must be retransmitted.
4. Client - BigIP : ACK (w/Segment #1)

Impact:
Packet must be retransmitted by client.

Workaround:
None


444178-4 : HTTP header replace always inserts header

Component: Local Traffic Manager

Symptoms:
Setting up a Policy to replace HTTP header results in both the existing and new header values appearing instead of the expected behavior of replacing an existing header with a new one.

The following example which attempts to replace the Server: header with a generic "AnonymousServer" demonstrates this. In this example, one would observe the response containing two Server: headers.


ltm policy /Common/replace_server {
    controls { response-adaptation }
    requires { http }
    rules {
        replace_a_header {
            actions {
                0 {
                    http-header
                    response
                    replace
                    name Server
                    value AnonymousServer
                }
            }
            conditions {
                0 {
                    http-header
                    response
                    name Server
                    starts-with
                    values { Apache }
                }
            }
            ordinal 1
        }
    }
    strategy /Common/first-match
}

Conditions:
This replacement header specified in the Policy is inserted under all conditions.

Impact:
This can result in duplicate values for the specified HTTP headers.

Workaround:
Can employ a custom iRule to achieve equivalent result. Below is an example of an iRule to replace the User-Agent header:

when HTTP_REQUEST {
     set useragent [HTTP::header value User-Agent]
          if {$useragent contains "Mozilla"} {
            HTTP::header replace User-Agent "MMMMMMMMM"
    }
}


443262 : When ICC is enabled, content gets inlined even though it exists in client's local storage

Component: WebAccelerator

Symptoms:
When ICC is applied to an html node and a client requests that html using the cookie header, if AAM serves the html from the cache, the operation inlines the content instead of referencing the content already present in the client's local storage. When the Lifetime interval for the html expires, AAM revalidates with the OWS (S10232) and replaces the links with references to the content in the client's local storage.

Conditions:
ICC is enabled for node matching html.

Impact:
Content is inlined in the html even though it already exists in the clients local storage. When a client makes a request using the cookie header and AAM responds from the cache (S11101), AAM does not replace the links with references to the content in local storage.

Workaround:
Set Lifetime on the html pages to 0 to force each request to revalidate with OWS.


442993-2 : An unexpected gateway may be selected for the management interface

Component: TMOS

Symptoms:
Unexpected gateway via management interface (in /etc/sysconfig/network) is created whenever a specific management-route is configured using tmsh. This unexpected configuration is applied onto the kernel after a reboot.

Conditions:
This occurs when a specific non-default management-route is configured, and the default management-route is not configured.

Impact:
An incorrect gateway is configured after a reboot.

Workaround:
You can avoid the issue by configuring a default management-route if you are using non-default management-routes. As a workaround for the issue, delete the unexpectedly created management default route following every reboot. To do so, use a command similar to the following: 'ip route del default dev eth0' or 'ip route del default dev mgmt'. You can include the appropriate command in the file /config/startup to have the command run automatically after each boot operation.


442980-5 : GTM pool statistics incorrect if max-address-returned not set to 1 and r

Component: Global Traffic Manager

Symptoms:
With max_addresses_returned greater than 1, multiple addresses are returned, but only the pool member associated with the first address gets stats increased.

Conditions:
Set max_addresses_returned greater than 1

Impact:
Pool stats do not show the update when pool members are selected as alternate addresses.

Workaround:
None.


442613 : After applying a data group for FIX profile tag map, modifying datagroup may cause tag mapping function to be inconsistent

Component: Local Traffic Manager

Symptoms:
After user modifies tag map data group content, the tag replacement function may still use the old tag mapping data.

Conditions:
After user assigns a data group to FIX profile's sender tag map attributes, user modifies the content of the data group.

Impact:
The replaced tag may still be the data defined in the old data group, this causes the FIX message receiver to not recognize the tag and reject the message.

Workaround:
After user modifies data group, user must then remove the data group map from the FIX profile, update the profile, re-add the it and update the profile again.


442535-2 : Time zone changes do not apply to log timestamps without tmm restart

Component: Advanced Firewall Manager

Symptoms:
When the timezone of the BIG-IP system changes, logging timestamps are not updated to the new timezone.

Conditions:
This occurs when the timezone of the BIG-IP system changes.

Impact:
/var/log/ltm logs will have the correct time from the other processes that log, but tmm logs will have the incorrect time. The time remains incorrect until tmm or the system is restarted. There are potential issues with processes that depend on correct localtime in tmm.

Workaround:
In tmsh, run one or both of the following commands: 'restart tmm'. -- bigstart restart tmm.


442455-1 : Hardware Security Module (HSM) CSR and certificate fields constraints: 15 characters and no spaces.

Component: Local Traffic Manager

Symptoms:
While using the tmsh command or fipskey.nethsm utility to create HSM keys/csr/cert, Locality, Province, Organization names cannot be longer than 15 characters.

While using the tmsh command to create HSM keys/csr/cert, Locality, Province, Organization names, common name cannot process multiple words. The system accepts only the content up to the first space character.

Conditions:
HSM keys/csr/cert, Locality, Province, Organization names, common name are longer than 15 characters or consists of strings separated by space characters.

Impact:
The system truncates field content to 15 characters or to the string up to the first space character.

Workaround:
Use strings shorter than or equal to 15 characters. Use strings without spaces. To use strings containing spaces, quote the entire string and delimit spaces with a backslash character (\). For example, for the string F5 Networks Inc, use this: "F5\ Networks\ Inc". Note that the delimiting slash still counts as a character.


442391-7 : Unsolicited neighbor advertisement cannot pass through VLAN group

Component: Local Traffic Manager

Symptoms:
The BIG-IP system does not forward unsolicited neighbor advertisement messages to all VLANs, even if messages are not destined for the BIG-IP system. This behavior may adversely affect mechanisms, such as duplicate address detection within IPv6. Neighbor advertisement messages are required from IPv6 nodes in response to neighbor solicitation messages. However, a node may elect to send unsolicited advertisement messages to propagate new information quickly. For more information, see RFC 2461 section 7.2.6: Sending Unsolicited Neighbor Advertisements, available here: http://tools.ietf.org/rfcmarkup?doc=2461#section-7.2.6.

Conditions:
This issue occurs when the following condition is met:
VLAN groups are configured for VLANs that are also configured for IPv6.

Impact:
Duplicate address detection does not work, so it is possible to have duplicate IPv6 address on two VLANs in a VLAN group without detection. This might adversely affect duplicate address detection, and can slow down detection of some changes when unsolicited message are not delivered to IPv6 clients.

Workaround:
Use DHCPv6 or stateless auto-configuration to avoid duplicate addresses.


442226-3 : Link Controller fails to auto-create a self-server

Component: Global Traffic Manager

Symptoms:
Link Controller will create a data center, but fails to create a GTM server for itself. Any LTM virtual servers configured will not show up as members in the Wide IP configuration.

Conditions:
Always

Impact:
Users must manually create and maintain the GTM server

Workaround:
Use tmsh to create a GTM server:

Standalone:
create gtm server <self host name> datacenter Default_DC addresses add { 10.20.0.1 { device-name <self host name> } } virtual-server-discovery enabled product single-bigip

Redundant:
create gtm server <self host name> datacenter Default_DC addresses add { 10.20.0.1 { device-name <self host name> } 10.20.0.2 { device-name <peer host name>} } virtual-server-discovery enabled product redundant-bigip


442191-4 : HTTP Class profiles globs are upgraded to a contains condition when it should be equals

Component: TMOS

Symptoms:
HTTP Class profiles globs are upgraded to a policy with a contains condition when it should be equals. The upgrade process will succeed, but the policy will not use the correct syntax.

Conditions:
A UCS or config with HTTP Class profiles containing globs for matching must be applied to 11.4.0 or 11.4.1 to encounter this state. The UCS must be from 11.3.x or earlier.

Impact:
After the upgrade to 11.4.x, The policy will match more than the HTTP Class profile did. Network traffic will be impacted.

Workaround:
Manually modify policies with the incorrect condition after upgrading to 11.4.x.


442153-1 : "Enforce" and "Accept" buttons do not work in Redirection Domains section

Component: Application Security Manager

Symptoms:
When you click the "Enforce" button for Redirection Domains, the wildcard entry is not deleted and the action will fail with the following error:
Illegal entity type (redirection_domain).
Could not accept entity

The button then changes to "Accept", which exhibits the same problem.

Conditions:
This occurs in the GUI when clicking the Enforce or Accept buttons for Redirection Domains.

Impact:
Enforce or Accept do not work


442038-2 : Symantec AV 12.1.x fails to be detected on Mac OS X 10.9

Component: Access Policy Manager

Symptoms:
Antivirus endpoint security check in BIG-IP APM access policy fails to detect Symantec antivirus 12.1.x (12.1.4013 version) on mac os x 10.9

Conditions:
Mac OS X 10.9, BIG-IP APM with Antivirus endpoint security check in its access policy

Impact:
Symantec AV 12.1.x fails to be detected.

Workaround:
none


442020-4 : Neighbor discovery might not work correctly with VLAN group

Component: Local Traffic Manager

Symptoms:
Certain clients (such as Windows clients) can lose router information even if previously advertised via router advertisement. This occurs because neighbor discovery messages are handled by proxy even in transparent mode for VLAN groups.

Conditions:
Conditions under which this manifests are inconsistent, but it appears to affect Windows clients in various scenarios. For example, when host on one VLAN sends a neighbor advertisement with the router bit set, the proxy code does not preserve it in the proxied response.

Impact:
Some clients might lose router information and cannot send traffic.

Workaround:
avoid stateless auto-configuration or do not auto-configure cross vlan boundaries.


441985-1 : In client-ssl profile outside ckc key/cert/chain/passphrase and RSA pair inside ckc

Component: Local Traffic Manager

Symptoms:
In the client-ssl profile, sometimes the key/cert/chain/passphrase (outside ckc) does not match the RSA pair inside ckc.

Conditions:
This occurs when using the client-ssl profile.

Impact:
Configuration error, which can result in traffic issues.


441913-4 : Empty Webtop when large number of resources assigned to access policy.

Component: Access Policy Manager

Symptoms:
When a large number of resources (more than 25) is assigned to an access policy with full a webtop, the system displays an empty webtop when accessed the second time.

Conditions:
Large number of resources assigned to access policy.

Impact:
Failed to display large number of resources on webtop when accessed second time.

Workaround:
To work around the problem, you can only use fewer resources.


441601-5 : Response is truncated in the log

Component: Application Security Manager

Symptoms:
Response is truncated in the ASM events log when the client closes the connection before the response arrives.

Conditions:
Client sends a FIN before the server finishes responding.

Impact:
The response logging doesn't show all the response.


441597 : Statistics of IP intelligence network category are always 0.

Component: Advanced Firewall Manager

Symptoms:
When displaying stats you will see a 0 count for network category of IP intelligence statistics. That category is not in use in the system.

Conditions:
Always.

Impact:
No impact.

Workaround:
None


441500-5 : Fails over upon receiving updates from the IP reputation database.

Component: Application Security Manager

Symptoms:
A customer has experienced a couple of fail over incidents from bd SIGABRTs, leaving no cores. The system at the time of the core seemed to be performing fine and the logs are pretty quiet.

Conditions:
Receiving updates from the IP reputation database.

Impact:
A customer has experienced a couple of fail over incidents from bd SIGABRTs, leaving no cores. The system at the time of the core seemed to be performing fine and the logs are pretty quiet.

Workaround:
N/A


441214-2 : monpd core dumps in case of MySQL crash

Component: Application Visibility and Reporting

Symptoms:
When MySQL crashes, the monpd process creates a core dump.

Conditions:
This issue occurs when MySQL crashes or does not start correctly.

Impact:
Reports not available for the duration of MySQL going down.

Workaround:
This issue has no workaround at this time.


441146 : Delays with flooding on forwarding ports following STP blocked state changes.

Component: Local Traffic Manager

Symptoms:
Flooding on forwarding ports for some HSB equipped platforms are being delayed. The delays are due to the absence of an event-driven flushing of HSB L2 entries, when interfaces changes to a STP blocked state.

Conditions:
This occurs with the BIG-IP 3900, 6900, 8900, 8950 platforms. This is seen with multiple parallel interfaces on the same VLAN between the BIG-IP system and a remote switch, with STP enabled.

Impact:
Delays are observed with the BIG-IP system again reverting to use the STP selected forwarding port, after the original forwarding port was disabled and re-enabled.

Workaround:
None.


441075-7 : Newly added or updated signatures are erroneously added to Manual user-defined signature sets.

Component: Application Security Manager

Symptoms:
Further investigation shows the signature was added to another blocking signature set simultaneously unexpectedly.

Conditions:
Customer reported that they encountered unexpected violation when they assigned an user defined signature to a unblocking signature set.

Impact:
Further investigation shows the signature was added to another blocking signature set simultaneously unexpectedly.

Workaround:
N/A


441058-3 : TMM can crash when a large number of SSL objects are created

Component: Local Traffic Manager

Symptoms:
Administrative operations which trigger a full reload of SSL cert, key, or CRL files can cause TMM to abort. TMM will miss its heartbeat, at which time it will be killed by sod daemon via SIGABRT.

Conditions:
Configuration contains a large number of SSL certs, keys and/or CRLs.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove any unused SSL objects from configuration.


440526 : When collecting support information, log messages might appear in /var/log/ltm

Component: TMOS

Symptoms:
When collecting support information, mcpd presents error message about providers for static and dynamic routes.

Conditions:
When collecting support information in a qkview file.

Impact:
Log messages might appear in /var/log/ltm. Messages appear similar to the following: err mcpd[7930]: 0107167d:3: Data publisher not found or not implemented when processing request route_static_entry. These messages are benign, and all routes should be present in output file.

Workaround:
None.


440505-6 : Default port should be removed from Location header value in http redirect

Component: Access Policy Manager

Symptoms:
Browser recognizes page loaded with URL without default port and page loaded after receiving Location header that contains rewritten URL with default port included in it as different pages and loads page twice.

Conditions:
Resource is loaded through Portal Access; page is loaded after receiving Location header with default port included in rewritten part; navigation occurs to this page without default port in domain part (for example, to anchor in this page).

Impact:
Resource is loaded twice and this can possibly change behavior of backend.

Workaround:
This issue has no workaround at this time.


440488-3 : Inadvertent Dissociation of Sandbox and APM Access Profile

Component: Access Policy Manager

Symptoms:
The association between "Hosted Content" sandbox and access profile can be inadvertently broken when a resource assignment agent is modified.

Conditions:
1. Association between "Hosted Content" sandbox and access profile is set up to allow free access to sandbox files at public security level. Free access means access to file without creating any resources in the access policy.
2. There are some resource in the access policy, but none of these resources reference a sandbox file.

When these two conditions are present in an access policy, any change to a resource assignment agent would break the association between sandbox and profile access.

Impact:
Inadvertent lost of access to public sandbox files.

Workaround:
Create a dummy resource that references a dummy sandbox file to avoid inadvertent dissociation between sandbox and access profile.

Use Webtop and Dummy Webtoplink to Maintain Association Between Sandbox and Profile Access:
 
- Use GUI to upload a dummy text file (*.txt like Blank.txt, because the content of the file can be blank) to sandbox Hosted Content. It's security level can be anything better than "public".
- Create a full Webtop resource.
- Create a Webtoplink with link-type "Hosted Content", and select the dummy text file in the sandbox.
- Use VPE to add the Webtop and webtoplink resources to an Access Policy. As long as the dummy Webtoplink is not modified or removed from the Access Policy, the association between sandbox and profile access is maintained, regardless of changes in other resources.


If the Access Policy already uses a Portal Access resource, a dummy Portal Access resource with link-type "Hosted Content" can be added to the Resource Assignment Agent. This dummy resource is not displayed on the Webtop if the option "Publish on Webtop" is not selected. As said above, as long long the dummy Portal Access resource is not modified or removed from the Access Policy, the association between sandbox and profile access is maintained, regardless of changes in other resources.


440431-5 : Response Logging generates a blank $HTTP_STATUS response when used with certain iRule commands.

Component: Local Traffic Manager

Symptoms:
Response Logging generates a blank $HTTP_STATUS response when used with certain iRule commands.

Conditions:
This issue occurs when the following condition is met:

A virtual server with Response Logging configured has an iRule assigned that uses either the HTTP::respond or HTTP::redirect command.
The Request Logging profile gives you the ability to specify the data and format for HTTP requests and responses that you want to include within the log file. Parameters, such as $HTTP_STATUS, are used to specify information that is included within the log file. The HTTP::respond and HTTP::redirect iRule commands allow you to customize the response sent to the client and are intended to run immediately when triggered. Therefore, no further processing of response data should occur. As a result, the system logs blank status information when using the $HTTP_STATUS parameter within the Request Logging profile for Response Logging.

Impact:
The system logs invalid information. As a result of this issue, you may encounter the following symptom: -- BIG-IP iHealth lists Heuristic H465653 on the Diagnostics :: Identified :: Medium screen. If $HTTP_STATUS is used within the Response Logging template, the output will be blank.

Workaround:
To work around this issue, you can use the iRule to generate the required logs, rather than the Request Logging profile. If an iRule is calling HTTP::respond or HTTP::redirect, you can log directly from that iRule using the log iRule command, and record parts of the old response, or the new one, depending on what is required.


440346-2 : Monitors removed from a pool after sync operation

Component: TMOS

Symptoms:
Monitors might be removed from a pool after sync operation.

Conditions:
If devices are in a failover device group, and this group contains a pool with multiple health monitors enabled, then using the 'Overwrite Configuration' option.

Impact:
Monitors might be removed from a pool on the devices that received a sync.


440263-1 : HTTP profile gets set to http-transparent by ASM deployment wizard

Component: Application Security Manager

Symptoms:
If the default HTTP profile "http" was modified, when creating a new virtual server in the ASM deployment wizard, the associated HTTP profile is "http-transparent".

Conditions:
This will occur if you have modified the default http profile and then create a new virtual server using the ASM deployment wizard.

Impact:
HTTP profile gets set to the wrong profile. This makes the PEM deployment unusable, updating the security policy will return an error "01070734:3: Configuration error: In Virtual Server (/Common/test) HTTP is configured as a Transparent Proxy, and thus is incompatible with any other filter other than PEM."

Workaround:
After using the wizard, you can set the http profile for the virtual server back to http


439773-1 : The TMM process may restart and produce a core file when a connection flow is in an invalid TCP state

Component: Local Traffic Manager

Symptoms:
TMM will core with panic string "Request for segment from middle of queue."

Conditions:
The conditions are infrequent and not all of them are known fully. TCP is in an invalid state for that particular flow, and this flow cannot continue anymore.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.


439461-3 : Citrix Receiver for Linux is unable to receive full applications list.

Component: Access Policy Manager

Symptoms:
Citrix Receiver for Linux shows only a part of applications list when connecting to APM.

Conditions:
APM is configured for Citrix Replacement and Citrix Receiver for Linux is used.

Impact:
Citrix Receiver for Linux shows only a part of applications list.


439343-5 : Client certificate SSL authentication unable to bind to LDAP server

Component: TMOS

Symptoms:
When LDAP Client Certificate SSL Authentication is configured to bind to the LDAP server with a password, the bind fails due to an incorrect password.

Conditions:
LDAP client certificate SSL authentication enabled
LDAP server requires password to bind

Impact:
Client certificates cannot be authenticated


438877-1 : If the SASP monitor receives an unexpected message from the GWM server containing an expected message id then the monitor stops processing any further messages.

Component: Local Traffic Manager

Symptoms:
The send weight messages message id field does not serve any purpose as per the SASP rfc 4678. Consider a scenario where the SASP monitor sents a registration request message containing message id x. It expects a registration reply with message id x. However, if it receives a send seight message with message id x then it throws the monitor out of sync. It stops processing any further messages.

Conditions:
The SASP monitor sends a request message with a message id in it to the GWM server. It expects a reply from the GWM server to the request message containing the same message id. But instead it receives a send weights reply containing the expected message id.

Impact:
The SASP monitor stops processing of any messages after it receives the unexpected send weights message.

Workaround:
None.


438792-7 : Node flapping may, in rare cases, lead to inconsistent persistence behavior

Component: Local Traffic Manager

Symptoms:
If persistence is used, and a node is marked down and then up in quick succession (less than about 7 seconds), then persistence may act inconsistently (meaning, not all connections expected to persist to a server will do so). Further requests in certain circumstances may hang (the client will be left waiting for a response).

Conditions:
Persistence, rapid node flapping, new connection (via a TMM with an existing connection) after node has been re-marked as up.

Impact:
Inconsistent persistence behaviors. If persistence records are examined, you might find multiple, conflicting entries. This is an intermittent issue.

Workaround:
Add an iRule command to the PERSIST_DOWN event that deletes the persistence entry for this connection. One example might be:

when PERSIST_DOWN {
    persist delete source_addr [IP::client_addr]
}

For more information, see SOL14918: Node flapping may cause inconsistent persistence records, available here: http://support.f5.com/kb/en-us/solutions/public/14000/900/sol14918.html.


438674-3 : When log filters include tamd, tamd process may leak descriptors

Component: TMOS

Symptoms:
The log filter functionality in TMOS allows users to publish logs from a specific set of processes to various log destinations.

Conditions:
Configure log filter that includes tamd.

Impact:
Client authentication might fail. When a log filter includes tamd, the tamd process might start to leak descriptors.

Workaround:
Do not define log filters that include tamd (tamd is included in 'all').


438604-4 : AVR JavaScript injection takes place regardless of content-type value

Component: Application Visibility and Reporting

Symptoms:
AVR will inject JavaScript although it should not.

Conditions:
"Page Load Time" in analytic profile is turned on.
Send HTTP request with content-type is text/html without the <head> tag.

Impact:
AVR can invalidate a response, by injecting JavaScript in a page that is not actually an HTML page.

Workaround:
Turn off "Page Load Time" in analytic profile


437773-6 : Some LACP trunk members are missing after rebooting primary blade

Component: TMOS

Symptoms:
Some of the Link Aggregation Control Protocol (LACP) trunk members are missing after rebooting the primary blade.

Conditions:
This occurs on VIPRION chassis with more than one blade, configured for LACP after rebooting the primary blade.

Impact:
Some LACP trunk members are missing.

Workaround:
If you have not saved the configuration in the bad state (that is, saved the configuration while the LACP trunk members are missing), you might be able to recover by running the command: tmsh load sys config.


437744-5 : SAML SP service metadata exported from APM may fail to import.

Component: Access Policy Manager

Symptoms:
SAML SP service metadata exported from APM contains elements in incorrect order which might cause it to fail to be imported by other implementations.

Conditions:
When SAML metadata is exported from BIG-IP when it is acting as SAML Service Provider, the order of
'SingleLogoutService' and 'AssertionConsumerService' are not right.

Impact:
Import of SAML metadata with SAML IdP from BIG-IP as SP might fail.

Workaround:
Edit exported metadata: change the order of elements in the SPSSODescriptor so that SingleLogoutService element goes first in the sequence.


437743-4 : Import of Access Profile config that contains ssl-cert is failing

Component: Access Policy Manager

Symptoms:
An access profile configuration that uses an SSL Certificate fails to import. This happens because of a change in the method to import SSL certificates.

Conditions:
Access Profile configuration contains (SSL) Certificate File object, that is configurations that include OCSP responder, Certificate Authority Profile or ServerSSL Profile.

Impact:
Serious. It's not possible to import configs that contain above mentioned objects to another box, which might prevent users from distributing profiles manually or properly importing a backup/

Workaround:
You can either exclude above-\ mentioned objects prior to export and then recreate them after the import or (not recommended) edit the config manually and import the SSL certificate prior to import.


437703-4 : LTM policies do not accept special characters in HTTP header names

Component: Local Traffic Manager

Symptoms:
LTM policies do not accept special characters in HTTP header names.

Conditions:
This occurs when trying to use a '$' character in a header name.

Impact:
The system posts a validation error. For example, for the value $WSRA, the system posts the following message: 01071748:3: Policy '/Common/ft1_pool_select', rule 'notvar2'; invalid name, value '$WSRA'.

Workaround:
None.


437627-6 : TMM may crash if fastl4 vs has fragmeneted pkt

Component: Local Traffic Manager

Symptoms:
TMM may crash if a fast L4 profile has a fragmented packet

Conditions:
fastl4 configure
incoming fragmented packets

Impact:
Traffic disrupted while tmm restarts.

Workaround:
In fast L4 profile, enable option "Reassemble IP Fragments"


437025-7 : big3d might exit during loading of large configs or when a connection to mcpd is dropped.

Component: Global Traffic Manager

Symptoms:
If big3d loses its connection to MCPD and cannot reconnect immediately, big3d retries too often and re-uses timer IDs incorrectly.
This might result in a core dump with either SIGABRT or SIGSEV.

One way this can happen is that while processing very large configs, the mcpd process does not respond to queries from the big3d process.

Conditions:
A large configuration file (for example, larger than 10 MB) or a very busy MCPD/control plane.

Impact:
big3d core errors.

Workaround:
This issue has no workaround at this time.


436616-3 : Now CTU correctly enables logs for 64bit services on Windows.

Component: Access Policy Manager

Symptoms:
64bit services uses normal logging level even if CTU has 'Enable logging' flag set


436201-4 : JavaScript can misbehave in case of the 'X-UA-Compatible' META tag when a client uses IE11

Component: Access Policy Manager

Symptoms:
JavaScript can misbehave when encountering the 'X-UA-Compatible' META tag from clients using Microsoft Internet Explorer 11.

Conditions:
Internet Explorer 11 and meta http-equiv='X-UA-Compatible' content='IE=10'.

Impact:
Web application malfunction.

Workaround:
Use an iRule.


435953-1 : In the GUI, the search fails to return results for the Wide IP list

Component: TMOS

Symptoms:
Using the GUI to search fails to return results from the Wide IP list.

Conditions:
This occurs when the Wide IP and the Alias share same domain name. (e.g., siterequest.com).

Impact:
Cannot search by Wide IP alias using the GUI.

Workaround:
in the GUI, use * to get all the Wide IPs, or use a prefix such as 'wip' or 'wip1'. Another work around is to use TMSH.


435555-2 : Cannot load UCS from different BIG-IP system using Secure Vault

Component: TMOS

Symptoms:
If a BIG-IP system uses in Secure Vault to encrypt secure fields, you cannot load that UCS to another BIG-IP system.

Conditions:
This occurs when a UCS originates on a BIG-IP system whose secure fields are encrypted using Secure Vault. The reason is that the Master Key to the Secure Vault has been encrypted with the Unit key of the originating BIG-IP system. The Unit key is unique to each system.

Impact:
UCS load fails.


435335-4 : SSL proxy session ID cache does not respect limit set by tmm.proxyssl.cachesize

Component: Local Traffic Manager

Symptoms:
After setting tmm.proxyssl.cachesize to a non-default value and restarting TMM, the new maximum size is not respected, either causing too many or too few entries to be retained. This can lead to memory exhaustion over time.

Conditions:
Proxy SSL feature enabled with non-default tmm.proxyssl.cachesize value set.

Impact:
The setting has no effect, so if it is being used to avoid low-memory conditions, the low-memory conditions persist.


435106-2 : Message: notice panic: ../modules/hudfilter/hudnode.c:741: Assertion 'valid proxy failed.

Component: Local Traffic Manager

Symptoms:
TMM cores and posts message: notice panic: ../modules/hudfilter/hudnode.c:741: Assertion 'valid proxy failed.

Conditions:
This might occur after changing the configuration in the following ways: removing persist records, enabling configsync auto-save.

Impact:
The systems posts the message: notice panic: ../modules/hudfilter/hudnode.c:741: Assertion 'valid proxy' failed. This is an intermittent issue.

Workaround:
None.


434730-5 : Auto-sync may fail with many synchronizations in rapid succession

Component: TMOS

Symptoms:
If an device group is configured to perform auto-sync with incremental synchronization enabled, and a number of rapid configuration changes cause a rapid sequence of auto-sync operations, synchronizations may fail, and mcpd may log a message like the following to the LTM log:

0107168e:5: Unable to do incremental sync, reverting to full load for device group

Conditions:
- This affects any device group configured with auto-sync enabled with and full-load-on-sync disabled.
- A number of rapid configuration changes resulting in a rapid sequence of auto-sync operations.

Impact:
Manual mcpd restart may be required.

Workaround:
Disable auto-sync.


434573-5 : Tmsh 'show sys hardware' displays Platform ID instead of platform name

Component: TMOS

Symptoms:
While running a version of BIG-IP older than the most recent release on a new hardware platform (recently purchased or recently acquired through RMA exchange), the 'tmsh show sys hardware' command may display the Platform ID code in place of the official F5 platform name.

For example, the 'tmsh show sys hardware' command may display a Platform ID like the following:

Platform
  Name D113

instead of the official platform marketing name, such as:

Platform
  Name BIG-IP 10000F

Conditions:
This may occur if the version of BIG-IP software installed is not the most recent release, and the hardware platform is a newer variant (due to added hardware features or other manufacturing change) than was originally supported by the older BIG-IP software release.

Impact:
Custom automation scripts which depend on correctly matching F5 platform marketing names may fail to match the platform ID.

Workaround:
Update platform-identification scripts to include the relevant platform IDs among the recognized match values.


434517-13 : HTTP::retry doesn't work in an early server response

Component: Local Traffic Manager

Symptoms:
If a HTTP_RESPONSE event fires due to the server sending an early response (i.e. a response before the entire request has been sent), then HTTP::retry does not work correctly.

Conditions:
Client begins sending a request. The server responds before that request is completely sent. A HTTP::retry is called in the HTTP_RESPONSE event.

Impact:
Typically, early server responses are error conditions.

Workaround:
HTTP::respond or HTTP::redirect may be used at the cost of an extra client-side request.


434400-4 : tmm might core with rate-limiting on virtual server

Component: Local Traffic Manager

Symptoms:
tmm might core when rate-limiting is configured on a virtual server.

Conditions:
This occurs on a virtual server with rate-limiting enabled and unexpected filter operations that send LB selection after connection is in progress. This might also occur with an iRule that behaves similarly, for example, issuing an LB command after a TCP::release.

Impact:
Traffic disrupted while tmm restarts.


434356-1 : Data-group update doesn't propagate to SSL forward proxy configuration

Component: Local Traffic Manager

Symptoms:
When an internal/external data-group configuration is modified, it doesn't reflect in a client SSL profile.

Conditions:
Modifying a data group configuration.

Impact:
You have to manually restart tmm or re-apply the data-group to the SSL profile each time the data-group is modified.

Workaround:
Restart tmm or re-apply the data-group to the SSL profile each time the data-group is modified.


434258-1 : SSL Forward Proxy versions prior to 11.6.0 do not fully support passthrough.

Component: Local Traffic Manager

Symptoms:
SSL Forward Proxy versions prior to 11.6.0 do not fully support passthrough. When upper layer profiles such as HTTP is configured, packet passthrough will not work.

Conditions:
HTTP profile and/or other modules above SSL are configured and SSL bypass is enabled.

Impact:
The TMM crashed.


433972-11 : New Event dialog widget is shifted to the left and Description field does not have action widget

Component: Access Policy Manager

Symptoms:
When you access Microsoft SharePoint 2013 through APM and use a rewrite profile, the rewritten New Event dialog box is shifted to the left and action widgets are not displayed above the Description field.

Conditions:
The problem occurs in Internet Explorer 11 with meta http-equiv='X-UA-Compatible' content='IE=10'.

Impact:
SharePoint 2013 malfunctions.

Workaround:
You could potentially use an iRule to mitigate the problem.


433847-3 : APD crashes with a segmentation fault.

Component: Access Policy Manager

Symptoms:
Uninitialized CRLDP or OCSP field might cause a crash because of possible memory corruption.

Conditions:
This occurs when there is an uninitialized field in the Crldp or OCSP module.

Impact:
APD crashes with a segmentation fault. Uninitialized field might cause a crash trying to free the client connection.


433752-7 : Web applications might rewrite their event handlers

Component: Access Policy Manager

Symptoms:
Web applications might rewrite their event handlers.

Conditions:
If a web application edits event handlers dynamically.

Impact:
Event handlers might become corrupted.

Workaround:
None.


433323-4 : Ramcache handling of Cache-Control: no-cache directive in Response

Component: Local Traffic Manager

Symptoms:
Previously, when a Cache-Control header from the OWS contained a no-cache directive, RAM Cache mistakenly interpreted that the same as a no-store directive.

Conditions:
Configure a virtual server with HTTP caching.

Impact:
Failure to cache a cachable document.

Workaround:
This issue has no workaround at this time.


433055-1 : BFD GTSM IMI shell commands don't work

Component: TMOS

Symptoms:
BFD GTSM IMI shell commands 'bfd gtsm enable' and 'bfd gtsm disable' commands are disabled and have no effect.

Conditions:
This problem shows up when BFD is configured, and attempt to configure GTSM feature of BFD.

Impact:
GTSM feature is not usable.

Workaround:
None.


432900-1 : APM configurations can fail to load on newly-installed systems

Component: Access Policy Manager

Symptoms:
APM upgrades fail if the /shared/apm directory is not present before you load the configuration. APM writes a configuration loading error to the /var/log/ltm file with content similar to this:

Oct 25 08:42:11 localhost notice mcpd[6311]: 0107165d:5: copy_file: EPSEC::In copy_file - src (/config/filestore/files_d/Common_d/epsec_package_d/:Common:EPSEC:Images:epsec-1.0.0-160.0.iso_14866_1) dst (/shared/apm/images/epsec-1.0.0-160.0.iso)
Oct 25 08:42:11 localhost notice mcpd[6311]: 0107165d:5: copy_file: Failed in file copy errno=(No such file or directory)
....
01071558:3: EPSEC - File Copy to /shared location failed Unexpected Error: Loading configuration process failed.

Conditions:
If the system is fresh from manufacturing or has had a recent formatting installation, it is vulnerable to this upgrade defect. The failure is only observed if the configuration being applied contains elements of APM.

Impact:
After booting into an upgraded system, the configuration will fail to load. A load failure can also be observed when manually loading a UCS file.

Workaround:
Create the directory /shared/apm and try to load the configuration again.


432469-9 : State of Microsoft Windows Firewall is not detected

Component: Access Policy Manager

Symptoms:
APM Client Firewall Check on does not detect state of Windows 8.1 firewall.

Conditions:
End point checking is configured in access policy and requires presence of Windows Firewall

Impact:
Session establishment will fail.

Workaround:
This issue has no workaround at this time.


432102-4 : HTML reserved characters not supported as part of SAML RelayState

Component: Access Policy Manager

Symptoms:
If the RelayState parameter includes HTML and XHTML special characters, then BIG-IP as IdP or BIG-IP as SP does not process them correctly, and does not send complete RelayState value to the Peer.

Conditions:
Using special characters

Impact:
SAML integration may not work properly with other products when configured RelayState parameter includes special characters.

Workaround:
To use reserved characters in HTML (",',&,<,>) as part of SAML RelaySate, convert them to their HTML entities (&#34;, &#39;, &#38;, &#60;, &#62;).


431980-3 : SWG Reports: Overview and Reports do not show correct data.

Component: Access Policy Manager

Symptoms:
When traffic is very sparse, the report may be incorrect and omit information due to skipped aggregation process of collected data.
The original fix caused heavy spikes to the CPU every 5 minutes.

Conditions:
Very sparse traffic with significant gaps.

Impact:
AVR reports may be incorrect.

Workaround:
This issue has no workaround at this time.


431634-5 : tmsh: modify gtm server 'xxx' virtual-servers replace-all-with 'yyy' fails

Component: TMOS

Symptoms:
If you have a gtm server object for which you wish to modify its virtual servers, the following tmsh command fails:

modify gtm server <gtm-server-name> virtual-servers replace-all-with <vs-name>

with this error:

"The requested Virtual Server (/Common/<gtm-server-name> ) was not found."

Conditions:
You have a gtm server object whose virtual servers you are attempting to modify via the replace-all-with method.

Impact:
You cannot set the virtual server(s) on a gtm server object via the replace-all-with method in tmsh.

Workaround:
You still can still add and delete virtual servers to the gtm server object via tmsh, you just cannot use the replace-all-with method to accomplish this.


431240-4 : RTSP ALG when used with CGNAT, the media connections do not have the data session translation address:port logged as LSN translations

Component: Carrier-Grade NAT

Symptoms:
RTSP established media flows will not have their public translation address and ports logged in the same way LSN translations do.

Conditions:
This occurs when an RTSP ALG profile is configured with an lsn-pool and there are RTSP RTP flows.

Impact:
Media flows will not be able to be used to identify subscribers.


431239-2 : RTSP established media connections do not honor LSN pool translation port ranges or configuration

Component: Carrier-Grade NAT

Symptoms:
RTSP established media connections will choose ports that are not consistent with the CGNAT configuration.

Conditions:
RTSP ALG profile with a VS using any LSN pool

Impact:
It may use ports outside the LSN pool range Deterministic NAT configurations - will get incorrect results or no results when reverse mapping an RTP media flow

Workaround:
There is no workaround.


431149-4 : APM config snapshot disappears and users see "Access Policy configuration has changed on gateway"

Component: Access Policy Manager

Symptoms:
In scenarios where there are multiple slots on a chassis in an HA pair (in both vCMP and chassis only mode), the error "Access Policy configuration has changed on gateway" might be displayed when a user connects to a virtual server.

Conditions:
It can occur in conditions when :
 - right after when the whole chassis is rebooted
 - secondary/slave slot's tmm cores.
 - disabling a slot on chassis

Impact:
Customer would see following message when they connect to virtual server "Access Policy configuration has changed on gateway"

Workaround:
To work around the problem, type the command "bigstart restart apd" on the primary slot.


430323-1 : VXLAN daemon may restart when 8000 VXLAN tunnels are configured

Component: TMOS

Symptoms:
VXLAN daemon may restart when 8000 VXLAN tunnels are configured.

Conditions:
8000 VXLAN tunnels are configured.

Impact:
VXLAN daemon restart.


429368-4 : SIP RTP/RTCP connections do not honor LSN pool translation port ranges

Component: Carrier-Grade NAT

Symptoms:
Session Initiation Protocol (SIP) RTP/RTCP connections do not honor Large Scale NAT (LSN) pool translation port ranges.

Conditions:
This affects all SIP RTP/RTCP connections in all LSN modes(NAPT and DNAT). The BIG-IP system chooses any valid ephemeral port instead of the range specified in the LSN pool.

Impact:
Its is not possible to trace which subscriber initiated a RTP/RTCP connection using LSN logs.

Workaround:
There is no workaround for this issue.


429365-3 : FTP data connections do not honor LSN pool translation port ranges

Component: Carrier-Grade NAT

Symptoms:
FTP data connections do not honor LSN pool translation port ranges.

Conditions:
This affects all FTP data connections in all LSN modes(NAPT and DNAT). The BIG-IP system chooses any valid ephemeral port instead of the range specified in the LSN pool

Impact:
It is not possible to trace which subscriber initiated a data connection using LSN logs.

Workaround:
None.


429011-9 : No support for external link down time on network failover

Component: Local Traffic Manager

Symptoms:
For switch based platforms, the bcm56xxd daemon monitors the active/standby state using the failover.bigipunitmask DB variable and if this indicates a transition from Active to Standby, it downs external links and starts a timer for re-enabling the links after a customer-specified delay as per the failover.standby.linkdowntime DB variable.

Conditions:
This occurs on BIG-IP 2000 series and 4000 series platforms.

Impact:
No support for external link down time on network failover.

Workaround:
None.


428467-1 : max-concurrent-udp/max-concurrent-tcp maximum values

Component: Local Traffic Manager

Symptoms:
If the max-concurrent-udp/max-concurrent-tcp dns cache parameters are set too high for the platform, the memory needed to fulfill the request may cause tmm to panic.

Conditions:
This occurs because tmm creates max-concurrent-tcp communication points, each of which has a 64 KB buffer. For example, 8 tmms at 64 KB each results in approximately 500 KB for a single communication point. When multiplied by 2 billion, there will be problems with memory allocation.

Impact:
When this occurs, tmm can core.


428387-3 : SAML SSO could fail if SAML configuration contains special XML characters (&,<,>,",')

Component: Access Policy Manager

Symptoms:
SAML AuthRequest and Assertion generation could fail if the configuration (IdpEntityID, ACS, SAML Attributes, and so on) contain special XML characters, such as [&,<,>,",'].

Conditions:
- Assertion signing is enabled on BIG-IP as IdP.
- SAML Configuration (IdpEntityID, ACS, not-encrypted SAML Attributes, ACS URL, SP Entity ID, SLO URL) contains special characters, e.g. [&,<,>,",']

Impact:
SAML AuthRequest and Assertion generation could fail.

Workaround:
You can replace special XML character with XML-escape codes in the configuration:
" &quot; ' &apos; < &lt; > &gt; & &amp;

For example, replace "http://f5.com/acs_url?user=5&password=pass"

with "http://f5.com/acs_url?user=5&amp;password=pass"


428071 : REST framework must be installed on each blade of a VIPRION

Component: Device Management

Symptoms:
When you install the required BIG-IQ components on BIG-IP devices running on a VIPRION with more than one blade, the components load only on the primary blade.

Conditions:
VIPRION chassis with 2 or more blades.

Impact:
VIPRIONs require manual workaround to be managed by a BIG-IQ.

Workaround:
To install the required components on the remaining blades, for each blade, run the update_bigip.sh script then disable the blade through TMUI. After you run the script on all blades, re-enable them through TMUI.


427924-4 : ipport hash type is not programmed in new blade

Component: TMOS

Symptoms:
When inserting a new blade in a VIPRION C2400 chassis, with UDP or TCP hash set to 'ipport', the new blade uses the 'port' hash instead. Rebooting the blade or restarting bcm56xxd and tmm causes the correct DAG (Disaggregator) hash to be used.

Conditions:
UDP or TCP hash algorithm changed from default (e.g. changed from 'port' to 'ipport'). -- UDP or TCP virtual servers configured. -- New blade inserted into chassis. New blade includes external interface to which traffic will arrive.

Impact:
Prevents adequate distribution of traffic within a chassis, which may disrupt traffic flows or reduce the traffic throughput of the BIG-IP system.

Workaround:
Reboot the new blade after it has been configured. Issue the 'bigstart restart' command (to restart the bcm56xxd and tmm modules and program the DAG with the correct hash type).


427357-2 : Virtual address icmp-echo and arp properties get reset to disabled for network prefixes on config load

Component: TMOS

Symptoms:
On a configuration load, the icmp-echo property is always set disabled for a virtual address with network prefix.

Conditions:
This occurs on virtual addresses that have a network prefix.

Impact:
ICMP and ARP behavior stops for the virtual address.

Workaround:
Manually reconfigure the icmp-echo property for virtual addresses with network prefixes.


426939-6 : APM Polices does not work in VIPRION 4800 chassis if there is no slot1

Component: Performance

Symptoms:
Access policies does not get executed according to the configuration in a VIPRION 4800 chassis. User will not be able to use those policies.

Conditions:
This issue happens only on VIPRION 4800 and only if there is no active slot1 as primary or standby

Impact:
User will not be able to use the access polices that are configured in BIG-IP

Workaround:
Always use slot1 in the VIPRION 4800


426328-4 : Updating iRule procs while in use can cause a core

Component: Local Traffic Manager

Symptoms:
When updating an iRule that is in process or parked and has existing connections and uses a proc, a core can occur due to incorrect internal reference counting.

Conditions:
High traffic iRule that both parks and uses a proc.

Impact:
The BIG-IP system might temporarily fail to process traffic, and fail over if configured as part of a high availability (HA) pair.

Workaround:
Disable listener before updating iRule. For more information, see SOL14654: Updating an iRule that uses sideband connections may cause TMM to core, available here: http://support.f5.com/kb/en-us/solutions/public/14000/600/sol14654.


426209-5 : exporting to a CSV file may fail and the Admin UI is inaccessible

Component: Access Policy Manager

Symptoms:
If there are a large number of APM report records, exporting them to a CSV file might fail and the Admin GUI can then become inaccessible.

Conditions:
When the amount of report data is large.

Impact:
The Admin UI is inaccessible.

Workaround:
Avoid exporting large amounts of report data.


422460-6 : TMM may restart on startup/config-load if it has too many objects to publish back during config load

Component: TMOS

Symptoms:
TMM restarts without any core file on startup or when mcpd is loading the configuration if the size of configuration is considered big (for example over 1000 passive monitors).

Conditions:
This issue occurs when all of the following conditions are met:
-- The mcpd process loads a large configuration with thousands of objects.
-- The platform is running 12 or more TMM instances (BIG-IP 11000, 11050 platform, or VIPRION B4300 blade).

Impact:
Traffic processed by the affected TMM instance is interrupted while TMM restarts. TMM might enter a restart loop and restart multiple times, without producing a core file. You might see errors similar to the following in log/tmm or log/daemon:
-- LTM01 crit tmm11[28599]: 01010020:2: MCP Connection aborted, exiting. -- LTM01 emerg logger: Re-starting tmm. This might cause serious traffic disruption.

Workaround:
This workaround is a mitigation and may not work in all cases; the zero-window timeout may need to be adjusted to a higher value for some configurations.

To work around this issue, increase the timeout used for the MCP connection.

1. Open the tmm_base.tcl file for modification.
2. Locate the tcp _mcptcp stanza.
3. Add the following line:
   zero_window_timeout 300000

This lengthens the timeout, which avoids the restart. For more information, see SOL14498: The mcpd connection to TMM may time out on either startup or configuration load and cause TMM to restart, available here: http://support.f5.com/kb/en-us/solutions/public/14000/400/sol14498.html.


422107-6 : Responses from DNS transparent cache will no longer contain RRSIG for queries without DO bit set

Component: Local Traffic Manager

Symptoms:
DNS transparent cache may have RRSIG in the responses for queries without DO bit set.

Conditions:
DNS transparent cache receives a DNS query without DO bit set.
If the query is answered by a DNSSEC zone of a pool member. The response returned to the client will contain RRSIG.

Impact:
Responses contain unnecessary RR sets. Not RFC compliant.

Workaround:
None.


422094-7 : Data connections created through FTP Active-mode transactions through the CGNAT do not have the data session translation address:port logged as LSN translations

Component: Carrier-Grade NAT

Symptoms:
Some connections through the CGNAT may not have corresponding LSN logs associating those translation address-port end-points with an FTP subscriber. This only occurs on an LSN with NAPT mode with an FTP-ALG profile, and it only occurs for a subscriber using FTP Active mode.

Conditions:
LSN with NAPT mode
FTP-ALG profile
Subscriber using FTP Active mode

Impact:
There are CGNAT sessions missing from the LSN logs.

Workaround:
Associate the subscriber with the FTP control channel. Provide both the control channel and data channel end-points so the subscriber can be correctly located.


421791-5 : Out of Memory Error

Component: WebAccelerator

Symptoms:
TMM crashes due to a segmentation violation early in a WAM interface.

Most likely, before the crash occurs the logs should show messages indicating that the sweeper was activated one or more times.

Conditions:
Only happens when free memory is very low to non-existent.

Impact:
TMM crashes.

Workaround:
Reduce load on box if possible.


421612-5 : CGNAT traffic through SIP-ALG will not have outbound connections and addresses logged

Component: Service Provider

Symptoms:
Subscriber traffic through the Carrier Grade NAT and SIP-ALG will not have all the addresses and ports used by the subscriber logged.

Conditions:
CGNAT and SIP-ALG configured and subscriber sending SIP traffic.

Impact:
Some subscriber traffic will not have translation addresses logged as expected.


421611-1 : SIP messages through the SIP-ALG may be hairpinned when the destination address is not inside the NAT

Component: Service Provider

Symptoms:
SIP messages are sent directly to the peer and not to the SIP-Proxy when both peers are inside the NAT.

Conditions:
-- CGNAT and SIP-ALG are configured.
-- Peer1 and Peer2 are in the NAT'd network (subscribers).
-- SIP-Proxy is located outside the NAT network (internet).

Impact:
Some SIP messages may not be seen by the SIP-Proxy and cause missed messages and accounting gaps.

Workaround:
None


421446-4 : Fixed bug in APM which doesn't allow InstallerService to update.

Component: Access Policy Manager

Symptoms:
Installer service isn't updated if user access newer APM.

Conditions:
User accesses APM with special version: 11.4.0, 11.4.1, 11.5.0

Impact:
User has old InstallerService

Workaround:
N/a


421016-1 : AFM + APM configurations and traffic drop

Component: Advanced Firewall Manager

Symptoms:
Currently, when the Network Firewall is configured in Firewall mode (default deny), Access Policy Manager (APM) traffic might be dropped. The Network Firewall does work with APM when configured in ADC mode (default allow for self IPs and virtual servers).

Conditions:
Logon for BIG-IP APM resources may not function when the BIG-IP APM is configured in conjunction with the BIG-IP AFM module.

Impact:
When this occurs, users are unable to access BIG-IP APM configured services.

Workaround:
There is no workaround.


420440-3 : Multi-line TXT records truncated by ZoneRunner file import

Component: Global Traffic Manager

Symptoms:
Checking your TXT record in the web interface causes the system to give an error. Querying for the data against a listener for the record reveals that the TXT rdata is incorrect.

Conditions:
GTM enabled and a zone file with a TXT record that has multi-line rdata has been imported via the GUI into ZoneRunner.

Impact:
Your DNS TXT records will be incorrect.

Workaround:
Enter your multi-line TXT records via the web interface as single line, quote separated lines.


420341-7 : Connection Rate Limit Mode when limit is exceeded by one client also throttles others

Component: Local Traffic Manager

Symptoms:
Connection Rate Limit Mode is set to Per Virtual Server and Source Address, you might encounter unexpected results. Once a particular client is above the limit, other clients (other source IP addresses) are also throttled by the system.

Conditions:
This occurs in the following manner: There is a configured connection rate limit per virtual server per client; one client exceeds the configured rate limit; and the virtual server also throttles other, unrelated clients.

Impact:
The virtual server throttles clients that are not exceeding the connection rate limit.

Workaround:
None.


420204-1 : FIPS key deletion by-handle does not post an error if corresponding key object exists but the keyname is more than 32 characters long

Component: TMOS

Symptoms:
Starting 11.4.0, 'tmsh delete sys crypto fips by-handle handle#' command is expected to throw an error if the key object corresponding to this FIPS key handle exists in BIG-IP config. However, this does not work if the key name is longer than 32 characters because the operation relies on key name being the same as the FIPS key label, which is not the case for keynames of greater than 32 chars.

Conditions:
BIG-IP contains a FIPS key object with a name that is longer than 32 characters. User attempts 'tmsh delete sys crypto fips by-handle handle#' for this FIPS key handle. The expected error does not occur, and the operation deletes the FIPS key from the FIPS card, which makes the BIG-IP key object invalid.

Impact:
The corresponding BIG-IP key object is now invalid with no corresponding FIPS key in FIPS card. Traffic using this key object will fail.

Workaround:
Use keynames shorter than 32 characters for FIPS keys.


420107-4 : TMM could crash when modifying HTML profile configuration

Component: TMOS

Symptoms:
Modification of configuration for a virtual with HTML profile attached may cause a tmm crash if there are open connections with html content.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable virtual server (or make sure that it does not have open connections in any other way) before modifying configuration.


419664-3 : SNMP sysIfxStat stats availability on 2000/4000 platforms

Component: TMOS

Symptoms:
SNMP sysIfxStat stats are not available on 2000/4000 platforms.

Conditions:
Performing mibwalk of SNMP-sysIfxStat on 2000/4000 platforms.

Impact:
SNMP-sysIfxStat stats cannot be queried using SNMP.


419217-2 : LTM policy fails to decompress compressed http requests

Component: Local Traffic Manager

Symptoms:
Administrator configures LTM policy to decompress http request (so, for example, that ASM can check it). However compressed requests are not decompressed.

Conditions:
Issue occurs always when there is a decompress action on an LTM policy.

Impact:
Requests and/or responses are not decompressed as desired.

Workaround:
An iRule can be added to the virtual server to override policy setting. (DECOMPRESS::enable, DECOMPRESS::disable).


418734-2 : vCMP guest unit_key empty

Component: TMOS

Symptoms:
A vCMP guest fails to load, and mcpd crashes on start-up. Running 'tmsh list vcmp guest' on the host reveals that sym-unit-key is empty or does not exist.

Conditions:
There are a number of ways that this can be encountered. The most common is an RMA replacement of a VCMP-capable blade, or when moving a ucs from one device to another device of the same type, if the device unit key becomes corrupted, or if the master key file (/config/bigip/kstore/master) becomes corrupted.

Impact:
Configuration of vCMP guest fails to load, mcpd crashes.

Workaround:
Remove the encrypted attributes from the config and reenter them in plaintext.


417068-2 : Key install or deletion failure on FIPS key names longer than 32 chars on some platforms

Component: Local Traffic Manager

Symptoms:
Key operations might not succeed as expected when the key names are longer than 32 characters.

Conditions:
This occurs with keynames longer than 32 characters on the 6900 (D104), 8900 (D106), 8950 (D107), 11999 (E101), 11050 (E102), 10000/10050/10200/10250 (D113) platforms.

Impact:
FIPS key install and key deletion might fail. Deletion of the FIPS key with a keyname longer than 32 characters deletes the key from the BIG-IP configuration but does not delete the key from the FIPS card. Similarly, importing a key with keyname longer than 32 characters into the FIPS card fails.

Workaround:
Use keynames of a maximum of 32-characters for FIPS keys.


416292-2 : MCPD can core as a result of another component shutting down prematurely

Component: TMOS

Symptoms:
During a small window of opportunity, mcpd can core if it is told to restart. This often occurs when another component has failed.

Conditions:
This issue generally occurs when another component has a problem which then initiates an mcpd restart.

Impact:
An mcpd core file is generated during shutdown, and it may initially appear as if mcpd coring was the cause of the restart.


415299-2 : Recurring check failures not logged

Component: Access Policy Manager

Symptoms:
Recurring check failures are not being logged to the client's policyserver.log file

Conditions:
Access policy configured, with recurring checks enabled on a client-side agent.

Impact:
If the recurring check fails, it is not logged in the client's log file, which makes it more difficult to diagnose issues.


412160-2 : vCMP provisioning may cause continual tmm crash.

Component: TMOS

Symptoms:
vCMP provisioning may cause continual tmm crash. In rare cases, tmm cores when VCMP is provisioned/deprovisioned.

The tmm log file presents messages similar to the following: panic: ../dev/cn1120/n3_compress.c:555: Assertion 'enough n3_comp_dev structs' failed.

Conditions:
1) LTM is provisioned.
2) Provision vCMP.
3) View the tmm log file/system process table/etc.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
1) Save the system configuration.
2) Reboot
3) After reboot, ensure that the device stays active and has only twoNitrox 3 Compression Devices listed in /var/log/tmm:
-- notice n3-compress0 PASS 0.1: Nitrox 3 Compression Device
-- notice n3-compress1 PASS 0.1: Nitrox 3 Compression Device


412138-2 : If there's resource that has acl order 0 and it's been used by profile, that has been exported, you'd not be able to import it back

Component: Access Policy Manager

Symptoms:
You're trying to import profile and it fails

Conditions:
If .conf file contains resource with acl-order 0 (default)

Impact:
Medium. Import is failing if object has acl-order 0

Workaround:
1. Don't use ACL 0 in exported config
2. It's possible to open .conf.tar.gz and edit it adding
"acl-order 0" where it's missed


410398-4 : sys db tmrouted.rhifailoverdelay does not seem to work

Component: TMOS

Symptoms:
The problem is that the sys db tmrouted.rhifailoverdelay value <value> does not seem to take any effect, and the route is being withdrawn, sometimes before the newly active device is able to advertise the virtual address, leaving a blackhole route.

Conditions:
This occurs during a failover.

Impact:
Temporary black hole for a route.


409323-1 : OnDemand cert auth redirect omits port information

Component: Access Policy Manager

Symptoms:
On-Demand Cert Auth redirect does not honor a port other than 443 in virtual server.

Conditions:
On-Demand Cert Auth is used in an access policy that's assigned to a virtual server with non-standard port.

Impact:
The redirect URL is missing the port information, hence subsequent client connections aren't successful.

Workaround:
N/A


405752-6 : Monitors sourced from specific source ports can fail

Component: TMOS

Symptoms:
Monitors using TCP transport; when sourced from ports 1097 (on some platforms), 1098, 1099 and 3306, will fail. Upon receipt of SYN-ACK from the monitored device, TMOS will filter the packet and respond with ICMP port unreachable.

Conditions:
Use one or more monitors which rely upon TCP as a transport. Port 1097 will be affected on the BIG-IP 800, 1600, 3600, 3900, 6900, 8900 (and derivative), 1100, and 11050 platforms.

Impact:
May result in false monitor failures.

Workaround:
1. Set bigd.reusesocket database variable to enable and follow F5 Network's best practices for monitors, specifying a timeout of three times the interval plus 1 second.
2. Modify iptables by removing the affecting iptable rule:
    
-- /sbin/iptables -D INPUT -p tcp --dport 3306 -j REJECT --reject-with icmp-port-unreachable.
-- /sbin/iptables -D INPUT -p tcp -m tcp --dport 3306 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset.
-- /sbin/iptables -A INPUT -p tcp -m tcp --dport 3306 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset.


405348-5 : ActiveSync POST fails when body is larger than 64k.

Component: Access Policy Manager

Symptoms:
Sending of large mail (body greater than 64 KB) fails with an ERR_NOT_SUPPORTED message in /var/log/apm when using ActiveSync.

Conditions:
This occurs when the following conditions are met:
ActiveSync configured on the BIG-IP system.
Email is sent with a large attachment, when the device sending the email currently has no active session.

Impact:
Large POST bodies as in those found in emails with large attachments will not successfully send. The message fails to send with an error message that asks to use the mail server directly.

Workaround:
Modify the db variable 'tmm.access.maxrequestbodysize' to a value greater than the default, 64 KB.


404141-2 : Standby system offers option to Apply Access Policy even though it has been synced

Component: Access Policy Manager

Symptoms:
After syncing an access policy from the active system to the standby, the standby system will still prompt you to apply the access policy, even though it is in sync with the primary

Conditions:
Device group configured and an access policy is synced from the active device to the standby device(s).

Impact:
The message is erroneous on the standby, as the policy was already synced.

Workaround:
The standby device will no longer prompt to sync the access policy if it has already been synced from the active device.


402115-2 : System does not report tmm memory with consideration of threading

Component: TMOS

Symptoms:
Using the command 'tmsh show sys memory' may display zero usage for some entries.

Conditions:
This applies when using a platform that provides memory management per-process; this is all current hardware platforms, but does not apply to VCMP or VE.

Impact:
The division of memory usage may not be clear.

Workaround:
None. However, the information shows the most important value, which is the memory utilization of each process.


401852-3 : csyncd will intentionally dump core when the kernel event queue is full

Component: Local Traffic Manager

Symptoms:
csyncd is a daemon that synchronizes parts of the filesystem between blades of a chassis, and also runs in a limited mode on appliances to detect and respond to changes on the filesystem. The Linux kernel has a fixed-size buffer in which it will write a log of the filesystem events in which csyncd is interested. If the kernel indicates that this buffer is full, then csyncd will generate a log message of this format:

csyncd[6885]: 013b0004:3: Fatal error: event queue overflow

After this it will leave a core dump.

Conditions:
This can happen with no special configuration.

Impact:
The daemon will dump core as it restarts. No action is required.


394278-2 : SIP-ALG does not use translation ports consistent with a subscriber's Deterministic mappings when LSN "Deterministic Mode" is configured

Component: Carrier-Grade NAT

Symptoms:
RTP and RTSP connections established by the SIP-ALG proxy when used with LSN's Deterministic mode will not select translation ports that are reverse mappable to that subscriber by dnatutil.

Conditions:
SIP-ALG configured with a Virtual Server using an LSN pool configured with Deterministic mode.

Impact:
RTP and RTSP media connections are not reverse mappable to the correct subscriber.

Workaround:
Use an LSN pool configured with NAPT and logging to achieve subscriber traceability.


394236-1 : MCP unexpectedly exits, "failure has occurred, There is no active database transaction, status: 0 -

Component: TMOS

Symptoms:
MCP exits unexpectedly and customer sees a trace in the ltm log file similar to:

Feb 9 12:54:41 localhost err mcpd[9995]: 01070596:3: An unexpected failure has occurred, There is no active database transaction, status: 0 - EdbDbConnection.cpp, line 133, exiting...

Conditions:
Unexpected MCP exit.

Impact:
MCP is already exiting, so there is no impact.


389328-6 : RSA SecurID node secret is not synced to the standby node

Component: Access Policy Manager

Symptoms:
When RSA SecurID node secret files are created on the active node, the files are not synced to the standby node. As a result, user will not be able to log on after switchover.

Conditions:
RSA node secret files are created on the active node after the first successful authentication.

Impact:
Service will be inaccessible after switchover.

Workaround:
1. Copy node secret files /config/aaa/ace/Common/<rsa_securid_aaa_server>/sdstatus.12 and /config/aaa/ace/Common/<rsa_securid_aaa_server>/securid from the active node to the same directory on the standby node.

2. Wait for at least 30 seconds

3. Execute the command "tmsh save sys config" to commit the changes to disk.


384451-3 : Duplicated cert/keys/chain might cause SIGABRTs and low-memory conditions

Component: Local Traffic Manager

Symptoms:
SSL per-virtual stats might cause SSL profile cert/keys/chain to be instantiated per-virtual server.

Conditions:
This occurs when using cert/keys/chain in SSL profile virtual servers.

Impact:
In this case, cert/keys/chain are duplicated and those duplicates might cause excessive memory use and disk activity which might lead to SIGABRTs and low-memory conditions.

Workaround:
None.


382157-6 : Stats presented by the MIB sysVlanStatTable does not match sflow vlan stats

Component: TMOS

Symptoms:
Stats presented by the MIB sysVlanStatTable does not match sflow vlan stats.

Conditions:
Running the following command returns data inconsistent with sflow statistics: snmpwalk -v2c -c public localhost F5-BIGIP-SYSTEM-MIB::sysVlanStatTable.

Impact:
Incorrect interpretation of vlan stats. As a result of fixing this issue, F5-BIGIP-SYSTEM-MIB::sysVlanStatTable is obsoleted, IF-MIB::ifXTable should be used instead.

Workaround:
None.


378967-3 : Users are not synchronized if created in a partition

Component: TMOS

Symptoms:
Users in partitions attached to sync-only device groups do not sync to other devices in that device group.

Conditions:
There are users whose active partitions are attached to a sync-only device group.

Impact:
This affects sync-only device groups only, not the failover device group.

Workaround:
None.


375887-2 : Cluster member disable or reboot can leak a few cross blade trunk packets

Component: Local Traffic Manager

Symptoms:
Using the cluster member 'disable' command with a trunk that spans blades might cause a brief period where received broadcast and multicast packets egress out the enabled trunk members of the cluster.

Conditions:
This occurs on a trunk that spans blades.

Impact:
To an external device running spanning tree protocol or variant, this can look like a loop.

Workaround:
None.


374339-7 : HTTP::respond/redirect might crash TMM under low-memory conditions

Component: Local Traffic Manager

Symptoms:
HTTP::respond/redirect might crash TMM under low-memory conditions.

Conditions:
Under low-memory conditions, if a new HTTP connection triggers an HTTP::respond/redirect event.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Reduce memory usage


369352-6 : No verification prompt when executing 'load sys config default' for resource administrator role

Component: TMOS

Symptoms:
When logged in as a resource administrator "load sys config default", which restores the configuration to factory defaults, doesn't prompt for verification as it should. If you execute the command from a normal administrator role you do get a prompt.

Conditions:
Login as a resource administrator
run "load sys config default"
restore begins without a verification prompt.

Impact:
System restore initiated without prompt when run as a resource administrator.

Workaround:
None.


364994-10 : TMM may restart or disabled connections may be reused when a OneConnect profile is configured and OneConnect reuse is disabled be an iRule.

Component: Local Traffic Manager

Symptoms:
Version 11.3.0 and earlier, TMM may restart.
Version 11.4.0 and later, disabled connections may be reused.

Conditions:
A virtual server with an associated OneConnect profile.
A server side connection is disabled on the client side by the iRule ONECONNECT::reuse disable command.

Impact:
Version 11.3.0 and earlier, tmm can crash.
Version 11.4.0 and later, disabled connections may be reused.

Workaround:
Version 11.3.0 and earlier:

If HTTP::disable is being called in a client-side event, OneConnect must be disabled in a server-side event. This can be done by including 'ONECONNECT::reuse disable' in the client-side event (so a new connection is created), setting a variable, and then invoking ONECONNECT::reuse disable in SERVER_CONNECTED

Example:

  set oc_reuse_ss_disable 1
  ONECONNECT::reuse disable
  CACHE::disable
  COMPRESS::disable
  HTTP::disable

Add this (or merge with an existing SERVER_CONNECTED event in the iRule):

when SERVER_CONNECTED {
  if { [info exists oc_reuse_ss_disable] } {
    ONECONNECT::reuse disable
    ONECONNECT::detach disable
  }
}

11.4.0 and later:

Replace "ONECONNECT::reuse disable" with "set oc_reuse_ss_disable 1" in the iRule client-side event.

Add this (or merge with an existing SERVER_CONNECTED event in the iRule):

when SERVER_CONNECTED {
  if { [info exists oc_reuse_ss_disable] } {
    ONECONNECT::reuse disable
  }
}


352925-3 : Updating a suspended iRule and TMM process restart

Component: Local Traffic Manager

Symptoms:
Updating a suspended iRule assigned via a profile causes the TMM process to restart when trying to return to the suspended iRule.

Conditions:
This occurs when the iRule is suspended and the TMM process is trying to restart.

Impact:
TMM restarts.

Workaround:
Assign the iRule to the virtual server instead of assigning it to the profile.


348000-5 : HTTP response status 408 request timeout results in error being logged.

Component: Local Traffic Manager

Symptoms:
HTTP response status 408 request timeout results in error being logged.

Conditions:
HTTP profile is attached to a virtual server. 408 response status is received from server and is not preceded by request from the client.

Impact:
The 408 response status received is consumed and the connection is reset. The response never makes it to the client. The following error is reported in the log: http_process_state_prepend - Invalid action EV_INGRESS_DATA during ST_HTTP_PREPEND_HEADERS.

Workaround:
None.


337934-3 : remoterole: attributes ending in 'role' or 'deny' will be parsed incorrectly

Component: TMOS

Symptoms:
The remoterole configurations in which one of the attributes ends in 'role' will have that attribute truncated. Also this could happen with an attribute that ends in 'deny' and has a deny directive.

Conditions:
remoterole attributes ending in 'role'. May also happen with attributes ending in 'deny'.

Impact:
Parsing truncates attributes.

Workaround:
Do not use remoterole configurations in which one of the attributes ends in 'role' or one that ends in 'deny" that has a deny directive.


336255-6 : OneConnect Connection Limits with Narrow Source Address Masks

Component: Local Traffic Manager

Symptoms:
If a OneConnect profile with a narrow source address mask (e.g. 255.255.255.255) is applied to a virtual with a SNAT pool, existing, idle, server connection can NOT be reused (because of the SNATted source address and narrow source address mask). New connections, therefore, will be created.

Effectively, the pool member connection limits will be interpreted as applying to active connections, with in-flight (HTTP) requests or responses.

Conditions:
This can happen when OneConnect is used with SNAT pools and narrow OneConnect source address masks.

Impact:
More TCP connections to pool members than expected will occur.

Workaround:
Relax the OneConnect source address mask width.


226473-5 : Apply Policy failures due to Null characters in entity names

Component: Application Security Manager

Symptoms:
In older versions Policy Builder could create parameters with the Null character (0x0) in the name. This caused Apply Policy failures in case there were two entities that differed only by the Null character.

Conditions:
Multiple entities exist that differ in name only by the Null character.

Impact:
Apply Policy will fail.

Workaround:
Delete the entities that have a Null character from the policy.




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade


*********************** NOTICE ***********************

For additional support resources and technical documentation, see:
******************************************************
Generated: Fri Sep 23 08:11:31 2016 PDT
Copyright F5 Networks (2016) - All Rights Reserved

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)