Supplemental Document : BIG-IP 11.5.4 Hotfixes :: Fixes and Known Issues

Applies To:


  • BIG-IP AAM 11.5.4
  • BIG-IP APM 11.5.4
  • BIG-IP GTM 11.5.4
  • BIG-IP Link Controller 11.5.4
  • BIG-IP Analytics 11.5.4
  • BIG-IP LTM 11.5.4
  • BIG-IP AFM 11.5.4
  • BIG-IP PEM 11.5.4
  • BIG-IP ASM 11.5.4
Original Publication Date: 03/18/2018
Updated Date: 04/18/2019

BIG-IP Hotfix Release Information

Version: BIGIP-11.5.4
Build: 313.0
Hotfix Rollup: 4

Contents:

  • Cumulative fixes from BIG-IP v11.5.4 Hotfix 3 that are included in this release
  • Cumulative fixes from BIG-IP v11.5.4 Hotfix 2 that are included in this release
  • Cumulative fixes from BIG-IP v11.5.4 Hotfix 1 that are included in this release
  • Cumulative fixes from BIG-IP v11.5.4 that are included in this release
  • Cumulative fixes from BIG-IP v11.5.3 Hotfix 2 that are included in this release
  • Cumulative fixes from BIG-IP v11.5.3 Hotfix 1 that are included in this release
  • Cumulative fixes from BIG-IP v11.5.3 that are included in this release
  • Cumulative fixes from BIG-IP v11.5.2 Hotfix 1 that are included in this release
  • Known Issues in BIG-IP v11.5.x

Functional Change Fixes

None


Local Traffic Manager Fixes

| ID Number | Severity | Description |
|---|---|---|
| 656902 | 2-Critical | Upgrade to 11.5.4 HF3 may remove valid cipher suite configuration from SSL profile |
| 655756 | 2-Critical | TMM might crash while using SSL profiles on BIG-IP 2000/4000 platforms. |
| 587691-2 | 2-Critical | TMM crashes upon SSL handshake cancellation. |



Cumulative fixes from BIG-IP v11.5.4 Hotfix 3 that are included in this release


Vulnerability Fixes

| ID Number | CVE | Solution Article(s) | Description |
|---|---|---|---|
| 631582-3 | CVE-2016-9250 | K55792317 | Administrative interface enhancement |
| 616772-3 | CVE-2014-3568 | K15724 | CVE-2014-3568: OpenSSL Vulnerability (Oracle Access Manager) |
| 616765-3 | CVE-2013-6449 | K15147 | CVE-2013-6449: OpenSSL Vulnerability (Oracle Access Manager) |
| 636702-1 | CVE-2016-9444 | K40181790 | BIND vulnerability CVE-2016-9444 |
| 636700-2 | CVE-2016-9147 | K02138183 | BIND vulnerability CVE-2016-9147 |
| 636699-3 | CVE-2016-9131 | K86272821 | BIND vulnerability CVE-2016-9131 |
| 624570-4 | CVE-2016-8864 | K35322517 | BIND vulnerability CVE-2016-8864 |
| 616498-3 | CVE-2009-3245 | K15404 | CVE-2009-3245: OpenSSL Vulnerability (Oracle Access Manager) |
| 616491-3 | CVE-2006-3738 | K6734 | CVE-2006-3738: OpenSSL Vulnerability (Oracle Access Manager) |
| 611830 | CVE-2016-7468 | K13053402 | TMM may crash when processing TCP traffic |
| 611469-6 | CVE-2016-7467 | K95444512 | Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector |
| 597394-5 | CVE-2016-9252 | K46535047 | Improper handling of IP options |
| 596340-4 | CVE-2016-9244 | K05121675 | F5 TLS vulnerability CVE-2016-9244 |
| 591327-3 | CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109 | K36488941 | OpenSSL vulnerability CVE-2016-2106 |
| 591325-3 | CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109 | K75152412 | OpenSSL (May 2016) CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109 |
| 591042-6 | CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109 | K23230229 | OpenSSL vulnerabilities |
| 508057-2 | CVE-2015-0411 | K44611310 | MySQL Vulnerability CVE-2015-0411 |
| 635412-1 | CVE-2017-6137 | K82851041 | Invalid mss with fast flow forwarding and software syn cookies |
| 622496-3 | CVE-2016-5829 | K28056114 | Linux kernel vulnerability CVE-2016-5829 |
| 604442-3 | CVE-2016-6249 | K12685114 | iControl log |
| 601938-5 | CVE-2016-7474 | K52180214 | MCPD stores certain data incorrectly |
| 597023-5 | CVE-2016-4954 | K82644737 | NTP vulnerability CVE-2016-4954 |
| 594496-4 | CVE-2016-4539 | K35240323 | PHP Vulnerability CVE-2016-4539 |
| 593447-3 | CVE-2016-5024 | K92859602 | BIG-IP TMM iRules vulnerability CVE-2016-5024 |
| 587077-4 | CVE-2015-5370, CVE-2016-2110, CVE-2016-2111, CVE-2016-2112, CVE-2016-2115, CVE-2016-2118 | K37603172 | Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118 |
| 526514-2 | CVE-2016-3687 | K26738102 | Open redirect via SSO_ORIG_URI parameter in multi-domain SSO |
| 524279-4 | CVE-2015-4000 | K16674 | CVE-2015-4000: TLS vulnerability |
| 520924-3 | CVE-2016-5020 | K00265182 | Restricted roles for custom monitor creation |
| 475743-2 | CVE-2017-6128 | K92140924 | Improve administrative login efficiency |
| 416734-2 | CVE-2012-5195, CVE-2012-5526, CVE-2012-6329, CVE-2013-1667 | K15867 | Multiple Perl Vulnerabilities |
| 635933-2 | CVE-2004-0790 | K23440942, K13361021 | The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable |
| 599285-5 | CVE-2016-5094, CVE-2016-5095, CVE-2016-5096 | K51390683 | PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095 |
| 573343-4 | CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8158 | K01324833 | NTP vulnerability CVE-2015-8158 |


Functional Change Fixes

| ID Number | Severity | Description |
|---|---|---|
| 633723-1 | 3-Major | New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot |
| 620712 | 3-Major | Added better search capabilities on the Pool Members Manage & Pool Create page. |
| 561348-2 | 3-Major | krb5.conf file is not synchronized between blades and not backed up |
| 541549-3 | 3-Major | AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination. |
| 530109-1 | 3-Major | OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled. |
| 511818-5 | 3-Major | Support RSASSA-PSS signature algorithm in server SSL certificate |
| 454492-2 | 3-Major | Improved handling of signature_algorithms extension to avoid using SHA1 in TLS handshake signatures |


TMOS Fixes

| ID Number | Severity | Description |
|---|---|---|
| 624457-2 | 1-Blocking | Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195 |
| 638935-1 | 2-Critical | Monitor with send/receive string containing double-quote may cause upgrade to fail. |
| 624263-1 | 2-Critical | iControl REST API sets non-default profile property to "none"; properties not present in iControl REST API response |
| 616864-4 | 2-Critical | BIND vulnerability CVE-2016-2776 |
| 614865 | 2-Critical | Overwrite flag in iControl key/certificate_import_from_pem functions is ignored and might result in errors. |
| 610354-3 | 2-Critical | TMM crash on invalid memory access to loopback interface stats object |
| 605476 | 2-Critical | istatsd can core when reading corrupt stats files. |
| 601527-1 | 2-Critical | mcpd memory leak and core |
| 600396-1 | 2-Critical | iControl REST may return 404 for all requests in AWS |
| 570663-2 | 2-Critical | Using iControl get_certificate_bundle_v2 causes a memory leak |
| 562959-3 | 2-Critical | In some error scenarios, IPsec might send packets not intended for the IPsec over the tunnel. |
| 551661-3 | 2-Critical | Monitor with send/receive string containing double-quote may fail to load. |
| 483373-1 | 2-Critical | Incorrect bash prompt for created admin role users |
| 467847-1 | 2-Critical | Passphrase visible in audit log |
| 440752-2 | 2-Critical | qkview might loop writing output file if MCPD fails during execution |
| 355806-2 | 2-Critical | Starting mcpd manually at the command line interferes with running mcpd |
| 632618 | 3-Major | ImageMagick vulnerability CVE-2016-3717 |
| 631627-3 | 3-Major | Applying BWC over route domain sometimes results in tmm not becoming ready on system start |
| 631530 | 3-Major | TAI offset not adjusted immediately during leap second |
| 628164-1 | 3-Major | OSPF with multiple processes may incorrectly redistribute routes |
| 624931 | 3-Major | getLopSensorData "sensor data reply too short" errors with FND300 DC PSU |
| 623119-3 | 3-Major | Linux kernel vulnerability CVE-2016-4470 |
| 621417-2 | 3-Major | sys-icheck error for /usr/share/defaults/bigip_base.conf in AWS. |
| 621242-2 | 3-Major | Reserve enough space in the image for future upgrades. |
| 620659-1 | 3-Major | The BIG-IP system may unnecessarily run provisioning on successive reboots |
| 616242-1 | 3-Major | basic_string::compare error in encrypted SSL key file if the first line of the file is blank |
| 615934 | 3-Major | Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors. |
| 614675 | 3-Major | iControl SOAP API call "LocalLB::ProfileClientSSL::create_v2" creates invalid profile |
| 608320-2 | 3-Major | iControl REST API sets non-default persistence profile property to "none"; properties not present in iControl REST API response |
| 604237-1 | 3-Major | Vlan allowed mismatch found error in VCMP guest |
| 596814-2 | 3-Major | HA Failover fails in certain valid AWS configurations |
| 595773-6 | 3-Major | Cancellation requests for chunked stats queries do not propagate to secondary blades |
| 591455-3 | 3-Major | NTP vulnerability CVE-2016-2516 |
| 560510-4 | 3-Major | Invalid /etc/resolv.conf when more than one DNS server is set and MCPD is down. |
| 558858-1 | 3-Major | Unexpected loss of communication between slots of a vCMP Guest |
| 556277-4 | 3-Major | Config Sync error after hotfix installation (chroot failed rsync error) |
| 534021-1 | 3-Major | HA on AWS uses default AWS endpoint (EC2_URL). |
| 533813-2 | 3-Major | Internal Virtual Server in partition fails to load from saved config |
| 502714-6 | 3-Major | Deleting files and file object references in a single transaction might cause validation errors |
| 502049-3 | 3-Major | Qkview may store information in the wrong format |
| 502048-3 | 3-Major | Qkview may store information in the wrong format |
| 499537-2 | 3-Major | Qkview may store information in the wrong format |
| 491406-2 | 3-Major | TMM SIGSEGV in sctp_output due to NULL snd_dst |
| 460833-2 | 3-Major | MCPD sync errors and restart after multiple modifications to file object in chassis |
| 420438-2 | 3-Major | Default routes from standby system when HA is configured in NSSA |
| 393270-3 | 3-Major | Configuration utility may become non-responsive or fail to load. |
| 601927-4 | 4-Minor | Security hardening of control plane |
| 599191-1 | 4-Minor | One of the config-sync scenarios causes old FIPS keys to be left in the FIPS card |
| 591447-4 | 4-Minor | PHP vulnerability CVE-2016-4070 |
| 589379-1 | 4-Minor | ZebOS adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route. |
| 551208-3 | 4-Minor | Nokia alarms are not deleted due to the outdated alert_nokia.conf. |
| 516841-3 | 4-Minor | Unable to log out of the GUI in IE8 |
| 500452-3 | 4-Minor | PB4300 blade doesn't disaggregate ESP traffic based on IP addresses in hardware |
| 471827-2 | 4-Minor | Firstboot early syslog-ng log: /var/run/httpd.pipe does not exist |
| 457951-3 | 4-Minor | openldap/ldap.conf file is not part of ucs backup archive. |
| 442231-1 | 5-Cosmetic | Pendsect log entries have an unexpected severity |


Local Traffic Manager Fixes

| ID Number | Severity | Description |
|---|---|---|
| 637181-2 | 2-Critical | VIP-on-VIP traffic may stall after routing updates |
| 622166-1 | 2-Critical | HTTP GET requests with HTTP::cookie iRule command receive no response |
| 619071-1 | 2-Critical | OneConnect with verified accept issues |
| 616215-1 | 2-Critical | TMM can core when using LB::detach and TCP::notify commands in an iRule |
| 611704-1 | 2-Critical | tmm crash with TCP::close in CLIENTSSL_CLIENTCERT iRule event |
| 605865-1 | 2-Critical | Debug TMM produces core on certain ICMP PMTUD packets |
| 603667-1 | 2-Critical | TMM may leak or corrupt memory when configuration changes occur with plugins in use |
| 597966-1 | 2-Critical | ARP/neighbor cache nexthop object can be freed while still referenced by another structure |
| 588351-3 | 2-Critical | IPv6 fragments are dropped when packet filtering is enabled. |
| 578045-5 | 2-Critical | The HTTP_PROXY_REQUEST iRule event can cause the TMM to crash if pipelined ingress occurs when the iRule parks |
| 576897-2 | 2-Critical | Using snat/snatpool in related-rule results in crash |
| 575011-9 | 2-Critical | Memory leak. Nitrox3 Hang Detected. |
| 574153-3 | 2-Critical | If an SSL client disconnects while data is being sent to SSL client, the connection may stall until TCP timeout. |
| 565409-3 | 2-Critical | Invalid MSS with HW syncookies and flow forwarding |
| 559973-5 | 2-Critical | Nitrox can hang on RSA verification |
| 526367-2 | 2-Critical | tmm crash |
| 488686-4 | 2-Critical | Large file transfer hangs when HTTP is in passthrough mode |
| 484214-3 | 2-Critical | Nitrox got stuck when processing certain SSL records |
| 477195-1 | 2-Critical | OSPFv3 session gets stuck in loading state |
| 469770-3 | 2-Critical | System outage can occur with MPTCP traffic. |
| 411233-2 | 2-Critical | New pool members take all requests until lb_value catches up. |
| 629771 | 3-Major | The TCP::unused_port command erroneously accepts IPV4_COMPAT addresses |
| 621465 | 3-Major | The minimum IP packet fragment size is now 1 and not 24 |
| 617862-3 | 3-Major | Fastl4 handshake timeout is absolute instead of relative |
| 617824-1 | 3-Major | "SSL::disable/enable serverside" + oneconnect reuse is broken |
| 610609-4 | 3-Major | Total connections in bigtop, SNMP are incorrect |
| 610429-2 | 3-Major | X509::cert_fields iRule command may memory with subpubkey argument |
| 608551-2 | 3-Major | Half-closed congested SSL connections with unclean shutdown might stall. |
| 608024-2 | 3-Major | Unnecessary DTLS retransmissions occur during handshake. |
| 607304-1 | 3-Major | TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap. |
| 606575-2 | 3-Major | Request-oriented OneConnect load balancing ends when the server returns an error status code. |
| 604977-4 | 3-Major | Wrong alert when DTLS cookie size is 32 |
| 604496-1 | 3-Major | SQL (Oracle) monitor daemon might hang. |
| 603723-1 | 3-Major | TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup |
| 603606-1 | 3-Major | tmm core |
| 600827-3 | 3-Major | Stuck nitrox crypto queue can erroneously be reported |
| 598874-1 | 3-Major | GTM Resolver sends FIN after SYN retransmission timeout |
| 597089-3 | 3-Major | Connections are terminated after 5 seconds when using ePVA full acceleration |
| 592871-1 | 3-Major | Cavium Nitrox PX/III stuck queue diagnostics missing. |
| 592784 | 3-Major | Compression stalls, does not recover, and compression facilities cease. |
| 591789 | 3-Major | IPv4 fragments are dropped when packet filtering is enabled. |
| 591659-2 | 3-Major | Server shutdown is propagated to client after X-Cnection: close transformation. |
| 591476-6 | 3-Major | Stuck crypto queue can erroneously be reported |
| 588572-2 | 3-Major | Unnecessary re-transmission of packets on higher ICMP PMTU. |
| 588569-2 | 3-Major | Don't include maximum TCP options length in calculating MSS on ICMP PMTU. |
| 588115-4 | 3-Major | TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw |
| 587892 | 3-Major | Multiple iRule proc names might clash, causing the wrong rule to be executed. |
| 586738-3 | 3-Major | The tmm might crash with a segfault. |
| 584310 | 3-Major | TCP:Collect ignores the 'skip' parameter when used in serverside events |
| 584029-7 | 3-Major | Fragmented packets may cause tmm to core under heavy load |
| 583957-3 | 3-Major | The TMM may hang handling pipelined HTTP requests with certain iRule commands. |
| 579926-2 | 3-Major | HTTP starts dropping traffic for a half-closed connection when in passthrough mode |
| 579843-4 | 3-Major | tmrouted may not re-announce routes after a specific succession of failover states |
| 572281-3 | 3-Major | Variable value in the nested script of a foreach command gets reset when there is a parking command in the script |
| 568543-2 | 3-Major | Syncookie mode is activated on wildcard virtuals |
| 556117-1 | 3-Major | client-ssl profile is case-sensitive when checking server_name extension |
| 555432-2 | 3-Major | Large configuration files may go missing on secondary blades |
| 554761-4 | 3-Major | Unexpected handling of TCP timestamps under syncookie protection. |
| 549329-2 | 3-Major | L7 mirrored ACK from standby to active box can cause tmm core on active |
| 545450-2 | 3-Major | Log activation/deactivation of TM.TCPMemoryPressure |
| 537326-4 | 3-Major | NAT available in DNS section but config load fails with standalone license |
| 528734-1 | 3-Major | TCP keeps retransmitting when ICMP Destination Unreachable-Fragmentation Required messages are received. |
| 519746-2 | 3-Major | ICMP errors may reset FastL4 connections unexpectedly |
| 512119-3 | 3-Major | Improved UDP DNS packet truncation |
| 508486-1 | 3-Major | TCP connections might stall if initialization fails |
| 503214-11 | 3-Major | Under heavy load, hardware crypto queues may become unavailable. |
| 500003-3 | 3-Major | Incoming NTP packets from configured NTP server to non-local IP breaks outgoing NTP |
| 499478-3 | 3-Major | Bug 464651 introduced change-in-behavior for SSL server cert chains by not including the root certificate |
| 483257-2 | 3-Major | Cannot delete keys without extension .key (and certificates without .crt) using iControl SOAP |
| 468820-2 | 3-Major | MPTCP Flows may hang when an MTU mismatch occurs on the network. |
| 468300-3 | 3-Major | Filters may not work correctly with websockets or CONNECT |
| 464801-1 | 3-Major | Intermittent tmm core |
| 455553-8 | 3-Major | ICMP PMTU handling causes multiple retransmissions |
| 442539-3 | 3-Major | OneConnect security improvements. |
| 442455-4 | 3-Major | Hardware Security Module (HSM) CSR and certificate fields constraints: 15 characters and no spaces. |
| 437256-1 | 3-Major | clientssl profile has no key/cert pair |
| 423392-7 | 3-Major | tcl_platform is no longer in the static:: namespace |
| 598860-5 | 4-Minor | IP::addr iRule with an IPv6 address and netmask fails to return an IPv4 address |
| 587966-5 | 4-Minor | LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port |
| 538708-2 | 4-Minor | TMM may apply SYN cookie validation to packets before generating any SYN cookies |
| 536868-2 | 4-Minor | Packet Sizing Issues after Receipt of PMTU |
| 486485-2 | 4-Minor | TCP MSS is incorrect after ICMP PMTU message. |
| 356841-2 | 5-Cosmetic | Don't unilaterally set Connection: Keep-Alive when compressing |


Global Traffic Manager Fixes

| ID Number | Severity | Description |
|---|---|---|
| 603598-1 | 2-Critical | big3d memory under extreme load conditions |
| 642330-4 | 3-Major | GTM Monitor with send/receive string containing double-quote may cause upgrade to fail. |
| 613576-9 | 3-Major | QOS load balancing links display as gray |
| 589256-4 | 3-Major | DNSSEC NSEC3 records with different type bitmap for same name. |
| 487144-1 | 3-Major | tmm intermittently reports that it cannot find FIPS key |


Application Security Manager Fixes

| ID Number | Severity | Description |
|---|---|---|
| 614441-1 | 1-Blocking | False Positive for illegal method (GET) |
| 602749 | 2-Critical | Memory exhaustion when asking for missing page of learning suggestion occurrences |
| 577668-2 | 2-Critical | ASM Remote logger doesn't log 64 KB request. |
| 499347 | 2-Critical | JSON UTF16 content could be blocked by ASM as Malformed JSON |
| 616169-1 | 3-Major | ASM Policy Export returns HTML error file |
| 615695 | 3-Major | Fixes to bd and iprepd components not included in BIG-IP v11.5.4-HF2 |
| 603945-3 | 3-Major | BD config update should be considered as config addition in case of update failure |
| 576591-3 | 3-Major | Support for some future credit card number ranges |
| 562775-3 | 3-Major | Memory leak in iprepd |
| 366605-2 | 3-Major | response_log_size_limit does not limit the log size. |
| 463314-1 | 4-Minor | Enabling ASM AJAX blocking response page feature causing cross domain AJAX requests to fail |


Application Visibility and Reporting Fixes

| ID Number | Severity | Description |
|---|---|---|
| 565085-4 | 3-Major | Analytics profile allows invalid combination of entities for Alerts setup |
| 560114-2 | 3-Major | Monpd is being affected by an I/O issue which makes some of its threads freeze |
| 491185-3 | 3-Major | URL Latencies page: pagination limited to 180 pages |


Access Policy Manager Fixes

| ID Number | Severity | Description |
|---|---|---|
| 618324-3 | 2-Critical | Unknown/Undefined OPSWAT ID shows up as 'Any' in APM Visual Policy Editor |
| 592868-1 | 2-Critical | Rewrite may crash processing HTML tag with HTML entity in attribute value |
| 591117-2 | 2-Critical | APM ACL construction may cause TMM to core if TMM is out of memory |
| 536683-1 | 2-Critical | tmm crashes on "ACCESS::session data set -secure" in iRule |
| 511478-1 | 2-Critical | Possible TMM crash when evaluating expression for per-request policy agents. |
| 428068-2 | 2-Critical | Insufficiently detailed causes for session deletion. |
| 625376-2 | 3-Major | In some cases, download of PAC file by edge client may fail |
| 613613 | 3-Major | Incorrect handling of form that contains a tag with id=action |
| 612419-3 | 3-Major | APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable)) |
| 610243-1 | 3-Major | HTML5 access fails for Citrix Storefront integration mode with gateway pass through authentication |
| 610180-5 | 3-Major | Misconfigured SAML Single Logout can cause a minor memory leak in SSO plugin. |
| 604767-6 | 3-Major | Importing SAML IdP's metadata on BIG-IP as SP may result in incomplete configuration of IdP connector object. |
| 601407 | 3-Major | Legacy PNAgent access does not work from Citrix Receiver 4.3 onwards |
| 600116 | 3-Major | DNS resolution request may take a long time in some cases |
| 598981-1 | 3-Major | APM ACL does not get enforced all the time under certain conditions |
| 598211-3 | 3-Major | Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode. |
| 597431-6 | 3-Major | VPN establishment may fail when computer wakes up from sleep |
| 597429 | 3-Major | eam maintains lock on /var/log/apm.1 after logrotate |
| 592869 | 3-Major | Syntax Error when reimporting exported content containing acl-order 0 |
| 592414-3 | 3-Major | IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed |
| 590820-5 | 3-Major | Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser. |
| 586718-5 | 3-Major | Session variable substitutions are logged |
| 586006-5 | 3-Major | Failed to retrieve CRLDP list from client certificate if DirName type is present |
| 582440-1 | 3-Major | Linux client does not restore route to the default GW on Ubuntu 15.10 |
| 568445-7 | 3-Major | User cannot perform endpoint check or launch VPN from Firefox on Windows 10 |
| 565167-3 | 3-Major | Additional garbage data being logged on user name and domain name for NTLM authentication |
| 563349-2 | 3-Major | On Mac, Network Access proxy settings are not applied to tun adapter after VPN is established |
| 561798-3 | 3-Major | Windows edge client may show scripting error on certain 3rd party authentication sites |
| 556088-2 | 3-Major | In a chassis system with APM provisioned, the mcpd daemon on a secondary blade will restart. |
| 553063-4 | 3-Major | Epsec version rolls back to previous version on a reboot |
| 553037 | 3-Major | iOS Citrix Receiver web interface mode cannot launch the apps |
| 551260-3 | 3-Major | When SAML IdP-Connector Single Sign On Service URL contains ampersand, redirect URL may be truncated |
| 525429-13 | 3-Major | DTLS renegotiation sequence number compatibility |
| 508337-5 | 3-Major | In Chrome, parent.document.write() from frame may cause errors on pages accessed through Portal Access |
| 451301-2 | 3-Major | HTTP iRules break Citrix HTML5 functionality |
| 450314-1 | 3-Major | Portal Access / JavaScript code which uses reserved keywords for object field names may not work correctly |
| 447565-4 | 3-Major | Renewing machine-account password does not update the serviceId for associated ntlm-auth. |
| 424368-3 | 3-Major | parent.document.write(some_html_with_script) hangs up parent frame for IE browsers |
| 389484-5 | 3-Major | OAM reporting Access Server down with JDK version 1.6.0_27 or later |
| 584373-1 | 4-Minor | AD/LDAP resource group mapping table controls are not accessible sometimes |


WebAccelerator Fixes

| ID Number | Severity | Description |
|---|---|---|
| 467542-1 | 2-Critical | TMM core in AAM assembly code during high memory utilization |
| 474445-3 | 3-Major | TMM crash when processing unexpected HTTP response in WAM |


WAN Optimization Manager Fixes

| ID Number | Severity | Description |
|---|---|---|
| 619757-4 | 2-Critical | iSession causes routing entry to be prematurely freed |


Service Provider Fixes

| ID Number | Severity | Description |
|---|---|---|
| 649933-5 | 3-Major | Fragmented RADIUS messages may be dropped |
| 550434-4 | 3-Major | Diameter connection may stall if server closes connection before CER/CEA handshake completes |
| 489957-8 | 3-Major | RADIUS::avp command fails when AVP contains multiple attributes (VSA). |


Policy Enforcement Manager Fixes

| ID Number | Severity | Description |
|---|---|---|
| 596134-1 | 2-Critical | TMM core with PEM virtual server |
| 472106-1 | 2-Critical | TMM crash in a rare case of flow optimization |


Global Traffic Manager (DNS) Fixes

| ID Number | Severity | Description |
|---|---|---|
| 624193 | 3-Major | Topology load balancing not working as expected |
| 615187 | 4-Minor | Missing hyperlink to GSLB virtual servers and servers on the pool member page. |



Cumulative fixes from BIG-IP v11.5.4 Hotfix 2 that are included in this release


Vulnerability Fixes

| ID Number | CVE | Solution Article(s) | Description |
|---|---|---|---|
| 600662-5 | CVE-2016-5745 | K64743453 | NAT64 vulnerability CVE-2016-5745 |
| 599168-5 | CVE-2016-5700 | K35520031 | BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700 |
| 598983-5 | CVE-2016-5700 | K35520031 | BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700 |
| 596488-5 | CVE-2016-5118 | K82747025 | GraphicsMagick vulnerability CVE-2016-5118. |
| 591806-4 | CVE-2016-3714 | K03151140 | ImageMagick vulnerability CVE-2016-3714 |
| 570716-1 | CVE-2016-5736 | K10133477 | BIG-IP IPsec IKE peer listener vulnerability CVE-2016-5736 |
| 569467-2 | CVE-2016-2084 | K11772107 | BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084. |
| 565169-1 | CVE-2013-5825, CVE-2013-5830 | K48802597 | Multiple Java Vulnerabilities |
| 580596-5 | CVE-2013-0169, CVE-2016-6907 | K14190, K39508724 | TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907 |
| 579955-4 | CVE-2016-7475 | K01587042 | BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475 |
| 577826-3 | CVE-2016-1286 | K62012529 | BIND vulnerability CVE-2016-1286 |
| 573124-5 | CVE-2016-5022 | K06045217 | TMM vulnerability CVE-2016-5022 |
| 572495-4 | CVE-2016-5023 | K19784568 | TMM may crash if it receives a malformed packet CVE-2016-5023 |
| 563670-5 | CVE-2015-3194, CVE-2015-3195, CVE-2015-3196 | K86772626 | OpenSSL vulnerabilities |
| 539923-2 | CVE-2016-1497 | K31925518 | BIG-IP APM access logs vulnerability CVE-2016-1497 |
| 457811-1 | CVE-2013-6438, CVE-2014-0098 | K15300 | CVE-2013-6438: HTTPD Vulnerability |
| 452318-2 | CVE-2014-0050 | K15189 | Apache Commons FileUpload vulnerability CVE-2014-0050 |
| 591918-6 | CVE-2016-3718 | K61974123 | ImageMagick vulnerability CVE-2016-3718 |
| 591908-6 | CVE-2016-3717 | K29154575 | ImageMagick vulnerability CVE-2016-3717 |
| 591894-6 | CVE-2016-3715 | K10550253 | ImageMagick vulnerability CVE-2016-3715 |
| 591881-5 | CVE-2016-3716 | K25102203 | ImageMagick vulnerability CVE-2016-3716 |
| 582952 | CVE-2011-5321, CVE-2012-6647, CVE-2012-6657, CVE-2013-0190, CVE-2013-0228, CVE-2013-1860, CVE-2013-2596, CVE-2013-2851, CVE-2013-4483, CVE-2013-4591, CVE-2013-6367, CVE-2013-6381, CVE-2013-6383, CVE-2013-7339, CVE-2014-0055, CVE-2014-0077 | K31300371 | Linux kernel vulnerability CVE-2013-4483 |
| 579220-2 | CVE-2016-1950 | K91100352 | Mozilla NSS vulnerability CVE-2016-1950 |
| 564111-2 | CVE-2015-8395, CVE-2015-8384, CVE-2015-8392, CVE-2015-8394, CVE-2015-8391, CVE-2015-8390, CVE-2015-8389, CVE-2015-8388, CVE-2015-8387, CVE-2015-8386, CVE-2015-8385, CVE-2015-8383, CVE-2015-8382, CVE-2015-8381, CVE-2015-8380, CVE-2015-2328, CVE-2015-2327, CVE-2015-8393 | K05428062 | Multiple PCRE vulnerabilities |
| 550596-2 | CVE-2016-6876 | K52638558 | RESOLV::lookup iRule command vulnerability CVE-2016-6876 |
| 541231-1 | CVE-2014-3613, CVE-2014-3707, CVE-2014-8150, CVE-2015-3143, CVE-2015-3148 | K16704, K16707 | Resolution of multiple curl vulnerabilities |
| 486791-3 | CVE-2014-6421, CVE-2014-6422, CVE-2014-6423, CVE-2014-6424, CVE-2014-6425, CVE-2014-6426, CVE-2014-6427, CVE-2014-6428, CVE-2014-6429, CVE-2014-6430, CVE-2014-6431, CVE-2014-6432 | K16939 | Resolution of multiple wireshark vulnerabilities |
| 616382 | CVE-2016-0705 | K93122894 | OpenSSL Vulnerability (TMM) |
| 580340-4 | CVE-2016-2842 | K52349521 | OpenSSL vulnerability CVE-2016-2842 |
| 580313-4 | CVE-2016-0799 | K22334603 | OpenSSL vulnerability CVE-2016-0799 |
| 579975-4 | CVE-2016-0702 | K79215841 | OpenSSL vulnerability |
| 579829-4 | CVE-2016-0702 | K79215841 | OpenSSL vulnerability CVE-2016-0702 |
| 579237-4 | CVE-2016-0705 | K93122894 | OpenSSL Vulnerability CVE-2016-0705 |
| 579085-3 | CVE-2016-0797 | K40524634 | OpenSSL vulnerability CVE-2016-0797 |
| 578570-3 | CVE-2016-0705 | K93122894 | OpenSSL Vulnerability CVE-2016-0705 |
| 577828-4 | CVE-2016-2088 | K59692558 | BIND vulnerability CVE-2016-2088 |
| 577823-3 | CVE-2016-1285 | K46264120 | BIND vulnerability CVE-2016-1285 |
| 567379-2 | CVE-2013-4397 | K16015326 | libtar vulnerability CVE-2013-4397 |
| 565895-3 | CVE-2015-3217 | K17235 | Multiple PCRE Vulnerabilities |
| 551287-3 | CVE-2010-2596, CVE-2013-1960, CVE-2013-1961, CVE-2013-4231, CVE-2013-4232, CVE-2013-4243, CVE-2013-4244 | K16715 | Multiple LibTIFF vulnerabilities |
| 481806-4 | CVE-2013-4002 | K16872 | Java Runtime Environment vulnerability CVE-2013-4002 |
| 437285-4 | CVE-2013-3571, CVE-2012-0219, CVE-2010-2799 | K14919 | Multiple socat vulnerabilities |
| 416372-3 | CVE-2012-2677 | K16946 | Boost memory allocator vulnerability CVE-2012-2677 |
| 570667-10 | CVE-2016-0701, CVE-2015-3197 | K64009378 | OpenSSL vulnerabilities |


Functional Change Fixes

| ID Number | Severity | Description |
|---|---|---|
| 583631-1 | 1-Blocking | ServerSSL ClientHello does not encode lowest supported TLS version, which might result in alerts and closed connections on older Servers. |
| 445633-2 | 2-Critical | Config sync of SecurID config file fails on secondary blades |
| 560405-5 | 3-Major | Optional target IP address and port in the 'virtual' iRule API is not supported. |
| 532685-5 | 3-Major | PAC file download errors disconnect the tunnel |
| 544325-2 | 4-Minor | BIG-IP UDP virtual server may not send ICMP Destination Unreachable message Code 3 (port unreachable). |


TMOS Fixes

ID Number Severity Description
572600 1-Blocking mcpd can run out of file descriptors
538761-1 1-Blocking scriptd may core when MCP connection is lost
596603-5 2-Critical AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.
583936-1 2-Critical Removing ECMP route from BGP does not clear route from NSM
582295 2-Critical ospfd core dump when redistributing NSSA routes in a HA failover
574116-3 2-Critical MCP may crash when syncing configuration between device groups
568889-5 2-Critical Some ZebOS daemons do not start on blade transition secondary to primary.
564427-1 2-Critical Use of iControl call get_certificate_list_v2() causes a memory leak.
563064-5 2-Critical Bringing up and tearing down an IPsec tunnel will slowly leak tmm memory
561814-4 2-Critical TMM Core on Multi-Blade Chassis
559034-3 2-Critical Mcpd core dump in the sync secondary during config sync
557144-1 2-Critical Dynamic route flapping may lead to tmm crash
556380-3 2-Critical mcpd can assert on active connection deletion
539784-2 2-Critical HA daemon_heartbeat mcpd fails on load sys config
529141-4 2-Critical Upgrade from 10.x fails on valid clientssl profile with BIGpipe parsing error
510979-2 2-Critical Password-less SSH access after tmsh load of UCS may require password after install.
507499-2 2-Critical TMM can watchdog under extreme memory pressure.
506199-8 2-Critical VCMP guests on VDAG platforms can experience excessive tmm redirects after multiple guest provisioning cycles
505071-2 2-Critical Delete and create of the same object can cause secondary blades' mcpd processes to restart.
490801-3 2-Critical mod_ssl: missing support for TLSv1.1 and TLSv1.2
595874-3 3-Major Upgrading 11.5.x/11.6.x hourly billing instances to 12.1.0 fails due to license SCD.
586878-1 3-Major During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.
583285-2 3-Major BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
579284-5 3-Major Potential memory corruption in MCPd
579047 3-Major Unable to update the default http-explicit profile using the GUI.
576305-1 3-Major Potential MCPd leak in IPSEC SPD stats query code
575735-1 3-Major Potential MCPd leak in global CPU info stats code
575726-1 3-Major MCPd might leak memory in vCMP interface stats.
575716-1 3-Major MCPd might leak memory in VCMP base stats.
575708-1 3-Major MCPd might leak memory in CPU info stats.
575671-1 3-Major MCPd might leak memory in host info stats.
575619-1 3-Major Potential MCPd leak in pool member stats query code
575608-1 3-Major MCPd might leak memory in virtual server stats query.
575587-1 3-Major Potential MCPd leak in BWC policy class stats query code
575027-3 3-Major Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues.
574045-3 3-Major BGP may not accept attributes using extended length
573529 3-Major F-bit is not set in IPv6 OSPF Type-7 LSAs
571344-2 3-Major SSL Certificate with special characters might cause exception when GUI retrieves items list page.
571210-3 3-Major Upgrade, load config, or sync might fail on large configs with large objects.
571019-2 3-Major Topology records can be ordered incorrectly.
570053-1 3-Major HA peer's certkeychain of clientssl profile is unexpectedly either removed or re-named after config sync.
569356-5 3-Major BGP ECMP learned routes may use incorrect vlan for nexthop
569236-2 3-Major BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
565534-3 3-Major Some failover configuration items may fail to take effect
563475-1 3-Major ePVA dynamic offloading can result in immediate eviction and re-offloading of flows.
562044-1 3-Major Statistics slow_merge option does not work
560975-1 3-Major iControl can remove hardware SSL keys while in use
559939-3 3-Major Changing hostname on host sometimes causes blade to go RED / HA TABLE offline
558779-5 3-Major SNMP dot3 stats occasionally unavailable
558573-3 3-Major MCPD restart on secondary blade after updating Pool via GUI
557281-3 3-Major The audit_forwarder process fails to exit normally causing the process to consume CPU to near 100%
556252 3-Major sysGlobalTmmStatTmUsageRatio5s and sysGlobalTmmStatNpus in chassis
555905-1 3-Major sod health logging inconsistent when device removed from failover group or device trust
555039-1 3-Major VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration
554563-2 3-Major Error: Egress CoS queue packet drop counted against both Drops In and Drops Out statistics.
554340-2 3-Major IPsec tunnels fail when connection.vlankeyed db variable is disabled
553795-3 3-Major Differing certificate/key after successful config-sync
553649 3-Major The SNMP daemon might lock up and fail to respond to SNMP requests.
551927-3 3-Major ePVA snoop header's transform vlan should be set properly under asymmetric routing condition
551742-1 3-Major Hardware parity error mitigation for the SOURCE_VP table on 10000s/10200v/10250v platforms and B4300/B4340N and B2250 blades
549971-3 3-Major Some changes to virtual servers' profile lists may cause secondary blades to restart
549543-2 3-Major DSR rejects return traffic for monitoring the server
548385-1 3-Major iControl calls that query key/cert from parent folder, and the name is missing the extension, result in incorrect results
547942 3-Major SNMP ipAdEntAddr indicates floating vlan IP rather than local IP
547532-6 3-Major Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades
542742-3 3-Major SNMP reports invalid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m).
541316-5 3-Major Unexpected transition from Forced Offline to Standby to Active
540996-4 3-Major Monitors with a send attribute set to 'none' are lost on save
539125-1 3-Major SNMP: ifXTable walk should produce the available counter values instead of zero
530242-4 3-Major SPDAG on VIPRION B2250 blades might cause traffic imbalance among TMMs
529484-3 3-Major Virtual Edition Kernel Panic under load
527168-3 3-Major In GUI System :: Users : Authentication TACACS+ ports have max value of 32768 instead of 65535
527145-3 3-Major On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.
520408-1 3-Major TMM ASSERTs due to subkey_record field corruption in the SessionDB.
517209-6 3-Major tmsh save sys config file /var/tmp or /shared/tmp can make some BIG-IP functionality unusable
517020-4 3-Major SNMP requests fail and subsnmpd reports that it has been terminated.
515667-6 3-Major Unique truncated SNMP OIDs.
512954-1 3-Major ospf6d might leak memory when distribute-list is used
510580-3 3-Major Interfaces might be re-enabled unexpectedly when loading a partition
508076-1 3-Major Cannot successfully create a key/cert via tmsh or the GUI of the form name.key1, where extension is in the name.
496679-3 3-Major Configuration loads may fail because the 'default-device' on a traffic-group object does not contain a valid value.
491716-3 3-Major SNMP attribute type incorrect for certain OIDs
487625-4 3-Major Qkview might hang
486725-1 3-Major GUI creating key files with .key extensions in the name causing errors
486512-8 3-Major audit_forwarder sending invalid NAS IP Address attributes
483228-8 3-Major The icrd_child process generates core when terminating
478215-5 3-Major The command 'show ltm pool detail' returns duplicate members in some cases
474194-4 3-Major iControl GlobalLB::PoolMember get_all_statistics and get_monitor_association cause memory leaks
453949-3 3-Major small memory leak observed in audit_forwarder
451494-1 3-Major SSL Key/Certificate in different partition with Subject Alternative Name (SAN)
446493-3 3-Major foreign key index error on local traffic-only group
425980-2 3-Major Blade number not displayed in CPU status alerts
421971-7 3-Major Renewing certificates with SAN input in the GUI leads to error.
418664-3 3-Major Configuration utility CSRF vulnerability
405635-5 3-Major Using the restart cm trust-domain command to recreate certificates required by device trust.
405611-2 3-Major Configuration utility CSRF vulnerability
400456-2 3-Major HTTP monitors with long send or receive strings may not save or update
372118-1 3-Major import_all_from_archive_file and import_all_from_archive_stream do not create file objects.
339825-2 3-Major Management.KeyCertificate.install_certificate_from_file failing silently
553174-2 4-Minor Unable to query admin IP via SNMP on VCMP guest
551481-4 4-Minor 'tmsh show net cmetrics' reports bandwidth = 0
551349-1 4-Minor Non-explicit (*) IPv4 monitor destination address is converted to IPv6 on upgrade
548053-1 4-Minor User with 'Application Editor' role set cannot modify 'Description' field using the GUI.
536746-2 4-Minor LTM : Virtual Address List page uses LTM : Nodes List search filter.
535544-7 4-Minor Enhancement: ltm virtual translate-port, translate-address are not listed if they are enabled
533480-4 4-Minor qkview crash
519216-3 4-Minor Abnormally high CPU utilization from external SSL/OpenSSL monitors
511332-1 4-Minor Customer cannot view Pools list by Address
481003-1 4-Minor 'General database error' trying to view Local Traffic :: Pools :: Pool List.
468949-1 4-Minor audit_forwarded started error message
466612-2 4-Minor Missing sys DeviceModel OID for VIPRION C2200 chassis
452487-5 4-Minor Incremental sync causes incorrect accounting of member count of pools
447364-2 4-Minor BIG-IP may report getLopSensorData warnings at boot time or when changing a PSU
401893-2 4-Minor Allowing tilde in HTTP Profile fields Response Headers Allowed and Encrypt Cookies
572133-3 5-Cosmetic tmsh save /sys ucs command sends status messages to stderr
524281-1 5-Cosmetic Error updating daemon ha heartbeat
470627-4 5-Cosmetic Incorrect and benign log message of bandwidth utilization exceeded when licensed with rate limit in VE
458563-3 5-Cosmetic A "status down" message is logged when enabling a pool member that was previously disabled
388274-2 5-Cosmetic LTM pool member link in a route domain is wrong in Network Map.
291469-3 5-Cosmetic SNMP query fails to return ARP entries when the ARP table exceeds 2,048 entries.


Local Traffic Manager Fixes

ID Number Severity Description
555549-2 1-Blocking 'tmsh modify ltm node <ip_addr> state user-down' fails to bring pool member state offline.
579919 2-Critical TMM may core when LSN translation is enabled
565810-5 2-Critical OneConnect profile with an idle or strict limit-type might lead to tmm core.
562566-3 2-Critical High Availability connection flap may cause mirrored persistence entries to be retained after expiration on multi-blade systems
558612-3 2-Critical System may fail when syncookie mode is activated
554967-2 2-Critical Small Client EDNS0 Limits can Sometimes Truncate DNSSEC or iRule DNS Packets
552937-2 2-Critical HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the next pipelined request to fail.
552151-1 2-Critical Continuous error report in /dev/log/ltm: Device error: n3-compress0 Nitrox 3, Hang Detected
549868-2 2-Critical 10G interoperability issues reported following Cisco Nexus switch version upgrade.
544375-2 2-Critical Unable to load certificate/key pair
540568-4 2-Critical TMM core due to SIGSEGV
534795-6 2-Critical Swapping VLAN names in config results in switch daemon core and restart.
517613-2 2-Critical ClientSSL profile might have the wrong key/certificate/chain when created with a specific set of steps
483665-3 2-Critical Restrict the permissions for private keys
478812-4 2-Critical DNSX Zone Transfer functionality preserved after power loss
468791-3 2-Critical Crash when using FIX tag maps and a FIX message arrives without a SenderCompID.
466007-3 2-Critical DNS Express daemon, zxfrd, cannot start if its binary cache has filled /var
459671-1 2-Critical iRules source different procs from different partitions and executes the incorrect proc.
454583-4 2-Critical SPDY may cause the TMM to crash if it aborts while there are stalled streams.
592854-2 3-Major Protocol version set incorrectly on serverssl renegotiation
585412-1 3-Major SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines
584717 3-Major TCP window scaling is not applied when SYN cookies are active
580303-2 3-Major When going from active to offline, tmm might send a GARP for a floating address.
579371-1 3-Major BIG-IP may generate ARPs after transition to standby
576296-1 3-Major MCPd might leak memory in SCTP profile stats query.
575626-6 3-Major Minor memory leak in DNS Express stats error conditions
575612-4 3-Major Potential MCPd leak in policy action stats query code
571573-3 3-Major Persistence may override node/pmbr connection limit
571183-3 3-Major Bundle-certificates Not Accessible via iControl REST.
570617-5 3-Major HTTP parses fragmented response versions incorrectly
569642-3 3-Major Deleting all routes on a unit with a mirroring fastL4 Virtual may cause TMM to core
569349-3 3-Major Packet's vlan priority is not preserved for CMP redirected flows when net cos feature is enabled
569288-4 3-Major Different LACP key may be used in different blades in a chassis system causing trunking failures
566361-2 3-Major RAM Cache Key Collision
563591-3 3-Major reference to freed loop_nexthop may cause tmm crash.
563419-3 3-Major IPv6 packets containing extended trailer are dropped
563227-4 3-Major When a pool member goes down, persistence entries may vary among tmms
558602-2 3-Major Active mode FTP data channel issue when using lasthop pool
557783-3 3-Major TMM generated traffic to external IPv6 global-addr via ECMP routes might use link-local addr
557645-1 3-Major Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.
556560-1 3-Major DNS messages may become malformed if the Additional section contains an OPT record followed by multiple records.
556103-2 3-Major Abnormally high CPU utilization for external monitors
554977-1 3-Major TMM might crash on failed SSL handshake
553688-3 3-Major TMM can core due to memory corruption when using SPDY profile.
552931-2 3-Major Configuration fails to load if DNS Express Zone name contains an underscore
552865-5 3-Major SSL client authentication should ignore invalid signed Certificate Verify message when PCM is set to 'request'.
551189-2 3-Major Modifying an HTTP cookie value via the HTTP::cookie iRule API may yield to incorrect HTTP header data
550782-2 3-Major Cache Lookups for Validating Resolvers ignore the query's DNSSEC OK (DO) bit
550689-3 3-Major Resolver H.ROOT-SERVERS.NET Address Change
549406-3 3-Major Destination route-domain specified in the SOCKS profile
548680-3 3-Major TMM may core when reconfiguring iApps that make use of iRules with procedures.
548583-5 3-Major TMM crashes on standby device with re-mirrored SIP monitor flows.
548563-3 3-Major Transparent Cache Messages Only Updated with DO-bit True
547732-3 3-Major TMM may core on using SSL::disable on an already established serverside connection
542654 3-Major bigd may experience a heartbeat failure when tcp-half-open monitors are used
541126-1 3-Major Safenet connection may fail on restarting pkcs11d or HSM reboot or if the connection to HSM is lost and then resumed
540893-3 3-Major Unevenly loaded tmms while using syncookies may cause occasional spurious connection resets.
540213-4 3-Major mcpd will continually restart on newly inserted secondary blades when certain configuration exists on the primary
536191-3 3-Major Transparent inherited TCP monitors may fail on loading configuration
534111-2 3-Major [SSL] Config sync problems when modifying cert in default client-ssl profile
533820-3 3-Major DNS Cache response missing additional section
531979-4 3-Major SSL version in the record layer of ClientHello is not set to be the lowest supported version.
530812-5 3-Major Legacy DAG algorithm reuses high source port numbers frequently
529899-3 3-Major Installation may fail with the error "(Storage modification process conflict.)".
527742-1 3-Major The inherit-certkeychain field of a clientSSL profile is not synchronized correctly on a standby BIG-IP system
524641-4 3-Major Wildcard NAPTR record after deleting the NAPTR records
523471-3 3-Major pkcs11d core when connecting to SafeNet HSM
521711-3 3-Major HTTP closes connection if client sends non-keepalive request and server responds with 200 OK on One-Connect enabled virtual
519217-2 3-Major tmm crash: valid proxy
516816-2 3-Major RSA key with DSA-signed or ECDSA-signed certificate silently fails handshake.
515322-2 3-Major Intermittent TMM core when using DNS cache with forward zones
513530-3 3-Major Connections might be reset when using SSL::disable and enable command
513213-4 3-Major FastL4 connection may get RSTs in case of hardware syncookie enabled.
509416-4 3-Major Suspended 'after' commands may result in unexpected behaviors
505089-3 3-Major Spurious ACKs result in SYN cookie rejected stat increment.
500786-4 3-Major Heavy memory usage while using fastL4/BIGTCP virtual with HTTP profile
490936-1 3-Major SSLv2/TLSv1 based handshake causing handshake failures
490174-3 3-Major Improved TLS protocol negotiation with clients supporting TLS1.3
469627-2 3-Major When persistence is overridden from cookie to some other persistence method, the cookie should not be sent.
468471-1 3-Major The output of DNS::edns0 subnet address command is not stored properly in a variable
463202-6 3-Major BIG-IP system drops non-zero version EDNS requests
458348-3 3-Major RESOLV:: iRule commands and sFlow don't function correctly when using non-default CMP hashing.
457109-3 3-Major Traffic misclassified and matching wrong rule in CPM policy.
452900-3 3-Major IP iRules may cause TMM to segfault in low memory scenarios
452659-1 3-Major DNS Express zone creation, deletion or updates can slow down or stop other DNS services.
445471-1 3-Major DNS Express zone creation, deletion or updates can slow down or stop other DNS services.
419217-1 3-Major LTM policy fails to decompress compressed http requests
417006-5 3-Major Thales HSM support on Chassis cluster-mode.
406001-5 3-Major Host-originated traffic cannot use a nexthop in a different route domain
372473-3 3-Major mcp error 0x1020003 may be logged to /var/log/tmm when TMM crashes
336255-8 3-Major OneConnect Connection Limits with Narrow Source Address Masks
546747-4 4-Minor SSL connections may fail with a handshake failure when the ClientHello is sent in multiple packets
541134-3 4-Minor HTTP/HTTPS monitors transmit unexpected data to monitored node.
499795-3 4-Minor "persist add" in server-side iRule event can result in "Client Addr" being pool member address
492780-3 4-Minor Elliptic Curves Extension in ServerHello might cause failed SSL connection.
458872-1 4-Minor Check SACK report before treating as dupack


Global Traffic Manager Fixes

ID Number Severity Description
569972-3 2-Critical Unable to create gtm topology records using iControl REST
569521-2 2-Critical Invalid WideIP name without dots crashes gtmd.
561539-1 2-Critical [Upgrade] GTM pool member ratio setting to 0 is not honored when upgrading from v10.2.4 to v11.5.3.
539466-3 2-Critical Cannot use self-link URI in iControl REST calls with gtm topology
533658-3 2-Critical DNS decision logging can trigger TMM crash
471467-1 2-Critical gtmparse segfaults when loading wideip.conf because of duplicate virtual server names
569472-3 3-Major TMM segfault in lb_why_pmbr_str after GTM/BIG-IP DNS disables a GTM pool and LB why log is enabled
559975-4 3-Major Changing the username or password used for HTTP monitor basic auth may break HTTP basic auth
551767-2 3-Major GTM server 'Virtual Server Score' not showing correctly in TMSH stats
546640-1 3-Major tmsh show gtm persist <filter option> does not filter correctly
540576-2 3-Major big3d may fail to install on systems configured with an SSH banner
552352-3 4-Minor tmsh list display incorrectly for default values of gtm listener translate-address/translate-port


Application Security Manager Fixes

ID Number Severity Description
560748 2-Critical BIG-IQ discovery fails
451089-1 2-Critical ASM REST: Incorrect/Duplicate REST id for policy after a copy is made
449231-1 2-Critical ASM REST: Updating multiple items in a list only make one change
589298 3-Major TMM crash with a core dump
585045 3-Major ASM REST: Missing 'gwt' support for urlContentProfiles
582683-1 3-Major xpath parser doesn't reset a namespace hash value between each and every scan
574214-2 3-Major Content Based Routing daemon (cbrd) logging control
573406-2 3-Major ASU cannot be completed if license was last activated more than 18 months before
572922-3 3-Major Upgrade causes an ASM subsystem error of PL_PARAM_ATTRIBUTES.
566758-3 3-Major Manual changes to policy imported as XML may introduce corruption for Login Pages
559541-3 3-Major ICAP anti virus tests are not initiated on XML with when should
559055 3-Major Staging is not disabled on wildcard parameter "*" when Learn New Parameters is set to "Add All"
531809-1 3-Major FTP/SMTP traffic related bd crash


Application Visibility and Reporting Fixes

ID Number Severity Description
578353-1 2-Critical Statistics data aggregation process is not optimized
529900-4 2-Critical AVR missing some configuration changes in multiblade system
472969-3 2-Critical If you try to create more than 264 AVR profiles, avrd might crash.
569958-3 3-Major Upgrade for application security anomalies
557062-3 3-Major The BIG-IP ASM configuration fails to load after an upgrade.
488989-4 3-Major AVRD does not print out an error message when the external logging fails
454071-1 5-Cosmetic 'Show all' button has no effect or becomes hidden for short period of time


Access Policy Manager Fixes

ID Number Severity Description
581770-1 1-Blocking Network Access traffic does not pass IPv6 traffic if a Network Access resource contains IPv4&IPv6
580817-4 2-Critical Edge Client may crash after upgrade
579909-3 2-Critical Secondary MCPD exits for APM Sandbox warning improperly treated as configuration error
579559-4 2-Critical DTLS Network Access may not work with some hardware platforms with Nitrox hardware acceleration
578844-3 2-Critical tmm cores when switching to IPv6 virtual server while connected to IPv4 virtual server with Edge Client.
575609-4 2-Critical Zlib accelerated compression can result in a dropped flow.
574318-4 2-Critical Unable to resume session when switching to Protected Workspace
572563-4 2-Critical PWS session does not launch on Internet Explorer
571090-1 2-Critical When BIG-IP is used as SAML IdP, tmm may restart under certain conditions
569306-5 2-Critical Edge client does not use logon credentials even when "Reuse Windows Logon Credentials" is selected
565056-5 2-Critical Fail to update VPN correctly for non-admin user.
562919-1 2-Critical TMM cores in renew lease timer handler
559138-4 2-Critical Linux CLI VPN client fails to establish VPN connection on Ubuntu
556774-1 2-Critical EdgeClient cannot connect through captive portal
555272-3 2-Critical Endpoint Security client components (OPSWAT, EPSEC) may fail to upgrade
513083-2 2-Critical d10200: tmm core when using ASM-FPS-AVR-APM-DOS on virtual server.
586056 3-Major Machine cert checker doesn't work as expected if issuer or AltName is specified
581834-3 3-Major Firefox signed plugin for VPN, Endpoint Check, etc
580421-4 3-Major Edge Client may not register DLLs correctly
576350-3 3-Major External input from client doesn't pass to policy agent if it is not the first in the chain.
576069-1 3-Major Rewrite can crash in some rare corner cases
575499-3 3-Major VPN filter may leave renew_lease timer active after teardown
575292-2 3-Major DNS Relay proxy service does not respond to SCM commands in timely manner
574781-3 3-Major APM Network Access IPV4/IPV6 virtual may leak memory
573581-2 3-Major DNS search suffixes are not restored properly in some cases after VPN establishment
573429-2 3-Major APM Network Access IPv4/IPv6 virtual may leak memory
572893-5 3-Major error "The modem (or other connecting device) is already in use or is not configured properly"
571003-4 3-Major TMM Restarts After Failover
570640-4 3-Major APM Cannot create symbolic link to sandbox. Error: No such file or directory
570064-4 3-Major IE gives a security warning asking: "Do you want to run ... InstallerControll.cab"
569255-5 3-Major Network Access incorrectly manipulates routing table when a second adapter is connected if "Allow Local subnet access" is set to ON
566908-3 3-Major Webserver listening on local Wifi or ethernet IP cannot be accessed after VPN with proxy.pac file
566646-2 3-Major Portal Access could respond very slowly for large text files when using IE < 11
565231-1 3-Major Importing a previously exported policy which had two object names may fail
564521-2 3-Major JavaScript passed to ExternalInterface.call() may be erroneously unescaped
564496-2 3-Major Applying APM Add-on License Does Not Change Effective License Limit
564482-3 3-Major Kerberos SSO does not support AES256 encryption
564262-3 3-Major Network Access does not work if DNS cannot be resolved on client and PAC file contains DNS resolution code
564253-6 3-Major Firefox signed plugin for VPN, Endpoint Check, etc
563443-3 3-Major WebSSO plugin core dumps under very rare conditions.
558946-3 3-Major TMM may core when APM is provisioned and access profile is attached to the virtual
558870-4 3-Major Protected workspace does not work correctly with third party products
558631-6 3-Major APM Network Access VPN feature may leak memory
556597-3 3-Major CertHelper may crash when performing Machine Cert Inspection
555457-4 3-Major Reboot is required, but not prompted after F5 Networks components have been uninstalled
554993-1 3-Major Profile Stats Not Updated After Standby Upgrade Followed By Failover
554626 3-Major Database logging truncates log values greater than 1024
554228-4 3-Major OneConnect does not work when WEBSSO is enabled/configured.
554074-3 3-Major If the user cancels a connection attempt, there may be a delay in establishing the next connection.
554041-4 3-Major No connectivity inside enterprise network for "Always Connected" client if Network Location Awareness is enabled
553925-3 3-Major Manual upgrade of Edge Client fails in some cases on Windows
552498-2 3-Major APMD basic authentication cookie domains are not processed correctly
550536-4 3-Major Incorrect information/text (in French) is displayed when the Edge Client is launched
549086-3 3-Major Windows 10 is not detected when Firefox is used
536575-2 3-Major Session variable report can be blank in many cases
531983-4 3-Major [MAC][NA] Routing table is not updated correctly in connected state when new adapter is added
528548-1 3-Major @import "url" is not recognized by client-side CSS patcher
528139-4 3-Major Windows 8 client may not be able to renew DHCP lease
520088-1 3-Major Citrix HTML5 Receiver does not properly display initial tour and icons
519059-2 3-Major [PA] - Failing to properly patch webapp link, link not working
518550-5 3-Major Incorrect value of form action attribute inside 'onsubmit' event handler in some cases
516219-2 3-Major User failed to get profile license in VIPRION 4800 chassis if slot 1 is not enabled
492122-4 3-Major Now Windows Logon Integration does not recreate temporary user for logon execution each time
488811-4 3-Major F5-prelogon user profile folders are not fully cleaned up
487859-2 3-Major Importing local db users from a CSV file that has no UID set, displays incorrect information in the GUI.
473344-7 3-Major Kerberos Request-Based Auth (RBA) failure when session is initially created on a different VIP.
472446-4 3-Major Customization group template file might cause mcpd to restart
464687-1 3-Major Copying Access Profile with Machine Cert Agent check fails
462268-1 3-Major long session var processing in variable assignment agent
461084-2 3-Major Kerberos Auth might fail if client request contains Authorization header
458737-1 3-Major non-printable characters are escaped before hexencoding
409323-2 3-Major OnDemand cert auth redirect omits port information
404141-3 3-Major Standby system offers option to Apply Access Policy even though it has been synced
399732-2 3-Major SAML Error: Invalid request received from remote client is too big
580429-3 4-Minor CTU does not show second Class ID for InstallerControll.dll
572543-4 4-Minor User is prompted to install components repeatedly after client components are updated.
541156-3 4-Minor Network Access clients experience delays when resolving a host


WebAccelerator Fixes

ID Number Severity Description
575631-2 3-Major Potential MCPd leak in WAM stats query code
551010-3 3-Major Crash on unexpected WAM storage queue state


WAN Optimization Manager Fixes

ID Number Severity Description
552198-3 3-Major APM App Tunnel/AM iSession Connection Memory Leak
547537-4 3-Major TMM core due to iSession tunnel assertion failure


Service Provider Fixes

ID Number Severity Description
572224 3-Major Buffer error due to RADIUS::avp command when vendor IDs do not match


Advanced Firewall Manager Fixes

ID Number Severity Description
575582-1 3-Major MCPd might leak memory in FW network attack stats.
575571-1 3-Major MCPd might leak memory in FW DOS SIP attack stats query.
575569-1 3-Major MCPd might leak memory in FW DOS DNS stats query.
575565-1 3-Major MCPd might leak memory in FW policy rule stats query.
575564-1 3-Major MCPd might leak memory in FW rule stats query.
575557-2 3-Major MCPd might leak memory in FW rule stats.
575321-1 3-Major MCPd might leak memory in firewall stats.
569337-4 3-Major TCP events are logged twice in a HA setup
561433-6 3-Major TMM Packets can be dropped indiscriminately while under DOS attack
556694-6 3-Major DoS Whitelist IPv6 addresses may "overmatch"


Policy Enforcement Manager Fixes

ID Number Severity Description
577814 3-Major MCPd might leak memory in PEM stats queries.


Carrier-Grade NAT Fixes

ID Number Severity Description
540571-4 2-Critical TMM cores when multicast address is set as destination IP via iRules and LSN is configured
482202-2 2-Critical Very long FTP command may be ignored.
515736-5 3-Major LSN pool with small port range may not use all ports


Device Management Fixes

ID Number Severity Description
453640-2 2-Critical Java core when modifying global-settings



Cumulative fixes from BIG-IP v11.5.4 Hotfix 1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
518275-3 CVE-2016-4545 K48042976 The BIG-IP system may stop the normal processing of SSL traffic and dump a TMM core file


Functional Change Fixes

ID Number Severity Description
577811 3-Major SNMP sysObjectID OID reports ID of blade on VIPRION 2xxx-series platforms


Local Traffic Manager Fixes

ID Number Severity Description
576314 2-Critical SNMP traps for FIPS device fault inconsistent among versions.
574262 3-Major Rarely encountered lockup for N3FIPS module when processing key management requests.
574073 3-Major Support for New Platform: BIG-IP 10350 FIPS with NEBS support



Cumulative fixes from BIG-IP v11.5.4 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
542314-7 CVE-2015-8099 K35358312 TCP vulnerability - CVE-2015-8099
536481-8 CVE-2015-8240 K06223540 F5 TCP vulnerability CVE-2015-8240
567475-4 CVE-2015-8704 K53445000 BIND vulnerability CVE-2015-8704
560910-3 CVE-2015-3194 K86772626 OpenSSL Vulnerability fix
560180-3 CVE-2015-8000 K34250741 BIND Vulnerability CVE-2015-8000
554624-1 CVE-2015-5300 CVE-2015-7704 K10600056 K17566 NTP CVE-2015-5300 CVE-2015-7704
553902-3 CVE-2015-5300 CVE-2015-7704 CVE-2015-7871 CVE-2015-7855 CVE-2015-7853 CVE-2015-7852 CVE-2015-7850 CVE-2015-7701 CVE-2015-7691 CVE-2015-7692 CVE-2015-7702 CVE-2015-5196 K17516 Multiple NTP Vulnerabilities
546080-4 CVE-2016-5021 K99998454 Path sanitization for iControl REST worker
545786-2 CVE-2015-7393 K75136237 Privilege escalation vulnerability CVE-2015-7393
545762-1 CVE-2015-7394 K17407 CVE-2015-7394
540849-4 CVE-2015-5986 K17227 BIND vulnerability CVE-2015-5986
540846-4 CVE-2015-5722 K17181 BIND vulnerability CVE-2015-5722
540767-1 CVE-2015-5621 K17378 SNMP vulnerability CVE-2015-5621
533156-2 CVE-2015-6546 K17386 CVE-2015-6546
472093-2 CVE-2015-8022 K12401251 APM TMUI Vulnerability CVE-2015-8022
556383-2 CVE-2015-7181 CVE-2015-7182 CVE-2015-7183 K31372672 Multiple NSS Vulnerabilities
534633-1 CVE-2015-5600 K17113 OpenSSH vulnerability CVE-2015-5600
525232-10 CVE-2015-4024 CVE-2014-8142 K16826 PHP vulnerability CVE-2015-4024
485917-5 CVE-2004-1060 K15792 BIG/IP is vulnerable to Path MTU discovery attack (CVE-2004-1060)
427174-6 CVE-2013-1620 CVE-2013-0791 K15630 SOL15630: TLS in Mozilla NSS vulnerability CVE-2013-1620
560948-3 CVE-2015-3195 K12824341 OpenSSL vulnerability CVE-2015-3195
553454-3 CVE-2015-2730 K15955144 Mozilla NSS vulnerability CVE-2015-2730
515345-4 CVE-2015-1798 K16505 NTP Vulnerability
430799-5 CVE-2010-5107 K14741 CVE-2010-5107 openssh vulnerability
567484-4 CVE-2015-8705 K86533083 BIND Vulnerability CVE-2015-8705


Functional Change Fixes

ID Number Severity Description
557221 2-Critical Inbound ISP link load balancing will use pool members for only one ISP link per data center
539130-7 3-Major bigd may crash due to a heartbeat timeout
530133 3-Major Support for New Platform: BIG-IP 10350 FIPS
498992-9 3-Major Troubleshooting enhancement: improve logging details for AWS failover failure.
439013-5 3-Major IPv6 link-local vlan tag handling incorrect
425331-1 3-Major On VIPRION 2xxx-series platforms, the SNMP sysObjectID OID reports Chassis ID not Blade ID
226043-5 3-Major Add support for multiple addresses for audit-forwarder.
479147-5 4-Minor Cannot create VXLAN tunnels with the same local-address and different multicast addresses.


TMOS Fixes

ID Number Severity Description
546260-1 1-Blocking TMM can crash if using the v6rd profile
544980-1 1-Blocking BIG-IP Virtual Edition may have minimal disk space for the /var software partition when deploying from the OVA file for the Better or Best license bundle.
510393-2 1-Blocking TMM may occasionally restart with a core file when deployed VCMP guests are stopped
465142-5 1-Blocking iControl LocalLB::ProfileClientSSL::create and create_v2 methods result in crash when not in /Common
445327-1 1-Blocking OpenJDK 1.7 vulnerabilities
397431-8 1-Blocking Improved security for Apache.
562427 2-Critical Trust domain changes do not persist on reboot.
555686-2 2-Critical Copper SFPs OPT-0015 on 10000-series appliance may cause interfaces to not come up and/or show corrupted serial numbers
544913-2 2-Critical tmm core while logging from TMM during failover
544481-4 2-Critical IPSEC Tunnel fails for more than one minute randomly.
530903-5 2-Critical HA pair in a typical Active/Standby configuration becomes Active/Active after a software upgrade
523434-5 2-Critical mcpd on secondary blades will restart with an error message about a sflow_http_virtual_data_source object
520380-4 2-Critical save-on-auto-sync can spawn multiple invocations of tmsh, starving system of memory
513151-7 2-Critical VIPRION B2150 blades show up as unknown when SNMP queries the OID sysObjectID.
511559-6 2-Critical Virtual Address advertised while unavailable
510559-5 2-Critical Add logging to indicate that compression engine is stalled.
507602-4 2-Critical Data packet over IPsec tunnel might be looping between cores after rekey if IPsec lifebyte is enabled
504508-4 2-Critical IPsec tunnel connection from BIG-IP to some Cisco ASA does not stay up when DPD (Dead Peer Detection) is enabled
503600-3 2-Critical TMM core logging from TMM while attempting to connect to remote logging server
482373-5 2-Critical Cannot delete and re-create a new virtual server that uses the same virtual address in the same transaction
468473-5 2-Critical Monitors with domain username do not save/load correctly
460165-5 2-Critical General Database Error when accessing Clusters or Templates page
365219-3 2-Critical Trust upgrade fails when upgrading from version 10.x to version 11.x.
355199-5 2-Critical ePVA flow not removed when connection closed
556284-3 3-Major iqsyncer: GTM/LC config sync failure with error from local mcpd Monitor parent not found
553576-2 3-Major Intermittent 'zero millivolt' reading from FND-850 PSU
550694 3-Major LCD display stops updating and Status LED turns/blinks Amber
547047-1 3-Major Older cli-tools unsupported by AWS
545745-3 3-Major Enabling tmm.verbose mode produces messages that can be mistaken for errors.
542860-5 3-Major TMM crashes when IPsec SA are deleted during HA Active to Standby or vice versa event
542320 3-Major no login name may appear when running ssh commands through management port
539822-1 3-Major tmm may leak connflow and memory on vCMP guest.
538133-1 3-Major Only one action per sensor is displayed in sensor_limit_table and system_check
536939-1 3-Major Secondary blade may restart services if configuration elements are deleted using a * wildcard.
534582-3 3-Major HA configuration may fail over when standby has only base configuration loaded.
533826-4 3-Major SNMP Memory Leak on a VIPRION system.
532559-2 3-Major Upgrade fails to 11.5.0 and later if 'defaults-from none' is under profile '/Common/clientssl'.
531986-2 3-Major Hourly AWS VE license breaks after reboot with default tmm route/gateway.
529977-4 3-Major OSPF may not process updates to redistributed routes
529524-5 3-Major IPsec IKEv1 connectivity issues
528881-5 3-Major NAT names with spaces in them do not upgrade properly
528498-2 3-Major Recently-manufactured hardware may not be identified with the correct model name and SNMP OID
528276-6 3-Major The device management daemon can crash with a malloc error
527431-2 3-Major Db variable to specify audit forwarder port
526974-5 3-Major Data-group member records map empty strings to 'none'.
526817-6 3-Major snmpd core due to mcpd message timer thread not exiting
524490-7 3-Major Excessive output for tmsh show running-config
524333-5 3-Major iControl command pkcs12_import_from_file_v2 may fail if httpd is restarted or session times out.
524300-1 3-Major The MOS boot process appears to hang.
523922-6 3-Major Session entries may timeout prematurely on some TMMs
523867-2 3-Major 'warning: Failed to find EUDs' message during formatting installation
523642-4 3-Major Power Supply status reported incorrectly after LBH reset
523527-10 3-Major Upgrade from 10.x to 11.2.0 or later does not add existing routing protocols to RD0.
522871-4 3-Major [TMSH] nested wildcard deletion will delete all the objects (matched or not matched)
522837-3 3-Major MCPD can core as a result of another component shutting down prematurely
521144-7 3-Major Network failover packets on the management interface sometimes have an incorrect source-IP
519510-4 3-Major Throughput drop and rxbadsum stat increase in tagged VLAN with LRO/GRO on BIG-IP VE running on ESX platforms with particular network hardware
519081-6 3-Major Cannot use tmsh to load valid configuration created using the GUI.
518283-4 3-Major Cookie rewrite mangles 'Set-Cookie' headers
517714-2 3-Major logd core near end of its life cycle
517388-6 3-Major Parsing the DN (for subject or issuer) in a certificate does not take into account all the possible RDNs.
516995-8 3-Major NAT traffic group inheritance does not sync across devices
516322-5 3-Major The BIG-IP system may erroneously remove an iApp association from the virtual server.
514844-3 3-Major Fluctuating/inconsistent number of health monitors for pool member
514726-5 3-Major Server-side DSR tunnel flow never expires
514724-4 3-Major crypto-failsafe fail condition not cleared when crypto device restored
512618-2 3-Major Continuous "Invalid sadb message" upon issuing "racoonctl -l show-sa esp"
511145-2 3-Major IPsec Policy Link not functional.
510425-7 3-Major DNS Express zone RR type-count statistics are missing in some cases
510381-5 3-Major bcm56xxd might core when restarting due to bundling config change.
509600-5 3-Major Global rule association to policy is lost after loading config.
507853-10 3-Major MCP may crash while performing a very large chunked query and CPU is highly loaded
504803-4 3-Major GUI Local Traffic Pool list does not show certain Pools with name containing 'mam'.
504494-4 3-Major Upgrading to 11.5.0 and later might associate a disabled HA group to traffic groups.
501437-6 3-Major rsync daemon does not stop listening after configsync-ip set to none
497304-10 3-Major Unable to delete reconfigured HTTP iApp when auto-sync is enabled
495865-4 3-Major iApps/tmsh cannot reconfigure pools that have monitors associated with them.
495862-7 3-Major Virtual status becomes yellow and gets connection limit alert when all pool members forced down
493246-1 3-Major SNMP error: Unknown Object Identifier (Index out of range:0 ) for sysCpuSensorSlot
491556-10 3-Major tmsh show sys connection output is corrected
489113-7 3-Major PVA status, statistics not shown correctly in UI
485939-8 3-Major OSPF redistributing connected subnets that are configured in the network element with infinity metric in an HA pair.
485702-7 3-Major Default SNMP community 'public' is re-added after the upgrade
484861-10 3-Major A standby-standby state can be created when auto failback acts in a CRC disagreement scenario
484534-5 3-Major interface STP state stays in blocked when added to STP as disabled
483699-5 3-Major No Access error when trying to access iFile object in Local Traffic :: iRules : iFile list
483104-6 3-Major vCMP guests report platform type as 'unknown'
481089-6 3-Major Request group incorrectly deleted prior to being processed
479553-6 3-Major Sync may fail after deleting a persistence profile
479543-8 3-Major Transaction will fail when deleting pool member and related node
476288-5 3-Major Tmrouted restarted after a series of creating/deleting route domains and adding/deleting protocols due to seg fault
473037-7 3-Major BIG-IP 2000/4000 platforms do not support RSS with L4 data on SCTP
470788-4 3-Major Creating static ARP entry with unreachable IP address causes BIG-IP to be unreachable after reboot
470756-8 3-Major snmpd cores or crashes with no logging when restarted by sod
464225-6 3-Major 'tmsh list ltm message-routing' and 'tmsh show ltm message-routing' fail for non-admin users
463468-9 3-Major failed tmsh command generate double logs
462187-6 3-Major 'tmsh list net tunnels' and GUI tunnel access fail for non-admin users
458104-6 3-Major LTM UCS load merge trunk config issue
455980-6 3-Major Home directory is purged when the admin changes user password.
455651-6 3-Major Improper regex/glob validation in web-acceleration and http-compression profiles
454392-1 3-Major Added support for BIG-IP 10350N NEBS platform.
439299-5 3-Major iApp creation fails with non-admin users
433466-5 3-Major Disabling bundled interfaces affects first member of associated unbundled interfaces
410101-4 3-Major HSBe2 falls off the PCI bus
375246-11 3-Major Clarification of pool member session enabling versus pool member monitor enabling
549023 4-Minor warning: Failed to find EUDs
548268-3 4-Minor Disabling an interface on a blade does not change media to NONE
503841-4 4-Minor Slow performance with delete_string_class_member in iControl-SOAP
492163-6 4-Minor Applying a monitor to pool and pool member may cause an issue.
473163-9 4-Minor RAID disk failure and alert.conf log message mismatch results in no trap
465675-5 4-Minor Invalid MAX-ACCESS clause for deprecated variables: ltmNodeAddrNewSessionEnable and ltmPoolMemberNewSessionEnable.
434096-5 4-Minor TACACS log forwarder truncates logs to 1k
413708-7 5-Cosmetic BIG-IP system may use an ephemeral source port when sending SNMP IPv6 UDP response.


Local Traffic Manager Fixes

ID Number Severity Description
536690-1 1-Blocking Occasional host-tmm connections within a chassis will fail (affects APM processes trying to connect to a tmm)
540473-5 2-Critical peer/clientside/serverside script with parking command may cause tmm to core.
538255-2 2-Critical SSL handshakes on 4200/2200 can cause TMM cores.
537988-3 2-Critical Buffer overflow for large session messages
534804-3 2-Critical TMM may core with rate limiting enabled and service-down-action reselect on poolmembers
534052-5 2-Critical VLAN failsafe triggering on standby leaks memory
533388-8 2-Critical tmm crash with assert "resume on different script"
530505-2 2-Critical IP fragments can cause TMM to crash when packet filtering is enabled
529920-6 2-Critical Connection mirroring with OneConnect on a virtual server can cause TMM crash on standby unit
528739-5 2-Critical DNS Cache might use cached data from ADDITIONAL sections in ANSWER responses.
527011-4 2-Critical Intermittent lost connections with no errors on external interfaces
520413-12 2-Critical Aberrant behavior with woodside TCP congestion control
517590-1 2-Critical Pool member not turning 'blue' when monitor removed from pool
517465-3 2-Critical tmm crash with ssl
514108-7 2-Critical TSO packet initialization failure due to out-of-memory condition.
509646-6 2-Critical Occasional connections reset when using persistence
503343-9 2-Critical TMM crashes when cloned packet incorrectly marked for TSO
497299-7 2-Critical Thales install fails if the BIG-IP system is also configured as the RFS
489451-2 2-Critical TMM might panic due to OpenSSL failure during handshake generation
483719-4 2-Critical vlan-groups configured with a single member VLAN result in memory leak
481677-5 2-Critical A possible TMM crash in some circumstances.
481162-6 2-Critical vs-index is set differently on each blade in a chassis
477064-5 2-Critical TMM may crash in SSL
472585-5 2-Critical tmrouted crashes after a series configuration changes
470235-1 2-Critical The HTTP explicit proxy may leak memory in some cases
459100-6 2-Critical TMM may crash when offloading one-way UDP FastL4 flow
456766-2 2-Critical SSL Session resumption with hybrid handshake might fail
456175-3 2-Critical Memory issues possible with really long interface names
455286-2 2-Critical BIG-IP might send both session ID and server certificate during renegotiation
451059-8 2-Critical SSL server does not check and validate Change Cipher Spec payload.
569718-3 3-Major Traffic not sent to default pool after pool selection from rule
553311-1 3-Major Route pool configuration may cause TMM to produce a core file
552532-3 3-Major Oracle monitor fails with certain time zones.
552385 3-Major Virtual servers using an SSL profile and two UDP profiles may not be accepted
547815-2 3-Major Potential DNS Transparent Cache Memory Leak
545704-3 3-Major TMM might core when using HTTP::header in a serverside event
544028-3 3-Major Verified Accept counter 'verified_accept_connections' might underflow.
543993-4 3-Major Serverside connections may fail to detach when using the HTTP and OneConnect profiles
543220-3 3-Major Global traffic statistics does not include PVA statistics
538603-3 3-Major TMM core file on pool member down with rate limit configured
537964-3 3-Major Monitor instances may not get deleted during configuration merge load
537553-3 3-Major tmm might crash after modifying virtual server SSL profiles in SNI configuration
533966-4 3-Major Double loopback nexthop release might cause TMM core.
532107-5 3-Major [LTM] [DNS] Maximum RTT value for nameserver cache still exists after nameserver cache is deleted
530761-4 3-Major TMM crash in DNS processing on a TCP virtual
528407-6 3-Major TMM may core with invalid lasthop pool configuration
528188-4 3-Major Packet filters are by-passed for some fragmented ICMP echo requests to a virtual address
528007-5 3-Major Memory leak in ssl
527027-3 3-Major DNSSEC Unsigned Delegations Respond with Parent Zone Information
527024-2 3-Major DNSSEC Unsigned Delegations Respond with Parent Zone Information
526810-8 3-Major Crypto accelerator queue timeout is now adjustable
525958-10 3-Major TMM may crash if loadbalancing to node's IP in iRule routed towards an unreachable nexthop.
525322-6 3-Major Executing tmsh clientssl-proxy cached-certs crashes tmm
524960-5 3-Major 'forward' command does not work if virtual server has attached pool
523513-5 3-Major COMPRESS::enable keeps compression enabled for a subsequent HTTP request.
521036-4 3-Major Dynamic ARP entry may replace a static entry in non-primary TMM instances.
520405-2 3-Major tmm restart due to oversubscribed DNS resolver
517790-11 3-Major When non-HTTP traffic causes the server-side to receive unexpected data, the connection will be dropped
517510-5 3-Major HTTP monitor might add extra CR/LF pairs to HTTP body when supplied
517282-6 3-Major The DNS monitor may delay marking an object down or never mark it down
517124-6 3-Major HTTP::retry incorrectly converts its input
516598-6 3-Major Multiple TCP keepalive timers for same Fast L4 flow
516432-4 3-Major DTLS may send corrupted records when the DB variable tmm.ssl.dtlsmaxcrs is not the default value 1.
516320-5 3-Major TMM may have a CPU spike if match cross persist is used.
515482-6 3-Major Multiple teardown conditions can cause crash
515072-7 3-Major Virtual servers with priority groups reset incoming connections when a non-zero connection limit is increased
514419-7 3-Major TMM core when viewing connection table
514246-6 3-Major connflow_precise_check_begin does not check for NULL
513319-7 3-Major Incorrect of failing sideband connections from within iRule may leak memory
513243-5 3-Major Improper processing of crypto error condition might cause memory issues.
512490-10 3-Major Increased latency during connection setup when using FastL4 profile and connection mirroring.
512148-7 3-Major Self IP address cannot be deleted when its VLAN is associated with static route
511517-8 3-Major Request Logging profile cannot be configured with HTTP transparent profile
511057-7 3-Major Config sync fails after changing monitor in iApp
510921-6 3-Major Database monitors do not support IPv6 nodes
510164-4 3-Major DNS Express zone RR statistics are correctly reset after zxfrd restart
507109-6 3-Major inherit-certkeychain attribute of child Client SSL profile can unexpectedly change during upgrade
505705-6 3-Major Expired mirrored persistence entries not always freed using intra-chassis mirroring
504827-3 3-Major Use of DHCP relay virtual server might result in tmm crash 'top filter'.
503257-13 3-Major Persistence, connection limits and HTTP::respond or HTTP::redirect may result in RST
502747-13 3-Major Incoming SYN generates unexpected ACK when connection cannot be recycled
498334-6 3-Major DNS express doesn't send zone notify response
495588-4 3-Major Configuration fails with Syntax Error after upgrading from pre-11.5.0 releases
493140-6 3-Major Incorrect persistence entries are created when invoking cookie hash persistence within an iRule using offset and length parameters.
493117-12 3-Major Changing the netmask on an advertised virtual address causes it to stop being advertised until tmrouted is restarted
490740-9 3-Major TMM may assert if HTTP is disabled by another filter while it is parked
490429-4 3-Major The dynamic routes for the default route might be flushed during operations on non-default route domains.
475649-6 3-Major HTTP::respond in explicit proxy scenarios may cause TMM crash due to assert
475125-2 3-Major Use of HTTP::retry may cause TMM crash
472748-4 3-Major SNAT pool stats are reflected in global SNAT stats
471059-7 3-Major Malformed cookies can break persistence
467551-5 3-Major TCP syncookie and Selective NACK (profile option) causes traffic to be dropped
464651-7 3-Major Multiple root certificates with same 'subject' and 'issuer' may cause the tmm to core.
458822-5 3-Major Cluster status may be incorrect on secondary blades
453720-6 3-Major clientssl profile validation fails to detect config with no cert/key name and no cert/key
452246-4 3-Major The correct cipher may not be chosen on session resumption.
447043-11 3-Major Cannot have 2 distinct 'contains' conditions on the same LTM policy operand
442869-7 3-Major GUI inaccessible on chassis when var/log/audit log is full
441638-9 3-Major CACHE::header insert fails with 'Out of bounds' error for 301 Cache response
441058-5 3-Major TMM can crash when a large number of SSL objects are created
429011-8 3-Major No support for external link down time on network failover
424831-4 3-Major State Mirroring does not work for an HA pair that uses only hardwired (serial) failover, without network failover
418890-5 3-Major OpenSSL bug can prevent RSA keys from rolling forward
364994-14 3-Major TMM may restart or disabled connections may be reused when a OneConnect profile is configured and OneConnect reuse is disabled by an iRule.
348000-16 3-Major HTTP response status 408 request timeout results in error being logged.
534458-4 4-Minor SIP monitor marks down member if response has different whitespace in header fields.
532799-4 4-Minor Static Link route to /32 pool member can end up using dst broadcast MAC
513288-2 4-Minor Management traffic from nodes being health monitored might cause health monitors to fail.
503560-5 4-Minor Statistics profiles cannot be configured along with HTTP transparent profile on the same virtual server.
446830-2 4-Minor Current Sessions stat does not increment/decrement correctly.
446755-5 4-Minor Connections with ramcache and clientssl profile allowing non-SSL traffic may stall


Global Traffic Manager Fixes

ID Number Severity Description
469033-15 2-Critical Large big3d memory footprint.
437025-5 2-Critical big3d might exit during loading of large configs or when a connection to mcpd is dropped.
529460-5 3-Major Short HTTP monitor responses can incorrectly mark virtual servers down.
517582-5 3-Major [GUI] [GTM] Cannot delete Region if attempting to delete another region referenced by a record.
510888-8 3-Major [LC] snmp_link monitor is not listed as available when creating link objects
494070-4 4-Minor BIG-IP DNS cannot use a loopback address with fallback IP load balancing


Application Security Manager Fixes

ID Number Severity Description
555057-1 2-Critical ASM REST: Removing a Signature Set From One Security Policy Removes It From All Security Policies.
555006-1 2-Critical ASM REST: lastUpdateMicros is not updated when changing a Custom Signature
552139-3 2-Critical ASM limitation in the pattern matching matrix build-up
540424-1 2-Critical ASM REST: DESC modifier for $orderby option does not affect results
515728-4 2-Critical Repeated BD cores.
478351-2 2-Critical Changing management IP can lead to bd crash
475551-5 2-Critical Flaw in CSRF protection mechanism
547000-3 3-Major Enforcer application might crash on XML traffic when out of memory
544831 3-Major ASM REST: PATCH to custom signature set's attackTypeReference are ignored
542511-1 3-Major 'Unhandled keyword ()' error message in GUI and/or various ASM logs
540390-1 3-Major ASM REST: Attack Signature Update cannot roll back to older attack signatures
538195-5 3-Major Incremental Manual sync does not allow overwrite of 'newer' ASM config
535188-5 3-Major Response Pages custom content with \n instead of \r\n on policy import.
534246-4 3-Major rest_uuid should be calculated from the actual values inserted to the entity
530598-2 3-Major Some Session Tracking data points are lost on TMM restart
529610-4 3-Major On HA setups the ASM session tracking page displays an empty list when in fact there are ASM entries in the session db
528071-2 3-Major ASM periodic updates (cron) write errors to log
526162-6 3-Major TMM crashes with SIGABRT
521183-3 3-Major Upgrade from 11.2.x (or earlier) to 11.5.x/11.6.x can fail when an active DoS profile exists with 'Prevention Duration' set to a value less than 5
519053-4 3-Major Request is forwarded truncated to the server after answering challenge on a big request
514313-3 3-Major Logging profile configuration is updated unnecessarily
502852-4 3-Major Deleting an in-use custom policy template
498189-6 3-Major ASM Request log does not show log messages.
491371-4 3-Major CMI: Manual sync does not allow overwrite of 'newer' ASM config
491352-4 3-Major Added ASM internal parameter to add more XML memory
484079-5 3-Major Change to signature list of manual Signature Sets does not take effect.
478674-10 3-Major ASM internal parameters for high availability timeout were not handled correctly
471766-3 3-Major Number of decoding passes configuration
470779-3 3-Major The Enforcer should exclude session awareness violations when counting illegal requests.
466423-1 3-Major ASM REST: Partial PATCH to User-Defined Signature-Set Filter Resets Other Fields to Defaults
442313-6 3-Major Content length header leading whitespaces should not be counted as digits
440913-2 3-Major Apply Policy Fails After Policy Diff and Merge


Application Visibility and Reporting Fixes

ID Number Severity Description
458823-2 2-Critical TMM Crash can lead to crash of other processes
535246 3-Major Table values are not correctly cleaned and can occupy entire disk space.
530952-4 3-Major MySql query fails with error number 1615 'Prepared statement needs to be re-prepared'
530356-1 3-Major Some AVR tables that hold ASM statistics are not being backed up in upgrade process.
529903-2 3-Major Incorrect reports on multi-bladed systems
474613-2 3-Major Upgrading from previous versions
537435-4 4-Minor Monpd might core if asking for export report by email while monpd is terminating


Access Policy Manager Fixes

ID Number Severity Description
553330-2 1-Blocking Unable to create a new document with SharePoint 2010
555507-3 2-Critical Under certain conditions, SSO plugin can overrun memory not owned by the plugin.
537227-6 2-Critical EdgeClient may crash if special Network Access configuration is used
532340-2 2-Critical When FormBased SSO or SAML SSO are configured, tmm may restart at startup
530622-2 2-Critical EAM plugin uses high memory when serving very high concurrent user load
502269-2 2-Critical Large post requests may fail using form based SSO.
480272-8 2-Critical During OAM SDK initialization, ObConfig initialization returns wrong accessgate ID
459584-2 2-Critical TMM crashes if request URI is empty or longer than 4096 bytes.
437611-3 2-Critical ERR_NOT_FOUND. File: ../modules/hudfilter/access/access_license.c, Function: access_read_license_settings, Line: 204
558859 3-Major Control insertion to log_session_details table by Access policy logging level.
551764-1 3-Major [APM] HTTP status 500 response of successful Access Policy in clientless mode on chassis platform
549588-3 3-Major EAM memory leak when cookiemap is destroyed without deleting Cookie object in it
544992-2 3-Major Virtual server profile changes are ignored if it has /Common/remotedesktop and /Common/vdi assigned (Citrix/Vmware View iApp)
539270-2 3-Major A specific NTLM client fails to authenticate with BIG-IP
539229-4 3-Major EAM core while using Oracle Access Manager
537614-2 3-Major Machine certificate checker fails to use Machine cert check service if Windows has certain display languages
532761-1 3-Major APM fails to handle compressed ICA file in integration mode
528808-2 3-Major Source NAT translation doesn't work when APM is disabled using iRule
526637-1 3-Major tmm crash with APM clientless mode
522791-1 3-Major HTML rewriting on client might leave 'style' attribute unrewritten.
482177-2 3-Major Accessing Sharepoint web application portal interferes with IdP initiated SAML SSO
467256-1 3-Major Deleting OPSWAT/Epsec packages from GUI does not delete files from disk causing UCS packages to bloat
462598-3 3-Major Failover triggered due to a TMM crash resulting from unavailable APM renderer pool members.
446860-6 3-Major APM Exchange Proxy does not honor tmm.access.maxrequestbodysize DB variable and is subject to ID 405348
533723-7 4-Minor [Portal Access] Client side HTML rewriter should not rewrite content within "textarea" tag.
491080-2 4-Minor Memory leak in access framework
473685-2 4-Minor Websso truncates cookie domain value


WebAccelerator Fixes

ID Number Severity Description
525478-3 3-Major Requests for deflate encoding of gzip documents may crash TMM
517013-2 3-Major CSS minification can on occasion remove necessary whitespace
506557-5 3-Major IBR tags might occasionally be all zeroes.
506315-10 3-Major WAM/AAM is honoring OWS age header when not honoring OWS maxage.
501714-4 3-Major System does not prevent low-quality JPEGs from being optimized to higher quality (becoming larger) when AAM image optimization is enabled and the JPEG quality in the policy is higher than that of the JPEGs on the OWS.
476476-9 3-Major Occasional inability to cache optimized PDFs and images
384072-5 3-Major Authorization requests not being cached when allowed.


Service Provider Fixes

ID Number Severity Description
528955-2 3-Major TMM may core when using Request Adapt profile
523854-4 3-Major TCP reset with RTSP Too Big error when streaming interleaved data


Advanced Firewall Manager Fixes

ID Number Severity Description
519252-1 3-Major SIP statistics upgrade
472125-3 3-Major IP Intelligence report data is not roll-forwarded between installations as it should


Carrier-Grade NAT Fixes

ID Number Severity Description
540484-4 2-Critical "show sys pptp-call-info" command can cause tmm crash
533562-5 2-Critical Memory leak in CGNAT can result in crash
515646-9 2-Critical TMM core when multiple PPTP calls from the same client
494743-8 2-Critical Port exhaustion errors on VIPRION 4800 when using CGNAT
494122-6 2-Critical Deterministic NAT state information from HSL is not usable on VIPRION B4300 blades
490893-9 2-Critical Deterministic NAT State information incomplete for HSL log format
500424-5 3-Major dnatutil exits when reverse mapping one of the snippet results in "No tmms on the blade" error
486762-2 3-Major lsn-pool connection limits may be invalid when mirroring is enabled
480119-5 3-Major Vague error - Error ERR_BOUNDS connflow ... processing pullup of control message.


Global Traffic Manager (DNS) Fixes

ID Number Severity Description
514731-4 3-Major GTM fails to change GTM server with IPv4 'Address Translation' enabled
494305-6 4-Minor [GUI] [GTM] Cannot remove the first listed dependent virtual server from dependency list.
451211-3 4-Minor Error using GUI when setting debug option on GTM SIP monitor.



Cumulative fixes from BIG-IP v11.5.3 Hotfix 2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
534630-3 CVE-2015-5477 K16909 Upgrade BIND to address CVE-2015-5477
530829-2 CVE-2015-5516 K00032124 UDP traffic sent to the host may leak memory under certain conditions.
529509-4 CVE-2015-4620 K16912 BIND Vulnerability CVE-2015-4620
527799-10 CVE-2015-4000 CVE-2015-1792 CVE-2015-1791 CVE-2015-1790 CVE-2015-1789 CVE-2015-1788 CVE-2014-8176 K16674 K16915 K16914 OpenSSL library in APM clients updated to resolve multiple vulnerabilities
527630-2 CVE-2015-1788 K16938 CVE-2015-1788 : OpenSSL Vulnerability
523032-5 CVE-2015-3456 K16620 qemu-kvm VENOM vulnerability CVE-2015-3456
506034-5 CVE-2014-9297 CVE-2014-9298 CVE-2014-9750 CVE-2014-9751 K16393 NTP vulnerabilities (CVE-2014-9297, CVE-2014-9298)
532522-4 CVE-2015-1793 K16937 CVE-2015-1793
531576-2 CVE-2016-7476 K87416818 TMM vulnerability CVE-2016-7476
520466-3 CVE-2015-3628 K16728 Ability to edit iCall scripts is removed from resource administrator role
516618-4 CVE-2013-7424 K16472 glibc vulnerability CVE-2013-7424
513382-2 CVE-2015-0286 CVE-2015-0287 CVE-2015-0289 CVE-2015-0293 CVE-2015-0209 CVE-2015-0288 K16317 Resolution of multiple OpenSSL vulnerabilities
527639-5 CVE-2015-1791 K16914 CVE-2015-1791 : OpenSSL Vulnerability
527638-5 CVE-2015-1792 K16915 OpenSSL vulnerability CVE-2015-1792
527637-5 CVE-2015-1790 K16898 PKCS #7 vulnerability CVE-2015-1790
527633-5 CVE-2015-1789 K16913 OpenSSL vulnerability CVE-2015-1789
500091-3 CVE-2015-0204 K16139 CVE-2015-0204 : OpenSSL Vulnerability


Functional Change Fixes

ID Number Severity Description
502443-9 2-Critical After enabling a blade/HA member, pool members are marked down because monitoring starts too soon.
520705-4 3-Major Edge client contains multiple duplicate entries in server list
490537-4 3-Major Persistence Records display in GUI might cause system crash with large number of records
374067-2 3-Major Using CLIENT_ACCEPTED iRule to set SNAT pool on OneConnect virtual server interferes with keepalive connections


TMOS Fixes

ID Number Severity Description
516184 1-Blocking IKEv1 for IPsec does not work when VLAN cmp-hash is set to non-default values
486758-6 1-Blocking Management port unreachable after install
542898 2-Critical Virtual Edition: Disk partition /var shows 100% after live install to 12.0.0
513454-2 2-Critical An snmpwalk with a large configuration can take too long, causing snmpd or mcpd restarts
509503-3 2-Critical tmsh load sys config merge file 'filename' takes significant time for firewall rulelist configuration
507327-2 2-Critical Programs that read stats can leak memory on errors reading files
495335-4 2-Critical BWC related tmm core
479460-4 2-Critical SessionDb may be trapped in wrong HA state during initialization
420107-3 2-Critical TMM could crash when modifying HTML profile configuration
364978-2 2-Critical Active/standby system configured with unit 2 failover objects
546410-1 3-Major Configuration may fail to load when upgrading from version 10.x.
540638 3-Major GUI Device Management Overview to display device_trust_group
535806-4 3-Major Not enough free disk space for live install of BIG-IP 12.0.0 from 11.5.3 VE
533458-2 3-Major Insufficient data for determining cause of HSB lockup.
533257-1 3-Major tmsh config file merge may fail when AFM security log profile is present in merged file
530122 3-Major Improvements in building hotfix images for hypervisors.
527021-2 3-Major BIG-IQ iApp statistics corrected for empty pool use cases
526419-2 3-Major Deleting an iApp service may fail
524326-3 3-Major Can delete the last IP address on a GTM server but cannot load a config with a GTM server with no IPs
524126-3 3-Major The DB variable provision.tomcat.extramb is cleared on first boot.
523125-1 3-Major Disabling/enabling blades in cluster can result in inconsistent failover state
520640-1 3-Major The iControl Management.Zone.get_zone() method can return zone options in a format inconsistent for use with the Management.Zone.set_zone_option() method.
519877-3 3-Major External pluggable module interfaces not disabled correctly.
519068-2 3-Major device trust setup can require restart of devmgmtd
518039-2 3-Major BIG-IQ iApp statistics corrected for partition use cases
517580-2 3-Major OPT-0015 on 10000-series appliance may cause bcm56xxd restarts
516669-2 3-Major Rarely occurring SOD core causes failover.
513974-4 3-Major Transaction validation errors on object references
513916-4 3-Major String iStat rollup not consistent with multiple blades
513649-3 3-Major Transaction validation errors on object references
510119-3 3-Major HSB performance can be suboptimal when transmitting TSO packets.
509782-2 3-Major TSO packets can be dropped with low MTU
509504-4 3-Major Excessive time to save/list a firewall rule-list configuration
507575-3 3-Major An incorrectly formatted NAPTR creation via iControl can cause an error.
507331-6 3-Major Using saved configuration with 11.5.2 on AWS may cause SSLv3 to be enabled.
506041-5 3-Major Folders belonging to a device group can show up on devices not in the group
502238-2 3-Major Connectivity and traffic interruption issues caused by a stuck HSB transmit ring
501517-5 3-Major Very large configuration can cause transaction timeouts on secondary blades
499260-2 3-Major Deleting trust-domain fails when standby IP is in ha-order
497564-5 3-Major Improve High Speed Bridge diagnostic logging on transmit/receive failures
483683-7 3-Major MCP continues running after "Unexpected exception caught in MCPProcessor::rm_DBLowHighWide" error
481696-5 3-Major Failover error message 'sod out of shmem' in /var/log/ltm
473348-5 3-Major SNMP hbInterval value not set to 300 sec after upgrade from 11.2.x to 11.3.0 or later
472365-5 3-Major The vCMP worker-lite system occasionally stops due to timeouts
470184-1 3-Major In Configuration Utility, unable to view or edit objects in Local Traffic :: iRules :: Data Group List
455264-2 3-Major Error messages are not clear when adding member to device trust fails
451602-6 3-Major DPD packet drops with keyed VLAN connections
441100-1 3-Major iApp partition behavior corrected
436682-6 3-Major Optical SFP modules show a higher optical power output for disabled switch ports
410398-8 3-Major sys db tmrouted.rhifailoverdelay does not seem to work
405752-2 3-Major TCP Half Open monitors sourced from specific source ports can fail
362267-2 3-Major Configuring network failover on a VIPRION cluster using the blade management addresses results in 'Cannot assign requested address' errors
359774-5 3-Major Pools in HA groups other than Common
355661-2 3-Major sod logs error 010c003b:3: bind fails on recv_sock_fd, Cannot assign requested address
523863-1 4-Minor istats help not clear for negative increment
475647-3 4-Minor VIPRION Host PIC firmware version 7.02 update
465009-2 4-Minor VIPRION B2100-series LOP firmware version 2.10 update
464043-4 4-Minor Integration of Firmware for the 2000 Series Blades
460456-3 4-Minor FW RELEASE: Incorporate 5000, 5050, 5250 BIOS 2.06.214.0
460444-3 4-Minor VIPRION B4300 BIOS version 2.03.052.0 update
460428-3 4-Minor BIG-IP 2000-/4000-series BIOS version 2.02.171.0 update
460422-3 4-Minor BIOS 4.01.006.0 for BIG-IP 10000, 10250, 10350 platforms.
460406-3 4-Minor VIPRION B2100-series BIOS version 1.06.043.0 update
460397-3 4-Minor FW RELEASE: Incorporate B2250 BIOS 1.26.012.0
447075-3 4-Minor CuSFP module plugged in during links-down state will cause remote link-up
443298-3 4-Minor FW Release: Incorporate VIPRION 2250 LOP firmware v1.20


Local Traffic Manager Fixes

ID Number Severity Description
522784-3 1-Blocking After restart, system remains in the INOPERATIVE state
420341-5 1-Blocking Connection Rate Limit Mode when limit is exceeded by one client also throttles others
419458-3 1-Blocking HTTP is more efficient in buffering data
530963-3 2-Critical BIG-IP TLS doesn't correctly verify Finished.verify_data on non-Cavium platforms
530769 2-Critical F5 SFP+ module becomes unpopulated after mcpd is restarted in a clustered environment.
528432-1 2-Critical Control plane CPU usage reported too high
527826-1 2-Critical IP Intelligence update failed: Missing SSL certificate
527649-1 2-Critical Upgrade sets client/server SSL profiles Ciphers field to DEFAULT if upgraded cipherstring effectively contains no ciphersuites.
523079-1 2-Critical Merged may crash when file descriptors exhausted
521548-5 2-Critical Possible crash in SPDY
521336-1 2-Critical pkcs11d initialization retry might post misleading error messages and eventually result in a pkcs11d core
499422-2 2-Critical An optimistic ACK sent by a server in response to a BIG-IP FIN/ACK packet results in a FIN/ACK storm.
478592-5 2-Critical When using the SSL forward proxy feature, clients might be presented with expired certificates.
474601-4 2-Critical FTP connections are being offloaded to ePVA
468375-2 2-Critical TMM crash when MPTCP JOIN arrives in the middle of a flow
450814-9 2-Critical Early HTTP response might cause rare 'server drained' assertion
443157-1 2-Critical zxfrd might crash when the zone file (zxfrd.bin) is deleted from the directory /var/db
431283-3 2-Critical iRule binary scan may core TMM when the offset is large
402412-10 2-Critical FastL4 tcp handshake timeout is not honored, connection lives for idle timeout.
545821 3-Major Idle timeout changes to five seconds when using PVA full or Assisted acceleration.
530795-1 3-Major In FastL4 TCP virtual servers, ICMP might send wrong SEQ number/ACK number.
524666-2 3-Major DNS licensed rate limits might be unintentionally activated.
522147-1 3-Major 'tmsh load sys config' fails after key conversion to FIPS using web GUI
521813-3 3-Major Cluster is removed from HA group on restart
521774-2 3-Major Traceroute and ICMP errors may be blocked by AFM policy
521538-3 3-Major Keep-alive transmissions do not resume after failover of flows on an L4 virtual, when the sequence number is known
521522-2 3-Major Traceroute through BIG-IP may display destination IP address at BIG-IP hop
521408-2 3-Major Incorrect configuration in BigTCP Virtual servers can lead to TMM core
520540-2 3-Major Specific iRule commands may generate a core file
518086-1 3-Major Safenet HSM Traffic failure after system reboot/switchover
518020-10 3-Major Improved handling of certain HTTP types.
517556-2 3-Major DNSSEC unsigned referral response is improperly formatted
515759-2 3-Major Configuration objects with more than four vlans in vlan list may cause memory utilization to increase over time
515139-4 3-Major Active FTP session with inherit profile and address translation disabled may not decrement pool member current connections statistics
514604-2 3-Major Nexthop object can be freed while still referenced by another structure
512383-4 3-Major Hardware flow stats are not consistently cleared during fastl4 flow teardown.
510638-2 3-Major [DNS] Config change in dns cache resolver does not take effect until tmm restart
507529 3-Major Active crash with assert: tmm failed assertion, non-zero ha_unit required for mirrored flow
507127-1 3-Major DNS cache resolver is inserted to a wrong list on creation.
504899-1 3-Major Duplicated snat-translation addresses are possible (a named and an anonymous (created by snatpool) one)
504105-3 3-Major RRDAG enabled UDP ports may be used as source ports for locally originated traffic
501516-4 3-Major If a very large number of monitors is configured, bigd can run out of file descriptors when it is restarted.
497584-5 3-Major The RA bit on DNS response may not be set
496758-4 3-Major Monitor Parameters saved to config in a certain order may not construct parameters correctly
488600-1 3-Major iRule compilation fails on upgrade
479682-5 3-Major TMM generates hundreds of ICMP packets in response to a single packet
478617-7 3-Major Don't include maximum TCP options length in calculating MSS on ICMP PMTU.
478439-5 3-Major Unnecessary re-transmission of packets on higher ICMP PMTU.
478257-6 3-Major Unnecessary re-transmission of packets on ICMP notifications even when MTU is not changed
476097-3 3-Major TCP Server MSS option is ignored in verified accept mode
468472-6 3-Major Unexpected ordering of internal events can lead to TMM core.
465590-4 3-Major Mirrored persistence information is not retained while flows are active
462714-3 3-Major Source address persistence record times out even while traffic is flowing on FastL4 profile virtual server
460627-5 3-Major SASP monitor starts a new connection to the Group Workload Manager (GWM) server when a connection to it already exists
455762-3 3-Major DNS cache statistics incorrect
454018-6 3-Major Nexthop to tmm0 ref-count leakage could cause TMM core
452439-4 3-Major TMM may crash when enabling DOS sweep/flood if a TMM process has multiple threads
451960-3 3-Major HTTPS monitors do not work with FIPS keys
449848-5 3-Major Diameter Monitor not waiting for all fragments
442686-1 3-Major DNSX Transfers Occur on DNSX authoritative server change
422107-7 3-Major Responses from DNS transparent cache will no longer contain RRSIG for queries without DO bit set
422087-4 3-Major Low memory condition caused by Ram Cache may result in TMM core
375887-5 3-Major Cluster member disable or reboot can leak a few cross blade trunk packets
374339-5 3-Major HTTP::respond/redirect might crash TMM under low-memory conditions
352925-4 3-Major Updating a suspended iRule and TMM process restart
342013-5 3-Major TCP filter doesn't send keepalives in FIN_WAIT_2
514729-1 4-Minor 10.2.1 system with SSL profile specifying ciphers 'DEFAULT:!HIGH:!MEDIUM' fails to upgrade to 11.5.1, 11.5.2, 11.5.3, or 11.6.0.


Global Traffic Manager Fixes

ID Number Severity Description
515797-2 2-Critical Using qos_score command in RULE_INIT event causes TMM crash
526699-5 3-Major TMM might crash if BIG-IP DNS iRule nodes_up references invalid IP/Port.
516685-1 3-Major ZoneRunner might fail to load valid zone files.
516680-1 3-Major ZoneRunner might fail when loading valid zone files.
515033-1 3-Major [ZRD] A memory leak in zrd
515030-2 3-Major [ZRD] A memory leak in Zrd
496775-6 3-Major [GTM] [big3d] Unable to receive mark LTM virtual server up if there is another VS with same ltm_name for the bigip monitor
471819-1 3-Major The big3d agent restarts periodically when upgrading the agent on a v11.4.0 or prior system and Common Criteria mode is enabled.
465951-1 3-Major If net self description size =65K, gtmd restarts continuously
225443-6 3-Major gtmparse fails to load if you add unsupported SIP monitor parameters to the config
479084-3 4-Minor ZoneRunner can fail to respond to commands after a VE resume.
353556-2 4-Minor big3d https monitor is unable to correctly monitor the web server when SSL protocol is changed


Application Security Manager Fixes

ID Number Severity Description
524428-2 2-Critical Adding multiple signature sets concurrently via REST
524004-2 2-Critical Adding multiple signatures concurrently via REST
520280-2 2-Critical Perl Core After Apply Policy Action
516523-1 2-Critical Full ASM Config Sync was happening too often in a Full Sync Auto-Sync Device Group
487420-3 2-Critical BD crash upon stress on session tracking
532030-2 3-Major ASM REST: Custom Signature Set Created via REST is Different Than When Created From GUI
526856-2 3-Major "Use of uninitialized value" warning appears on UCS installation due to ASM signature inconsistency
523261-2 3-Major ASM REST: MCP Persistence is not triggered via REST actions
523260-2 3-Major Apply Policy finishes with coapi_query failure displayed
523201-1 3-Major Expired files are not cleaned up after receiving an ASM Manual Synchronization
520796-2 3-Major High ASCII characters availability for policy encoding
520585-1 3-Major Changing Security Policy Application Language Is Not Validated or Propagated Properly
516522-2 3-Major After upgrade from any pre-11.4.x to 11.4.x through 12.0.0, the configured redirect URL location is empty.
514061-1 3-Major False positive scenario causes SMTP transactions to hang and eventually reset.
512668-2 3-Major ASM REST: Unable to Configure Clickjacking Protection via REST
510499-1 3-Major System Crashes after Sync in an ASM-only Device Group.
506407-1 3-Major Certain upgrade paths to 11.6.x lose the redirect URL configuration for Alternate Response Pages


Application Visibility and Reporting Fixes

ID Number Severity Description
533098 3-Major Traffic capture filter not catching all relevant transactions
531526-1 3-Major Missing entry in SQL table leads to misleading ASM reports
525708-2 3-Major AVR reports of last year are missing the last month data
519022-1 3-Major Upgrade process fails to convert ASM predefined scheduled-reports.


Access Policy Manager Fixes

ID Number Severity Description
525920 1-Blocking VPE fails to display access policy
492149-2 1-Blocking Inline JavaScript with HTML entities may be handled incorrectly
488736-6 1-Blocking Fixed problem with iNotes 9 Instant Messaging
482266-1 1-Blocking Windows 10 support for Network Access / BIG-IP Edge Client
482241-5 1-Blocking Windows 10 cannot be properly detected
437670-2 1-Blocking Race condition in APM windows client on modifying DNS search suffix
526833 2-Critical Reverse Proxy produces JS error: 'is_firefox' is undefined
526754-3 2-Critical F5unistaller.exe crashes during uninstall
525562-2 2-Critical Debug TMM Crashes During Initialization
520298-1 2-Critical Java applet does not work
520145-2 2-Critical [Policy Sync] OutOfMemoryError exception when syncing big and complex APM policy
519864-2 2-Critical Memory leak on L7 Dynamic ACL
518260-4 2-Critical Missing NTLMSSP_TARGET_INFO flag on NTLMSSP_CHALLENGE message
517988-1 2-Critical TMM may crash if access profile is updated while connections are active
517146-2 2-Critical Log ID 01490538 may be truncated
516075-5 2-Critical Linux command line client fails with on-demand cert
514220-2 2-Critical New iOS-based VPN client may fail to create IPv6 VPN tunnels
513581 2-Critical Occasional TMM crash when HTTP payload is scanned through SWG
509490-1 2-Critical [IE10]: attachEvent does not work
507681-9 2-Critical Window.postMessage() does not send objects in IE11
506223-1 2-Critical A URI in request to cab-archive in iNotes is rewritten incorrectly
497118-6 2-Critical Tmm may restart when SAML SLO is triggered
487399-3 2-Critical VDI plugin crashes when View client disconnects prematurely
474058-7 2-Critical When the BIG-IP system is configured as Service Provider, APD may restart under certain conditions
471874-6 2-Critical VDI plugin crashes when trying to respond to client after client has disconnected
452163-1 2-Critical Cross-domain functionality is broken in AD Query
451469-3 2-Critical APM User Identity daemon doesn't generate core
540778 3-Major Multiple SIGSEGV with core and failover with no logged indicator
539013-2 3-Major DNS resolution does not work on a Windows 10 desktop with multiple NICs after VPN connection has been established in some cases
537000-3 3-Major Installation of Edge Client can cause Windows 10 crash in some cases
534755-2 3-Major Deleting APM virtual server produces ERR_NOT_FOUND error
532096-3 3-Major Machine Certificate Checker is not backward compatible with 11.4.1 (and below) when MatchFQDN rule is used
531883-3 3-Major Windows 10 App Store VPN Client must be detected by BIG-IP APM
531483-1 3-Major Copy profile might end up with error
530697-3 3-Major Windows Phone 10 platform detection
529392-3 3-Major Win10 and IE11 is not determined in case of DIRECT rule of proxy autoconfig script
528726-2 3-Major AD/LDAP cache size reduced
528675-3 3-Major BIG-IP EDGE Client can stay indefinitely in "disconnecting..." state when the captive portal session has expired
526617-2 3-Major TMM crash when logging a matched ACL entry with IP protocol set to 255
526578-2 3-Major Network Access client proxy settings are not applied on German Windows
526492-3 3-Major DNS resolution fails for Static and Optimized Tunnels on Windows 10
526275-2 3-Major VMware View RSA/RADIUS two factor authentication fails
526084-1 3-Major Windows 10 platform detection for BIG-IP EDGE Client
525384-3 3-Major Network Access PAC file can now be located on SMB share
524909-3 3-Major Windows info agent could not be passed from Windows 10
523431-1 3-Major Windows Cache and Session Control cannot support a period in the access profile name
523390-1 3-Major Minor memory leak on IdP when SLO is configured on bound SP connectors.
523329 3-Major When BIG-IP is used as SAML Identity Provider (IdP), TMM may restart under certain conditions.
523327-3 3-Major In very rare cases Machine Certificate service may fail to find private key
523222-7 3-Major Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending.
521835-1 3-Major [Policy Sync] Connectivity profile with a customized logo fails
521773-1 3-Major Memory leak in Portal Access
521506-3 3-Major Network Access doesn't restore loopback route on multi-homed machine
520642-2 3-Major Rewrite plugin should check length of Flash files and tags
520390-2 3-Major Reuse existing option is ignored for smtp servers
520205-2 3-Major Rewrite plugin could crash on malformed ActionScript 3 block in Flash file
520118-3 3-Major Duplicate server entries in Server List.
519966-1 3-Major APM "Session Variables" report shows user passwords in plain text
519415-4 3-Major APM network access tunnel ephemeral listeners ignore iRules (related-rules from main virtual)
519198-2 3-Major [Policy Sync] UI General Exception Error when syncing a policy in non-default partition as non-default admin user
518981-1 3-Major RADIUS accounting STOP message may not include long class attributes
518583-3 3-Major Network Access on disconnect restores redundant default route after looped network roaming for Windows clients
517564-2 3-Major APM cannot get groups from an LDAP server, when LDAP server is configured to use non-default port
517441-4 3-Major apd may crash when RADIUS accounting message is greater than 2K
516839-7 3-Major Add client type detection for Microsoft Edge browser
516462-3 3-Major Gateways for excluded address space routes are not adjusted correctly during roaming between networks on Windows machines
515943-1 3-Major "Session variables" report may show empty if session variable value contains non-English characters
514912-2 3-Major Portal Access scripts had not been inserted into HTML page in some cases
513969-2 3-Major UAC prompt is shown for machine cert check for non-limited users, even if machine cert check service is running
513953-2 3-Major RADIUS Auth/Acct might fail if server response size is more than 2K
513706-3 3-Major Incorrect metric restoration on Network Access on disconnect (Windows)
513283 3-Major Mac Edge Client doesn't send client data if access policy expired
513165-1 3-Major SAML Service Provider generated SLO requests do not contain 'SessionIndex' attribute
513098-2 3-Major localdb_mysql_restore.sh failed with exit code
512345-6 3-Major Dynamic user record removed from memcache but remains in MySQL
512245 3-Major Machine certificate agent on OS X 10.8 and OS X 10.9 uses local host name instead of hostname
511961-2 3-Major BIG-IP Edge Client does not display logon page for FirePass
511854-3 3-Major Rewriting URLs at client side does not rewrite multi-line URLs
511648-3 3-Major On standby TMM can core when active system sends leasepool HA commands to standby device
511441-2 3-Major Memory leak on request Cookie header longer than 1024 bytes
510709-3 3-Major WebSSO start URI match fails if there are more than 2 start URIs in SSO configuration.
507116-3 3-Major Web-application issues and/or unexpected exceptions.
505755-4 3-Major Some scripts on dynamically loaded HTML page might not be executed.
500938-4 3-Major Network Access can be interrupted if second NIC is disconnected
500450-2 3-Major ASM and APM on same virtual server causes Set-Cookie header modification done by ASM to not be honored by APM WebSSO.
498782-5 3-Major Config snapshots are deleted when failover happens
495702-3 3-Major Mac Edge Client cannot be downloaded sometimes from management UI
495336-5 3-Major Logon page is not displayed correctly when 'force password change' is on for local users.
494565-3 3-Major CSS patcher crashes when a quoted value consists of spaces only
494189-3 3-Major Poor performance in clipboard channel when copying
493006 3-Major Export of huge policies might end up with 'too many pipes opened' error
492701-2 3-Major Resolved LSOs are overwritten by source device in new Policy Sync with new LSO
492305-2 3-Major Recurring file checker doesn't interrupt session if client machine has missing file
490830-3 3-Major Protected Workspace is not supported on Windows 10
488105-2 3-Major TMM may generate core during certain config change.
483792-6 3-Major When iSession control channel is disabled, don't assign app tunnel, MSRDP, opt tunnel resources
483286-2 3-Major APM MySQL database full as log_session_details table keeps growing
482699-2 3-Major VPE displaying "Uncaught TypeError"
482269-2 3-Major APM support for Windows 10 out-of-the-box detection
482251-2 3-Major Portal Access. Location.href(url) support.
480761-2 3-Major Fixed issue causing TunnelServer to crash during reconnect
479451-2 3-Major Different Outlook users with same password and client IP are tied to a single APM session when using Basic auth
478492-5 3-Major Incorrect handling of HTML entities in attribute values
478333-4 3-Major Edge Client shows an error about a corrupted config file when the user's profile and temp folders are located on different partitions
474779-2 3-Major EAM process fails to register channel threads (MPI channel) with TMM, and subsequent system call fails.
474698-5 3-Major BIG-IP as IdP can send incorrect 'Issuer' element for some SLO requests under certain conditions.
473255-2 3-Major JavaScript submit() method could be rewritten incorrectly inside of 'with' statement.
472256-4 3-Major tmsh and tmctl report unusually high counter values
472062-2 3-Major Unmangled requests when form.submit with arguments is called in the page
471117-3 3-Major iframe with JavaScript in 'src' attribute not handled correctly in IE11
468441-2 3-Major OWA2013 may work incorrectly via Portal Access in IE10/11
468433-2 3-Major OWA2013 may work incorrectly via Portal Access in IE10/11
468137-12 3-Major Network Access logs missing session ID
466745-2 3-Major Cannot set the value of a session variable with a leading hyphen.
457902-5 3-Major No EAM- log stacktrace in /var/log/apm on EAM crash event.
457760-6 3-Major EAM not redirecting stdout/stderr from standard libraries to /var/log/apm
457603-3 3-Major Cookies handling issue with Safari on iOS6, iOS7
457525-3 3-Major When DNS resolution for AppTunnel resource fails, the resource is removed
454086-4 3-Major Portal Access issues with Firefox version 26.0.0 or later
452527-2 3-Major Machine Certificate Checker Agent always works in "Match Subject CN to FQDN" mode
442528-5 3-Major Demangle filter crash
440841-4 3-Major sso and apm split tunnelling log message is at notice level
438969-2 3-Major HTML5 VMware View Client does not work with APM when Virtual Server is on non-default route domain
437744-7 3-Major SAML SP service metadata exported from APM may fail to import.
425882-4 3-Major Windows EdgeClient's configuration file could be corrupted on system reboot/sleep
424936-1 3-Major apm_mobile_ppc.css has duplicate 1st line
423282-7 3-Major BIG-IP JavaScript includes can be improperly injected in case of conditional comment presence
420512-1 3-Major All Messages report does not display any data when the Log Levels are selected to filter data based on Log levels
416115-13 3-Major Edge client continues to use old IP address even when server IP address changed
408851-3 3-Major Some Java applications do not work through BIG-IP server
402793-13 3-Major APM Network Access tunnel slows down and loses data in secure renegotiation on Linux and Mac clients
532394-1 4-Minor Client to log value of "SearchList" registry key.
524756-1 4-Minor APM Log is filled with errors about failing to add/delete session entry
517872-2 4-Minor Include proxy hostname in logs in case of name resolution failure
513201-5 4-Minor Edge client is missing localization of some English text in Japanese locale
510596-5 4-Minor Broken DNS resolution on Linux client when "DNS Default Domain Suffix" is empty
510459-2 4-Minor In some cases Access does not redirect client requests
507321-2 4-Minor JavaScript error if user-defined object contains NULL values in 'origin' and/or 'data' fields
504461-3 4-Minor Logon Page agent gets empty user input in clientless mode 3 when a Variable Assign agent resides in front of it.
497627-2 4-Minor Tmm cores while using APM network access and no leasepool is created on the BIG-IP system.
482145-4 4-Minor Text in buttons not centered correctly for higher DPI settings
464547-5 4-Minor Show proper error message when VMware View client sends invalid credentials to APM
454784-2 4-Minor In VPE, %xx symbols, such as in the Variable Assign agent, might be invalidly decoded.


WebAccelerator Fixes

ID Number Severity Description
514785-3 1-Blocking TMM crash when processing AAM-optimized video URLs
522231-2 3-Major TMM may crash when a client resets a connection
521455-5 3-Major Images transcoded to WebP format delivered to Edge browser
511534-2 3-Major A large number of regular expressions in match rules on path-segments may cause an AAM policy to take too long to load.
476460-4 3-Major WAM Range HTTP header limited to 8 ranges
421791-4 3-Major Out of Memory Error


WAN Optimization Manager Fixes

ID Number Severity Description
461216-2 2-Critical Cannot rename some files using CIFS optimization of the BIG-IP system.
497389-2 3-Major Extraneous dedup_admin core
457568-1 3-Major Loading of configuration fails intermittently due to WOC Plug-in-related issues.


Service Provider Fixes

ID Number Severity Description
521556-2 2-Critical Assertion "valid pcb" in TCP4 with ICAP adaptation
516057-5 2-Critical Assertion 'valid proxy' can occur after a configuration change with active IVS flows.
503652-1 2-Critical Some SIP UDP connections are lost immediately after enabling a blade on the Active HA unit.
512054-4 3-Major CGNAT SIP ALG - RTP connection not created after INVITE
511326-3 3-Major SIP SUBSCRIBE message not forwarded by BIG-IP when configured as SIP ALG with translation.
499701-6 3-Major SIP Filter drops UDP flow when ingressq len limit is reached.
480311-4 3-Major ADAPT should be able to work with OneConnect
448493-11 3-Major SIP response from the server to the client gets dropped


Advanced Firewall Manager Fixes

ID Number Severity Description
524748 2-Critical PCCD optimization for IP address range
468688-1 2-Critical Initial sync fails for upgraded pair (11.5.x to 11.6)
530865-1 3-Major AFM Logging regression for Global/Route Domain Rules incorrectly using virtual server logging profile (if it exists)
523465-1 3-Major Log an error message when firewall rule serialization fails due to maximum blob limit being hit.
515187 3-Major Certain ICMP packets are evaluated twice against Global and Route Domain ACL rules.
515112-2 3-Major Delayed ehash initialization causes crash when memory is fragmented.
513565-3 3-Major AFM Kill-on-the-fly does not re-evaluate existing flows against any Virtual/SelfIP ACL policies if a Global or Route-Domain rule action is modified from Accept-Decisively to Accept.
509919-1 3-Major Incorrect counter for SelfIP traffic on cluster
497671 3-Major iApp GUI: Unable to add FW Policy/Rule to context via iApp
485880-3 3-Major Unable to apply ASM policy with forwarding CPM policy via GUI, generic error
459024-1 3-Major L4 packets were erroneously hitting configured WL entries even though the protocol was not being matched for them
533808-2 4-Minor Unable to create new rule for virtual server if order is set to "before"/"after"
533336-1 4-Minor Display 'description' for port list members
510226-1 4-Minor All descriptions for ports-list's members are flushed after the port-list was updated
495432-1 5-Cosmetic Add new log messages for AFM rule blob load/activation in datapath.


Policy Enforcement Manager Fixes

ID Number Severity Description
491771-1 2-Critical Parking command called from inside catch statement
450779-1 2-Critical PEM source or destination flow filter attempts match against both source and destination IPs of a flow
439249-1 2-Critical PEM:Initial quota request in the rating group request is not as configured.
526295-4 3-Major BIG-IP crashes in debug mode when using PEM iRule to create session with calling-station-id and called-station-id
511064-2 3-Major Repeated install/uninstall of policy with usage monitoring stops after second time
495913-3 3-Major TMM core with CCA-I policy received with uninstall
478399-6 3-Major PEM subscriber sessions are created without PEM being licensed if "radiusLB-subscriber-awre" profile is configured.
464273-1 3-Major PEM: CCR-I for the Gx session has only one subscriber ID type even if session created has more than one type
438608-1 3-Major PEM: CCR-U triggered during Gy session may not have Request Service Unit (RSU)
438092-2 3-Major PEM: CCR-U triggered by RAR during Gy session will not have Requested Service Unit (RSU)
449643-2 4-Minor Error message "Gx uninit failed!" and "Gy unint failed!" received during boot of the system


Global Traffic Manager (DNS) Fixes

ID Number Severity Description
514236-2 3-Major [GUI][GTM] GUI does not prefix partition to device-name for BIG-IP DNS Server IP addresses


Device Management Fixes

ID Number Severity Description
525595-1 1-Blocking Memory leak of inbound sockets in restjavad.
509273-3 2-Critical hostagentd consumes memory over time
509120-1 2-Critical BIG-IQ is unable to discover older BIG-IP versions due to over-zealous grooming



Cumulative fixes from BIG-IP v11.5.3 Hotfix 1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
511651-2 CVE-2015-5058 K17047 CVE-2015-5058: Performance improvement in packet processing.


Functional Change Fixes

None



Cumulative fixes from BIG-IP v11.5.3 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
513034-2 CVE-2015-4638 K17155 TMM may crash if Fast L4 virtual server has fragmented packets
492368-10 CVE-2014-8602 K15931 Unbound vulnerability CVE-2014-8602
489323-6 CVE-2015-8098 K43552605 Out-of-bounds memory access when 'remotedesktop' profile is assigned to a virtual server.
507842-4 CVE-2015-1349 K16356 Patch for BIND Vulnerability CVE-2015-1349
500088-10 CVE-2014-3571 K16123 OpenSSL Vulnerability (January 2015) - OpenSSL 1.0.1l update
497719-12 CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296, K15934 NTP vulnerability CVE-2014-9293, NTP vulnerability CVE-2014-9294, NTP vulnerability CVE-2014-9295, and NTP vulnerability CVE-2014-9296
447483-7 CVE-2014-3959 K15296 CVE-2014-3959


Functional Change Fixes

ID Number Severity Description
500303-11 1-Blocking Virtual Address status may not be reliably communicated with route daemon
499947-3 2-Critical Improved performance loading thousands of Virtual Servers
502770-3 3-Major clientside and serverside command crashes TMM
451433-2 3-Major HA group combined with other failover (e.g., VLAN Failsafe or Gateway Failsafe)
368824-1 3-Major There is no indication that a failed standby cannot go active.


TMOS Fixes

ID Number Severity Description
477218-6 1-Blocking Simultaneous stats query and pool configuration change results in process exit on secondary.
452656-4 1-Blocking NVGRE tunnel traffic might stall if the sys db variable tm.tcplargereceiveoffload is set to 'enable'
425729-1 1-Blocking mcpd debug logging hardening
509276-3 2-Critical VXLAN tunnels with floating local addresses generate incorrect gratuitous ARPs on standby device
507487-3 2-Critical ZebOS Route not withdrawn when VAddr/VIP down and no default pool
504496-4 2-Critical AAA Local User Database may sync across failover groups
501343-2 2-Critical In FIPS HA setup, peer may use the FIPS public-handle instead of the FIPS private-handle
484733-5 2-Critical aws-failover-tgactive.sh doesn't skip network forwarding virtuals
477281-9 2-Critical Improved XML Parsing
471860-2 2-Critical Disabling interface keeps DISABLED state even after enabling
467196-4 2-Critical Log files limited to 24 hours
466266-3 2-Critical In rare cases, an upgrade (or a restart) can result in an Active/Active state
438674-4 2-Critical When log filters include tamd, tamd process may leak descriptors
430323-3 2-Critical VXLAN daemon may restart when 8000 VXLAN tunnels are configured
412160-4 2-Critical vCMP provisioning may cause continual tmm crash.
394236-4 2-Critical MCP unexpectedly exits, "failure has occurred, There is no active database transaction, status: 0 -
514450-2 3-Major VXLAN: Remote MAC address movement does not trigger ARL updates across TMMs.
513294-1 3-Major LBH firmware v3.07 update for BIG-IP 5000-/7000-series appliances
512485-2 3-Major Forwarding of flooded VXLAN-encapsulated unicast frames may introduce additional forwarding
503604-2 3-Major Tmm core when switching from interface tunnel to policy based tunnel
501953-1 3-Major HA failsafe triggering on standby device does not clear next active for that device.
501371-2 3-Major mcpd sometimes exits while doing a file sync operation
500234-3 3-Major TMM may core during failover due to invalid memory access in IPsec components
495526-2 3-Major IPsec tunnel interface causes TMM core at times
494367-4 3-Major HSB lockup after HiGig MAC reset
491791-2 3-Major GET on non-existent pool members does not show error
489750-2 3-Major Deletion of FIPS keys by-handle may delete key in FIPS-card even if key exists in BIG-IP config
488374-3 3-Major Mismatched IPsec policy configuration causes racoon to core after failed IPsec tunnel negotiation
484706-7 3-Major Incremental sync of iApp changes may fail
477789-2 3-Major SSL Certificate can accommodate & (ampersand) in the Common Name, Organization Name, Division and SAN.
468235-3 3-Major The worldwide City database (City2) does not contain all of the appropriate Proxy strings.
456573-5 3-Major Sensor read faults with DC power supply
453489-3 3-Major userauth_hostbased mismatch: warnings from VIPRION for localhost or slotN
439343-9 3-Major Client certificate SSL authentication unable to bind to LDAP server
420204-2 3-Major FIPS key deletion by-handle does not post an error if corresponding key object exists but the keyname is more than 32 characters long
509063-1 4-Minor Creating or loading guest on cluster with empty slot 1 can result in error
493223-2 4-Minor syscalld core dumps now keep more debugging information
441642-4 4-Minor /etc/monitors/monitors_logrotate.conf contains an error
437637-2 4-Minor Sensor critical alarm: Main board +0.9V_CN35XX
492422-3 5-Cosmetic HTTP request logging reports incorrect response code
456263 5-Cosmetic Platform marketing name for B4300 is incorrectly shown as A108
440605-4 5-Cosmetic Unknown BigDB variable type 'port_list'


Local Traffic Manager Fixes

ID Number Severity Description
445329-2 1-Blocking DNS cache resolver connections can be slow to terminate
507611-1 2-Critical On BIG-IP 2000- and 4000-series platforms BGP sessions with TCP MD5 enabled might fail to establish connection to neighbors.
506304-3 2-Critical UDP connections may stall if initialization fails
505222-3 2-Critical DTLS drops egress packets when traffic is large
504225-1 2-Critical Virtual creation with the multicast IPv6 address returns error message
503620-2 2-Critical ECDHE_ECDSA and DHE_DSS ciphers do not work with OpenSSL 1.0.1k and later
495030-3 2-Critical Segfault originating from flow_lookup_nexthop.
493558-3 2-Critical TMM core due to SACK hole value mismatch
486450-5 2-Critical iApp re-deployment causes mcpd on secondaries to restart
480370-7 2-Critical Connections to virtual servers with port-preserve property will cause connections to leak in TMM
475460-6 2-Critical tmm can crash if a client-ssl profile is in use without a CRL
474974-2 2-Critical Fix ssl_profile nref counter problem.
474388-4 2-Critical TMM restart, SIGSEGV messages, and core
456853-2 2-Critical DTLS cannot handle client certificate when client does not send CertVerify message.
511130-2 3-Major TMM core due to invalid memory access while handling CMP acknowledgement
510720-2 3-Major iRule table command resumption can clear the header buffer before the HTTP command completes
510264-2 3-Major TMM core associated with smtps profile.
508716-3 3-Major DNS cache resolver drops chunked TCP responses
506702-2 3-Major TSO can cause rare TMM crash.
506282-5 3-Major GTM DNSSEC keys generation is not synchronized upon key creation
505964-3 3-Major Invalid http cookie handling can lead to TMM core
504633-7 3-Major DTLS should not update 'expected next sequence number' when the record is bad.
504396-3 3-Major When a virtual's ARP or ICMP is disabled, the wrong mac address is used
504306-7 3-Major https monitors might fail to re-use SSL sessions.
503979-3 3-Major High CPU usage when DNS cache resolver sends a large number of DNS queries to the backend name server.
503741-14 3-Major DTLS session should not be closed when it receives a bad record.
503118-1 3-Major clientside and serverside command crashes TMM
502959-3 3-Major Unable get response from virtual server after node flapping
502683-6 3-Major Traffic intermittently dropped in syncookie mode, especially when hardware syncookie is on
502174-6 3-Major DTLS fragments do not work for ClientHello message.
502149-2 3-Major Archiving EC cert/key fails with error 'EC keys are incompatible for Webserver/EM/iQuery.'
501690-7 3-Major TMM crash in RESOLV::lookup for multi-RR TXT record
499950-6 3-Major In case of intra_cluster ha, node flapping may still lead to inconsistent persistence entries across TMMs
499946-2 3-Major Nitrox might report bad records on highly fragmented SSL records
499430-6 3-Major Standby unit might bridge network ingress packets when bridge_in_standby is disabled
499150-2 3-Major OneConnect does not reuse existing connections in VIP targeting VIP configuration
497742-5 3-Major Some TCP re-transmits on translucent vlangroup skip bit-flip on source MAC address
495574-6 3-Major DB monitor functionality might cause memory issues
495443-3 3-Major ECDH negotiation failures logged as critical errors.
495253-5 3-Major TMM may core in low memory situations during SSL egress handling
494322-5 3-Major The HTTP_REQUEST iRule event may cause the TMM to crash if the explicit proxy is used
493673-5 3-Major DNS record data may have domain names compressed when using iRules
491518-5 3-Major SSL persistence can prematurely terminate TCP connection
491454-8 3-Major SSL negotiation may fail when SPDY profile is enabled
490713-5 3-Major FTP port might occasionally be reused faster than expected
485472-4 3-Major iRule virtual command allows for protocol mismatch, resulting in crash
485176-5 3-Major RADIUS::avp replace command cores TMM when only two arguments are passed to it
484305-5 3-Major Clientside or serverside command with parking command crashes TMM
483539-6 3-Major With fastL4, incorrect MSS value might be used if SYN has options without MSS specified
481844-4 3-Major tmm can crash and/or use the wrong CRL in certain conditions
481216-5 3-Major Fallback may be attempted incorrectly in an abort after an Early Server Response
478734-4 3-Major Incorrect 'FIPS import for failed for key' failure when operation actually succeeds
471625-7 3-Major After deleting external data-group, importing a new or editing existing external data-group does not propagate to TMM
471535-6 3-Major TMM cores via assert during EPSV command
461587-6 3-Major TCP connection can become stuck if client closes early
456763-2 3-Major L4 forwarding and TSO can cause rare TMM outages
456413-4 3-Major Persistence record marked expired though related connection is still active
455840-5 3-Major EM analytic does not build SSL connection with discovered BIG-IP system
447272-4 3-Major Chassis with MCPD audit logging enabled will sync updates to device group state
444710-8 3-Major Out-of-order TCP packets may be dropped
438792-10 3-Major Node flapping may, in rare cases, lead to inconsistent persistence behavior
435335-6 3-Major SSL proxy session ID cache does not respect limit set by tmm.proxyssl.cachesize
428163-2 3-Major Removing a DNS cache from configuration can cause TMM crash
415358-6 3-Major Remote login shell hardening
384451-8 3-Major Duplicated cert/keys/chain might cause SIGABRTs and low-memory conditions
498597-8 4-Minor SSL profile fails to initialize and might cause SSL operation issues
459884-5 4-Minor Large POST requests are not handled well by APM.
451224-2 4-Minor IP packets that are fragmented by TMM, the fragments will have their DF bit
436468-2 4-Minor DNS cache resolver TCP current connection stats not always decremented properly
442647-4 5-Cosmetic IP::stats iRule command reports incorrect information past 2**31 bits
435044-4 5-Cosmetic Erroneous 'FIPS open failed' error on platforms without FIPS hardware


Performance Fixes

ID Number Severity Description
497619-7 3-Major TMM performance may be impacted when server node is flapping and persist is used


Global Traffic Manager Fixes

ID Number Severity Description
479142-8 3-Major Deleting a virtual server does not delete the resource record (RR) in ZoneRunner Daemon (ZRD)
468519-6 3-Major BIG-IP DNS configuration load failure from invalid bigip_gtm.conf file.
420440-7 3-Major Multi-line TXT records truncated by ZoneRunner file import
491554-5 4-Minor [big3d] Possible memory leakage for auto-discovery error events.


Application Security Manager Fixes

ID Number Severity Description
464735-1 2-Critical Errors and unavailable virtual server upon deactivation of ASM policy that is assigned to a non-default rule of L7 policy
509968 3-Major BD crash when a specific configuration change happens
501612-5 3-Major Spurious Configuration Synchronizations
485764-4 3-Major WhiteHat vulnerability assessment tool is configured but integration does not work correctly
482915-7 3-Major Learning suggestion for the maximum headers check violation appears only for blocked requests
475819-6 3-Major BD crash when trying to report attack signatures
442157-2 3-Major Incorrect assignment of ASM policy to virtual server
512687-2 4-Minor Policy parameter fields minimumValue and maximumValue do not accept decimal values through REST but accept decimal through GUI


Application Visibility and Reporting Fixes

ID Number Severity Description
441214-3 2-Critical monpd core dumps in case of MySQL crash
497681-3 3-Major Tuning of Application DoS URL qualification criteria
479334-4 3-Major monpd/ltm log errors after Hotfix is applied
439514-6 4-Minor Different time-stamps are translated to the same time (due to DST clock change) and causes database errors


Access Policy Manager Fixes

ID Number Severity Description
488986-13 1-Blocking Access policy cannot enter Windows Protected Workspace on Internet Explorer versions 10 and 11, and edge client.
441613-8 1-Blocking APM TMUI Vulnerability CVE-2015-8022
507782-6 2-Critical TMM crashes for Citrix connection when Address field in the ICA file has non-patched/invalid data
506235-4 2-Critical SIGSEGV caused by access_redirect_client_to_original_uri
505101-4 2-Critical tmm may panic due to accessing uninitialized memory
495901-4 2-Critical Tunnel Server crash if probed on loopback listener.
494098-9 2-Critical PAC file download mechanism race condition
493360-4 2-Critical Fixed possible issue causing Edge Client to crash during reconnect
489328-8 2-Critical Accessing a BIG-IP virtual server from multiple tabs with long initial URLs before session creation can cause a TMM crash.
484454-7 2-Critical Users not able to log on after failover
441790 2-Critical Logd core formed, while executing provisioning run script(mod_combo_7000_12721.py) on 5000 and 7000 series platforms
511893 3-Major Client connection timeout after clicking Log In to Access Policy Manager on a Chassis
509956-5 3-Major Improved handling of cookie values inside SWG blocked page.
509758-3 3-Major EdgeClient shows incorrect warning message about session expiration
508719-7 3-Major APM logon page missing title
508630-3 3-Major The APM client does not clean up DNS search suffixes correctly in some cases
507318-2 3-Major JS error when sending message from DWA new message form using Chrome
506349-5 3-Major BIG-IP Edge Client for Mac identified as browser by APM in some cases
504606-6 3-Major Session check interval now has minimum value
503319-5 3-Major After network access is established browser sometimes receives truncated proxy.pac file
502441-7 3-Major Network Access connection might reset for large proxy.pac files.
501498-4 3-Major APM CTU doesn't pick up logs for Machine Certificate Service
499620-8 3-Major BIG-IP Edge Client for MAC shows wrong SSL protocol version; does not display the protocol version that was negotiated.
499427-4 3-Major Windows File Check does not work if the filename starts with an ampersand
498469-8 3-Major Mac Edge Client fails intermittently with machine certificate inspection
497436-3 3-Major Mac Edge Client behaves erratically while establishing network access connection
497325-5 3-Major New users cannot log in to Windows-based systems after installing BIG-IP EDGE client in certain deployment
496817-7 3-Major Big-IP Edge client for Windows fails to connect to Firepass server if tunnel is established through a proxy
495319-9 3-Major Connecting to FP with APM edge client is causing corporate network to be inaccessible
495265-6 3-Major SAML IdP and SP configured in same access profile not supported
494637-6 3-Major localdbmgr process in constant restart/core loop
494284-10 3-Major Mac Edge Client, with primary language of German shows unneeded text shown under disconnected status.
494176-1 3-Major Network access to FP does not work on Yosemite using APM Mac Edge Client.
494088-5 3-Major APD or APMD should not assert when it can do more by logging error message before exiting.
494008-4 3-Major tmm crash while initializing the URL filter context for SWG.
493487-5 3-Major Function::call() and Function::apply() wrapping does not work as expected
493164-4 3-Major flash.net.NetConnection::connect() has an erroneous security check
492238-9 3-Major When logging out of Office 365 TMM may restart
492153-7 3-Major Edge clients shuts down the DTLS channel if the state of IP address on the adapter that was used to build the tunnel, changes to deprecated.
491233-9 3-Major Rare deadlock in CustomDialer component
490844-2 3-Major Some controls on a web page might stop working.
490681-5 3-Major Memcache entry for dynamic user leaks
490675-5 3-Major User name with leading or trailing spaces creates problems.
489382-8 3-Major Machine Cert allows mismatched SubjectCN and FQDN for browsers in case of valid cert
488892-4 3-Major JavaRDP client disconnects
486597-7 3-Major Fixed Network Access renegotiation procedure
486268-7 3-Major APM logon page missing title
485355-4 3-Major Click-to-Run version of Office 2013 does not work inside PWS (Protected WorkSpace)
484847-13 3-Major DTLS cannot be disabled on Edge Client for troubleshooting purposes
484582-3 3-Major APM Portal Access is inaccessible.
483601-4 3-Major APM sends a logout Bookmarked Access whitelist URL when session is expired.
480817-4 3-Major Added options to troubleshoot client by disabling specific features
480242-7 3-Major APD, APMD, MCPD communication error failure now reported with error code
477898-2 3-Major Some strings on BIG-IP APM EDGE Client User Interface were not localized
477795-4 3-Major SSL profile passphrase may be displayed in clear text on the Dashboard
476038-9 3-Major Mac Edge Client crashes on OS X 10.7 if a user adds new server using its IP address rather than DNS name
476032-6 3-Major BIG-IP Edge Client may hang for sometime when disconnecting from Firepass server
475735-2 3-Major Failed to load config after removing peer from sync-only group
475505-8 3-Major Windows Phone 8.1 built-in browser is not properly detected by BIG-IP system.
474582-2 3-Major Add timestamps to logstatd logs for Policy Sync
473386-13 3-Major Improved Machine Certificate Checker matching criteria for FQDN case
473129-6 3-Major httpd_apm access_log remains empty after log rotation
470205-4 3-Major /config/.../policy_sync_d Directory Is 100% Full
469824-9 3-Major Mac Edge client on Mac mini receives settings for iOS Edge Client
468395-2 3-Major IPv4 Allocation failure ... is out of addresses
458770-4 3-Major [Mac][Edge] Edge client doesn't handle ending redirects to the same box if second access policy assumes interaction
456608-5 3-Major Direct links for frame content, with 'Frame.src = url'
453455-9 3-Major Added support of SAML Single Logout to Edgeclient.
452464-6 3-Major iClient does not handle multiple messages in one payload.
452416-6 3-Major tmctl leasepool_stat and snmp apmLeasepoolStatTable return incorrect values
452010-4 3-Major RADIUS Authentication fails when username or password contain non-ASCII characters
442698-9 3-Major APD Active Directory module memory leak in exception
437743-8 3-Major Import of Access Profile config that contains ssl-cert is failing
436201-15 3-Major JavaScript can misbehave in case of the 'X-UA-Compatible' META tag when a client uses IE11
432900-12 3-Major APM configurations can fail to load on newly-installed systems
431149-8 3-Major APM config snapshot disappears and users see "Access Policy configuration has changed on gateway"
428387-9 3-Major SAML SSO could fail if SAML configuration contains special XML characters (&,<,>,",')
403991-9 3-Major Proxy.pac file larger than 32 KB is not supported
489364-6 4-Minor Now web VPN client correctly minimizes IE window to tray
482134-6 4-Minor APD and APMD cores during shutdown.
465012-5 4-Minor Rewrite plugin may crash if webtrace or debug log level is enabled for Portal Access
464992-8 4-Minor Mac Edge fails to pass machine certificate inspection if domain component is included in search criteria
461597-10 4-Minor MAC edge client doesn't follow HTTP 302 redirect if new site has untrusted self-signed certificate
461560-6 4-Minor Edge client CTU report does not contain interface MTU value
460427-6 4-Minor Address collision reported when the Primary blade goes down or its TMM crashes in a chassis IntraCluster environment.
451118-8 4-Minor Fixed mistakes in French localization
449525-1 4-Minor apd and apmd constantly restarting
432423-8 4-Minor Need proactive alerts for APM license usage
493385-9 5-Cosmetic BIG-IP Edge Client uses generic icon set even if F5 icon set is configured
486344-4 5-Cosmetic French translation does not properly fit buttons in BIG-IP Edge client on Windows


WebAccelerator Fixes

ID Number Severity Description
486346-2 2-Critical Prevent wamd shutdown cores
488917-1 4-Minor Potentially confusing wamd shutdown error messages


Wan Optimization Manager Fixes

ID Number Severity Description
485182-4 3-Major wom_verify_config does not recognize iSession profile in /Common sub-partition


Service Provider Fixes

ID Number Severity Description
503676-5 2-Critical SIP REFER, INFO, and UPDATE request do not trigger SIP_REQUEST or SIP_REQUEST_SEND iRule events
500365-5 2-Critical TMM Core as SIP hudnode leaks
482436-9 2-Critical BIG-IP processing of invalid SIP request may result in high CPU utilization
466761-5 2-Critical Heartbeat, UDP packet with only double CRLF, on existing SIP flow results in connection loss.
455006-6 2-Critical Invalid data is merged with next valid SIP message causing SIP connection failures
507143-2 3-Major Diameter filter may process HUDCTL_ABORT message before processing previously queued events leading to tmm assertion
472092-6 3-Major ICAP loses payload at start of request in response to long execution time of iRule
464116-5 3-Major HTTP responses are not cached when response-adapt is applied


Advanced Firewall Manager Fixes

ID Number Severity Description
512609-2 2-Critical Firewall rules specifying wildcard IPv6 addresses match IPv4 addresses
478470 4-Minor AFM Online Help updated: DoS Detection Threshold Percentage


Policy Enforcement Manager Fixes

ID Number Severity Description
484278-3 2-Critical BIG-IP crash when processing packet and running iRule at the same time


Carrier-Grade NAT Fixes

ID Number Severity Description
493807-4 2-Critical TMM might crash when using PPTP with profile logging enabled
487660-1 3-Major LSN translation failures when persistence is enabled, cmp-hash is set to src-ip on ingress VLAN and to dst-ip on egress VLAN and using a small port range


Global Traffic Manager (DNS) Fixes

ID Number Severity Description
475549-2 3-Major Input handling error in GTM GUI


Device Management Fixes

ID Number Severity Description
462827-8 1-Blocking Headers starting with X-F5 may cause problems if not X-F5-REST-Coordination-Id
463380-4 3-Major URIs with space characters may not work properly in ODATA query



Cumulative fixes from BIG-IP v11.5.2 Hotfix 1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
496849-2 CVE-2014-9326 K16090 F5 website update retrievals vulnerability
477274-12 CVE-2014-6031 K16196 Buffer Overflow in MCPQ
496845-2 CVE-2014-9342 K15933 NTP vulnerability CVE-2014-9296
477278-11 CVE-2014-6032 K15605 XML Entity Injection vulnerabilities CVE-2014-6032 and CVE-2014-6033
468345-2 CVE-2015-1050 K16081 Blocking page with harmful JavaScript can be run by system administrator


Functional Change Fixes

ID Number Severity Description
382157-2 3-Major Stats presented by the MIB sysVlanStatTable does not match sflow vlan stats


TMOS Fixes

ID Number Severity Description
498704-1 2-Critical Module provisioning doesn't properly account for disk space
487567-3 2-Critical Addition of a DoS Profile Along with a Required Profile May Fail
472202-2 2-Critical Potential false positive report of DMA RX lockup failure
507461-2 3-Major Net cos config may not persist on HA unit following staggered restart of both HA pairs.
504572-3 3-Major PVA accelerated 3WHS packets are sent in wrong hardware COS queue


Local Traffic Manager Fixes

ID Number Severity Description
509310-1 2-Critical Bad outer IPv4 UDP checksum observed on egressing VxLAN traffic on VIPRION chassis and 5000 series appliances
498005-1 2-Critical The HTTP:payload command could cause the TMM to crash if invoked in a non-HTTP event
506290-3 3-Major MPI redirected traffic should be sent to HSB ring1
505452-1 3-Major New db variable to control packet priority for TMM generated packets
505056-3 3-Major BIG-IP system might send an egress packet with a priority different from that of ingress packet on the same flow.
496588-2 3-Major HTTP header that is larger than 64K can be analyzed incorrectly, leading to TMM crash


Performance Fixes

ID Number Severity Description
489259-2 2-Critical [AFM] packets from good ip's are being dropped by DoS Sweep & Flood logic
496998-2 3-Major Update offenders more aggressively. Increase batch size for Dwbld processing.


Application Security Manager Fixes

ID Number Severity Description
510287 1-Blocking Create ASM security policy by BIG-IQ
509663 1-Blocking asm restart periodically with errors in asm_config_server.log: ASM Config server died unexpectedly
508908-2 2-Critical Enforcer crash
507919-2 2-Critical Updating ASM through iControl REST does not affect CMI sync state
504182-2 2-Critical Enforcer cores after upgrade upon the first request
498361 2-Critical Manage ASM security policies from BIG-IQ
493401-3 2-Critical Concurrent REST calls on a single endpoint may fail
489705-3 2-Critical Running out of memory while parsing large XML SOAP requests
481476-10 2-Critical MySQL performance
468387-2 2-Critical Enforcer core related to specific error condition in the session db
511477 3-Major Manage ASM security policies from BIG-IQ
511029 3-Major "selfLink" for ASM Policy was incorrect for iControl REST
510818 3-Major Manage ASM security policies from BIG-IQ
508519-1 3-Major Performance of Policy List screen
508338-2 3-Major Under rare conditions cookies are enforced as base64 instead of clear text
507905-1 3-Major Saving Policy History during UCS load causes DB deadlock/timeout
507289-1 3-Major User interface performance of Web Application Security Editor users
506386-1 3-Major Automatic ASM sync group remains stuck in init state when configured from tmsh
506355-2 3-Major Importing an XML file without defined entity sections
504973-2 3-Major Configuring a route domain with 32 bit subnet mask, 128 bit mask saved instead
497769-2 3-Major Policy Export: BIG-IP does not export redirect URL for "Login Response Page"
496565-2 3-Major Secondary Blades Request a Sync
496011-2 3-Major Resets when session awareness enabled
490284-6 3-Major ASM user interface extremely slow to respond (e.g. >2 minutes to render policy list)
469786-2 3-Major Web Scraping Mitigation: Display of request status when configuration includes an ASM iRule
465181-4 3-Major Unhandled connection error in iprepd causes memory leak in iprepd or merged
510828 5-Cosmetic Manage ASM security policies from BIG-IQ


Application Visibility and Reporting Fixes

ID Number Severity Description
461715-2 2-Critical AVR: Collecting geolocation IDs
503471-2 3-Major Memory leak can occur when there is a compressed response, and abnormal termination of the connection
500034-2 3-Major [SMTP Configuration] Encrypted password not shown in GUI
489682-4 3-Major Configuration upgrade failure due to change in an ASM predefined report name
468874-1 3-Major Monpd errors appear when AVR loads data to MySQL
467945-4 3-Major Error messages in AVR monpd log


Access Policy Manager Fixes

ID Number Severity Description
497662-4 1-Blocking BIG-IP DoS via buffer overflow in rrdstats
431980-2 2-Critical SWG Reports: Overview and Reports do not show correct data.


Advanced Firewall Manager Fixes

ID Number Severity Description
514651 2-Critical db variable to disable rate-tracker
514266 2-Critical Change firewall rules with ip-protocol ICMP and ICMP type 0, code 0 cause pccd crash
513403-3 2-Critical TMM asserts when certain ICMP packets (e.g multicast echo) are classified by AFM and match rules at Global and Route Domain context with logging enabled for these rules and also log-translations is enabled in AFM Logging configuration.
510162 2-Critical potential TMM crash when AFM DoS Sweep & Flood is configured
503541-3 2-Critical Use 64 bit instead of 10 bit for Rate Tracker library hashing.
501480-2 2-Critical AFM DoS Single Endpoint Sweep and Flood Vectors crash TMM under heavy traffic.
500925-2 2-Critical Introduce a new sys db variable to control number of merges per second of Rate Tracker library.
498227 2-Critical Incorrect AFM firewall rule counter update after pktclass-daemon restarts.
497342-2 2-Critical TMM crash while executing FLOW_INIT event (with multiple commands that abort the connection) in an iRule attached to an AFM firewall rule.
489845-1 2-Critical Sometimes auto-blacklisting will not function after the provisioning of AFM and APM modules
511406 3-Major Pagination issue on firewall policy rules page
510224-1 3-Major All descriptions for address-list members are flushed after the address-list was updated
506452-1 3-Major Issues with firewall rules configured with a source or destination IPv6 address whose most significant bit is 1
505624-2 3-Major Remote logger will continue to get DoS L7 messages after it was removed from the virtual server configuration
504384-3 3-Major ICMP attack thresholds
503085-2 3-Major Make the RateTracker threshold a constant
502414-3 3-Major Make the RateTracker tier3 initialization number less variant.
501986-2 3-Major Add a sys db tunable to make Sweep and Flood vectors be rate-limited per TMM process
500640-2 3-Major TMM core could be seen if FLOW_INIT iRule attached to Virtual server
497732 3-Major Enabling specific logging may trigger other unrelated events to be logged.
497667 3-Major Configuring of ICMPv4/ICMPv6 ip-protocol in mgmt port ACL Rules generated error
497263-2 3-Major Global whitelist count exhausted prematurely
496278 3-Major Disabling/enabling Rule within Rule List causes disabling/enabling of other Rule with the same name
495928-4 3-Major APM RDP connection gets dropped on AFM firewall policy change
495698 3-Major iRule can be deleted even though it exists in a rule-list
495390-2 3-Major An error occurs on Active Rules page after attempting to reorder Rules in a Policy
485771-2 3-Major TMM crashes while executing multiple FLOW_INIT events and one of the event triggers an abort.
469297-2 3-Major Address list summary page does not display the description for individual address list entries.
465229-1 3-Major Fix for Policy Rule Names Displaying Distorted in Rare Conditions
464972-2 3-Major Wrong parsing of Country Code (Geo) from address region list if Country name contains parentheses.
464966-1 3-Major Active Rule page may display incorrectly if showing multiple rules and at least one rule list
464762-1 3-Major Rule lists may not display schedules for rules that have them
464222-1 3-Major Policy Rule Missing from TMSH Overlapping Status Output
458810-1 3-Major Time field may not display correctly in log search function
445984-1 3-Major Wrong overlapping status is shown if there are firewall rules with source or destination port range that begins with "1"
438773-1 3-Major Network Firewall event logs page pops up date/time picker automatically during drag-and-drop
506470 4-Minor Reduce pccd OOM probability with port expansion change
497311-1 4-Minor Can't add a ICMPv6 type and code to a FW rule.
473589-1 4-Minor Error at attempt to add GeoIP with parentheses.

 

Cumulative fix details for BIG-IP v11.5.4 Hotfix 4 that are included in this release

656902 : Upgrade to 11.5.4 HF3 may remove valid cipher suite configuration from SSL profile

Component: Local Traffic Manager

Symptoms:
During the upgrade to 11.5.4 HF3, the upgrade removes DHE-DSS from the cipher suite string; as a side effect, every keyword in that string beginning with the characters '@', '+', '-', or '!' is also removed from the configuration.

Conditions:
clientssl/serverssl profile ciphers configuration contains keywords beginning with the characters '@', '+', '-', or '!'.

Impact:
Cipher suites are configured using keywords such as AES, AES-GCM, !DES, -ADH, @STRENGTH, etc. The issue causes keywords beginning with the characters '@', '+', '-', or '!' to be removed from the configuration.

For example, if the cipher suite configuration before installing 11.5.4 HF3 was: 'NATIVE:!SSLV2:!SSLV3:!MD5:!EXPORT:!LOW:ECDHE+AES-GCM:ECDHE+AES:DHE+AES-GCM:DHE+AES:AES-GCM+RSA:RSA+AES:RSA+3DES:!RC4:!ADH:!ECDHE_ECDSA:!ECDH_ECDSA:!ECDH_RSA:!DHE-RSA-DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!DHE-RSA-AES128-SHA:+DES-CBC3-SHA'

After installing 11.5.4 HF3 it would be reduced to: 'NATIVE:ECDHE+AES-GCM:ECDHE+AES:DHE+AES-GCM:DHE+AES:AES-GCM+RSA:RSA+AES:RSA+3DES'

Every keyword lost in this example is an exclusion or ordering directive (!SSLV2, !SSLV3, !MD5, !EXPORT, !LOW, !RC4, !ADH, the !ECDH*/!DHE-* entries and +DES-CBC3-SHA), so the reduced string no longer excludes those protocols and ciphers until it is restored.

Workaround:
Manually restore the clientssl/serverssl profile cipher configuration.

Fix:
Fixed an issue that caused keywords beginning with the characters '@', '+', '-', or '!' to be removed from the cipher suite configuration on upgrade.
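To make the check concrete, the following is an added example (it is not F5 code or tooling) that reproduces the keyword-dropping behaviour on a cipher string and compares two dumps of profile cipher strings, such as the output of 'tmsh list ltm profile client-ssl ciphers' (or server-ssl) captured before and after the upgrade, to list the profiles and the keywords that have to be restored. The tmsh output layout it parses and the two dumps are constructed for the example.

```python
"""Audit helper for ID 656902 (added example; not F5 code).

The defect drops every keyword in a clientssl/serverssl cipher string that
begins with '@', '+', '-' or '!'.  This module predicts the damaged string
and diffs a pre-upgrade and a post-upgrade dump of profile cipher strings
so the affected profiles can be restored.  The tmsh output layout parsed
below is assumed, and the two dumps are constructed for the example.
"""
import re

# Keyword prefixes that the 11.5.4 HF3 upgrade removed.
MODIFIER_PREFIXES = ("@", "+", "-", "!")


def cipher_keywords(cipher_string):
    """Split a colon-separated cipher string into its keywords."""
    return [k for k in cipher_string.split(":") if k]


def vulnerable_keywords(cipher_string):
    """Keywords the defect would remove (exclusions, ordering and '+' moves)."""
    return [k for k in cipher_keywords(cipher_string) if k.startswith(MODIFIER_PREFIXES)]


def simulate_hf3_upgrade(cipher_string):
    """Return the cipher string as the HF3 upgrade defect would leave it."""
    kept = [k for k in cipher_keywords(cipher_string) if not k.startswith(MODIFIER_PREFIXES)]
    return ":".join(kept)


# One profile stanza as printed by `tmsh list ltm profile client-ssl ciphers`
# (same shape for server-ssl); the layout is an assumption of this example.
_STANZA = re.compile(
    r"^ltm profile (client-ssl|server-ssl) (\S+) \{\n\s*ciphers (.+?)\n\}",
    re.MULTILINE,
)


def parse_profile_ciphers(tmsh_output):
    """Map (profile type, profile name) -> cipher string from a tmsh listing."""
    return {(kind, name): ciphers.strip() for kind, name, ciphers in _STANZA.findall(tmsh_output)}


def lost_keywords(before_output, after_output):
    """Profiles whose modifier keywords were present before but are absent after."""
    before = parse_profile_ciphers(before_output)
    after = parse_profile_ciphers(after_output)
    findings = {}
    for key, pre in before.items():
        if key not in after:
            continue
        post_keywords = cipher_keywords(after[key])
        lost = [k for k in vulnerable_keywords(pre) if k not in post_keywords]
        if lost:
            findings[key] = lost
    return findings


# The cipher string from the release note, and constructed tmsh dumps taken
# before and after an upgrade in which the defect hit the 'strict-tls' profile.
STRICT = ("NATIVE:!SSLV2:!SSLV3:!MD5:!EXPORT:!LOW:ECDHE+AES-GCM:ECDHE+AES:DHE+AES-GCM:"
          "DHE+AES:AES-GCM+RSA:RSA+AES:RSA+3DES:!RC4:!ADH:!ECDHE_ECDSA:!ECDH_ECDSA:"
          "!ECDH_RSA:!DHE-RSA-DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!DHE-RSA-AES128-SHA:"
          "+DES-CBC3-SHA")
BEFORE = (
    "ltm profile client-ssl clientssl {\n"
    "    ciphers DEFAULT\n"
    "}\n"
    "ltm profile client-ssl strict-tls {\n"
    "    ciphers " + STRICT + "\n"
    "}\n"
)
AFTER = (
    "ltm profile client-ssl clientssl {\n"
    "    ciphers DEFAULT\n"
    "}\n"
    "ltm profile client-ssl strict-tls {\n"
    "    ciphers NATIVE:ECDHE+AES-GCM:ECDHE+AES:DHE+AES-GCM:DHE+AES:AES-GCM+RSA:RSA+AES:RSA+3DES\n"
    "}\n"
)

if __name__ == "__main__":
    print("predicted after HF3:", simulate_hf3_upgrade(STRICT))
    for (kind, name), lost in lost_keywords(BEFORE, AFTER).items():
        print(f"{kind} {name}: restore {' '.join(lost)}")
```

Running it prints the reduced string shown above and flags strict-tls with its 14 missing keywords, while the profile using DEFAULT is not reported. On the BIG-IP system itself, tmm --clientciphers '<string>' expands a cipher string into the cipher suites it actually selects, which is the quickest way to confirm that a restored string excludes what it is meant to exclude.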


655756 : TMM might crash while using SSL profiles on BIG-IP 2000/4000 platforms.

Component: Local Traffic Manager

Symptoms:
TMM might crash while using SSL profiles on BIG-IP 2000/4000 platforms.

Conditions:
-- TMOS v11.5.4 HF3.
-- SSL profile active.
-- BIG-IP 2000/4000 platform.

Impact:
TMM may crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The cause of the crash was identified and removed.


649933-5 : Fragmented RADIUS messages may be dropped

Component: Service Provider

Symptoms:
Large RADIUS messages may be dropped when processed by iRules.

Conditions:
This occurs when a RADIUS message that exceeds 2048 bytes is processed by an iRule containing the RADIUS::avp command.

Impact:
The RADIUS message will be dropped, and an error will be logged that resembles:

Illegal argument (line 1) (line 1) invoked from within "RADIUS::avp 61 "integer""

Workaround:
Remove RADIUS::avp commands from iRules processing large messages, or ensure that no RADIUS client or server will send large messages.


642330-4 : GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.

Component: Global Traffic Manager

Symptoms:
When you upgrade from an affected version, the configuration is saved before the new version is booted; the save drops the enclosing quotes from affected monitor strings, and the new version then fails to load the configuration.

Conditions:
Configuration where a monitor string contains \" (backslash double-quote) but does not contain any of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hash), literal newline, or literal space.

Impact:
Configuration fails to load.

Workaround:
Manually edit each affected string in bigip_gtm.conf to include enclosing quotes so that the config loads the first time.

Fix:
Configs load successfully after upgrade. Enclosing quotes, if missing, are added after upgrade to strings in the bigip_gtm.conf file, for example to a string such as:
\"service_status\":\"on\".+\"maintenance\":\"off\" in the recv, send, recv-disable, and username fields. The output of list gtm monitor and the contents of bigip.conf now match, and reloading the same config via tmsh does not cause unintentional changes, such as losing a level of escaping in monitor strings.


638935-1 : Monitor with send/receive string containing double-quote may cause upgrade to fail.

Component: TMOS

Symptoms:
When you upgrade from an affected version, the config gets saved before moving to the new version, thus dropping the enclosing quotes and causing a load failure when booting into the new version.

Conditions:
Configuration where a monitor string contains \" (backslash double-quote) but does not contain any of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hash), literal newline, or literal space.

Impact:
Configuration fails to load.

Workaround:
Manually edit each string in the bigip.conf to include enclosing quotes in order to get the config to load the first time.

Fix:
Configs load successfully after upgrade. Enclosing quotes, if missing, are added after upgrade to strings in the bigip.conf file, for example to a string such as:
\"service_status\":\"on\".+\"maintenance\":\"off\" in the recv, send, recv-disable, and username fields. The output of list ltm monitor and the contents of bigip.conf now match, and reloading the same config via tmsh does not cause unintentional changes, such as losing a level of escaping in monitor strings.

If your configuration contains an escaped quote and you are moving to a version that includes this fix, you cannot reload the configuration, or reload the license (which also reloads the configuration), before upgrading; doing so causes the config load to fail.
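The two entries above (642330-4 for bigip_gtm.conf and 638935-1 for bigip.conf) describe the same quoting rule, so one added pre-upgrade check serves both. The following Python (not F5 code) applies that rule to the send, recv, recv-disable and username fields of a saved configuration and adds the enclosing quotes the fix would add. The monitor block is a constructed sample; the object name and send string are invented for illustration:

```python
"""Pre-upgrade check for monitor strings that lose their enclosing quotes.

Added example, not F5 code. Rule from the release note: a value containing
a backslash-escaped double quote, but none of ' | { } ; # newline space,
is written without enclosing quotes and then fails to load.
"""
import re

SAFE_CHARS = set("'|{};# \n")   # any of these present => tmsh keeps the quotes
_FIELD_RE = re.compile(r'^(\s*)(send|recv-disable|recv|username)\s+(.+?)\s*$')

# Constructed sample config (object name and send string are invented).
SAMPLE_CONFIG = r'''ltm monitor http /Common/app_status {
    defaults-from /Common/http
    recv \"service_status\":\"on\".+\"maintenance\":\"off\"
    send GET\x20/health\x20HTTP/1.1\r\nHost:\x20app\r\n\r\n
    recv-disable \"maintenance\":\"on\"
    username "svc\"mon"
}
'''


def needs_enclosing_quotes(value):
    """True if the value matches the documented failure pattern."""
    return '\\"' in value and not (set(value) & SAFE_CHARS)


def is_enclosed(value):
    """True if the value is already written with enclosing double quotes."""
    return len(value) >= 2 and value[0] == '"' and value[-1] == '"'


def repair_monitor_config(text):
    """Return (fixed_text, [(line_no, field, value), ...]) for repaired lines."""
    out, fixed = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = _FIELD_RE.match(line)
        if match:
            indent, field, value = match.groups()
            if needs_enclosing_quotes(value) and not is_enclosed(value):
                line = '%s%s "%s"' % (indent, field, value)
                fixed.append((line_no, field, value))
        out.append(line)
    trailing = "\n" if text.endswith("\n") else ""
    return "\n".join(out) + trailing, fixed


if __name__ == "__main__":
    fixed_text, fixed = repair_monitor_config(SAMPLE_CONFIG)
    for line_no, field, value in fixed:
        print("line %d: %s %s -> quoted" % (line_no, field, value))
    print(fixed_text)
```

Run it over a copy of bigip.conf or bigip_gtm.conf taken from the pre-upgrade UCS; every reported line is one the upgrade would fail on unless the quotes are restored (or the fixed version is installed first). The repair is idempotent, so running it on an already-quoted file reports nothing.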


637181-2 : VIP-on-VIP traffic may stall after routing updates

Component: Local Traffic Manager

Symptoms:
After a routing update traffic for an existing connection sent to a VIP-on-VIP virtual server may be sent directly to the destination address instead of to the inner virtual server.

Conditions:
VIP-on-VIP configuration and static or dynamic routing changes.

Impact:
Existing connections to the outer VIP may stall.

Workaround:
None.

Fix:
Connections to VIP-on-VIP virtual servers no longer stall after routing updates.


636702-1 : BIND vulnerability CVE-2016-9444

Vulnerability Solution Article: K40181790


636700-2 : BIND vulnerability CVE-2016-9147

Vulnerability Solution Article: K02138183


636699-3 : BIND vulnerability CVE-2016-9131

Vulnerability Solution Article: K86272821


635933-2 : The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable

Vulnerability Solution Article: K23440942 K13361021


635412-1 : Invalid mss with fast flow forwarding and software syn cookies

Vulnerability Solution Article: K82851041


633723-1 : New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot

Component: Local Traffic Manager

Symptoms:
A new db variable has been added to print diagnostic information when Cavium Nitrox devices encounter a "request queue stuck" error.

Conditions:
A Cavium Nitrox "request queue stuck" error occurs and the db variable "crypto.ha.action" is set to reboot.

That is, when a log message such as the following appears:
Feb 27 07:39:07 localhost crit tmm1[19936]: 01010260:2: Hardware Error(Co-Processor): cn1 request queue stuck

Impact:
Under the above conditions, the system will automatically run "nitrox_diag" to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.

The system will immediately failover to the standby system, but will then spend approximately one minute gathering diagnostic information before rebooting.

See https://support.f5.com/csp/article/K95944198 for more information about nitrox_diag.

Behavior Change:
Under rare conditions, the system will take approximately one additional minute to reboot.

If a Cavium Nitrox "request queue stuck" error occurs and the db variable "crypto.ha.action" is set to reboot, the system will automatically run "nitrox_diag" to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.

When the error happens, failover to the standby system will still happen immediately. The delay is only on rebooting the system which has already gone to standby mode.


632618 : ImageMagick vulnerability CVE-2016-3717

Component: TMOS

Symptoms:
It was discovered that certain ImageMagick coders and pseudo-protocols did not properly prevent security sensitive operations when processing specially crafted images.

Conditions:
ImageMagick may be used when Image Optimization is in use by an AAM policy.

Impact:
A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would allow the attacker to disclose the contents of arbitrary files.


631627-3 : Applying BWC over route domain sometimes results in tmm not becoming ready on system start

Component: TMOS

Symptoms:
Rebooting after applying BWC to a route domain stops VLAN traffic on a vCMP guest. You will experience connection failures when Bandwidth Controller (BWC) and Web Accelerator are enabled.

Running the tmsh show sys ha-status all-properties command will indicate that tmm is in "ready-for-world", but the Fail status will read "Yes" when this is triggered.

Conditions:
BWC enabled and associated with a route domain, Web Accelerator is enabled, and the system is rebooted.

Impact:
The system does not come up fully. TMM does not reach a ready state and will not pass traffic.

Workaround:
Remove BWC from route domain and then reapply the BWC back.

Fix:
With BWC enabled and associated with a route domain, Web Accelerator enabled, and the system rebooted, the system and TMM now come up fully and pass traffic.


631582-3 : Administrative interface enhancement

Vulnerability Solution Article: K55792317


631530 : TAI offset not adjusted immediately during leap second

Component: TMOS

Symptoms:
When a UTC time value is repeated during a leap second (when UTC time should read 23:59:60), the International Atomic Time (TAI) timescale should not stop; however, the kernel increments the TAI offset one second too late.

Conditions:
This occurs during an NTP leap second event, for example the event on December 31, 2016, at 23:59:60 UTC.

Impact:
Impact to applications is unknown; the system stays stable, but a timer may fire later than expected.

Workaround:
None.

Fix:
International Atomic Time (TAI) offset during leap second has been corrected.


629771 : The TCP::unused_port command erroneously accepts IPv4-compatible IPv6 addresses

Component: Local Traffic Manager

Symptoms:
When the TCP::unused_port command is called with a Tcl IP address object that represents an IPv4 address as an IPv4-compatible IPv6 address, the command searches for existing flows related to that address.
IPv4-compatible IPv6 addresses are deprecated; the flow table uses IPv4-mapped IPv6 addresses.

Conditions:
The IP::addr object was created with the following command:

[IP::addr <addr> mask ::ffff:ffff]

Impact:
The TCP::unused_port command is unable to return an unused port

Workaround:
Use the string representation by forcing the object to be a string, e.g.:

 set ipv6_addr "fe80::250:56ff:0a1e:0101"
 set ipv4_from_ipv6 [ string tolower [IP::addr $ipv6_addr mask ::ffff:ffff] ]
 set free [TCP::unused_port $ipv4_from_ipv6 [TCP::local_port] 10.30.1.64 [TCP::client_port] 48000 48255]

Fix:
ID 598860-5 fixes the IP::addr command to return an IPv4-mapped address.
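The distinction this entry turns on is between the two ways an IPv4 address can be embedded in IPv6: the deprecated IPv4-compatible form (::a.b.c.d) and the IPv4-mapped form (::ffff:a.b.c.d) that the flow table uses. The following added Python (not F5 code) reproduces the mask operation from the workaround above with the standard library's ipaddress module, classifies the result, and converts it to the mapped form; the address values are the ones from the workaround:

```python
"""Classify and convert IPv4-compatible vs IPv4-mapped IPv6 addresses.

Added example, not F5 code. [IP::addr $addr mask ::ffff:ffff] is a
bitwise AND that keeps only the low 32 bits, producing an IPv4-compatible
address; the flow table expects the IPv4-mapped form instead.
"""
import ipaddress


def _v6(addr):
    """Accept an IPv6Address or its string form."""
    if isinstance(addr, ipaddress.IPv6Address):
        return addr
    return ipaddress.IPv6Address(addr)


def mask_like_irule(addr, mask):
    """Bitwise AND of two IPv6 addresses, as [IP::addr $addr mask $mask] does."""
    return ipaddress.IPv6Address(int(_v6(addr)) & int(_v6(mask)))


def classify(addr):
    """'mapped' (::ffff:a.b.c.d), 'compatible' (::a.b.c.d, deprecated) or 'other'."""
    a = _v6(addr)
    if a.ipv4_mapped is not None:
        return "mapped"
    value = int(a)
    # High 96 bits zero, excluding the unspecified (::) and loopback (::1) addresses.
    if value >> 32 == 0 and value not in (0, 1):
        return "compatible"
    return "other"


def embedded_ipv4(addr):
    """Dotted-quad string of the IPv4 address in the low 32 bits, or None."""
    a = _v6(addr)
    if classify(a) == "other":
        return None
    return str(ipaddress.IPv4Address(int(a) & 0xFFFFFFFF))


def to_mapped(addr):
    """Re-embed the address as IPv4-mapped IPv6, the form the flow table uses."""
    v4 = embedded_ipv4(addr)
    if v4 is None:
        raise ValueError("%s does not embed an IPv4 address" % addr)
    return ipaddress.IPv6Address("::ffff:" + v4)


if __name__ == "__main__":
    # Values from the workaround above.
    masked = mask_like_irule("fe80::250:56ff:0a1e:0101", "::ffff:ffff")
    print("masked:", masked, classify(masked), "->", embedded_ipv4(masked))
    print("mapped:", to_mapped(masked), classify(to_mapped(masked)))
```

The masked address comes out as ::a1e:101, an IPv4-compatible encoding of 10.30.1.1, which is why a flow-table lookup keyed on ::ffff:a1e:101 finds nothing; the fixed IP::addr command returns the mapped form directly.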


628164-1 : OSPF with multiple processes may incorrectly redistribute routes

Component: TMOS

Symptoms:
When OSPF is configured with multiple processes that each redistribute different type routes, LSAs may be created in a process for a route of the type other than the one configured for redistribution into that process.

Conditions:
OSPF routing with multiple processes configured. Each OSPF process configured with a different route type redistributed.

Impact:
Incorrect routing information in the network when OSPF converges.

Workaround:
Redistribute the leaked route type into the affected OSPF process and use a route map that filters out all routes.

Fix:
OSPF no longer leaks LSAs between processes redistributing different types of routes.


625376-2 : In some cases, download of PAC file by edge client may fail

Component: Access Policy Manager

Symptoms:
Edge client may fail to download PAC file and incorrectly apply proxy configuration after VPN connection.

Conditions:
- User machine proxy configuration points to a proxy auto configuration file.
- Network access proxy configuration points to a proxy auto configuration file.
- PAC file URI in either case has uppercase characters.
- PAC file is hosted on a server where resource names are case sensitive.

Impact:
PAC file download will fail and client will use incorrect proxy settings due to unavailability of PAC file.

Workaround:
Use only lowercase characters in PAC file URI.

Fix:
Now Edge client can download PAC files from URIs that have uppercase as well as lowercase characters.


624931 : getLopSensorData "sensor data reply too short" errors with FND300 DC PSU

Component: TMOS

Symptoms:
On BIG-IP 2000-/4000-series or 5000-/7000-series appliances with FND300 DC power supplies running BIG-IP v11.5.4-HF2, errors similar to the following are logged every 30+ seconds:

warning chmand[8220]: 012a0004:4: getLopSensorData: LopHlprDev: sensor data reply too short, objId: 16d size: 39
warning chmand[8220]: 012a0004:4: getLopSensorData: LopHlprDev: sensor data reply too short, objId: 16e size: 39

In addition, the PSU status is reported as Not Present by the "tmsh show sys hardware" and "tmctl chassis_power_supply_status_stat" commands.

tmsh show sys hardware:

Chassis Power Supply Status
  Index Status Current
  1 not-present NA
  2 not-present NA

tmctl chassis_power_supply_status_stat:

name index status input_status output_status fan_status current_status
==============================================================================
pwr1 1 2 2 2 2 0
pwr2 2 2 2 2 2 0
Totals 3 4 4 4 4 0
------------------------------------------------------------------------------

(Where a status value of 2 == Not Present)

Conditions:
This problem occurs when all of the following conditions are true:
1. BIG-IP 2000-/4000-series or 5000-/7000-series appliance
2. One or more FND300 DC power supplies installed
3. Running BIG-IP v11.5.4-HF2

Impact:
1. Errors logged every 30+ seconds
2. PSU status is reported as Not Present

Fix:
The status of FND300 DC power supplies is reported correctly on BIG-IP 2000-/4000-series and 5000-/7000-series appliances.


624570-4 : BIND vulnerability CVE-2016-8864

Vulnerability Solution Article: K35322517


624457-2 : Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195

Component: TMOS

Symptoms:
For more information, see SOL10558632: Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195, available at https://support.f5.com/kb/en-us/solutions/public/k/10/sol10558632.html

Conditions:
For more information, see SOL10558632: Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195, available at https://support.f5.com/kb/en-us/solutions/public/k/10/sol10558632.html

Impact:
For more information, see SOL10558632: Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195, available at https://support.f5.com/kb/en-us/solutions/public/k/10/sol10558632.html

Fix:
For more information, see SOL10558632: Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195, available at https://support.f5.com/kb/en-us/solutions/public/k/10/sol10558632.html


624263-1 : iControl REST API sets profile's non-default property value as "none"; properties missing in iControl REST API response

Component: TMOS

Symptoms:
For profiles, iControl REST does not provide visibility for profile property override when "none" is specified, including references, passwords, and array of strings.

Conditions:
-- Use iControl REST API.
-- string, enum, or vector of enum/string property explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf.

Impact:
The iControl REST API response skips these elements. iControl REST does not provide visibility for profile property overrides.

Workaround:
None.

Fix:
iControl REST API now returns elements (i.e., string, enum, or vector of enum/string property that is explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf) with a value "none". The exclusion to this policy is the secured attributes. Secured attributes are always excluded from the iControl REST API response.


624193 : Topology load balancing not working as expected

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, load balancing decisions can result in an unequal or unexpected distribution.

Conditions:
Occurs when topology load balancing is used for a wide IP and more than one pool shares the highest assigned score for a particular load balancing decision.

Impact:
The resulting load balancing decisions can lead to an unequal or unexpected distribution of pool selections.

Workaround:
Topology records and pools can be configured to avoid the conditions that cause this behavior.

Fix:
A system DB variable, gtm.wideiptoporandom, has been added. When this system DB variable is assigned the value of "enable" and more than one pool shares the highest assigned score for a given load balancing decision, a random pool is selected.


623119-3 : Linux kernel vulnerability CVE-2016-4470

Component: TMOS

Symptoms:
For more information, see SOL55672042: Linux kernel vulnerability CVE-2016-4470, available at https://support.f5.com/kb/en-us/solutions/public/k/55/sol55672042.html

Conditions:
For more information, see SOL55672042: Linux kernel vulnerability CVE-2016-4470, available at https://support.f5.com/kb/en-us/solutions/public/k/55/sol55672042.html

Impact:
For more information, see SOL55672042: Linux kernel vulnerability CVE-2016-4470, available at https://support.f5.com/kb/en-us/solutions/public/k/55/sol55672042.html

Fix:
For more information, see SOL55672042: Linux kernel vulnerability CVE-2016-4470, available at https://support.f5.com/kb/en-us/solutions/public/k/55/sol55672042.html


622496-3 : Linux kernel vulnerability CVE-2016-5829

Vulnerability Solution Article: K28056114


622166-1 : HTTP GET requests with HTTP::cookie iRule command receive no response

Component: Local Traffic Manager

Symptoms:
HTTP GET requests to virtual servers using the command "HTTP::cookie <name> <value>" in HTTP_REQUEST iRule event handlers do not get a response.

Conditions:
An LTM virtual server with an iRule including the HTTP::cookie command.

Impact:
No response is received by the client.

Workaround:
None.

Fix:
HTTP GET requests to virtual servers using the command "HTTP::cookie <name> <value>" in HTTP_REQUEST iRule event handlers now get a response as expected.


621465 : The minimum IP packet fragment size is now 1 and not 24

Component: Local Traffic Manager

Symptoms:
The minimum IP packet fragment size, set via DB Var [TM.MinIPfragSize], is 24 and that causes problems if you need to use smaller fragments in your network.

Conditions:
You are trying to configure TM.MinIPfragSize and need it to be set to a value smaller than 24.

Impact:
You are unable to configure fragment sizes smaller than 24 in your network.

Workaround:
NA

Fix:
Changed DB Var [TM.MinIPfragSize] minimum value from 24 to 1.


621417-2 : sys-icheck error for /usr/share/defaults/bigip_base.conf in AWS.

Component: TMOS

Symptoms:
On a BIG-IP deployed in the AWS cloud, sys-icheck reports size and md5 errors for the /usr/share/defaults/bigip_base.conf file, as follows:

ERROR: S.5...... c /usr/share/defaults/bigip_base.conf (no backup)

Conditions:
BIG-IP deployed in AWS cloud.

Impact:
sys-icheck reports "rpm --verify" size and md5 errors for /usr/share/defaults/bigip_base.conf. This has no functional impact on the product, but it looks as if the factory config file was modified by a user or application.

Workaround:
No workaround exists for this issue.

Fix:
The sys-icheck error for /usr/share/defaults/bigip_base.conf in AWS has been resolved.
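Reading the error above requires knowing the rpm --verify attribute string that sys-icheck passes through: nine positions (S M 5 D L U G T P) where a letter means that attribute differs from the RPM database and a dot means it matches, followed by a file-type letter (c = config file) and the path. The following added Python (not F5 code) decodes such lines so that an integrity alert can be triaged by whether the file content actually changed; the line from this entry is the sample input:

```python
"""Decode rpm --verify lines as reported by sys-icheck.

Added example, not F5 code. Attribute positions follow rpm(8):
S size, M mode, 5 digest (MD5 on this platform), D device, L readlink,
U user, G group, T mtime, P capabilities. A dot means "matches",
a question mark means "could not be checked".
"""

FLAG_MEANINGS = {
    "S": "size differs",
    "M": "mode differs",
    "5": "digest (MD5) differs",
    "D": "device major/minor differs",
    "L": "readlink path differs",
    "U": "user ownership differs",
    "G": "group ownership differs",
    "T": "mtime differs",
    "P": "capabilities differ",
}
FILE_TYPES = {"c": "config", "d": "documentation", "g": "ghost",
              "l": "license", "r": "readme"}

# Line quoted in the release note, used as sample input.
SAMPLE_LINE = "ERROR: S.5...... c /usr/share/defaults/bigip_base.conf (no backup)"


def parse_verify_line(line):
    """Return {'flags': [...], 'file_type': ..., 'path': ...}, or None.

    None is returned for lines that are not attribute-string verify
    results, e.g. 'missing   c /path' or unrelated log text.
    """
    tokens = line.split()
    if tokens and tokens[0] == "ERROR:":
        tokens = tokens[1:]
    if len(tokens) < 2 or len(tokens[0]) != 9:
        return None
    attrs = tokens[0]
    if any(ch not in ".?" and ch not in FLAG_MEANINGS for ch in attrs):
        return None
    # rpm emits the type letter only for special files; otherwise the
    # path follows the attribute string directly.
    if len(tokens) >= 3 and len(tokens[1]) == 1:
        file_type, path = tokens[1], tokens[2]
    else:
        file_type, path = None, tokens[1]
    flags = [FLAG_MEANINGS[ch] for ch in attrs if ch not in ".?"]
    return {"flags": flags,
            "file_type": FILE_TYPES.get(file_type, file_type),
            "path": path}


def content_changed(parsed):
    """True if size or digest differ, i.e. the file content itself changed."""
    return any(f.startswith(("size", "digest")) for f in parsed["flags"])


if __name__ == "__main__":
    result = parse_verify_line(SAMPLE_LINE)
    print(result["path"], result["file_type"], ", ".join(result["flags"]))
    print("content changed:", content_changed(result))
```

For the line in this entry the decoder reports that both the size and the MD5 digest of a config file differ, which is why it looks like a tampered factory file even though, as the entry explains, it is a benign artifact of the AWS image.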


621242-2 : Reserve enough space in the image for future upgrades.

Component: TMOS

Symptoms:
Each new version tends to be larger and to require more disk space to install. The reserved free space in the VM image has been increased from 15% to 30% to accommodate upgrades to at least the next two versions.

Conditions:
VE in local hypervisors and VE in the Cloud (AWS, Azure).

Impact:
Extends the disk image to reserve more disk space for upgrades.

Workaround:
N/A

Fix:
Increased the reserved free space on VE images.


620712 : Added better search capabilities on the Pool Members Manage & Pool Create page.

Component: Global Traffic Manager (DNS)

Symptoms:
Large numbers of virtual servers were hard to manage on the GSLB Pool Member Manage page.

Conditions:
A large number of virtual servers or wide IPs.

Impact:
Poor usability.

Workaround:
No workaround.

Fix:
The GSLB Pool Member Manage page now has a new search feature, in the form of a combo box, to allow for better management of large numbers of virtual servers.

Behavior Change:
The GSLB Pool Member Manage page now has a new search feature to allow for better management of large numbers of virtual servers.


620659-1 : The BIG-IP system may unnecessarily run provisioning on successive reboots

Component: TMOS

Symptoms:
After the first boot, the system runs provisioning and boots successfully, but a file, /mprov_firstboot, is left on the system. This will appear in /var/log/ltm:
  info mprov:4614:: ''provision.initialized' indicates force TMOS only provisioning - forcing.'

During a subsequent boot, provisioning will run again, potentially unnecessarily, because of the existence of this file. The following will appear in /var/log/ltm during the second boot:
  info mprov:4609:: 'Existence of file '/mprov_firstboot' indicates force TMOS only provisioning - forcing.'

Conditions:
The memory size of the host changes and there is some other need for reprovisioning (for example a new configuration load).

Impact:
On a vCMP host, the second provisioning may not complete properly and guest systems will not pass traffic.

The vCMP host will continually try to start more than one tmm and fail when there should only be one tmm running. The /var/log/tmm logfile on the vCMP host will contain:
  <13> Sep 25 01:33:28 vcmphost1 notice Too small memsize (60) -- need at least 136 MB

The /var/log/tmm logfile on the vCMP guest will contain:
  <13> Sep 25 01:38:21 bigip1 notice Failed to write /var/run/libdag.so_2, err: -30
  <13> Sep 25 01:38:21 bigip1 notice panic: vdag failed to attach
  <13> Sep 25 01:38:21 bigip1 notice ** SIGFPE **

Workaround:
If the vCMP host is in a tmm restart loop due to this issue, reboot the vCMP host to allow the system to come up properly.

Fix:
The BIG-IP software now always removes the /mprov_firstboot file when the system is reprovisioned.


619757-4 : iSession causes routing entry to be prematurely freed

Component: Wan Optimization Manager

Symptoms:
iSession may cause TMM to prematurely free a routing entry resulting in memory corruption and TMM restarting.

Conditions:
iSession-enabled virtual.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
No reasonable workaround short of not using iSession functionality.

Fix:
iSession no longer causes routing entries to be prematurely freed.


619071-1 : OneConnect with verified accept issues

Component: Local Traffic Manager

Symptoms:
System may experience an outage.

Conditions:
Verified Accept enabled in TCP profile
hardware syncookies enabled
OneConnect profile on VIP
Syncookie threshold crossed

Impact:
System outage.

Workaround:
Disable verified accept when OneConnect is used on a VIP.

Fix:
Verified accept, OneConnect, and hardware syncookies now work correctly together.


618324-3 : Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor

Component: Access Policy Manager

Symptoms:
After upgrading from OPSWAT SDK V3 to V4, when an access policy is opened in the VPE and one of the OPSWAT checkers (e.g., the Anti-Virus checker) contains an undefined ID (i.e., one that was previously defined but is no longer supported), it is displayed as "Any." The correct display should be an "Unsupported" or "Invalid" product.

Conditions:
An OPSWAT checker in an access policy references an ID that is no longer defined after an OPSWAT SDK upgrade.

Impact:
Incorrect information is displayed.

Workaround:
N/A

Fix:
The correct information ("*** Invalid ***") is now displayed.


617862-3 : Fastl4 handshake timeout is absolute instead of relative

Component: Local Traffic Manager

Symptoms:
TCP connections that are pending completion of the three-way handshake are expired based on the absolute value of handshake timeout. For example, if handshake timeout is 5 seconds, then the connection is reset after 5 seconds of receiving the initial SYN from the client.

Conditions:
A TCP connection in three-way handshake.

Impact:
Connections are expired prematurely if they are still in three-way handshake.

Workaround:
Disable handshake timeout.

Impact of workaround: TCP handshakes no longer time out prematurely, but connections remain open until the Idle Timeout expires.

Fix:
The handshake timeout now expires based on the idleness of the connection, taking into account any SYN retransmissions that might occur.


617824-1 : "SSL::disable/enable serverside" + oneconnect reuse is broken

Component: Local Traffic Manager

Symptoms:
If "SSL::disable/enable serverside" is configured in an iRule and oneConnect is configured in the iRule or in the Virtual Server profile, BIG-IP may not receive the backend server's HTTP response for every client's HTTP Request.

Conditions:
1. "SSL::disable/enable serverside" exists in the iRule
2. OneConnect is configured in the iRule or in the VS profile
3. apply the iRule and oneConnect Profile to the VS.

Impact:
The oneConnect behavior is unexpected, and may not get the backend Server's HTTP response for every client's HTTP Request.

Workaround:
You can work around the problem by disabling oneConnect.


616864-4 : BIND vulnerability CVE-2016-2776

Component: TMOS

Symptoms:
See SOL18829561: BIND vulnerability CVE-2016-2776, available at https://support.f5.com/kb/en-us/solutions/public/k/18/sol18829561.html

Conditions:
See SOL18829561: BIND vulnerability CVE-2016-2776, available at https://support.f5.com/kb/en-us/solutions/public/k/18/sol18829561.html

Impact:
See SOL18829561: BIND vulnerability CVE-2016-2776, available at https://support.f5.com/kb/en-us/solutions/public/k/18/sol18829561.html

Fix:
See SOL18829561: BIND vulnerability CVE-2016-2776, available at https://support.f5.com/kb/en-us/solutions/public/k/18/sol18829561.html


616772-3 : CVE-2014-3568 : OpenSSL Vulnerability (Oracle Access Manager)

Vulnerability Solution Article: K15724


616765-3 : CVE-2013-6449 : OpenSSL Vulnerability (Oracle Access Manager)

Vulnerability Solution Article: K15147


616498-3 : CVE-2009-3245 : OpenSSL Vulnerability (Oracle Access Manager)

Vulnerability Solution Article: K15404


616491-3 : CVE-2006-3738 : OpenSSL Vulnerability (Oracle Access Manager)

Vulnerability Solution Article: K6734


616382 : OpenSSL Vulnerability (TMM)

Vulnerability Solution Article: K93122894


616242-1 : basic_string::compare error in encrypted SSL key file if the first line of the file is blank

Component: TMOS

Symptoms:
Trying to load a configuration that references an encrypted SSL key file may fail if the first line of the SSL key file is blank. When this occurs, the system will report a vague error message:

    01070711:3: basic_string::compare

If this happens during an upgrade, the system will not load the configuration under the new software version, and will remain inoperative.

Conditions:
This can occur if an affected configuration is present on a system running BIG-IP v11.3.0 or earlier, and is upgraded to BIG-IP v11.4.0 through v12.1.1.

Impact:
Configuration fails to load on upgrade with an unhelpful error message and no indication of which file was being processed at the time (or that the error relates to a filestore file).

Workaround:
Remove the newlines at the beginning of any SSL key files that begin with a newline. During an upgrade scenario, edit the files in the filestore.


616215-1 : TMM can core when using LB::detach and TCP::notify commands in an iRule

Component: Local Traffic Manager

Symptoms:
TMM cores when running an iRule that has the LB::detach command before the TCP::notify command.

Conditions:
A virtual server with an iRule that has the LB::detach command executed before the TCP::notify command.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid the combination of the TCP::notify and LB::detach commands.

Fix:
TMM no longer cores in this instance.


616169-1 : ASM Policy Export returns HTML error file

Component: Application Security Manager

Symptoms:
When attempting to export an ASM Policy the resulting file contains an HTML error page.

Conditions:
It is not known what triggers this condition.

Impact:
Unable to export ASM Policies.

Workaround:
A) Restarting the asm_config_server.pl process, or restarting ASM usually clears up the issue.

B) Run "umask 0022" on the device

C) Download the file from the shell.

Fix:
Permissions are now explicitly set on exported ASM Policies so the GUI PHP process can successfully download it.


615934 : Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.

Component: TMOS

Symptoms:
Overwrite flag in key/certificate management iControl functions is ignored and might result in errors.

Conditions:
If there is an existing key/certificate, and the key/certificate management iControl functions are used to overwrite the key/certificate by setting the overwrite flag, the flag is ignored, and an error is returned.

Impact:
Key/certificate overwrite using iControl operations might fail.

Fix:
The fix honors the overwrite flag, so that the key/certificate is overwritten when the flag is set to true.


615695 : Fixes to bd and iprepd components not included in BIG-IP v11.5.4-HF2

Component: Application Security Manager

Symptoms:
The following bugs were documented as fixed in BIG-IP v11.5.4-HF2:

ID 531809: FTP/SMTP traffic related bd crash
ID 559541: ICAP anti virus tests are not initiated on XML with when should
ID 562775: Memory leak in iprepd

However, the packages containing these fixes were not actually included in the BIG-IP v11.5.4-HF2 ISO.
Therefore, these bugs are not actually fixed in BIG-IP v11.5.4-HF2.

Conditions:
BIG-IP v11.5.4-HF2

Impact:
Referenced bugs are not actually fixed in BIG-IP v11.5.4-HF2.

Fix:
[BIG-IP v11.5.4 Hotfix Rollup containing this fix] includes the packages which contain the fixes for the following bugs:

ID 531809: FTP/SMTP traffic related bd crash
ID 559541: ICAP anti virus tests are not initiated on XML with when should
ID 562775: Memory leak in iprepd


615187 : Missing hyperlink to GSLB virtual servers and servers on the pool member page.

Component: Global Traffic Manager (DNS)

Symptoms:
Hyperlinks to GSLB virtual servers and servers on the pool member page were removed in 11.x.

Conditions:
Have a GSLB pool with pool members set up.

Impact:
Users must manually take note of the member's virtual server or server.

Workaround:
Manually take note of the virtual server or server and search for it.

Fix:
Added hyperlink to GSLB virtuals and servers on the pool member page.


614865 : Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.

Component: TMOS

Symptoms:
Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.

Specifically, the functions are:
key_import_from_pem()
certificate_import_from_pem()
key_import_from_pem_v2()
certificate_import_from_pem_v2()

Conditions:
When there is an existing key or certificate on the BIG-IP system, and you want to overwrite them using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls, it results in errors stating that the key or certificate already exists on the BIG-IP system.

Impact:
Cannot overwrite the key/certificate file-objects using these iControl calls.

Workaround:
There are two workarounds:
- Delete the existing key/certificate and then import it using the key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls.

- Use key_import_from_file and certificate_import_from_file iControl calls as an alternative to import key/certificate from a file.

Fix:
The overwrite flag in the iControl key/certificate_import_from_pem_v2() functions is now processed correctly and no longer produces errors.


614675 : iControl SOAP API call "LocalLB::ProfileClientSSL::create_v2" creates invalid profile

Component: TMOS

Symptoms:
The iControl function "LocalLB::ProfileClientSSL::create_v2" creates a profile with two cert-key-chain objects containing the same cert and key but with different names:

      ltm profile client-ssl my_prof {
          app-service none
          cert mycert.crt
          cert-key-chain {
              "" {
                  cert mycert.crt
                  key mycert.key
              }
              default_rsa_ckc {
                  cert mycert.crt
                  key mycert.key
              }
          }
          chain none
          inherit-certkeychain false
          key mycert.key
          passphrase none
      }

Conditions:
When the user creates clientSSL profile using iControl function create_v2().

Impact:
Unable to add the invalid clientSSL profile to a virtual server.

Workaround:
Remove the invalid clientSSL profile and re-create the profile using TMSH or GUI.

Fix:
The iControl SOAP API call "LocalLB::ProfileClientSSL::create_v2" no longer creates an invalid clientSSL profile.


614441-1 : False Positive for illegal method (GET)

Component: Application Security Manager

Symptoms:
False Positive for illegal method (GET) and errors in BD log on Apply Policy:
----
ECARD|ERR |Sep 04 07:38:47.992|23835|table.h:0287|KEY_REMOVE: Failed to REMOVE data
----

Conditions:
This was seen after upgrade and/or failover.

Impact:
-- False positives.
-- BD has the incorrect security configuration.

Workaround:
Run the following command: restart asm.


613613 : Incorrect handling of form that contains a tag with id=action

Component: Access Policy Manager

Symptoms:
In some cases, a form with an absolute path in the action is handled incorrectly in Internet Explorer (IE) versions 7, 8, and 9. The resulting action path is wrong and the form cannot be submitted.

Conditions:
This issue occurs under these conditions:
-- HTML Form with absolute action path.
-- A tag with id=action inside this form.
-- A submit button in the form.
-- IE versions 7 through 9.

Impact:
The impact of this issue is that the web application cannot work as expected.

Workaround:
This issue has no workaround at this time.

Fix:
Forms with absolute action paths and tag with id=action inside are handled correctly.


613576-9 : QOS load balancing links display as gray

Component: Global Traffic Manager

Symptoms:
All links in all data centers appear gray, and load balancing to the first available link in each pool does not work. After this fix, all links appear green and that load-balancing function is restored.

Conditions:
This bug only affects devices licensed after 9/1/2016 which contain the gtm_lc: disabled field.

Impact:
Any GTM/LC devices licensed after 9/1/2016 and using links as part of their configuration will have the links reported as gray.

Workaround:
Remove all links from the configuration, or install this hotfix.


612419-3 : APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable))

Component: Access Policy Manager

Symptoms:
When there are multiple network access resources, and users switch between them within the same connection, a small memory leak happens.

Conditions:
Network access; full webtop, multiple Network Access resources.

Impact:
Memory usage increases over time.

Workaround:
There is no workaround. It is a relatively slow leak though. In the case where it was observed, the leak was about 130MB per month.

Fix:
Fixed a memory leak related to network access.


611830 : TMM may crash when processing TCP traffic

Vulnerability Solution Article: K13053402


611704-1 : tmm crash with TCP::close in CLIENTSSL_CLIENTCERT iRule event

Component: Local Traffic Manager

Symptoms:
A tmm crash was discovered during internal testing.

Conditions:
HTTPS virtual server configured with an iRule that uses TCP::close in the CLIENTSSL_CLIENTCERT iRule event.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a tmm crash related to TCP::close in CLIENTSSL_CLIENTCERT


611469-6 : Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector

Vulnerability Solution Article: K95444512


610609-4 : Total connections in bigtop, SNMP are incorrect

Component: Local Traffic Manager

Symptoms:
While looking at total connections for the active BIG-IP using bigtop or SNMP, the connections are reported too high. For example if you sent a single connection through BIG-IP it is reported as 2 connections. Meanwhile, the standby device with mirroring configured accurately shows the number of connections.

Conditions:
This occurs on PVA-enabled hardware platforms.

Impact:
The total connection count statistic is incorrect.


610429-2 : X509::cert_fields iRule command may leak memory with subpubkey argument

Component: Local Traffic Manager

Symptoms:
The X509::cert_fields iRule command can leak memory in the 'method' memory subsystem if called with the 'subpubkey' argument, when the 'subpubkey' argument is not the last argument.

Conditions:
Create an iRule using X509::cert_fields where the subpubkey is not the last argument.

Example/signature to look for:
ltm rule rule_leak {
    when HTTP_REQUEST {
        if { [SSL::cert 0] ne "" } {
            HTTP::respond 200 content "[X509::cert_fields [SSL::cert 0] 0 subpubkey hash]\n"
        } else {
            HTTP::respond 200 content "no client cert (WRONG!)"
        }
    }
}

Impact:
Memory will leak, eventually impacting the operation of tmm.

Workaround:
Ensure that 'subpubkey' is the last argument to X509::cert_fields


610354-3 : TMM crash on invalid memory access to loopback interface stats object

Component: TMOS

Symptoms:
TMM can crash with segmentation fault when TMM drops packets on its internal loopback interface. TMM needs to update interface stats associated with the loopback interface when dropping packets on that interface. The interface stats object for loopback interface is not allocated yet. That results in segmentation fault.

Conditions:
TMM drops packets on its internal loopback interfaces.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No Workaround.


610243-1 : HTML5 access fails for Citrix Storefront integration mode with gateway pass through authentication

Component: Access Policy Manager

Symptoms:
The HTML5 client cannot be used to access the published applications or desktops.
HTML5 client access returns a blank/black screen and displays "Can not connect to the server".

Conditions:
APM is configured in Citrix Storefront integration mode, and HTML5 client access is enabled in Storefront.

Impact:
The HTML5 client cannot be used to access the published resources.

Workaround:
None

Fix:
HTML5 client can be used to access the published resources.


610180-5 : Misconfigured SAML Single Logout can cause a minor memory leak in the SSO plugin.

Component: Access Policy Manager

Symptoms:
When BIG-IP is used as SAML SP, and SLO is not properly configured on associated saml-idp-connector objects, IdP initiated SAML SLO may result in memory leak in SSO plugin.

Conditions:
- BIG-IP is used as SP.
- Associated saml-idp-connector object has 'single-logout-uri' property configured, but 'single-logout-response-uri' property is empty.
- User performs IdP initiated SAML SLO

Impact:
SSO plugin leaks memory

Workaround:
There are two possible workarounds:
- Fix misconfiguration: Configure SLO correctly by adding value to 'single-logout-response-uri' property of IdP connector object.
- Disable SLO by removing the 'single-logout-uri' property of the IdP connector object.

Fix:
When fixed, memory will no longer leak in SSO plugin even when SLO is misconfigured.
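Both of the leak conditions described above (ID 610429, 'subpubkey' not the last argument of X509::cert_fields, and ID 610180, an IdP connector with 'single-logout-uri' set but 'single-logout-response-uri' empty) can be found in a saved configuration before they bite. The following Python script is an added example, not F5 tooling: it reads a tmsh-style config dump with a minimal brace-block parser and flags both conditions. The sample config is constructed for the example; it assumes IdP connectors appear as `apm aaa saml-idp-connector NAME { ... }` blocks and that an unset string property is rendered as `none` or omitted.

```python
"""Audit a tmsh-style BIG-IP config dump for two leak conditions on this page.
Added example, not F5 code.
  * ID 610429: X509::cert_fields called with 'subpubkey' not as the last argument.
  * ID 610180: saml-idp-connector with single-logout-uri set but
    single-logout-response-uri empty ('none' or absent, assumed rendering).
"""
import re

# Constructed sample configuration (not taken from a real system).
SAMPLE_CONFIG = r'''
ltm rule rule_leak {
    when HTTP_REQUEST {
        if { [SSL::cert 0] ne "" } {
            HTTP::respond 200 content "[X509::cert_fields [SSL::cert 0] 0 subpubkey hash]\n"
        }
    }
}
ltm rule rule_ok {
    when HTTP_REQUEST {
        HTTP::respond 200 content "[X509::cert_fields [SSL::cert 0] 0 hash subpubkey]\n"
    }
}
apm aaa saml-idp-connector /Common/idp_bad {
    single-logout-uri https://idp.example.test/slo
    single-logout-response-uri none
}
apm aaa saml-idp-connector /Common/idp_ok {
    single-logout-uri https://idp.example.test/slo
    single-logout-response-uri https://idp.example.test/slo-response
}
'''


def top_level_blocks(text):
    """Split a config dump into (header, body) pairs by tracking brace depth.
    Adequate for tmsh output, where braces balance within each construct."""
    blocks, depth, header, body = [], 0, None, []
    for line in text.splitlines():
        delta = line.count('{') - line.count('}')
        if depth == 0:
            if line.rstrip().endswith('{'):
                header, body, depth = line.rstrip()[:-1].strip(), [], delta
            continue
        depth += delta
        if depth <= 0:
            blocks.append((header, '\n'.join(body)))
            depth = 0
        else:
            body.append(line)
    return blocks


def cert_fields_calls(rule_body):
    """Return the argument list of every X509::cert_fields invocation.
    Nested [...] command substitutions are kept as single tokens."""
    calls = []
    for m in re.finditer(r'X509::cert_fields', rule_body):
        i, depth, tokens, tok = m.end(), 0, [], ''
        while i < len(rule_body):
            ch = rule_body[i]
            if ch == '[':
                depth += 1
            elif ch == ']':
                if depth == 0:
                    break            # closing bracket of this invocation
                depth -= 1
            elif ch == '\n' and depth == 0:
                break                # statement-level call ends at end of line
            if ch.isspace() and depth == 0:
                if tok:
                    tokens.append(tok)
                    tok = ''
            else:
                tok += ch
            i += 1
        if tok:
            tokens.append(tok)
        calls.append(tokens)
    return calls


def saml_slo_misconfigured(body):
    """True when single-logout-uri is set but single-logout-response-uri is empty."""
    props = {}
    for line in body.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            props[parts[0]] = parts[1].strip()
    return (props.get('single-logout-uri', 'none') != 'none'
            and props.get('single-logout-response-uri', 'none') == 'none')


def audit(config_text):
    """Return (bug_id, object_name, detail) for each finding, in config order."""
    findings = []
    for header, body in top_level_blocks(config_text):
        kind, _, name = header.rpartition(' ')
        if kind == 'ltm rule':
            for args in cert_fields_calls(body):
                if 'subpubkey' in args and args[-1] != 'subpubkey':
                    findings.append(('610429', name,
                                     'subpubkey is not the last X509::cert_fields argument'))
        elif kind == 'apm aaa saml-idp-connector' and saml_slo_misconfigured(body):
            findings.append(('610180', name,
                             'single-logout-uri set but single-logout-response-uri is empty'))
    return findings
```

Point `audit()` at the text of /config/bigip.conf; each finding names the object to fix with the workaround given for its ID. The bracket matcher deliberately ignores Tcl quoting, which is enough for the `[X509::cert_fields ...]` substitutions that appear in iRules but would need extending for braces inside string literals.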


608551-2 : Half-closed congested SSL connections with unclean shutdown might stall.

Component: Local Traffic Manager

Symptoms:
Half-closed congested SSL connections with unclean shutdown might stall.

Conditions:
If SSL egress is congested and the client FINs with no Close Notify, connection might stall as SSL does not request more egress data from HTTP.

Impact:
Possible stalled flow.

Workaround:
Use SSL client that sends clean shutdown.

Fix:
Resolved half-closed congested SSL connections with unclean shutdown, so connections no longer stall.


608320-2 : iControl REST API sets a persistence profile's non-default property value to "none"; properties missing from iControl REST API response

Component: TMOS

Symptoms:
For persistence profiles, iControl REST does not provide visibility for property override when "none" is specified, including references, passwords, and array of strings.

Conditions:
-- Use iControl REST API with persistence profiles.
-- string, enum, or vector of enum/string property explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf.

Impact:
The iControl REST API response skips these elements. iControl REST does not provide visibility for persistence profile property overrides.

Workaround:
None.

Fix:
iControl REST API now returns persistence profile elements (i.e., string, enum, or vector of enum/string properties explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf) with the value "none". The exception to this policy is secured attributes, which are always excluded from the iControl REST API response.


608024-2 : Unnecessary DTLS retransmissions occur during handshake.

Component: Local Traffic Manager

Symptoms:
Unnecessary DTLS retransmissions occur during handshake.

Conditions:
During DTLS handshake, unnecessary retransmissions of handshake message may occur on VE platform.

Impact:
Possible DTLS handshake failure on VE platform.

Workaround:
None.

Fix:
This release fixes a possible failed DTLS handshake on VE platforms.


607304-1 : TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.

Component: Local Traffic Manager

Symptoms:
TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.

Conditions:
This can occur under normal operation, while running the geo_update command.

Impact:
Traffic disrupted while tmm restarts.


606575-2 : Request-oriented OneConnect load balancing ends when the server returns an error status code.

Component: Local Traffic Manager

Symptoms:
Request-oriented OneConnect load balancing ends when the server returns an error status code.

Conditions:
OneConnect is enabled and the server responds with a HTTP error status code.

Impact:
The client remains connected to the server, and no further load-balancing decisions are made.

Workaround:
It may be possible to detect the HTTP status code in the response, and manually detach the client-side.

To do so, use an iRule similar to the following:

when HTTP_RESPONSE {
    # Successful responses need no intervention.
    if { [HTTP::status] == 200 } { return }
    if { [HTTP::status] == 401 } {
        set auth_header [string tolower [HTTP::header values "WWW-Authenticate"]]
        if { $auth_header contains "negotiate" || $auth_header contains "ntlm" } {
            # Connection-oriented auth. System should already be doing the right thing
            unset auth_header
            return
        }

        unset auth_header
    }

    # Any other status: detach the client side so the next request is load balanced again.
    catch { ONECONNECT::detach enable }
}

Note: This workaround should not be used when the backend server is using connection-oriented HTTP authentication (e.g., NTLM or Negotiate authentication).

Fix:
With OneConnect, the client-side remains detachable when the server-side returns an HTTP error status code.


605865-1 : Debug TMM produces core on certain ICMP PMTUD packets

Component: Local Traffic Manager

Symptoms:
The debug TMM will produce a core on the assert "cwnd or ssthresh too low" when receiving an ICMP PMTUD packet with an MTU larger than the current MTU. This does not affect the default TMM.

Conditions:
While using the debug TMM, an ICMP PMTUD packet is received with an MTU larger than the current MTU.

Impact:
Debug TMM crashes on assert "cwnd or ssthresh too low." Traffic disrupted while tmm restarts.

Workaround:
Block incoming ICMP PMTUD packets. Note that this will cause Path MTU Discovery to fail, and IP packets sent by the BIG-IP system with the Don't Fragment (DF) bit set may be dropped silently if the MTUs of the devices on the path are configured incorrectly.

Fix:
The system now always updates TCP MSS after an ICMP PMTUD packet, so there is no debug TMM core.


605476 : istatsd can core when reading corrupt stats files.

Component: TMOS

Symptoms:
-- The istatsd process produces a core file in the /shared/core directory.

Conditions:
This issue occurs when the following condition is met:

The istatsd process attempts to read a corrupt iStats segment file with duplicate FIDs.

Under these conditions, the istatsd process continually consumes memory which produces a core causing the istatsd process to restart.

Impact:
iStatsd process will restart due to resource exhaustion.

Workaround:
To work around this issue, remove the iStats files and restart the istatsd and related processes, using the following procedure.

Impact of workaround: all statistics in the iStats files are reset.

1. Log in to the BIG-IP command line.
2. Stop the istatsd and related processes:
tmsh stop sys service istatsd avrd merged

3. Delete the iStats files:
find /var/tmstat2/ -depth -type f -delete

4. Start the istatsd and related processes:
tmsh start sys service istatsd avrd merged

Fix:
Added a fix to protect against continually reading a segment file that is corrupted and has duplicate FIDs.


604977-4 : Wrong alert when DTLS cookie size is 32

Component: Local Traffic Manager

Symptoms:
When ServerSSL profile using DTLS receives cookie with length of 32 bytes it throws fatal alert.

Conditions:
Another LTM with a ClientSSL profile issues a 32-byte cookie.

Impact:
DTLS with cookie size 32 is not supported.


604767-6 : Importing a SAML IdP's metadata on BIG-IP as SP may result in an incomplete configuration of the IdP connector object.

Component: Access Policy Manager

Symptoms:
When importing SAML IdP's metadata, certificate object might not be assigned as 'idp-certificate' value of saml-idp-connector object.

Conditions:
BIG-IP is used as SAML SP.

Impact:
Described behavior will result in misconfiguration. SAML WebSSO will subsequently fail.

Workaround:
Manually assign imported certificate as a 'idp-certificate' value of saml-idp-connector object.


604496-1 : SQL (Oracle) monitor daemon might hang.

Component: Local Traffic Manager

Symptoms:
SQL (Oracle) monitor daemon might hang with high monitoring load (hundreds of monitors). DBDaemon debug log contains messages indicating hung connection aborting and that the address in use, unable to connect.

Conditions:
High number of SQL (Oracle, MSSQL, MySQL, PostgreSQL) monitors. Slow SQL responses might make the condition worse.

Impact:
Flapping pool members connected to SQL monitors. Frequent aborts and restarts of SQL monitor daemon.

Workaround:
You can mitigate this issue in the following ways:
-- Reduce number of monitored pool members.
-- Increase the monitor interval (reduce the monitoring frequency).
-- Split monitors among multiple devices.
-- Run monitors on bladed systems.

Fix:
This release fixes the address-in-use issue, and contains multiple monitor improvements to handle aborts and restarts of the SQL monitor daemon as well so that the system handles hung connections without aborting.


604442-3 : iControl log

Vulnerability Solution Article: K12685114


604237-1 : Vlan allowed mismatch found error in VCMP guest

Component: TMOS

Symptoms:
Your vCMP guests are unable to reach the network. You see in /var/log/ltm "mcpd[5503]: 01071322:4: Vlan allowed mismatch found: hypervisor "

Conditions:
A VLAN in the vlan-allowed list has a name that matches the suffix of another VLAN's name in the list, and both VLANs are configured on the vCMP guest. For example, xyz and abc_xyz produce the error "warning mcpd[6374]: 01071322:4: Vlan allowed mismatch found: hypervisor (abc_xyz:1860), guest (/Common/xyz:1850)."

Impact:
Unable to use VLAN.

Workaround:
Rename the VLANs such that no VLAN matches suffix of any other VLAN.


603945-3 : BD config update should be considered as config addition in case of update failure

Component: Application Security Manager

Symptoms:
A configuration update fails when the system cannot find the item to update. Configuration failures are shown in bd.log.

Conditions:
The condition that leads to this scenario is not clear and is still under investigation.

Impact:
The update fails and the entity is not added.

Workaround:
Delete the faulty entity and re-add, and then issue the following command: restart asm.

This fixes the issue in the cases in which it is a single entity.

Fix:
A configuration update no longer fails when the system cannot find the item to update. Now, the system adds the item with its updated value if the entity does not already exist. Otherwise, the operation updates the value of the existing entry.


603723-1 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup

Component: Local Traffic Manager

Symptoms:
HTTPS monitors mark a pool member configured for TLS v1.2 only as down and never mark it up again, even when the pool member is up. The monitor works normally until an SSL handshake fails for any reason. After the handshake fails, the monitor falls back to an older TLS version (v1.0 or v1.1), which the pool member rejects, so the node remains marked down.

Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.

Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.

Workaround:
None.

Fix:
The system now successfully handles TLS v1.0 fallback when pool members are configured to use TLS v1.2 only, so pool members are correctly marked as being up.


603667-1 : TMM may leak or corrupt memory when configuration changes occur with plugins in use

Component: Local Traffic Manager

Symptoms:
TMM may leak memory when plugins are in use and the plugin is re-initialized (typically due to configuration changes). In rare cases, memory corruption may occur causing TMM to restart.

Conditions:
Plugin-based functionality configured (ASM, APM, etc.) and configuration changes occur.

Impact:
The memory leakage generally occurs infrequently and at a rate that TMM operations are not affected. However, when memory corruption occurs, a traffic interruption may occur due to TMM restarting.

Workaround:
No workaround except disabling plugin-based functionality (such as ASM, APM, etc.).

Fix:
TMM now properly manages plugin memory, and no longer leaks or corrupts this memory.


603606-1 : tmm core

Component: Local Traffic Manager

Symptoms:
A tmm core occurs with the following log message: notice panic: ../kern/page_alloc.c:521: Assertion "vmem_hashlist_remove not found" failed.

Conditions:
It is not known exactly what triggers this condition.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


603598-1 : big3d memory under extreme load conditions

Component: Global Traffic Manager

Symptoms:
big3d memory consumption can grow if big3d is unable to process monitor requests in a timely fashion.

This can be seen by monitoring the memory consumption of big3d using standard OS tools such as top.

Conditions:
big3d maintains two queues for monitor requests. Incoming requests are first placed in the Pending queue, and are moved from the Pending queue to the Active queue when there is room in the Active queue.

When the Pending queue is full, there is no room for a new monitor request. big3d attempts to clean up the rejected request but fails to completely free its memory, which can result in a significant memory leak.

For this to happen, both the Active queue and the Pending queue must be full. One condition that can cause this is multiple monitors timing out: requests for timed-out monitors have long lifetimes, which keeps the Active queue full, so the Pending queue can also fill up and the leak can occur.

In BIG-IP 11.1.0, the Active queue has 256 slots and the Pending queue has 4096 slots. In BIG-IP 11.1.0 HF3, the queues were expanded to 2048 Active slots and 16384 Pending slots. Because the queues were smaller in versions prior to 11.1.0 HF3, the leak is more likely to manifest there; in later versions the leak is still possible, but less likely to occur.

Impact:
big3d memory consumption grows unbounded. This might result in a big3d restart or memory starvation of other processes.

Workaround:
This can be partially mitigated by ensuring that monitor settings are reasonable and that big3d is not overloaded, which minimizes the chance that the Pending queue becomes full.

There is no mechanism to resize the queues.

Fix:
When a monitor request is unable to be placed in the queue, the memory for the request is freed properly.
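To make the two-queue behaviour above concrete, here is a small Python model, added as an example and not big3d's own code: requests enter Active when a slot is free, otherwise Pending, otherwise they are rejected, and the buggy variant never releases a rejected request. Long request lifetimes stand in for monitors that time out and keep Active full. Queue sizes default to the 11.1.0 values quoted above; the per-tick arrival rates used in the usage note are made up for illustration.

```python
"""Toy model of big3d's two-stage monitor-request queue (ID 603598).
Added example, not big3d code; defaults are the 11.1.0 sizes quoted above."""
from collections import deque


class MonitorQueues:
    def __init__(self, active_slots=256, pending_slots=4096, free_on_overflow=True):
        self.active_slots = active_slots
        self.pending_slots = pending_slots
        self.free_on_overflow = free_on_overflow  # False models the pre-fix behaviour
        self.active = []                          # (request_id, remaining_ticks)
        self.pending = deque()                    # (request_id, lifetime)
        self.rejected = 0                         # requests that found both queues full
        self.leaked = 0                           # rejected requests never freed

    def submit(self, req_id, lifetime):
        """Admit to Active if there is room, else to Pending, else reject.
        In the buggy variant a rejected request's memory is never released."""
        if len(self.active) < self.active_slots:
            self.active.append((req_id, lifetime))
            return "active"
        if len(self.pending) < self.pending_slots:
            self.pending.append((req_id, lifetime))
            return "pending"
        self.rejected += 1
        if not self.free_on_overflow:
            self.leaked += 1
        return "rejected"

    def tick(self):
        """One scheduler pass: age Active requests, retire finished ones, then
        promote Pending requests into the freed Active slots."""
        self.active = [(r, t - 1) for r, t in self.active if t > 1]
        while self.pending and len(self.active) < self.active_slots:
            self.active.append(self.pending.popleft())


def simulate(active_slots, pending_slots, per_tick, lifetime, ticks, free_on_overflow=True):
    """Offer `per_tick` monitor requests per pass, each living `lifetime` passes
    (a long lifetime stands in for a monitor that times out), and return the queues."""
    q = MonitorQueues(active_slots, pending_slots, free_on_overflow)
    next_id = 0
    for _ in range(ticks):
        for _ in range(per_tick):
            q.submit(next_id, lifetime)
            next_id += 1
        q.tick()
    return q
```

With tiny queues, `simulate(4, 8, 6, lifetime=10, ticks=20, free_on_overflow=False).leaked` grows every tick once both queues are full, while the same run with `free_on_overflow=True` still rejects requests but leaks nothing; that is exactly the difference the fix makes. Shortening `lifetime` (monitors that answer promptly) keeps Active draining and Pending never fills.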


602749 : Memory exhaustion when asking for missing page of learning suggestion occurrences

Component: Application Security Manager

Symptoms:
High CPU Utilization: event code I706 Bypassing ASM

Conditions:
Open the occurrences for a suggestion that has multiple pages, clear the underlying requests (on a real system this happens because of traffic; it can also be reproduced by clearing the LRN_REQUESTS table directly in the database), then switch to the second page.

Impact:
memory exhaustion

Workaround:
None


601938-5 : MCPD stores certain data incorrectly

Vulnerability Solution Article: K52180214


601927-4 : Security hardening of control plane

Component: TMOS

Symptoms:
File permissions changes needed as found by internal testing

Conditions:
N/A

Impact:
N/A

Fix:
Apply latest security practices to control plane files.


601527-1 : mcpd memory leak and core

Component: TMOS

Symptoms:
Mcpd can leak memory during config update or config sync.

Conditions:
All of the conditions that trigger this are not known but it seems to occur during full configuration sync and is most severe on the config sync peers. It was triggered making a single change on the primary by configuring a monitor rule, e.g., tmsh create ltm pool p members { 1.2.3.4:80 } monitor http

Impact:
Loss of memory over time, which may result in out-of-memory and mcpd core.

Fix:
Fixed a memory leak in mcpd.


601407 : Legacy PNAgent access does not work from Citrix Receiver 4.3 onwards

Component: Access Policy Manager

Symptoms:
While adding a new account from Citrix Receiver, it does not prompt for the credentials

Conditions:
APM is in integration mode with Storefront or web interface and APM uses only pnagent protocol for the integration.

Impact:
Could not access the published applications.

Workaround:
None

Fix:
APM supports new user agent string from Citrix Receiver 4.3 onwards.


600827-3 : Stuck nitrox crypto queue can erroneously be reported

Component: Local Traffic Manager

Symptoms:
In some cases, a stuck crypto queue can be erroneously detected on Nitrox systems (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The message "Hardware Error(Co-Processor): n3-crypto0 request queue stuck" will appear in the ltm log file.

Conditions:
Nitrox based system performing SSL under heavy load.

Impact:
Device errors reported in logs and crypto HA action is taken, possibly resulting in failing over.

Fix:
The Nitrox crypto driver uses a proper timeout value for crypto requests.


600662-5 : NAT64 vulnerability CVE-2016-5745

Vulnerability Solution Article: K64743453


600396-1 : iControl REST may return 404 for all requests in AWS

Component: TMOS

Symptoms:
iControl REST queries may fail against specific versions of BIG-IP in AWS. When this issue is encountered, all queries fail for the entirety of the BIG-IP uptime. An error message mentioning "RestWorkerUriNotFoundException" will be returned. For instance, this basic query will always return 404:

curl -k -u admin:ADMINPASSWORD -sv -X GET https://1.2.3.4/mgmt/tm/ltm

* Trying 1.2.3.4...
* Connected to 1.2.3.4 (1.2.3.4) port 443 (#0)
* TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
* Server certificate: localhost.localdomain
* Server auth using Basic with user 'admin'
> GET /mgmt/tm/ltm HTTP/1.1
> Host: 1.2.3.4
> Authorization: Basic ....
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Date: 20 Jun 2016 17:49:39 UTC
< Server: com.f5.rest.common.RestRequestSender
...
{ [1093 bytes data]
* Connection #0 to host 1.2.3.4 left intact
{
   "errorStack" : [
      "com.f5.rest.common.RestWorkerUriNotFoundException: http://localhost:8100/mgmt/tm/ltm",
      "at com.f5.rest.workers.ForwarderPassThroughWorker.cloneAndForwardRequest(ForwarderPassThroughWorker.java:293)",
      "at com.f5.rest.workers.ForwarderPassThroughWorker.onForward(ForwarderPassThroughWorker.java:211)",
      "at com.f5.rest.workers.ForwarderPassThroughWorker.onGet(ForwarderPassThroughWorker.java:370)",
      "at com.f5.rest.common.RestWorker.callDerivedRestMethod(RestWorker.java:1009)",
      "at com.f5.rest.common.RestWorker.callRestMethodHandler(RestWorker.java:976)",
      "at com.f5.rest.common.RestServer.processQueuedRequests(RestServer.java:850)",
      "at com.f5.rest.common.RestServer.access$000(RestServer.java:43)",
      "at com.f5.rest.common.RestServer$1.run(RestServer.java:147)",
      "at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)",
      "at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)",
      "at java.lang.Thread.run(Thread.java:722)\n"
   ],
   "restOperationId" : 8827,
   "code" : 404,
   "referer" : "4.3.2.1",
   "message" : "http://localhost:8100/mgmt/tm/ltm"
}

Conditions:
It is not known what triggers this, it intermittently affects new BIG-IP instances running in Amazon Web Services (AWS EC2) cloud environments.

Impact:
All iControl REST queries (GET, PUT, POST, DELETE) always fail until the BIG-IP is restarted.

Workaround:
Restart the BIG-IP.


600116 : DNS resolution request may take a long time in some cases

Component: Access Policy Manager

Symptoms:
DNS resolution may appear slow in some cases

Conditions:
All of following conditions should be met

1) DNS Relay proxy is installed on user's machine
2) User's machine has multiple network adapters and some of them are in disconnected state.

Impact:
DNS resolution will be slow

Workaround:
Disable network adapters that are not connected.

Fix:
The DNS Relay proxy server no longer proxies to DNS servers on non-connected interfaces, which fixes the slow DNS resolution.


599285-5 : PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095

Vulnerability Solution Article: K51390683


599191-1 : One of the config-sync scenarios causes old FIPS keys to be left in the FIPS card

Component: TMOS

Symptoms:
When running the tmsh show sys crypto fips command, you notice stale keys that you have previously deleted are left behind on the FIPS card.

Conditions:
This occurs when you have BIG-IPs with FIPS HSMs, configured in manual sync mode, under the following set of actions:
- Create a key-cert pair
- Associate the new key-cert pair with a clientssl profile
- Config sync to the peers
- Associate the clientssl profile with the default key and cert
- Delete the key and cert
- Manual sync

Impact:
A stale key is left on the FIPS card. There is no impact to functionality.

Workaround:
Using tmsh, check the handles/key IDs of the keys referenced by the configuration. Then remove each key that is not in use with the command: tmsh delete sys crypto key <keyname>


599168-5 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700

Vulnerability Solution Article: K35520031


598983-5 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700

Vulnerability Solution Article: K35520031


598981-1 : APM ACL does not get enforced all the time under certain conditions

Component: Access Policy Manager

Symptoms:
APM ACL does not get enforced all the time under certain conditions

Conditions:
The following conditions individually increase the chances for this problem to occur:
1. The device is very busy. (Construction of ACL windows is prolonged.)
2. Concentration of connections into one TMM. (e.g., VPN feature.)
3. Small number of TMMs (e.g., BIG-IP low-end platform, Virtual Edition (VE) configurations.)
4. Application starts with a high number of concurrent connections.

Impact:
ACL is not applied for subsequent connections for that TMM. This issue does not consistently reproduce.

Workaround:
Mitigation:
Administrator can kill the affected session, which forces the user to re-login, and ultimately restarts the ACL construction process.

Fix:
Context switching while applying the ACL is now handled properly and no longer causes the ACL to go unenforced.


598874-1 : GTM Resolver sends FIN after SYN retransmission timeout

Component: Local Traffic Manager

Symptoms:
If a DNS server is not responding to TCP SYN, GTM Resolver sends a FIN after a retransmission timeout (RTO) of the SYN.

Conditions:
GTM Resolver tries to open a TCP connection to a server that does not respond.

Impact:
Firewalls may log the FIN as a possible attack.

Fix:
Do not send anything in response to a SYN retransmission timeout.


598860-5 : IP::addr iRule with an IPv6 address and netmask fails to return an IPv4 address

Component: Local Traffic Manager

Symptoms:
The IP::addr iRule can be used to translate an IPv6 address containing an IPv4 address, but instead it converts it into an IPv4 compatible IPv6 address.

Example:
ltm rule test_bug {
    when CLIENT_DATA {
        log local0. "[IP::addr 2A01:CB09:8000:46F5::A38:1 mask ::ffff:ffff]"
    }
}

Expected result:
Rule /Common/test_bug <CLIENT_DATA>: 10.56.0.1

Actual result:
Rule /Common/test_bug <CLIENT_DATA>: ::10.56.0.1

Conditions:
Using IP::addr to convert an IPv6 address to an IPv4 address.

Impact:
Address is converted into an IPv4-compatible IPv6 address.
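The expected and actual results above differ only in the last step: after the mask is applied, the low 32 bits should be collapsed to a plain IPv4 address rather than left as an IPv4-compatible IPv6 address. The following Python model, added here as an example using only the standard library and not BIG-IP code, reproduces both the pre-fix value (`masked`, still IPv6) and the expected value (`ip_addr_mask`), and also handles the IPv4-mapped `::ffff:a.b.c.d` form, which goes beyond the single case in the text.

```python
"""Model of `IP::addr <addr> mask <mask>` for IPv4 embedded in IPv6 (ID 598860).
Added example using the Python standard library; not BIG-IP code."""
import ipaddress


def masked(addr, mask):
    """Bitwise AND of an IPv6 address and an IPv6 mask, as the buggy release
    returns it: still an IPv6Address (the BIG-IP renders it as ::10.56.0.1)."""
    a, m = ipaddress.IPv6Address(addr), ipaddress.IPv6Address(mask)
    return ipaddress.IPv6Address(int(a) & int(m))


def embedded_ipv4(v6):
    """Collapse an IPv4-compatible (::a.b.c.d) or IPv4-mapped (::ffff:a.b.c.d)
    IPv6 address to an IPv4Address. Anything else, including the unspecified
    address :: and loopback ::1, is returned unchanged."""
    n = int(v6)
    high, low = n >> 32, n & 0xFFFFFFFF
    if n > 1 and high in (0, 0xFFFF):
        return ipaddress.IPv4Address(low)
    return v6


def ip_addr_mask(addr, mask):
    """Expected iRule result: apply the mask, then collapse an embedded IPv4
    address to IPv4 so callers get 10.56.0.1 rather than ::10.56.0.1."""
    return embedded_ipv4(masked(addr, mask))
```

For the page's example, `masked('2A01:CB09:8000:46F5::A38:1', '::ffff:ffff')` is the IPv6 value `::a38:1` (the same bits the BIG-IP prints as `::10.56.0.1`), while `ip_addr_mask(...)` returns the IPv4 address `10.56.0.1`; a mask that leaves more than the low 32 bits, such as `ffff:ffff::`, correctly stays IPv6.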


598211-3 : Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode.

Component: Access Policy Manager

Symptoms:
During the logon to Citrix StoreFront through an APM virtual server, after the login page, the BIG-IP system sends the client the following error: Error 404 file or directory not found.

Conditions:
This occurs when the following conditions are met:
- Citrix Android receiver 3.9.
- APM is in integration mode with Citrix StoreFront.
- Storefront unified experience mode is enabled.

Impact:
Cannot access Citrix StoreFront unified UI through Android Receiver 3.9.

Workaround:
For StoreFront integration mode, there is an iRule that is created by the iApp that redirects the root page to the store's URI. The workaround is to add an additional redirect for the receiver_uri ending with receiver.html. The iRule below contains this workaround.
It is also recommended to delete and recreate the existing store account.

when HTTP_REQUEST {
    if { [regexp -nocase {/citrix/(.+)/receiver\.html} [HTTP::path] dummy store_name] } {
        log -noname accesscontrol.local1.debug "01490000:7: setting http path to /Citrix/$store_name/"
        HTTP::path "/Citrix/$store_name/"
    }
}

Fix:
Citrix Android Receiver 3.9 now works through APM in StoreFront integration mode.


597966-1 : ARP/neighbor cache nexthop object can be freed while still referenced by another structure

Component: Local Traffic Manager

Symptoms:
Use after free or double-free of the nexthop object may cause memory corruption or TMM core.

Conditions:
This can happen if the server-side connection establishment takes some time to complete, creating a large enough time window where the nexthop object might be freed.

Impact:
The BIG-IP dataplane might crash. This is a very timing/memory-usage-dependent issue.

Workaround:
None.

Fix:
Management of nexthop object reference counting is more consistent.


597431-6 : VPN establishment may fail when computer wakes up from sleep

Component: Access Policy Manager

Symptoms:
EdgeClient does not clean up the routing table before Windows goes into hibernation. This may prevent the VPN from being established when the computer wakes up, and may also result in other network connectivity issues.

Conditions:
-VPN connection is not disconnected
-Computer goes in hibernation

Impact:
Issues with Network connectivity

Workaround:
Renew the DHCP lease by running:
ipconfig /renew

or

reboot the machine.


597429 : eam maintains lock on /var/log/apm.1 after logrotate

Component: Access Policy Manager

Symptoms:
/var/log fills up and eventually runs out of disk space. Old log files are not being deleted from the rotation, and they are locked and unable to be removed.

Conditions:
This occurs when eam is configured. eam provides external access management for 3rd party identity integration such as Oracle Access Manager (OAM) SSO.

Impact:
/var/log consumes an unusually high amount of disk space, and logrotate does not work correctly.


597394-5 : Improper handling of IP options

Vulnerability Solution Article: K46535047


597089-3 : Connections are terminated after 5 seconds when using ePVA full acceleration

Component: Local Traffic Manager

Symptoms:
When using a fast L4 profile with ePVA full acceleration configured, the 5-second TCP 3WHS handshake timeout is not being updated to the TCP idle timeout after the handshake is completed. The symptom is an unusually high number of connections getting reset in a short period of time.

Conditions:
Not all of the conditions that trigger this are known, but it is seen when using the fast L4 profile with pva-acceleration set to full.

Impact:
High number of connections get reset, longer than expected idling TCP connections, and potential performance issues.

Workaround:
Disabling the PVA resolves the issue.


597023-5 : NTP vulnerability CVE-2016-4954

Vulnerability Solution Article: K82644737


596814-2 : HA Failover fails in certain valid AWS configurations

Component: TMOS

Symptoms:
Some of the floating object's IPs might not be reattached to the instance acting as the new active device.

Conditions:
AWS deployments where there are multiple matches for the provided IP address (that is, other Amazon VPCs in the same Availability Zone contain unrelated instances that have the same IP address as the BIG-IP system's floating IP address).

Impact:
Potential traffic disruption. Some of the floating object's IPs might not be reattached to the instance acting as the new active device.

Workaround:
Do not have AWS deployments with multiple VPCs sharing the same IP address as the BIG-IP's floating IP address.

Fix:
Failover now narrows network description by filtering with VPC id.


596603-5 : AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.

Component: TMOS

Symptoms:
When deploying BIG-IP VE in AWS with c4.8xlarge instance type, the system never boots and remains in "Stopped" state after briefly trying to start-up.

Conditions:
BIG-IP VE is deployed with c4.8xlarge instance type in AWS.

Impact:
The c4.8xlarge instance type is not supported for BIG-IP VE in AWS.

Workaround:
Choose c4.4xlarge or other instance types in AWS.

Fix:
The issue is corrected so that BIG-IP VE works with the c4.8xlarge instance type in AWS.


596488-5 : GraphicsMagick vulnerability CVE-2016-5118.

Vulnerability Solution Article: K82747025


596340-4 : F5 TLS vulnerability CVE-2016-9244

Vulnerability Solution Article: K05121675


596134-1 : TMM core with PEM virtual server

Component: Policy Enforcement Manager

Symptoms:
TMM cores; the following signature appears in /var/log/ltm:
err tmm1[7822]: 011f0007:3: http_process_state_prepend - Invalid action:0x109010

Conditions:
A core may occur if a PEM virtual server has a parked flow (through an iRule, persistence profile, or other mechanism) and an internal control event occurs while the flow is parked.

Impact:
Traffic disrupted while tmm restarts.

Fix:
PEM now checks for a HUDCTL_ABORT message prior to processing other HUD messages.


595874-3 : Upgrading 11.5.x/11.6.x hourly billing instances to 12.1.0 fails due to license SCD.

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) instances that use the Amazon Web Services (AWS) hourly billing license model may fail when upgrading to version 12.1.0.

As a result of this issue, you may encounter the following symptom:

After upgrading to version 12.1.0, the BIG-IP VE instance license is invalid.

Conditions:
This issue occurs when all of the following conditions are met:

-- You have BIG-IP VE instances that use the hourly billing licensing model.
-- Your BIG-IP VE instances are running 11.5.x or 11.6.x software versions.
-- Your BIG-IP VE instances are running within the AWS EC2 environment.
-- You upgrade the BIG-IP VE instance using the liveinstall method.

Impact:
BIG-IP VE instance licenses are not valid after upgrading to software version 12.1.0.

Workaround:
To work around this issue, you can use the liveinstall method on the hotfix image directly (instead of installing the base software image and then the hotfix image). To do so, perform the following procedure:

Impact of workaround: Performing the following procedure requires rebooting the system and should be performed only during a maintenance window.

1. Download the BIGIP-12.1.0.0.0.1434.iso and Hotfix-BIGIP-12.1.0.1.1.1447-HF1-ENG.iso files to your workstation. For more information about downloading software, refer to SOL167: Downloading software and firmware from F5.
2. Copy the downloaded files from your workstation to the /shared/images directory on the VE instance.
3. To perform the installation by using the liveinstall method and reboot the BIG-IP VE instance to the volume running the new software, use the following command syntax:

tmsh install sys software hotfix Hotfix-BIGIP-12.1.0.1.1.1447-HF1-ENG.iso volume <volume-number> reboot

For example, to install the hotfix to volume HD1.3 and reboot to the volume running the newly installed software, type the following command:

tmsh install sys software hotfix Hotfix-BIGIP-12.1.0.1.1.1447-HF1-ENG.iso volume HD1.3 reboot

4. Verify the installation progress by typing the following command:

tmsh show sys software

Output appears similar to the following example:

Sys::Software Status
Volume Product Version Build Active Status
----------------------------------------------------------------
HD1.1 BIG-IP 12.0.0 0.0.606 yes complete
HD1.2 BIG-IP 12.1.0 0.0.1434 no complete
HD1.3 BIG-IP 12.1.0 0.0.1434 no installing 6.000 pct

Fix:
BIG-IP VE instances that use the AWS hourly billing license model now complete successfully when upgrading to version 12.1.0.


595773-6 : Cancellation requests for chunked stats queries do not propagate to secondary blades

Component: TMOS

Symptoms:
Canceling a request for a chunked stats query (e.g. hitting ctrl-c during "tmsh show sys connection") does not stop data flowing from secondary blades.

Conditions:
A chassis-based system with multiple blades. Users must execute a chunked stats query (e.g. "tmsh show sys connection") and then cancel it before it finishes (e.g. with ctrl-c in tmsh).

Impact:
Unnecessary data will be sent from TMM to secondary mcpd instances, as well as from secondary mcpd instances to the primary mcpd instance. This could cause mcpd to restart unexpectedly.

Fix:
Cancellations for chunked stats queries are now propagated to secondary blades.


594496-4 : PHP Vulnerability CVE-2016-4539

Vulnerability Solution Article: K35240323


593447-3 : BIG-IP TMM iRules vulnerability CVE-2016-5024

Vulnerability Solution Article: K92859602


592871-1 : Cavium Nitrox PX/III stuck queue diagnostics missing.

Component: Local Traffic Manager

Symptoms:
A diagnostics tool is needed to investigate a rare issue in which the Cavium Nitrox PX/III crypto chip gets into a "request queue stuck" state.

Conditions:
Systems with Cavium Nitrox PX/III chips (the BIG-IP 5xxx, 7xxx, 10xxx, and 12xxx platforms and the VIPRION B2200 blade) that hit a rare issue which logs a "request queue stuck" message in /var/log/ltm.

Impact:
This tool enables F5 engineers to obtain more data about this problem to help diagnose the issue.

Workaround:
None.

Fix:
Provides a diagnostics tool. Does not directly mitigate the problem.


592869 : Syntax Error when reimporting exported content containing acl-order 0

Component: Access Policy Manager

Symptoms:
Syntax Error when reimporting exported content containing acl-order 0. The error message is similar to the following.

Syntax Error: ... 'acl-order' may not be specified more than once; Validating configuration...

Conditions:
The exported config has an APM resource with acl-order 0.

Impact:
Unable to import exported .conf.tar.gz.

Workaround:
None.

Fix:
It is now possible to export and then import a config that contains an APM resource with acl-order 0.


592868-1 : Rewrite may crash processing HTML tag with HTML entity in attribute value

Component: Access Policy Manager

Symptoms:
If an HTML page contains HTML entities in attribute values, rewrite may crash while processing the page.

Conditions:
An HTML tag like the following:
<script src="&#10;" type="text/javascript"></script>

Impact:
Web application may not work correctly.

Workaround:
In most cases, the HTML entities can be replaced with the corresponding characters by an iRule.

Fix:
Now rewrite correctly handles HTML entities in attribute values.


592854-2 : Protocol version set incorrectly on serverssl renegotiation

Component: Local Traffic Manager

Symptoms:
If the BIG-IP serverssl profile sends a new ClientHello request to renegotiate SSL, the protocol version will be set to 0. This will cause renegotiation to fail.

Conditions:
ServerSSL profile configured on a virtual server, and BIG-IP initiates a renegotiation.

Impact:
Protocol field is invalid (0), and the server will reset the connection.

Fix:
Fixed a reset issue with SSL renegotiation in the serverssl profile.


592784 : Compression stalls, does not recover, and compression facilities cease.

Component: Local Traffic Manager

Symptoms:
Compression stalls, does not recover, and compression facilities may cease.

Conditions:
A device error of any kind, or requests that result in the device reporting an error (for example, attempting to decompress an invalid compression stream).

Impact:
In general, compression stops altogether. Under some circumstances, compression requests may end up routed to zlib (software compression), but generally the SSL hardware accelerator card does not correctly report that it is unavailable when it stalls.

Workaround:
Select the softwareonly compression provider by running the following tmsh command:

tmsh modify sys db compression.strategy value softwareonly

Fix:
The compression device driver now attempts to recover after a failure. If it still cannot recover, new compression requests will be assigned to zlib (software) for compression.


592414-3 : IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed

Component: Access Policy Manager

Symptoms:
IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed from dynamically generated child.

Conditions:
Browsers: IE11 and Chrome
When: After document.write() into its parent has been performed from dynamically generated child.

Impact:
Web application malfunction.

Workaround:
None.

Fix:
Fixed.


591918-6 : ImageMagick vulnerability CVE-2016-3718

Vulnerability Solution Article: K61974123


591908-6 : ImageMagick vulnerability CVE-2016-3717

Vulnerability Solution Article: K29154575


591894-6 : ImageMagick vulnerability CVE-2016-3715

Vulnerability Solution Article: K10550253


591881-5 : ImageMagick vulnerability CVE-2016-3716

Vulnerability Solution Article: K25102203


591806-4 : ImageMagick vulnerability CVE-2016-3714

Vulnerability Solution Article: K03151140


591789 : IPv4 fragments are dropped when packet filtering is enabled.

Component: Local Traffic Manager

Symptoms:
IPv4 fragments are dropped when packet filtering is enabled.

Conditions:
Packet filtering is enabled on version 11.5.4, 11.6.0 HF6, or 11.6.1.

Impact:
IPv4 fragments with a non-zero offset are lost.

Workaround:
Disable packet filtering.

Fix:
IPv4 fragments are no longer incorrectly dropped when packet filtering is enabled.


591659-2 : Server shutdown is propagated to client after X-Cnection: close transformation.

Component: Local Traffic Manager

Symptoms:
Server shutdown is propagated to client after X-Cnection: close transformation.

Conditions:
In OneConnect configurations, when a server's maximum number of keep-alives is exceeded, the server closes the connection between itself and the BIG-IP system. This Connection: Close is transformed to an X-Cnection: close and sent to the Client along with a TCP FIN.

Impact:
Client side connections are closed by the BIG-IP system too early, causing subsequent requests to be dropped.

Workaround:
Set the OneConnect profile "Maximum Reuse" value to 2 below the pool member's maximum keep-alive setting. This forces OneConnect to close the connection before the pool member does.

Fix:
Server shutdown is no longer propagated to client after X-Cnection: close transformation, so client side connections are now kept open by the BIG-IP system as expected, and subsequent requests are no longer dropped.


591476-6 : Stuck crypto queue can erroneously be reported

Component: Local Traffic Manager

Symptoms:
In some cases, a stuck crypto queue can be erroneously detected on Nitrox-based systems (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The following message appears in the ltm log: Device error: crypto codec cn-crypto-0 queue is stuck.

Conditions:
-- Running on one of the following platforms:
 + BIG-IP 800, 1600, 3600, 3900, 6900, 89xx, 5xxx, 7xxx, 10xxx, 11xxx, and 12xxx
 + VIPRION B41xx-B43xx, B21xx, and B22xx blades.
-- Performing SSL.
-- Under heavy load.

Impact:
Device errors reported in logs and crypto HA action is taken, possibly resulting in failing over.

Workaround:
Modify the crypto queue timeout value to 0 to prevent timeouts using the following command:

tmsh modify sys db crypto.queue.timeout value 0

Fix:
The crypto driver now only examines requests in the hardware DMA ring to detect a stuck queue.


591455-3 : NTP vulnerability CVE-2016-2516

Component: TMOS

Symptoms:
For more information, see K24613253: NTP vulnerability CVE-2016-2516, available at https://support.f5.com/csp/#/article/K24613253

Conditions:
For more information, see K24613253: NTP vulnerability CVE-2016-2516, available at https://support.f5.com/csp/#/article/K24613253

Impact:
For more information, see K24613253: NTP vulnerability CVE-2016-2516, available at https://support.f5.com/csp/#/article/K24613253

Fix:
For more information, see K24613253: NTP vulnerability CVE-2016-2516, available at https://support.f5.com/csp/#/article/K24613253


591447-4 : PHP vulnerability CVE-2016-4070

Component: TMOS

Symptoms:
See SOL42065024: CVE-2016-4070 available at https://support.f5.com/kb/en-us/solutions/public/k/42/sol42065024.html

Conditions:
See SOL42065024: CVE-2016-4070 available at https://support.f5.com/kb/en-us/solutions/public/k/42/sol42065024.html

Impact:
See SOL42065024: CVE-2016-4070 available at https://support.f5.com/kb/en-us/solutions/public/k/42/sol42065024.html

Fix:
See SOL42065024: CVE-2016-4070 available at https://support.f5.com/kb/en-us/solutions/public/k/42/sol42065024.html


591327-3 : OpenSSL vulnerability CVE-2016-2106

Vulnerability Solution Article: K36488941


591325-3 : OpenSSL (May 2016) CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109

Vulnerability Solution Article: K75152412


591117-2 : APM ACL construction may cause TMM to core if TMM is out of memory

Component: Access Policy Manager

Symptoms:
During ACL construction, TMM sends queries about the assigned ACL information. If the reply contains an out-of-memory error message, TMM did not handle the error properly and cored.

Conditions:
BIG-IP is extremely loaded and out of memory.

Impact:
Traffic disrupted while tmm restarts.

Fix:
TMM now handles an out-of-memory error reply during ACL construction without crashing.


591042-6 : OpenSSL vulnerabilities

Vulnerability Solution Article: K23230229


590820-5 : Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.

Component: Access Policy Manager

Symptoms:
Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.

Conditions:
Intensive use of JavaScript methods such as appendChild(), insertBefore(), and similar DOM methods in a customer's web application code.

Impact:
Very low web application performance when using Microsoft Internet Explorer.

Workaround:
None.

Fix:
Applications that use appendChild() or similar JavaScript functions to build UI now experience expected performance in Microsoft Internet Explorer browser.


589379-1 : ZebOS adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.

Component: TMOS

Symptoms:
In a configuration with a summary route that is added to ZebOS and configured with 'not-advertise', when deleting the exactly matching route, ospfd sends LSA route with age 1, then immediately sends update with age 3600.

Conditions:
OSPF using route health injection for default route.

Impact:
No functional impact. The extraneous LSA is immediately aged out.

Workaround:
Configure a static default route in imish instead of using RHI for the default route.

Fix:
ZebOS no longer adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.


589298 : TMM crash with a core dump

Component: Application Security Manager

Symptoms:
TMM crash with a core dump

Conditions:
ASM provisioned
Session Awareness enabled
Mirroring is enabled
HA (CMI) setup

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The handling of Session Awareness in an HA (CMI) setup has been fixed to prevent TMM crashes.


589256-4 : DNSSEC NSEC3 records with different type bitmap for same name.

Component: Global Traffic Manager

Symptoms:
For a delegation from a secure zone to an insecure zone, BIG-IP returns different type bitmaps in the NSEC3 record depending on the query type. This causes BIND9's validator to reject the secure delegation to the insecure zone.

Conditions:
For insecure delegations, the DNSSEC implementation does not support the DS record. Those queries are forwarded to the backend (BIND, if selected as the fallback). Because there is no ZSK/KSK for the insecure child zone, BIND responds with an SOA, which the BIG-IP system dynamically signs.

Impact:
DNS lookups may fail if BIND9's validator rejects the delegation.

Workaround:
None.

Fix:
If the response is a NODATA from either the proxy or a transparent cache and the query is for a DS record, the type bitmap is now set to NS.


588572-2 : Unnecessary re-transmission of packets on higher ICMP PMTU.

Component: Local Traffic Manager

Symptoms:
LTM re-transmits TCP segments even when ICMP Path maximum transmission unit (PMTU) is higher than existing MTU.

Conditions:
ICMP PMTU is higher than existing MTU. User enables MPTCP, Rate Pacing, or any of the following congestion controls:
Vegas, Illinois, Woodside, CHD, CHG

Impact:
Burst traffic generated.

Workaround:
Disable Path MTU Discovery by entering the following command:

tmsh modify sys db tm.enforcepathmtu value disable

Fix:
Fixed unnecessary re-transmission of packets on higher ICMP Path maximum transmission unit (PMTU) in the advanced TCP implementation.


588569-2 : Don't include maximum TCP options length in calculating MSS on ICMP PMTU.

Component: Local Traffic Manager

Symptoms:
The TCP segment size is 40 bytes smaller than it should be.

Conditions:
ICMP Path MTU (PMTU) discovery is in use. User enables MPTCP, Rate Pacing, or any of the following congestion controls:
Vegas, Illinois, Woodside, CHD, CHG

Impact:
The impact of this issue is less data per TCP segment.

Workaround:
Disable Path MTU Discovery by entering the following command:

tmsh modify sys db tm.enforcepathmtu value disable

Fix:
Don't include maximum TCP options length in calculating MSS on ICMP PMTU in the advanced TCP implementation.


588351-3 : IPv6 fragments are dropped when packet filtering is enabled.

Component: Local Traffic Manager

Symptoms:
IPv6 fragments are dropped when packet filtering is enabled.

Conditions:
Packet filtering is enabled and the system is processing IPv6 fragments.

Impact:
IPv6 fragments with a non-zero offset are lost.

Workaround:
Disable packet filtering.

Fix:
IPv6 fragments are no longer dropped when packet filtering is enabled.


588115-4 : TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw

Component: Local Traffic Manager

Symptoms:
As a result of a known issue TMM may crash in some specific scenarios if there is an overlapping and more specific route to the floating self-IP range configured on the unit.

Conditions:
-- Unit configured with a floating self-IP and allow-service != none.
-- More specific route exists via GW to the self-IP.
-- Configured gateway for the overlapping route is unreachable.
-- Ingress traffic to the floating self-IP.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid the use of routes overlapping with configured floating self-IPs.

Fix:
TMM no longer crashes when floating self IPs are configured with more specific overlapping routes.


587966-5 : LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port

Component: Local Traffic Manager

Symptoms:
LTM FastL4 DNS virtual server or SNAT: first A query dropped when A and AAAA requested at the same time with same source IP:port.

Conditions:
A and AAAA DNS Query requested at the same time with the same source IP and Port.

Impact:
Type A DNS queries are dropped intermittently.

Workaround:
Configure a standard virtual server with a UDP profile for the traffic instead of using FastL4 or SNAT.

Fix:
Type A requests are no longer dropped when A and AAAA DNS queries are requested at the same time with the same source IP and port.


587892 : Multiple iRule proc names might clash, causing the wrong rule to be executed.

Component: Local Traffic Manager

Symptoms:
Multiple iRule proc names might clash, causing the wrong rule to be executed.

Conditions:
This occurs when there is an iRule configured with more than one proc, which might cause the wrong proc to get executed.

Impact:
The call proc might execute the wrong proc.

Workaround:
None.

Fix:
Multiple iRules configured with more than one proc no longer cause the wrong proc to get executed.


587691-2 : TMM crashes upon SSL handshake cancellation.

Component: Local Traffic Manager

Symptoms:
TMM crashes upon SSL handshake cancellation.

Conditions:
SSL handshake cancellation.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes when SSL handshake is canceled.


587077-4 : Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118

Vulnerability Solution Article: K37603172


586878-1 : During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.

Component: TMOS

Symptoms:
During upgrade, configuration fails to load due to invalid clientssl profile cert/key configuration. The validation to verify whether at least one valid key/cert pair exists in clientssl profiles was enforced in software versions through 11.5.0. This validation was not in effect in versions 11.5.1, 11.5.2, and 11.5.3.

The lack of validation resulted in invalid clientssl profiles (those containing empty key/certs or a cert/key of 'default'). When you upgrade such a configuration to 11.5.4 or later, you will receive a validation error, and the configuration will fail to load after upgrade.

Conditions:
The issue occurs when all of the following conditions are met:
1. You have a clientssl profile in a configuration from a version without validation (that is, 11.5.1, 11.5.2, or 11.5.3).
2. The clientssl profile in the configuration has an empty cert/key, or a cert/key of 'default'.
3. You upgrade to a version that has the cert/key validation (specifically, 11.5.4, 11.6.0, 11.6.1, and versions 12.1.0 and later).

Impact:
Configuration fails to load. The system posts an error message that might appear similar to one of the following:
-- 01070315:3: profile /Common/my_client_ssl requires a key Unexpected Error: Loading configuration process failed.
-- 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file.
Unexpected Error: Loading configuration process failed.

Workaround:
To work around this situation, modify the configuration file before upgrading:
1. Check the config file /config/bigip.conf.
2. Identify the clientssl profile without a cert/key.
    For example, it might look similar to the following:
    ltm profile client-ssl /Common/cssl_no-cert-key2 {
        app-service none
        cert none
        cert-key-chain {
            "" { }
        }
        chain none
        defaults-from /Common/clientssl
        inherit-certkeychain false
        key none
        passphrase none
    }

   Note: The profile might have a cert-key-chain name but no cert/key. In other words, it could also appear similar to the following example:
    ltm profile client-ssl /Common/cssl_no-cert-key2 {
        app-service none
        cert none
        cert-key-chain {
            default { }
        }
        chain none
        defaults-from /Common/clientssl
        inherit-certkeychain false
        key none
        passphrase none
    }
3. Remove the clientssl profile from /config/bigip.conf.
4. Run the command: tmsh load sys conf.
5. Re-create the clientssl profiles you need.
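
Step 2 of the workaround is a manual search of /config/bigip.conf. The following is an added example, not an F5 tool or anything from the release note: a Python script that extracts every client-ssl profile from a bigip.conf text and flags those with no usable cert/key pair, using the rule the note states (empty or 'default' cert/key does not count). SAMPLE_BIGIP_CONF is constructed from the two profile shapes quoted above plus two profiles that should pass; treating a profile with inherit-certkeychain true as valid is an assumption (the parent is presumed to supply the pair).

```python
"""Find clientssl profiles in a bigip.conf that lack a real cert/key pair.

Added example, not an F5 tool. SAMPLE_BIGIP_CONF is constructed from the two
profile shapes quoted in the workaround plus two profiles that should pass.
"""
import re

# Values that do not count as a usable cert or key (release note: empty or 'default').
INVALID_VALUES = {'none', 'default', '""', ''}

SAMPLE_BIGIP_CONF = """\
ltm profile client-ssl /Common/cssl_no-cert-key2 {
    app-service none
    cert none
    cert-key-chain {
        "" { }
    }
    chain none
    defaults-from /Common/clientssl
    inherit-certkeychain false
    key none
    passphrase none
}
ltm profile client-ssl /Common/cssl_default-name {
    cert none
    cert-key-chain {
        default { }
    }
    inherit-certkeychain false
    key none
}
ltm profile client-ssl /Common/cssl_chain_only {
    cert none
    cert-key-chain {
        app {
            cert /Common/app.crt
            key /Common/app.key
        }
    }
    key none
}
ltm profile client-ssl /Common/cssl_inherits {
    defaults-from /Common/clientssl
    inherit-certkeychain true
}
"""

def _block(text, start):
    """Return the body of the brace block whose '{' is at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError('unbalanced braces')

def client_ssl_profiles(conf):
    """Yield (name, body) for every 'ltm profile client-ssl' object in the text."""
    for m in re.finditer(r'^ltm profile client-ssl (\S+)\s*\{', conf, re.M):
        yield m.group(1), _block(conf, m.end() - 1)

def _strip_nested_blocks(body):
    """Remove nested { ... } blocks so only the profile's own top-level settings remain."""
    prev = None
    while prev != body:
        prev, body = body, re.sub(r'\{[^{}]*\}', '', body)
    return body

def _setting(flat, name):
    m = re.search(r'^\s*' + re.escape(name) + r'\s+(\S+)\s*$', flat, re.M)
    return m.group(1) if m else None

def chain_has_pair(body):
    """True if cert-key-chain holds at least one named entry with a real cert and key."""
    m = re.search(r'^\s*cert-key-chain\s*\{', body, re.M)
    if not m:
        return False
    chain = _block(body, m.end() - 1)
    for entry in re.finditer(r'(\S+)\s*\{([^{}]*)\}', chain):
        name, settings = entry.group(1), entry.group(2)
        if name in INVALID_VALUES:          # the "" { } and default { } shapes from the note
            continue
        cert = re.search(r'(?<!\S)cert\s+(\S+)', settings)
        key = re.search(r'(?<!\S)key\s+(\S+)', settings)
        if cert and key and cert.group(1) not in INVALID_VALUES and key.group(1) not in INVALID_VALUES:
            return True
    return False

def profile_is_valid(body):
    """Apply the 11.5.4+ rule: at least one real cert/key pair, directly or in the chain."""
    flat = _strip_nested_blocks(body)
    if _setting(flat, 'inherit-certkeychain') == 'true':
        return True                          # assumption: parent profile supplies the pair
    cert, key = _setting(flat, 'cert'), _setting(flat, 'key')
    if cert and key and cert not in INVALID_VALUES and key not in INVALID_VALUES:
        return True
    return chain_has_pair(body)

def find_invalid_client_ssl_profiles(conf):
    """Names of client-ssl profiles the upgrade validation would reject."""
    return [name for name, body in client_ssl_profiles(conf) if not profile_is_valid(body)]

if __name__ == '__main__':
    for name in find_invalid_client_ssl_profiles(SAMPLE_BIGIP_CONF):
        print(f'{name}: no usable cert/key pair; fix or remove before upgrading')
```

Run it against a copy of /config/bigip.conf taken before the upgrade; each name it prints is a profile to remove (step 3) and re-create (step 5). The brace walker rather than a line-based grep is deliberate: the cert-key-chain entries are nested blocks, and a profile whose only pair lives inside the chain must not be flagged.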


586738-3 : The tmm might crash with a segfault.

Component: Local Traffic Manager

Symptoms:
The tmm might crash with a segfault.

Conditions:
Using IPsec with hardware encryption.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
When IPsec is configured with hardware encryption, an encryption error now returns an error code when appropriate and is handled as expected, so tmm no longer crashes with a segfault.


586718-5 : Session variable substitutions are logged

Component: Access Policy Manager

Symptoms:
With the log level set to debug, session variable substitutions are logged, including the encrypted password if the password variable is substituted. You may see log entries similar to the following, with the encrypted password included:

debug apmd[3531]: 01490000:7: Util.cpp func: "ScanReplaceSessionVar()" line: 608 Msg: data: '%{session.logon.last.password}' start_pos: 0, count: 30 on 'session.logon.last.password'

Conditions:
APM Access Policy log level set to debug, and session variable substitution is performed.

Impact:
Session variable substitutions should not be logged, even if the logged value is encrypted.

Workaround:
Set log level to informational or notice for normal operations. Logging at debug level is not recommended unless absolutely needed for specific troubleshooting as it adversely affects system performance.

Fix:
Session variable substitutions are no longer logged.
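
Until a system is running a fixed version, the practical defensive check is to look through existing APM logs for substitution entries that name the password variable. The following is an added example, not part of the release note or of any F5 tool: a Python detector and redactor for the ScanReplaceSessionVar message format quoted in the Symptoms section. The sample log lines are constructed from that format, the encrypted password value is a placeholder, and the set of sensitive variable names contains only the variable this page names (extending it is the reader's policy decision).

```python
"""Detect and redact APM debug log lines that echo password session variable substitutions.

Added example, not part of the BIG-IP release note or an F5 tool. The log lines
are constructed from the message format quoted in the Symptoms section; the
encrypted password value is a made-up placeholder.
"""
import re

# Session variables whose substitution must never appear in logs.
# Only the variable named on this page is listed; extend per your own policy (assumption).
SENSITIVE_VARS = {'session.logon.last.password'}

SUBST_LINE = re.compile(
    r"ScanReplaceSessionVar\(\)"              # the apmd function that logs the substitution
    r".*?Msg: data: '(?P<data>[^']*)'"        # the substituted data, quoted
    r".*?on '(?P<var>[^']+)'"                 # the session variable being substituted
)

APMD_PREFIX = 'Jan  1 00:00:01 bigip1 debug apmd[3531]: 01490000:7: Util.cpp func: "ScanReplaceSessionVar()" line: 608 '

SAMPLE_LOG = [  # constructed
    APMD_PREFIX + "Msg: data: '%{session.logon.last.password}' start_pos: 0, count: 30 on 'session.logon.last.password'",
    APMD_PREFIX + "Msg: data: 'ENCRYPTED-PASSWORD-PLACEHOLDER' start_pos: 0, count: 30 on 'session.logon.last.password'",
    APMD_PREFIX + "Msg: data: 'jdoe' start_pos: 0, count: 4 on 'session.logon.last.username'",
    'Jan  1 00:00:02 bigip1 notice apmd[3531]: constructed non-substitution line, no session variable data',
]

def find_sensitive_substitutions(lines, sensitive=SENSITIVE_VARS):
    """Return (line_number, variable) for every substitution entry naming a sensitive variable.

    Both the template line ('%{...}') and the resolved-value line are reported,
    because the resolved-value line is the one that carries the encrypted password.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        m = SUBST_LINE.search(line)
        if m and m.group('var') in sensitive:
            hits.append((n, m.group('var')))
    return hits

def redact(line, sensitive=SENSITIVE_VARS):
    """Replace the substituted data on a sensitive line with a marker; other lines pass through."""
    m = SUBST_LINE.search(line)
    if not m or m.group('var') not in sensitive:
        return line
    start, end = m.span('data')
    return line[:start] + '[REDACTED]' + line[end:]

if __name__ == '__main__':
    for n, var in find_sensitive_substitutions(SAMPLE_LOG):
        print(f'line {n}: substitution of {var} was logged')
    for line in SAMPLE_LOG:
        print(redact(line))
```

Feed it the rotated /var/log/apm files (or a central syslog export) to decide whether log copies need scrubbing; the redact() function is for cleaning exported copies, and the real remediation remains lowering the log level as the workaround says and applying the fix.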


586056 : Machine cert checker doesn't work as expected if issuer or AltName is specified

Component: Access Policy Manager

Symptoms:
Windows Machine cert checker doesn't work as expected if issuer or AltName is specified. User cannot pass access policy even with valid machine cert.

Logs on the client PC may contain entries such as:

EXCEPTION - CCertCheckCtrl::Verify FindCertificateInStore failed with error code:

and

CCertCheckCtrl::Verify, Store name:"MY", Store location:"LocalMachine", Subject match FQDN:"1", Allow elevation UI:"0", Serial number(HEX):"", Issuer:"??????????????????????", SubjectAltName:""

Conditions:
Issuer or Subject AltName fields are populated.

Site recently upgraded to 11.5.4.

Impact:
User may not pass the policy as expected.

Workaround:
N/A

Fix:
Now Machine Cert checker correctly processes issuer and SAN fields.


586006-5 : Failed to retrieve CRLDP list from client certificate if DirName type is present

Component: Access Policy Manager

Symptoms:
The client certificate revocation check fails.

Conditions:
Two conditions will trigger this problem:
1. A CRLDP agent is configured in the access policy without a server hostname and port, which are needed for DirName type processing, AND
2. At least one DirName type CRLDP is present in the client certificate and it is the first in the list.

Impact:
Users may fail access policy evaluation when client certificates are used.

Workaround:
Configure an LDAP server for the CRLDP object. It need not return a valid CRL.


585412-1 : SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines

Component: Local Traffic Manager

Symptoms:
Connections to a virtual server that uses an SMTPS profile may be reset with a reset cause of 'Out of memory.'

Conditions:
This might occur under the following conditions:
-- A virtual server that uses an SMTPS profile with activation-mode set to allow.
-- A client connection which does not use TLS that sends a DATA section with a text line that is longer than approximately 8192 characters.

8192 characters is an approximation for the maximum line length. The actual problem length can be affected by the MSS value and the particular way that the TCP traffic is segmented.

Impact:
The TCP connection is reset with a reset cause of 'Out of memory' and the email is not delivered.

Workaround:
None.

Fix:
A virtual server that uses an SMTPS profile with activation-mode set to allow no longer resets connections when the client does not use STARTTLS and the email body contains very long lines.


585045 : ASM REST: Missing 'gwt' support for urlContentProfiles

Component: Application Security Manager

Symptoms:
A URL's header content profile cannot be set to 'gwt' via REST, and if such a configuration exists on the device, then REST will fail to retrieve the collection.

Conditions:
ASM REST is used to configure or inspect URLs on a Security Policy, and GWT profiles are used.

Impact:
Unusable REST for the collection.

Workaround:
None.

Fix:
GWT profiles on URLs are now correctly supported via REST.


584717 : TCP window scaling is not applied when SYN cookies are active

Component: Local Traffic Manager

Symptoms:
TCP window scaling is not applied, which can be observed in transmitted packets containing small segments that are about the size of the unscaled window.

Conditions:
SYN cookies have been activated.

Impact:
Poor performance / throughput.

Workaround:
None.

Fix:
The tmm now properly scales the TCP window upon SYN cookie activation.


584373-1 : AD/LDAP resource group mapping table controls are not accessible sometimes

Component: Access Policy Manager

Symptoms:
In the AD/LDAP resource group mapping table, when both group names and resource names are lengthy, the edit link and control buttons can disappear beyond the dialog bounds.

Conditions:
Very long group names and resource names.

Impact:
It is impossible to delete or move rows in the table; editing is still possible.

Workaround:
Spread one assignment across multiple rows.

Fix:
A scroll bar now appears when needed.


584310 : TCP::Collect ignores the 'skip' parameter when used in serverside events

Component: Local Traffic Manager

Symptoms:
When TCP::Collect is used with 'skip' and 'length' arguments in SERVER_CONNECTED, the 'skip' argument does not take effect and is ignored. The collect works, but collects only the 'length' bytes from the start.

Conditions:
TCP::Collect used with the 'skip' parameter in server-side events such as SERVER_CONNECTED. This is an intermittent issue that has been observed only with IIS servers.

Impact:
TCP::Collect collects bytes without taking the skip into account, so the bytes collected are not the correct ones.

Workaround:
None.

Fix:
The settings for TCP::Collect command skip and length arguments are now honored during packet processing.


584029-7 : Fragmented packets may cause tmm to core under heavy load

Component: Local Traffic Manager

Symptoms:
tmm cores due to an assertion failure.

Conditions:
tmm offloads a fragmented packet via an ffwd operation.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


583957-3 : The TMM may hang handling pipelined HTTP requests with certain iRule commands.

Component: Local Traffic Manager

Symptoms:
Rarely, the TMM may hang during an HTTP::respond or HTTP::redirect iRule command if it is part of a pipelined HTTP request.

Conditions:
An HTTP::respond or HTTP::redirect iRule command is used.
The iRule command is in an event triggered on the client-side.
A pipelined HTTP request is being handled.

Impact:
The TMM will be restarted by SOD.

Fix:
The TMM no longer hangs in rare situations when processing a pipelined HTTP request and invoking an HTTP::respond or HTTP::redirect iRule command.


583936-1 : Removing ECMP route from BGP does not clear route from NSM

Component: TMOS

Symptoms:
When configured to install multiple routes into the routing table, ZebOS does not withdraw BGP routes when a neighbor is shut down and it has more than two routes already installed for the same route prefix.

Conditions:
ECMP routing must be enabled and in-use.

Impact:
ECMP routes are not properly removed from the main routing table.

Fix:
ECMP routes are now properly removed from the routing table.


583631-1 : ServerSSL ClientHello does not encode lowest supported TLS version, which might result in alerts and closed connections on older Servers.

Component: Local Traffic Manager

Symptoms:
Server SSL ClientHello does not encode lowest supported TLS version. The outer record for a ClientHello contains the same version as the ClientHello. If, for example, the ClientHello is TLS1.2, the outer record will contain TLS1.2. Older servers that do not support later TLS versions might generate an alert and close the connection.

Conditions:
A BIG-IP system with a server SSL profile that supports a TLS version higher than that of the server to which it is connecting.

Impact:
The connection fails. The system might generate an alert.

Workaround:
Force the server SSL profile to use a lower TLS version number by selecting 'No TLSv1.2' or 'No TLSv1.1' in the 'Options' section of the Server SSL Profile.

Fix:
When the db variable 'SSL.OuterRecordTls1_0' is set to 'enable', the outer SSL record always contains TLS1.0. This is the default. You can use this db variable to prevent the issue on older servers that do not support TLS versions later than 1.0, where an alert might otherwise be generated that closes the connection.

Behavior Change:
Formerly, the version present in the ClientHello and the version present in the outer record would match. Now, if the sys db variable 'SSL.OuterRecordTls1_0' is set to 'enable', the version present in the outer record is TLS 1.0 regardless of the version in the ClientHello. This is the default.


583285-2 : BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.

Component: TMOS

Symptoms:
The BIG-IP system logs INVALID-SPI messages but does not remove the associated Security Associations (SAs) corresponding to the message. This is the second part of a fix provided for this issue. See fixes for bug 569236 for the first part.

Conditions:
This can occur if an IPsec peer deletes a phase2 (IPsec) SA and does not send a 'notify delete' message to the other peer. The INVALID-SPI message is most likely to be seen when the peer deletes an SA before the SA's agreed lifetime.

Impact:
If the BIG-IP is always the Initiator, the Responder will not initiate a new tunnel if the Responder only handles responses to the BIG-IP clients' traffic. The BIG-IP system continues to use the IPsec SA it believes to be still up. When an SA expires prematurely, some IPsec peers will reject an inbound SPI packet with an ISAKMP INVALID-SPI notify message. If the INVALID-SPI message does not cause new SAs to be created, there will be a tunnel outage until the SA lifetime expires on the defunct SA held on the BIG-IP system.

Workaround:
Manually remove the invalid SA on the BIG-IP system.

Fix:
Now, when the BIG-IP system receives INVALID-SPI messages, it deletes the invalid Security Association as well as logging the INVALID-SPI message, so the tunnel can initiate again. This is part two of a two-part fix. Fixes for bug 569236 provide part one of the fix.


582952 : Linux kernel vulnerability CVE-2013-4483

Vulnerability Solution Article: K31300371


582683-1 : xpath parser doesn't reset a namespace hash value between each and every scan

Component: Application Security Manager

Symptoms:
After a while the iRule event stops firing until the cbrd daemon is restarted.

Conditions:
The customer has a virtual server configured with an XML profile, along with an iRule that triggers on the XML_CONTENT_BASED_ROUTING event.

Impact:
XML content based routing does not work dependably.

Workaround:
N/A

Fix:
The xpath parser now restores the namespace declarations each time it finishes parsing a document.


582440-1 : Linux client does not restore route to the default GW on Ubuntu 15.10

Component: Access Policy Manager

Symptoms:
Default route may be deleted after network access connection is deleted on Linux Ubuntu 15.10 distribution.

Conditions:
Ubuntu 15.0; a network access tunnel is connected and then disconnected.

Impact:
User will not be able to reach internet after disconnecting from network access.

Workaround:
If Wi-Fi is in use, turn it off and on again.
If Ethernet is used, unplugging and plugging in the cable again should solve the problem.


582295 : ospfd core dump when redistributing NSSA routes in a HA failover

Component: TMOS

Symptoms:
ospfd dumps core when NSSA routes are redistributed.

Conditions:
A failover is initiated through the GUI on a BIG-IP high availability (HA) configuration, and the standby BIG-IP system cannot take the active role due to a low HA score, so the original active BIG-IP system takes back the active role.

Impact:
ospfd terminates on the BIG-IP system leading to connectivity issues until the ospfd comes up.

Workaround:
None.

Fix:
ospfd no longer crashes when redistributing NSSA routes in an HA failover event.


581834-3 : Firefox signed plugin for VPN, Endpoint Check, etc

Component: Access Policy Manager

Symptoms:
Clients are unable to use the Firefox plugin on Firefox version 47 and above.

Conditions:
Clients using Firefox v47 and above attempt to use the Firefox plugin.

Impact:
Clients will be unable to use the plugin if they are using Firefox version 47 and above

Fix:
The Firefox plugin now supports all versions.


581770-1 : Network Access traffic does not pass IPv6 traffic if a Network Access resource contains IPv4&IPv6

Component: Access Policy Manager

Symptoms:
Network Access clients are unable to pass IPv6 traffic

Conditions:
Network Access resource configured with IPv4&IPv6
Client attempts to pass IPv6 traffic

Impact:
IPv6 traffic is dropped

Fix:
APM will now pass IPv6 traffic through the tunnel if an IPv4&IPv6 resource is configured.


580817-4 : Edge Client may crash after upgrade

Component: Access Policy Manager

Symptoms:
The Edge client may crash after upgrading to 11.4.1 through 12.0.0.

Conditions:
Access Policy with Firewall Checker
Update BIG-IP to 12.1.0

Impact:
Users are unable to use the Edge client

Fix:
Fixed a crash in the Edge client


580596-5 : TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907

Vulnerability Solution Article: K14190 K39508724


580429-3 : CTU does not show second Class ID for InstallerControll.dll

Component: Access Policy Manager

Symptoms:
The Client Troubleshooting Utility does not display the registered class ID of InstallerControll.dll.

Conditions:
Client troubleshooting utility is used to display all installed edge client components.

Impact:
No impact to end user or administrator. Impacts F5 support.

Workaround:
None.

Fix:
CTU now shows the class ID of InstallerControll.dll.


580421-4 : Edge Client may not register DLLs correctly

Component: Access Policy Manager

Symptoms:
After an end-user confirms that they want to install InstallerControll.cab, the browser gets stuck in 'Checking client'.

Conditions:
Client is using Internet Explorer

Impact:
Clients are unable to install the Edge client components

Fix:
Edge client components are now registered properly.


580340-4 : OpenSSL vulnerability CVE-2016-2842

Vulnerability Solution Article: K52349521


580313-4 : OpenSSL vulnerability CVE-2016-0799

Vulnerability Solution Article: K22334603


580303-2 : When going from active to offline, tmm might send a GARP for a floating address.

Component: Local Traffic Manager

Symptoms:
When moving from active to offline, tmm might send one final GARP for a floating address from the device that is moving offline.

Conditions:
Using high availability, and switching a device from active to offline.

Impact:
The GARP from the offline device can arrive on upstream devices after the GARP from the newly active device, which might poison the address cache of the upstream device. The result is that failover takes longer, since the upstream devices must rediscover the active device.

Workaround:
Use MAC masquerading along with the floating address; the system sends a GARP for the MAC masqueraded address, which prevents the issue.

Fix:
tmm no longer sends a final GARP for a floating address immediately before going offline.


579975-4 : OpenSSL vulnerability

Vulnerability Solution Article: K79215841


579955-4 : BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475

Vulnerability Solution Article: K01587042


579926-2 : HTTP starts dropping traffic for a half-closed connection when in passthrough mode

Component: Local Traffic Manager

Symptoms:
HTTP starts dropping traffic for a half-closed connection when in passthrough mode.

Conditions:
HTTP is in passthrough mode. Traffic is flowing for a half-closed connection.

Impact:
Incomplete data transfer to end-point, when the connection is half-closed and HTTP is in passthrough mode.

Workaround:
No workaround.


579919 : TMM may core when LSN translation is enabled

Component: Local Traffic Manager

Symptoms:
tmm cores.

Conditions:
A virtual server uses LSN translation with a destination matching a pool-based route.

Impact:
Traffic disrupted while tmm restarts.

Fix:
A virtual server with LSN translation no longer causes tmm to core when the destination matches a pool-based route.


579909-3 : Secondary MCPD exits for APM Sandbox warning improperly treated as configuration error

Component: Access Policy Manager

Symptoms:
Secondary blade MCPD exits if APM Sandbox intends to log a warning message when it fails to remove the corresponding sandbox directory /var/sam/www/webtop/sandbox/files_d/<partition_name>_d while the user is removing the partition.

Several cases can log such a Sandbox warning message and cause an mcpd crash and/or tmm crash. APM can log the warning if it encounters a directory that is not empty, or if the directory does not exist. You will see this error signature in /var/log/ltm:

Mar 11 11:36:49 slot2/viprion-3 warning mcpd[6022]: 010717ac:4: Configuration Warning: Cannot remove directory with symlink to sandbox for partition (p1). Error: Directory not empty. If you have access to bash shell, try to run command: rmdir /var/sam/www/webtop/sandbox/files_d/p1_d/

Conditions:
The sandbox directory corresponding to the partition that you are deleting cannot be removed on the secondary blade for any reason (for example, it does not exist or is not empty). This can occur on the secondary blades if you create a partition before provisioning APM, then delete the partition on the primary blade, and auto-sync is enabled in the device group.

Impact:
Secondary MCPD exits and blade restarts. Tmm can core. Traffic disrupted while tmm restarts.

Workaround:
N/A

Fix:
The secondary MCPD no longer exits; it only logs the warning message, and the partition is deleted successfully.


579843-4 : tmrouted may not re-announce routes after a specific succession of failover states

Component: Local Traffic Manager

Symptoms:
tmrouted does not re-announce RHI routes after a specific transition of failover states within an HA pair using dynamic routing.

Conditions:
- Active/Standby HA pair set up.
- Both units configured with a dynamic routing protocol and Route Health Injection enabled on one or more virtual addresses.
- Active unit goes through the following succession of failover states:
  Active->Offline->Online->Standby->Active

Impact:
tmrouted may not announce the virtual addresses when coming back to the Active state after the succession of states listed above.

Workaround:
A failover to Standby and back to Active works around the issue.
Restarting tmrouted is also an alternative option.

Fix:
tmrouted now re-announces RHI routes after this transition of failover states within an HA pair using dynamic routing.


579829-4 : OpenSSL vulnerability CVE-2016-0702

Vulnerability Solution Article: K79215841


579559-4 : DTLS Network Access may not work with some hardware platforms with Nitrox hardware acceleration

Component: Access Policy Manager

Symptoms:
Network Access always falls back to a TLS connection, even if DTLS is configured, when connecting to some hardware platforms.

Conditions:
Network Access is configured to use DTLS.
A hardware BIG-IP with DTLS Nitrox acceleration is used.

Impact:
The Network Access connection always falls back to a TLS connection.

Workaround:
N/A

Fix:
Previously, Network Access always fell back to a TLS connection even if DTLS was configured when connecting to some hardware platforms. Network Access no longer falls back to TLS.


579371-1 : BIG-IP may generate ARPs after transition to standby

Component: Local Traffic Manager

Symptoms:
tmm generates unexpected ARPs after entering standby.

Conditions:
-- High availability configuration with a vlangroup with bridge-in-standby disabled.
-- ARP is received just before transition to standby.

Impact:
Unexpected ARP requests that might result in packet loops.

Workaround:
None.

Fix:
ARPs will no longer be proxied on vlangroups with bridge-in-standby disabled after entering standby.


579284-5 : Potential memory corruption in MCPd

Component: TMOS

Symptoms:
Memory in mcpd could get corrupted. The effect of this is unpredictable.

Conditions:
Varies. One way (but not the only way) this could be seen is by cancelling a chunked stats query (e.g. hitting ctrl-c during "show sys connection").

Impact:
Varies. Sometimes nothing will happen; other times MCP could start acting unpredictably. In one case it closed its connection to TMM, which caused all TMMs to restart.

Fix:
Identified and fixed areas of potential memory corruption in MCP.


579237-4 : OpenSSL Vulnerability CVE-2016-0705

Vulnerability Solution Article: K93122894


579220-2 : Mozilla NSS vulnerability CVE-2016-1950

Vulnerability Solution Article: K91100352


579085-3 : OpenSSL vulnerability CVE-2016-0797

Vulnerability Solution Article: K40524634


579047 : Unable to update the default http-explicit profile using the GUI.

Component: TMOS

Symptoms:
Trying to update default Local Traffic :: Profiles : Services : HTTP :: http-explicit profile, the system posts the following error: 'Some fields below contain errors. Correct them before continuing.' Under the 'Explicit Proxy' section for 'DNS Resolver' option, the system posts the following error: '010717e8:3: Invalid 'dns-resolver' value for profile /Common/http-explicit. The dns-resolver does not exist.'

Conditions:
Updating default http-explicit profile using the GUI.

Impact:
Error messages. Unable to update the default http-explicit profile using the GUI.

Workaround:
Use tmsh to update the default http-explicit profile.

Fix:
You can now update the default http-explicit profile without error using the GUI.


578844-3 : tmm cores when switching to IPv6 virtual server while connected to IPv4 virtual server with Edge Client.

Component: Access Policy Manager

Symptoms:
tmm cores when switching to IPv6 virtual server while connected to IPv4 virtual server with Edge Client.

Conditions:
NA resource with IPv4&IPv6 is used (SNAT pool in NA resource is set to None). User is connected to IPv4 Virtual server.
While connected user clicks on 'Change server' and chooses an IPv6 virtual server.

Impact:
Traffic disrupted while tmm restarts.


578570-3 : OpenSSL Vulnerability CVE-2016-0705

Vulnerability Solution Article: K93122894


578353-1 : Statistics data aggregation process is not optimized

Component: Application Visibility and Reporting

Symptoms:
CPU spikes may occur every 5 minutes.

Conditions:
Occurs all the time.

Impact:
High CPU usage may be observed every 5 minutes.

Workaround:
For versions based on 11.5.4 and 11.6.0 take the following steps:

1. Edit the entry 'AggregationMode' under the /etc/avr/monpd/monpd.cfg file and set it to be 'low' instead of 'medium' or 'high'.

2. Restart monpd afterwards.

For 12.0.0 and on:
tmsh modify sys db avr.stats.aggregation value low

Fix:
The aggregation of statistics in the DB, which is performed by monpd, is now optimized and skips redundant updates of tables.


578045-5 : The HTTP_PROXY_REQUEST iRule event can cause the TMM to crash if pipelined ingress occurs when the iRule parks

Component: Local Traffic Manager

Symptoms:
The TMM crashes while resuming from an HTTP_PROXY_REQUEST event.

Conditions:
A HTTP_PROXY_REQUEST iRule event parks. Pipelined ingress occurs.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Don't use parking iRule commands within the HTTP_PROXY_REQUEST event.

If a parking command must be used, the following may work:

Try using TCP::collect to disable ingress while a potentially parking iRule command executes. TCP::release can be used after the command completes to restore normal behavior.

Another work-around is to set max-requests to 1. (Disabling pipelining.)


577828-4 : BIND vulnerability CVE-2016-2088

Vulnerability Solution Article: K59692558


577826-3 : BIND vulnerability CVE-2016-1286

Vulnerability Solution Article: K62012529


577823-3 : BIND vulnerability CVE-2016-1285

Vulnerability Solution Article: K46264120


577814 : MCPd might leak memory in PEM stats queries.

Component: Policy Enforcement Manager

Symptoms:
Memory leak may result in an "Out of Memory" condition causing functional issues in the BIG-IP.

Conditions:
Occurs when a valid PEM stats query is issued by a UI (GUI, TMSH, REST, etc.) and PEM is configured on the BIG-IP.

Impact:
System may be unresponsive or crash due to being out of memory.

Workaround:
None.

Fix:
Fixed the potential MCPd memory leak in PEM stats queries.


577811 : SNMP sysObjectID OID reports ID of blade on VIPRION 2xxx-series platforms

Component: TMOS

Symptoms:
In BIG-IP v11.5.4, the behavior of the SNMP sysObjectID changed for VIPRION 2xxx-series platforms.
On other BIG-IP 10.x and 11.x versions running on VIPRION 2xxx-series platforms, the SNMP sysObjectID reports the ID of the Chassis (bigipVprC2400 or bigipVprC2200).
In BIG-IP v11.5.4 and v12.0.0 and later running on VIPRION 2xxx-series platforms, the SNMP sysObjectID reports the ID of the Blade (bigipVprB2100, bigipVprB2150, or bigipVprB2250).

In all versions of BIG-IP running on VIPRION 4xxx-series platforms, the SNMP sysObjectID reports the ID of the Blade (bigipPb100, bigipPb100n, bigipPb200, bigipPb200N, bigipVprB4300 or bigipVprB4300N).
In BIG-IP v12.0.0 and later running on VIPRION 2xxx-series platforms, the BIG-IP design is changed such that the SNMP sysObjectID reports the ID of the Blade (bigipVprB2100, bigipVprB2150, or bigipVprB2250), consistent with VIPRION 4xxx-series platforms.
[See Solution article for ID 425331, when published.]

Conditions:
VIPRION C2400 and C2200 chassis
VIPRION B2100, B2150 and B2250 blades
BIG-IP v11.5.4 (release)

Impact:
SNMP queries to identify VIPRION 2xxx-series platforms return the Blade ID instead of the Chassis ID, requiring changes in how the returned sysObjectID is interpreted.

Workaround:
Identify a VIPRION 2xxx-series platform by the appropriate Blade ID (bigipVprB2100, bigipVprB2150, or bigipVprB2250), instead of by the Chassis ID (bigipVprC2400 or bigipVprC2200).

Fix:
On VIPRION 2xxx-series platforms, the SNMP sysObjectID OID reports the ID of the Chassis, to match the behavior on VIPRION 2xxx-series platforms with previous BIG-IP versions 10.2.x and 11.x.

Behavior Change:
On VIPRION 2xxx-series platforms, the SNMP sysObjectID OID now reports the ID of the Chassis, to match the behavior on VIPRION 2xxx-series platforms with previous BIG-IP versions 10.2.x and 11.x.

Previously, SNMP sysObjectID reported the ID of the Blade on VIPRION 2xxx-series platforms, to match the behavior on VIPRION 4xxx-series platforms.


577668-2 : ASM Remote logger doesn't log 64 KB request.

Component: Application Security Manager

Symptoms:
A request longer than 10 KB is truncated to 10 KB in the ASM remote logger although the remote logger is configured to log up to 64 KB requests.

Conditions:
The remote logger is configured with a maximum request size of 64 KB.
A request is longer than 10 KB.

Impact:
Incorrect request size in the log.

Workaround:
N/A

Fix:
ASM can now log requests of up to 64 KB. (The actual size depends on the total message size and the other fields in the message.)


576897-2 : Using snat/snatpool in related-rule results in crash

Component: Local Traffic Manager

Symptoms:
TMM crash resulting in failover.

Conditions:
Using snat/snatpool command in related-rule.

Impact:
TMM crash resulting in failover.

Workaround:
Do not use snat/snatpool commands in a related-rule.


576591-3 : Support for some future credit card number ranges

Component: Application Security Manager

Symptoms:
ASM does not block or mask when a specific credit card number range (planned for the future) appears in the response.

Conditions:
The Data Guard feature is turned on and set to Block, Alarm or Mask. The response contains a credit card number in one of the specific ranges.

Impact:
The traffic passes unmasked or unblocked to the end client.

Workaround:
A custom pattern is possible for these cases, but should be adjusted to each customer specifically.


576350-3 : External input from client doesn't pass to policy agent if it is not the first in the chain.

Component: Access Policy Manager

Symptoms:
When client gets authenticated, and then the session is deleted (times out or is manually deleted from memcache), the browser still has its authorization token.

If client refreshes the page, the browser passes the existing 'authorization' token, which gets deleted by the agent processing the existing task (a message box, in this case) for the targeted agent (HTTP_401_Response agent, in this case).

Conditions:
When a logon page is not the first agent in the access policy chain and it gets a pre-authenticated token from browser.

Impact:
Although the client (browser) sends the pre-authenticated token, the browser still receives a credential challenge (pop-up window). This is unnecessary and should not occur.

Workaround:
None.

Fix:
An HTTP_401_RESPONSE page can be placed anywhere in the access policy chain. Any pre-authenticated information for the targeted agent will not be consumed by another agent sitting in front.


576314 : SNMP traps for FIPS device fault inconsistent among versions.

Component: Local Traffic Manager

Symptoms:
The snmp traps bigipFipsDeviceError and bigipFipsFault are inconsistent among versions.

Conditions:
This trap is raised if the FIPS device firmware has stopped responding to requests and is no longer functional. The trap is different on the BIG-IP 10350 FIPS platform.

Impact:
The meaning of the trap is that the system is not able to perform any FIPS operations and process FIPS related traffic. You will need to be mindful of which version you are on to interpret the OIDs correctly.

Fix:
An SNMP trap is generated when the system has detected a FIPS device fault, indicating that the device can no longer service FIPS operations. The OIDs differ across versions and on one specific platform. Here are the OIDs and versions:

BIGIP-COMMON-MIB::bigipFipsDeviceError .1.3.6.1.4.1.3375.2.4.0.152
This trap means "Encountered error in the FIPS card operation" on all FIPS platforms

BIGIP-COMMON-MIB::bigipFipsFault .1.3.6.1.4.1.3375.2.4.0.156 (from v11.5.4-hf1 and 11.6.1, not 12.0.0)
BIGIP-COMMON-MIB::bigipFipsFault .1.3.6.1.4.1.3375.2.4.0.166 (from v12.1.0)
These traps mean "The FIPS card is currently in faulty state" for the specific FIPS hardware included on the BIG-IP 10350


576305-1 : Potential MCPd leak in IPSEC SPD stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying IPSEC SPD stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying IPSEC SPD stats.


576296-1 : MCPd might leak memory in SCTP profile stats query.

Component: Local Traffic Manager

Symptoms:
The memory allocation for mcpd might grow by a small amount if SCTP profile stats are queried. In order to begin to impact the performance of the system, the stats would have to be queried many thousands of times.

Conditions:
An SCTP profile is configured, and the stats are displayed in TMSH or the GUI.

Impact:
Performance may be degraded.

Workaround:
None.

Fix:
Resolved a memory leak in mcpd resulting from a query of SCTP profile stats.


576069-1 : Rewrite can crash in some rare corner cases

Component: Access Policy Manager

Symptoms:
Rewrite can crash in some rare corner cases when specific erroneous elements are present in HTML content.

Conditions:
Any of the strings:

<meta http-equiv="refresh" />
<meta http-equiv="location" />
<param name="general_servername" />
<param name="wmode" />

triggers a guaranteed rewrite crash.

Impact:
Web application malfunction.

Workaround:
Use an iRule, or directly fix the improper HTML tag.

Fix:
Fixed.


575735-1 : Potential MCPd leak in global CPU info stats code

Component: TMOS

Symptoms:
MCPd leaks memory; the umem_alloc_8 cache will grow.

Conditions:
In some cases, querying global CPU information stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying global CPU information stats.


575726-1 : MCPd might leak memory in vCMP interface stats.

Component: TMOS

Symptoms:
MCPd might leak memory in vCMP interface stats.

Conditions:
The memory leak occurs when viewing VCMP interface statistics.

Impact:
Over time this can cause MCPd to run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying vCMP interface stats.


575716-1 : MCPd might leak memory in VCMP base stats.

Component: TMOS

Symptoms:
MCPd might leak memory in VCMP base stats.

Conditions:
This occurs when looking at VCMP base statistics.

Impact:
Over time this might cause MCPd to run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying VCMP base stats.


575708-1 : MCPd might leak memory in CPU info stats.

Component: TMOS

Symptoms:
MCPd might leak memory in CPU info stats.

Conditions:
In some cases, querying CPU information stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying CPU information stats.


575671-1 : MCPd might leak memory in host info stats.

Component: TMOS

Symptoms:
MCPd might leak memory in host info stats.

Conditions:
In some cases, querying host information stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying host information stats.


575631-2 : Potential MCPd leak in WAM stats query code

Component: WebAccelerator

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying WAM stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying WAM stats.


575626-6 : Minor memory leak in DNS Express stats error conditions

Component: Local Traffic Manager

Symptoms:
A minor memory leak might occur in certain error conditions relating to DNS Express statistics.

Conditions:
There are no known DNS Express configurations that lead to this issue. The problem was detected through standard code review practices.

Impact:
Memory leaks might eventually lead to system reboots.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur in certain error conditions relating to DNS Express statistics.


575619-1 : Potential MCPd leak in pool member stats query code

Component: TMOS

Symptoms:
MCPd leaks memory; the umem_alloc_8 cache will grow.

Conditions:
In some cases, querying pool member stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying pool member stats.


575612-4 : Potential MCPd leak in policy action stats query code

Component: Local Traffic Manager

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying policy action stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying policy action stats.


575609-4 : Zlib accelerated compression can result in a dropped flow.

Component: Access Policy Manager

Symptoms:
Some compression requests fail when the estimated compression output block is too small. Such failures leave a message in the log similar to: Device error: n3-compress0 Zip engine ctx eviction (comp_code=2): ctx dropped.

Conditions:
A block that will not compress can generate a compression output that exceeds the estimated output block size.

Impact:
The flow that encounters the error is dropped.

Workaround:
Disable hardware accelerated compression.

Fix:
Difficult to compress requests may be dropped.


575608-1 : MCPd might leak memory in virtual server stats query.

Component: TMOS

Symptoms:
MCPd might leak memory in virtual server stats query.

Conditions:
In some cases, querying virtual server stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying virtual server stats.


575587-1 : Potential MCPd leak in BWC policy class stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying BWC policy stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying BWC policy stats.


575582-1 : MCPd might leak memory in FW network attack stats.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in FW network attack stats.

Conditions:
This occurs when looking at firewall network attack statistics.

Impact:
Over time this can cause MCPd to run out of memory and core.


575571-1 : MCPd might leak memory in FW DOS SIP attack stats query.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in FW DOS SIP attack stats query.

Conditions:
This occurs when looking at firewall DOS SIP stats.

Impact:
Over time this can cause MCPd to run out of memory and core.


575569-1 : MCPd might leak memory in FW DOS DNS stats query.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in FW DOS DNS stats query.

Conditions:
This occurs when looking at firewall DOS DNS statistics.

Impact:
Over time this can cause MCPd to run out of memory and core.


575565-1 : MCPd might leak memory in FW policy rule stats query.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in FW policy rule stats query.

Conditions:
This occurs when looking at firewall policy rule stats.

Impact:
Over time this can cause MCPd to run out of memory and core.


575564-1 : MCPd might leak memory in FW rule stats query.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in FW rule stats query.

Conditions:
This occurs when looking at firewall rule statistics.

Impact:
Over time this can cause MCPd to run out of memory and core.


575557-2 : MCPd might leak memory in FW rule stats.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in FW rule stats.

Conditions:
This occurs when looking at firewall rule statistics.

Impact:
Over time this can cause MCPd to run out of memory and core.


575499-3 : VPN filter may leave renew_lease timer active after teardown

Component: Access Policy Manager

Symptoms:
TMM cores, making the system unavailable for a period of time until it comes back up.

Conditions:
When using both IPv4 and IPv6 network access resources, with a static IP address for IPv4 and dynamic address assignment for IPv6, tmm cores while the NA tunnel is running or at NA disconnect time.

Impact:
TMM cores and brings down the system.

Workaround:
N/A

Fix:
A stale renew_lease timer in vpn_ctx no longer causes TMM to core.


575321-1 : MCPd might leak memory in firewall stats.

Component: Advanced Firewall Manager

Symptoms:
MCPd might leak memory in firewall stats.

Conditions:
This occurs when looking at firewall stats.

Impact:
Over time this can cause MCPd to run out of memory and core.


575292-2 : DNS Relay proxy service does not respond to SCM commands in timely manner

Component: Access Policy Manager

Symptoms:
The DNS relay proxy service may appear unresponsive when stopped or started through the Service Control Manager, and the user may see a system dialog box saying "Service did not respond in a timely manner".

Conditions:
The DNS relay service component of the Edge Client is installed on the user's machine.

Impact:
Usability: the user may think that the service has failed.

Workaround:
Wait for the service to report its proper status.

Fix:
Service now reports correct status to service control manager immediately.


575027-3 : Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues.

Component: TMOS

Symptoms:
Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues.

Conditions:
This occurs when the following conditions are met:
1. Use of tagged VLANs in the configuration.
2. Change cmp-hash of the tagged VLAN.

Impact:
Throughput is lower than expected. Packets are not being hashed using the hash set in config. (This can be verified by looking at 'tmm/flow_redir_stat'.)

Workaround:
Use untagged VLANs and hypervisor side tagging.

Fix:
You can now use tagged VLAN configurations along with a cmp-hash setting for the VLAN, without compromising performance.


575011-9 : Memory leak. Nitrox3 Hang Detected.

Component: Local Traffic Manager

Symptoms:
System exhausts available memory due to compression memory leak. Prior to running out of memory, repeatedly logs "Nitrox3 Hang Detected".

Conditions:
Compression device unavailable during creation of a new context.

Impact:
System can run out of memory.

Workaround:
Disable hardware compression using tmsh:

% tmsh modify sys db compression.strategy softwareonly

Fix:
Repaired memory leak.


574781-3 : APM Network Access IPV4/IPV6 virtual may leak memory

Component: Access Policy Manager

Symptoms:
Observation of performance graphs shows increasing TMM memory usage over time. Specifically, xhead and xdata caches grow over time. Additionally, the ppp_npmode_errors in the ppp stat table will increment with each leak.

Conditions:
APM virtual with Network Access configured with IPV4 and IPv6.

Impact:
Memory leakage over time leads to performance degradation and possible traffic outage.

Workaround:
No workaround short of not enabling IPv6.

Fix:
APM Network Access now correctly manages its memory resources.


574318-4 : Unable to resume session when switching to Protected Workspace

Component: Access Policy Manager

Symptoms:
Clients logging into Protected Workspace are unable to view the page. The client's log file may have the following signature: HandlePwsCmd, detoured.dll signature validation error

Conditions:
This occurs infrequently on certain Windows clients logging into Protected Workspace

Impact:
Client browser cannot render the protected workspace

Fix:
Fixed an issue preventing Windows clients from using Protected Workspace


574262 : Rarely encountered lockup for N3FIPS module when processing key management requests.

Component: Local Traffic Manager

Symptoms:
The N3FIPS module does not respond to key management requests.

Conditions:
No specific condition has been identified for this failure.

Impact:
Existing data continues to forward, but new traffic keys fail. MGMT locks up. This is a rarely encountered issue.

Workaround:
A SNMP trap is generated when N3FIPS is locked up. The trap informs the user that the BIG-IP system must be rebooted. Rebooting clears the condition.

Fix:
The N3FIPS module no longer experiences occasional lockups when processing key management requests.


574214-2 : Content Based Routing daemon (cbrd) logging control

Component: Application Security Manager

Symptoms:
The cbrd logger might not produce enough useful output for troubleshooting purposes, and debug logging is not available.

Conditions:
Using an XML profile, when you want the XPath output written to a log file.

Impact:
Unable to see the XPath information.

Fix:
It is now possible to enable xpath logging by adding these lines to /etc/cbr/logger.cfg:

MODULE=CBR_PLUGIN;
LOG_LEVEL=TS_INFO | TS_DEBUG;
FILE = 2;

Then:
bigstart restart cbrd


574153-3 : If an SSL client disconnects while data is being sent to SSL client, the connection may stall until TCP timeout.

Component: Local Traffic Manager

Symptoms:
If an SSL connection gracefully begins to disconnect at the same time as data is being encrypted by SSL acceleration hardware, the connection will remain open until the TCP profile timeout occurs instead of being closed immediately. This can cause unwanted higher memory usage, possibly causing crashes elsewhere.

Conditions:
* A virtual server with ClientSSL or ServerSSL profile.
* BIG-IP SSL acceleration hardware.
* While an SSL record is being encrypted by SSL accelerator hardware, the SSL connection begins to close by client TCP FIN or by any iRule command that closes the connection.

Impact:
There is a potential for higher memory usage, which in turn may cause TMM crash due to memory exhaustion resulting in service disruption.

Workaround:
If the affected SSL traffic does not include any long idle periods, memory consumption can be mitigated by reducing the idle timeout of the TCP or SCTP profile.

Fix:
SSL connections now disconnect normally if a disconnect attempt occurs while data is being encrypted by SSL acceleration hardware.


574116-3 : MCP may crash when syncing configuration between device groups

Component: TMOS

Symptoms:
mcpd on the sync target crashes when syncing configuration.

Conditions:
This can occur when a local non-synced object references an object that is synced (such as a local-only virtual server referencing a synced iRule), and a non-synced object on the target machine happens to be referencing the same synced object. In this condition, mcpd could crash if objects in a sync group are deleted and synced.

Impact:
Outage due to mcp crash which causes tmm to restart.

Workaround:
When you have devices with local-only resources that reference objects contained in a sync/failover group, avoid deleting any objects (such as iRules) that might be referenced by other local-only resources on other devices. Instead of a "this object is in use" error, mcpd on the target machine will crash.

Fix:
Verify existence of rule objects when validating configuration.


574073 : Support for New Platform: BIG-IP 10350 FIPS with NEBS support

Component: Local Traffic Manager

Symptoms:
New platform introduction

Conditions:
New platform introduction

Impact:
New platform introduction


574045-3 : BGP may not accept attributes using extended length

Component: TMOS

Symptoms:
If a BGP peer sends a path attribute using the "extended length" flag and field, the attribute may be rejected and the BGP connection terminated.

Conditions:
Neighbor sends path attributes using extended length.

Impact:
The BGP adjacency will repeatedly bounce and the RIB will never converge.

Fix:
Received BGP attributes using extended length are no longer rejected.


573581-2 : DNS search suffixes are not restored properly in some cases after VPN establishment

Component: Access Policy Manager

Symptoms:
DNS suffixes modified after VPN establishment and closure may result in failure to resolve some DNS names.

Conditions:
DNS Relay proxy service is stopped in the middle of VPN session.
User's machine is rebooted.

Impact:
DNS suffixes are not restored properly which may lead to incorrect resolution of certain DNS names.

Workaround:
Any of the following workarounds:
1) Do not stop the DNS relay proxy service in the middle of a VPN session.
2) Restore the DNS search suffixes manually.


573529 : F-bit is not set in IPv6 OSPF Type-7 LSAs

Component: TMOS

Symptoms:
The forwarding address and the F-bit are not set in Type-7 LSAs sent out by the ASBR.

Conditions:
Virtual IP from a virtual server is redistributed as a Type-7 route by the ASBR.

Impact:
ABR routers are not able to propagate NSSA routes to other OSPF areas as External Type-5 routes. As a result, OSPF areas cannot reach external networks.

Fix:
ASBR sets the F-bit and forwarding address correctly.


573429-2 : APM Network Access IPv4/IPv6 virtual may leak memory

Component: Access Policy Manager

Symptoms:
Observation of performance graphs shows increasing TMM memory usage over time. Specifically, connflow and tunnel_nexthop caches grow over time.

Conditions:
APM virtual with Network Access configured with no SNAT and both IPV4 and IPV6 enabled.

Impact:
Memory leakage over time leads to performance degradation and possible traffic outage.

Workaround:
No workaround short of not enabling IPv6 support.

Fix:
Network Access now correctly manages its memory resources.


573406-2 : ASU cannot be completed if license was last activated more than 18 months before

Component: Application Security Manager

Symptoms:
Attack Signature Update (ASU) cannot be completed if the license was last activated more than 18 months before.

Conditions:
The license was last activated more than 18 months before.

Impact:
Attack Signature Update (ASU) cannot be performed.

Workaround:
The license must be re-activated.

Fix:
Attack Signature Update (ASU) can now be completed based on a license retrieved from server.


573343-4 : NTP vulnerability CVE-2015-8158

Vulnerability Solution Article: K01324833


573124-5 : TMM vulnerability CVE-2016-5022

Vulnerability Solution Article: K06045217


572922-3 : Upgrade causes an ASM subsystem error of PL_PARAM_ATTRIBUTES.

Component: Application Security Manager

Symptoms:
The following error is produced in ASM log during upgrade:
-----------
ASM subsystem error (ts_configsync.pl,F5::DbUtils::insert_data_to_table): Row <some_row_id> of table <some_db_table_name> is missing <some_field_name> (DDD) -- skipping F5::<some_package_name>
-----------

Conditions:
ASM provisioned

Impact:
Different portions of the security policy may be incorrectly upgraded.

Workaround:
N/A

Fix:
We have fixed the root cause so that the following error does not reproduce upon upgrading:
ASM subsystem error (ts_configsync.pl,F5::DbUtils::insert_data_to_table): Row <some_row_id> of table <some_db_table_name> is missing <some_field_name> (DDD) -- skipping F5::<some_package_name>


572893-5 : error "The modem (or other connecting device) is already in use or is not configured properly"

Component: Access Policy Manager

Symptoms:
Clients get the error "The modem (or other connecting device) is already in use or is not configured properly".

Conditions:
The exact reproduction steps are not known, but it was seen to occur on certain Windows 10 clients where the access components were removed and login was attempted afterward.

Impact:
Clients will be unable to connect to the VPN

Workaround:
Rebooting might correct the issue on the client machine.

Fix:
Network Access will no longer fail on client machines that first uninstall the components and then attempt to reconnect.


572600 : mcpd can run out of file descriptors

Component: TMOS

Symptoms:
Mcpd crashes with the log message err mcpd[8835]: 01071070:3: Failed to open file /config/BigDB.dat.tmp with error 24

Conditions:
This can happen in multiple ways; in this case it was detected while running BIG-IQ policy sync.

Impact:
Mcpd can crash, rendering the system unstable.

Fix:
A crash related to mcpd running out of file descriptors has been fixed.


572563-4 : PWS session does not launch on Internet Explorer

Component: Access Policy Manager

Symptoms:
Internet Explorer (IE) gets stuck entering Protected Work Space (PWS).

Conditions:
One of the DLLs provided by APM, vdeskctrl.dll, provides COM services, which Internet Explorer (IE) consumes. The DLL is loaded by IE during an upgrade of the PWS components. For some reason (especially on slow systems), IE does not unload the old DLL promptly after upgrading PWS. When the COM services are invoked to initialize PWS after the upgrade, the old DLL provides the service. Due to the recent renewal of our signing certificate, the old DLL cannot certify the integrity of the new PWS components. We have researched the issue, but we have not found a way to instruct IE to unload the old DLL after the upgrade.

Impact:
PWS session does not launch.

Workaround:
After upgrade, if Internet Explorer (IE) does not enter PWS within 60 seconds, close IE and start a new session. This is a one-time event.

Fix:
Internet Explorer can now launch a Protected Workspace session.


572543-4 : User is prompted to install components repeatedly after client components are updated.

Component: Access Policy Manager

Symptoms:
After auto-update of the client components from Internet Explorer, the user is prompted to install the components again when returning to the VPN site.

Conditions:
Administrator upgrades BIG-IP to 12.1.
User has client components from a release older than 12.1.

Impact:
User is prompted to install the components repeatedly.

Workaround:
Restart browser after components are updated the first time.


572495-4 : TMM may crash if it receives a malformed packet CVE-2016-5023

Vulnerability Solution Article: K19784568


572281-3 : Variable value in the nested script of a foreach command gets reset when there is a parking command in the script

Component: Local Traffic Manager

Symptoms:
When there is something like the following script:

foreach a [list 1 2 3 4] {
   set a 10
   after 100
}

The script contains a parking command, "after", which runs after "set a 10". When the after command returns, the value of a goes back to the value assigned by the foreach, and the value 10 is lost.

Conditions:
There is a parking command in the nested script of a foreach. For more information on commands that park, see K12962: Some iRule commands temporarily suspend iRule processing at https://support.f5.com/csp/#/article/K12962

Impact:
Variable values get reset.

Workaround:
Set (or set again) the variable value after the parking command.

Fix:
Will fix in later release.


572224 : Buffer error due to RADIUS::avp command when vendor IDs do not match

Component: Service Provider

Symptoms:
Errors similar to the following in the ltm log:

err tmm3[21915]: 01220001:3: TCL error: /Common/RadiusTest CLIENT_DATA - Buffer error (line 1) (line 1) invoked from within 'RADIUS::avp 26 ip4 index 0 vendor-id 12345 vendor-type 6'.

Conditions:
The issue happens when there is a RADIUS::avp command for a vendor specific AVP and there's a RADIUS request that contains a different vendor-id than what was specified in the iRule command.

Impact:
You are unable to use vendor-specific RADIUS AVP commands

Workaround:
None.

Fix:
Vendor-specific RADIUS AVP commands no longer generate errors.


572133-3 : tmsh save /sys ucs command sends status messages to stderr

Component: TMOS

Symptoms:
When you run the tmsh save /sys ucs command, some normal status messages are sent to stderr instead of stdout. This is visible if you are watching stderr for error messages.

Conditions:
There are no special conditions; every time the command is run, it sends some status messages to stderr.

Impact:
If a script runs the command, it may report that the save failed because messages were sent to stderr.

Workaround:
You can ignore the message "Saving active configuration..." being sent to stderr. It is not an error.

Fix:
The command will send the status messages to stdout.


571573-3 : Persistence may override node/pmbr connection limit

Component: Local Traffic Manager

Symptoms:
In certain circumstances the BIG-IP system may load balance connections to a node or pool member over the configured connection limit.

Conditions:
- Node or pool member configured with connection limit.
- L4 or L7 virtual server.
- Persistence configured on the Virtual Server.
- Very high load on unit.

Impact:
BIG-IP system may load balance connections to a node or pool member over the configured connection limit.

Workaround:
Remove persistence or use another method of limiting the connections (rate limiting or connection limit on the Virtual Server).

Fix:
The BIG-IP system now correctly enforces the pool member/node connection limit.


571344-2 : SSL Certificate with special characters might cause exception when GUI retrieves items list page.

Component: TMOS

Symptoms:
After upgrading, certain certificates cannot be viewed from the GUI. The catalina.out file may contain the signature MalformedByteSequenceException: Invalid byte 2 of 3-byte UTF-8 sequence.

iControl SOAP methods
====================
Management::KeyCertificate::get_certificate_list and get_certificate_list_v2 will return an exception if returning a certificate with special characters.

Conditions:
SSL Certificate with special characters might cause exception when GUI retrieves items list page. This has been observed on upgrades to BIG-IP version 11.5.4 through 12.0.0.

Impact:
The GUI does not display the page containing certificate information. iControl SOAP cannot return a list of certificates if they contain information with special characters.

Workaround:
None.

Fix:
The GUI now correctly displays certificates with special characters, and iControl SOAP methods Management::KeyCertificate::get_certificate_list and get_certificate_list_v2 no longer return exceptions.


571210-3 : Upgrade, load config, or sync might fail on large configs with large objects.

Component: TMOS

Symptoms:
Attempting to load a large config with large objects may result in the following error message:

err mcpd[7366]: 01070710:3: Database error (52), Can't write blob data, attribute:implementation status:52 - EdbBlobData.cpp, line 57

Attempting to synchronize a large change may result in the following error messages and a crash of the MCPD process:

err mcpd[8210]: 01071693:3: Incremental sync: Caught an exception while adding a transaction to the incremental config sync cache: unexpected exception.

err mcpd[8210]: 01070734:3: Configuration error: MCPProcessor::processRequestNow: Can't write blob data, attribute:msgs status:52

err mcpd[8210]: 01070596:3: An unexpected failure has occurred, request_group destroyed while processing, exiting...

Conditions:
The config must be approximately 19.75 MB (slightly less) prior to processing a large object in the config that exceeds 256 KB.

Or, once config exceeds 19.75 MB and 2 MB of additional memory has been allocated, processing config objects that exceed 256 KB (the larger, the more likely to occur) lead to the error.

Impact:
Upgrade, load config, or sync might fail, and a system crash and restart might occur.

Workaround:
Stagger the load, or reduce the size of particularly large objects within a config.

Fix:
Memory handling is improved so that large configs with large objects now successfully complete upon upgrade, load config, or sync.


571183-3 : Bundle-certificates Not Accessible via iControl REST.

Component: Local Traffic Manager

Symptoms:
Bundle-certificates Not Accessible via iControl REST.

Conditions:
This occurs when using iControl REST to look at bundle certificates via /mgmt/tm/sys/file/ssl-cert/~Common~ca-bundle.crt/bundle-certificates

Impact:
Unable to get data from the command.

Workaround:
If you do not need to do it via iControl REST, you can view bundle certificates using the tmsh command tmsh list sys file ssl-cert ca-bundle.crt bundle-certificates

Fix:
The iControl rest command for viewing bundle-certificates now displays all of the certificates.


571090-1 : When BIG-IP is used as SAML IdP, tmm may restart under certain conditions

Component: Access Policy Manager

Symptoms:
tmm restarts.

Conditions:
It is not known exactly what the conditions are, but this occurs when BIG-IP is configured as SAML IdP.

Impact:
Tmm may restart.

Workaround:
None


571019-2 : Topology records can be ordered incorrectly.

Component: TMOS

Symptoms:
Topology records can contain missing order numbers, duplicate order numbers, and differences in the ordering of topology records on BIG-IP systems in a sync group.

Conditions:
When adding or deleting topology records or modifying the order of existing topology records, the resulting ordering of the topology records can be inconsistent. This can lead to ordering issues, including differences in the ordering of topology records on BIG-IP systems in a sync group.

Impact:
It is difficult to manage the order of topology records. Topology records are evaluated in different orders on different BIG-IP systems in a sync group.

Workaround:
None.

Fix:
Topology records are now ordered consistently.


571003-4 : TMM Restarts After Failover

Component: Access Policy Manager

Symptoms:
TMM generates core file and restarts.

Conditions:
1. In a HA pair running pre 11.5.3-HF2 or 11.6.0-HF6, the standby is upgraded to 11.6.0-HF6 EHF 186, 241, 243, or 247.
2. Force failover.
3. A new session is established or an existing session terminated.

Impact:
Service is disrupted. All existing sessions are terminated.

Workaround:
None.

Fix:
TMM no longer generates core file and restarts upon upgrade.


570716-1 : BIG-IP IPsec IKE peer listener vulnerability CVE-2016-5736

Vulnerability Solution Article: K10133477


570667-10 : OpenSSL vulnerabilities

Vulnerability Solution Article: K64009378


570663-2 : Using iControl get_certificate_bundle_v2 causes a memory leak

Component: TMOS

Symptoms:
Using iControl call get_certificate_bundle_v2() causes a memory leak. iControlPortal memory use grows unbounded every time the method is called.

Conditions:
This occurs anytime the method is invoked; BIG-IP devices managed by Enterprise Manager can be especially impacted.

Impact:
Eventually iControlPortal will run out of memory and crash.

Fix:
The memory leak issue has been fixed.


570640-4 : APM Cannot create symbolic link to sandbox. Error: No such file or directory

Component: Access Policy Manager

Symptoms:
The user may encounter the following configuration error when adding a new APM sandbox-contained object in a non-default partition (other than /Common) if the user has ever attempted (but failed) to delete this partition (for example, couldn't delete it because it was not empty).

01070734:3: Configuration error: Cannot create symbolic link to sandbox. Error: No such file or directory. If you have access to bash shell, try to run command: ln -s /config/filestore/files_d/p1_d/sandbox_file_d /var/sam/www/webtop/sandbox/files_d/p1_d/sandbox_file_d. Then try to upload file again.
Unexpected Error: Validating configuration process failed.

Conditions:
The user has ever attempted (but failed) to delete the partition.

Impact:
No more APM sandbox object such as Hosted-Content can be added to the partition.

Upgrade may fail to install configuration with the impacted sandbox object.

Workaround:
Manually use the shell command 'mkdir -p' to re-create the missing folder where the symbolic link is supposed to be created, as shown in the error message.

Directories to create with mkdir -p:
/config/filestore/files_d/OUTSIDE_PROD_d/sandbox_file_d
/var/sam/www/webtop/sandbox/files_d/OUTSIDE_PROD_d/sandbox_file_d
After creating the directories, sync to the active unit.


570617-5 : HTTP parses fragmented response versions incorrectly

Component: Local Traffic Manager

Symptoms:
When a fragmented response is parsed by HTTP, the version field may be incorrectly bounded. HTTP correctly determines the version of the response. However, other filters that re-scan the version field might see a truncated value. The filters then mis-parse the HTTP version.

Conditions:
A fragmented response where the HTTP version field appears in multiple packets. Another filter, for example VDI, re-scans the HTTP version field.

Impact:
The detected version of HTTP may be incorrect. Typically, the response is detected as an HTTP/0.9 response rather than the 1.0 or 1.1 response it actually uses.

Workaround:
None.

Fix:
HTTP correctly bounds the response version for other filters to parse.


570064-4 : IE gives a security warning asking: "Do you want to run ... InstallerControll.cab"

Component: Access Policy Manager

Symptoms:
When logging into a VPN connection using Internet Explorer, Internet Explorer may prompt "Do you want to run ... InstallerControll.cab"

Conditions:
BIG-IP APM configured and is accessed by Internet Explorer. This can happen after an upgrade of BIG-IP.

Impact:
The prompt should not occur.

Fix:
Internet Explorer will no longer prompt to run InstallerControll.cab


570053-1 : HA peer's certkeychain of clientssl profile is unexpectedly either removed or re-named after config sync.

Component: TMOS

Symptoms:
HA peer's certkeychain of clientssl profile is unexpectedly either removed or re-named after config sync.

Conditions:
The issue is seen when all the below conditions are met.
1. More than one certkeychain is configured in the clientSSL profile.
2. The content of a certkeychain of the clientSSL profile is modified. For example, "modify ltm profile client-ssl a4 cert-key-chain modify { default { cert rsa.crt key rsa.key } }".
3. Config sync is performed in an HA setup.

Impact:
Missing certkeychain of a clientSSL profile can result in its inability to handle some kind of SSL traffic. For example, if the clientSSL originally has EC key/cert but loses it, then it is no longer able to handle SSL connection using EC cipher suites.

Workaround:
Reconfigure the certkeychains, but avoid modifying the content of an existing one.
1. On any BIG-IP system, leave only the RSA certkeychain in the clientSSL profile, just like the default configuration.
2. Config sync, so that both systems have only the RSA certkeychain.
3. In any BIG-IP system, add certkeychains for other types (EC or DSA) you need. You can "add" or "delete" but do not "modify" any existing certkeychain.
4. Do config sync, so that both systems have the same certkeychains in the clientSSL profile.


569972-3 : Unable to create gtm topology records using iControl REST

Component: Global Traffic Manager

Symptoms:
The user is unable to create gtm topology records using iControl REST.

Conditions:
This occurs when a user issues an iControl REST POST command for a gtm topology record.

Impact:
The iControl REST POST command fails with the following error: 'Topologies must specify both regions: ldns: server:'.

Workaround:
Use TMSH, iControl SOAP, or the GUI to create gtm topology records.

Fix:
You can now create gtm topology records using iControl REST.

Please be sure to format the gtm topology oid string using the following rules:

1) Use only a single space between each item in the topology string.
2) Use a fully-pathed name for datacenter, isp, region, and pool objects.

For example:
"ldns: subnet 11.11.11.0/24 server: datacenter /Common/DC".


569958-3 : Upgrade for application security anomalies

Component: Application Visibility and Reporting

Symptoms:
After upgrading to a newer version, old statistics for application security anomalies are not shown.

Conditions:
Upgrade from a BIG-IP version older than 12.1.0 to a newer version.

Impact:
Old statistics for application security anomalies are lost.

Fix:
After upgrading to a newer version, the old statistics are shown.


569718-3 : Traffic not sent to default pool after pool selection from rule

Component: Local Traffic Manager

Symptoms:
If you have an iRule configured to match a pattern in the HTTP::uri and send it to a non-default pool, subsequent requests in the HTTP keep-alive session will also be sent to the non-default pool even though they do not match the iRule.

Conditions:
This occurs after upgrading from 11.5.3 HF1 to 11.5.3 HF2.

Impact:
If the pool members are not configured to accept traffic that doesn't match the URI criteria, the server will not respond properly.

Fix:
Reverted a change that caused subsequent HTTP requests to go to the non-default pool after it was selected in an iRule.


569642-3 : Deleting all routes on a unit with a mirroring fastL4 Virtual may cause TMM to core

Component: Local Traffic Manager

Symptoms:
In certain circumstances TMM may core if an HA pair configured with mirroring has all the routes to the server pool removed.

Conditions:
- HA pair.
- FastL4 VIP with mirroring.
- Default route to the pool via an intermediate router.
- The active unit is handling traffic.
- The active unit fails over and loses its mirroring connection.
- The prior active unit comes back and the HA connection is re-established.
- During the loss of HA and its recovery, the now-active unit loses its only route to the pool member.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not remove all routes to pool members. If this is needed, create other backup routes prior to the deletion.

Fix:
TMM no longer cores on deleting all routes on a unit with a mirroring fastL4 Virtual during HA connection loss and recovery.


569521-2 : Invalid WideIP name without dots crashes gtmd.

Component: Global Traffic Manager

Symptoms:
If a user creates a WideIP or WideIP Alias with a name that does not contain a dot, gtmd crashes.

The symptom is a crash and core dump from gtmd.

Conditions:
This occurs when the following conditions are met:
-- FQDN validation is suppressed by the following setting: gtm global-settings general domain-name-check == 'none'.
-- User attempts to create a WideIP with a name that does not contain a dot.

Impact:
gtmd crashes and WideIPs do not function.

Workaround:
When creating a WideIP or WideIP Alias while FQDN validation has been disabled (by setting gtm global-settings general domain-name-check == 'none'), make sure that the WideIP or WideIP Alias name contains at least one dot, and follows these rules:
-- The name must not end with a dot.
-- The name must not begin with a dot, unless '.' is the entire name.
-- The name contains no consecutive dots.

Fix:
FQDN validation now confirms that a WideIP or WideIP Alias name has at least one dot in an appropriate position and has no consecutive dots, so there is no crash and core dump from gtmd. This validation occurs even when other FQDN validation has been suppressed by setting gtm global-settings general domain-name-check == 'none'.
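The dot rules from the workaround above, as an added pre-check that is not part of the original release note or of any F5 code: it lets a config-automation script lint WideIP and WideIP Alias names before creating them on a system where domain-name-check is 'none'. The function names and the reading of the bare root name '.' as the stated exception are this example's assumptions.

```python
"""Pre-validate GTM WideIP / WideIP Alias names (added example, not F5 code).

Implements the four name rules given in the workaround for ID 569521 so that
automation can refuse a bad name before the BIG-IP sees it.
"""


def check_wideip_name(name: str) -> list:
    """Return the list of rule violations for one name; empty means it is safe."""
    # Assumption: the workaround says a leading dot is allowed only when '.'
    # is the entire name, so the bare root name is treated as acceptable.
    if name == ".":
        return []

    problems = []
    if "." not in name:
        problems.append("must contain at least one dot")
    if name.endswith("."):
        problems.append("must not end with a dot")
    if name.startswith("."):
        problems.append("must not begin with a dot (unless the name is exactly '.')")
    if ".." in name:
        problems.append("must not contain consecutive dots")
    return problems


def is_safe_wideip_name(name: str) -> bool:
    """True when the name satisfies every dot rule."""
    return not check_wideip_name(name)


def lint_wideip_names(names, domain_name_check: str = "none") -> dict:
    """Map each unsafe name to its violations.

    The gtmd crash is described for domain-name-check == 'none', where the
    BIG-IP skips its own FQDN validation; with any other setting this lint
    defers to the BIG-IP's validation and reports nothing (an assumption of
    this example, not a statement about other settings' behaviour).
    """
    if domain_name_check != "none":
        return {}
    return {n: check_wideip_name(n) for n in names if not is_safe_wideip_name(n)}


if __name__ == "__main__":
    # Constructed sample names, not taken from any real configuration.
    candidates = [
        "www.example.com",
        "intranet",            # no dot: the case that crashed gtmd
        "www.example.com.",    # trailing dot
        ".example.com",        # leading dot
        "www..example.com",    # consecutive dots
        ".",                   # bare root, the stated exception
    ]
    for bad, why in lint_wideip_names(candidates).items():
        print(f"reject {bad!r}: {'; '.join(why)}")
```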


569472-3 : TMM segfault in lb_why_pmbr_str after GTM/BIG-IP DNS disables a GTM pool and LB why log is enabled

Component: Global Traffic Manager

Symptoms:
tmm cores with sigsegv within lb_why_pmbr_str.

Conditions:
1. Disable a GTM/BIG-IP DNS pool or pool member;
2. pool-member-selection is enabled for load-balancing-decision-log-verbosity.

Impact:
tmm cores.

Workaround:
Disable pool-member-selection for load-balancing-decision-log-verbosity.

Fix:
tmm no longer cores when disabling pool-member-selection for load-balancing-decision-log-verbosity.


569467-2 : BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.

Vulnerability Solution Article: K11772107


569356-5 : BGP ECMP learned routes may use incorrect vlan for nexthop

Component: TMOS

Symptoms:
BGP with ECMP may result in learned routes using an incorrect next-hop VLAN if more than one VLAN is configured with global IPv6 addresses in the same route domain (RD) in which the routing protocol is running.

Conditions:
BIG-IP configuration with two or more VLANs configured with IPv6 global addresses and BGP with ECMP is peered with an active IPv6 BGP neighbor. The BGP is also configured with max-paths.

Impact:
The traffic randomly gets sent using the incorrect nexthop.

Workaround:
None

Fix:
Routes learned from the peer will have the correct nexthop VLANs.


569349-3 : Packet's vlan priority is not preserved for CMP redirected flows when net cos feature is enabled

Component: Local Traffic Manager

Symptoms:
When the net cos (Class of Service) feature is enabled, the VLAN priority of CMP-redirected packets is not preserved from ingress to egress.

Conditions:
1. The net cos feature is enabled.
2. The packet is CMP-redirected from one TMM to another TMM for processing.

Impact:
Egress packets are not processed according to the ingress VLAN priority by the BIG-IP system and the downstream router. Certain packets are dropped by the downstream router because of the wrong VLAN priority mark.

Workaround:
None.


569337-4 : TCP events are logged twice in an HA setup

Component: Advanced Firewall Manager

Symptoms:
TCP log events are logged twice (if enabled in the security log profile) with connection mirroring enabled on the virtual server in an HA setup (Active/Standby).

Conditions:
When there is an HA setup (Active/Standby), or both a client-side and a server-side connection flow.

Impact:
TCP log events are logged twice (duplicate events from active unit and standby unit or from both client side and server side of the connection flow).

Workaround:
N/A

Fix:
TCP log events are no longer logged twice when enabled in the security log profile with connection mirroring enabled on the virtual server in an HA setup (Active/Standby).


569306-5 : Edge client does not use logon credentials even when "Reuse Windows Logon Credentials" is selected

Component: Access Policy Manager

Symptoms:
User is shown the logon page to connect to VPN after he logs on. Windows logon credentials are not used for VPN automatically.

Conditions:
Connectivity profile has "Reuse Windows Logon Credentials" selected

Impact:
User has to retype his credentials to connect to VPN

Workaround:
Enter the credentials again to connect to VPN

Fix:
Now logged on credentials are used automatically to connect to VPN


569288-4 : Different LACP key may be used in different blades in a chassis system causing trunking failures

Component: Local Traffic Manager

Symptoms:
In rare conditions, different blades in a chassis system may use different LACP keys for the same trunk in the LACP control frames. This causes some of the LACP trunk members to fail to aggregate with the peer switch.

Conditions:
This only happens in a chassis-based system when a race condition causes the trunk ID to be modified after initial trunk creation.

Impact:
Non-aggregated trunk members cannot pass traffic.

Workaround:
Restart lacpd on all blades in the chassis by running the command "clsh bigstart restart lacpd".


569255-5 : Network Access incorrectly manipulates routing table when a second adapter is connected if 'Allow Local subnet access' is set to ON

Component: Access Policy Manager

Symptoms:
When Network Access is already established and a second network interface is connected to the client system, the VPN quickly reconnects, which breaks existing TCP connections. Because the reconnect occurs very quickly, it might appear to the user that nothing happened.

Conditions:
-- 'Allow Local subnet access' enabled.
-- A second network interface is connected to the client system.

Impact:
Long-standing TCP connection may break, for example, VPN over Network Access.

Workaround:
Disable 'Allow Local subnet access'.

Fix:
Now Network Access remains stable when a second network interface is being connected, so any long-standing TCP connections (such as VPN over Network Access) continue as expected.


569236-2 : BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.

Component: TMOS

Symptoms:
The BIG-IP system logs INVALID-SPI messages but does not remove the associated Security Associations (SAs) corresponding to the message. This is the first part of a fix provided for this issue. See fixes for bug 569236 for the second part.

Conditions:
This can occur if an IPsec peer deletes a phase2 (IPsec) SA and does not send a 'notify delete' message to the other peer. The INVALID-SPI message is most likely to be seen when the peer deletes an SA before the SA's agreed lifetime.

Impact:
If the BIG-IP system is always the Initiator, the Responder will not initiate a new tunnel if the Responder only handles responses to the BIG-IP clients' traffic. The BIG-IP system continues to use the IPsec SA it believes to be still up. When an SA expires prematurely, some IPsec peers will reject an inbound SPI packet with an ISAKMP INVALID-SPI notify message. If the INVALID-SPI message does not cause new SAs to be created, there will be a tunnel outage until the SA lifetime expires on the defunct SA held on the BIG-IP system.

Workaround:
Manually remove the invalid SA on the BIG-IP system.

Fix:
Now, when the BIG-IP system receives INVALID-SPI messages, it deletes the invalid Security Association as well as logging the INVALID-SPI message, so the tunnel can initiate again. This is part one of a two-part fix. Fixes for bug 583285 provide part two of the fix.


568889-5 : Some ZebOS daemons do not start on blade transition secondary to primary.

Component: TMOS

Symptoms:
In some specific cases the standby unit's secondary blade ZebOS daemons might not get started when it becomes active.

Conditions:
If the failover occurs as a result of the primary blade's mcpd restarting.

Impact:
The new primary blade does not start some ZebOS daemons resulting in ospf not working as expected on the standby unit.

Workaround:
Run the following tmsh command on the new active unit: bigstart restart tmrouted.

Fix:
The BIG-IP system now correctly starts ZebOS daemons on the standby unit on a new blade that is starting up as a primary.


568543-2 : Syncookie mode is activated on wildcard virtuals

Component: Local Traffic Manager

Symptoms:
Syncookie mode can be activated with a wildcard virtual, even in the case where there is no SYN flood.

Conditions:
The default number of connections per second before activating syncookie mode is 1993. This value can be increased to a max of 4093. After this threshold is reached, then syncookie mode is activated. This is an insufficient maximum for wildcard virtuals, since they can have 30k+ connections per second.

Impact:
Syncookie mode is activated with high connection rates to a wildcard virtual.

Workaround:
Break up the wildcard virtual into multiple virtuals to reduce the number of connections per virtual.

Fix:
It is now possible to set the PvaSynCookies.Virtual.MaxSynCache DB variable to 64K (the previous maximum was 4093).


568445-7 : User cannot perform endpoint check or launch VPN from Firefox on Windows 10

Component: Access Policy Manager

Symptoms:
If Firefox is used on Windows 10 to connect to APM, access policy may fail, or system fails to launch VPN.

Conditions:
Firefox is used to connect to APM on Windows 10. The following conditions are exclusive and have different impact:
1) Access policy requires client side inspection.
2) Attempt to launch VPN from WebTop.

Impact:
1) Access policy will fail.
2) VPN cannot be launched from WebTop.

Workaround:
None.

Fix:
User can now perform endpoint check or launch VPN from Firefox on Windows 10.


567484-4 : BIND Vulnerability CVE-2015-8705

Vulnerability Solution Article: K86533083


567475-4 : BIND vulnerability CVE-2015-8704

Vulnerability Solution Article: K53445000


567379-2 : libtar vulnerability CVE-2013-4397

Vulnerability Solution Article: K16015326


566908-3 : Webserver listening on local Wifi or ethernet IP cannot be accessed after VPN with proxy.pac file

Component: Access Policy Manager

Symptoms:
A web server listening on a local Wi-Fi or Ethernet IP cannot be accessed after VPN if proxy.pac is defined in a way that forwards all web traffic over the VPN.

Conditions:
proxy.pac, network access, OS X system.

Impact:
Local web server is inaccessible if proxy.pac is defined in a way that forwards all traffic over VPN to corporate proxy server.

Workaround:
None.

Fix:
A web server listening on a local Wi-Fi or Ethernet IP can be accessed after VPN even if proxy.pac is defined in a way that forwards all web traffic over the VPN to the corporate proxy server.


566758-3 : Manual changes to policy imported as XML may introduce corruption for Login Pages

Component: Application Security Manager

Symptoms:
Manual changes to policy imported as XML may introduce corruption for Login Pages. If the expiration period is omitted, the Login Page will be inaccessible.

Conditions:
Expiration period is omitted in hand-crafted XML policy file.

Impact:
The Login Page created as a result is inaccessible in GUI and REST.

Workaround:
Ensure that expiration period exists in XML policy file before import.

Fix:
A policy file, with a missing expiration field, imported as XML is now handled correctly.


566646-2 : Portal Access could respond very slowly for large text files when using IE < 11

Component: Access Policy Manager

Symptoms:
When accessing a large 'text/plain' file from server with Internet Explorer versions 7 through 10 client browsers, Portal Access sometimes holds the response until it fetches and processes the entire file contents. This can take several dozen seconds, or even minutes.

Conditions:
Internet Explorer version 7 through 10 with Portal Access

Impact:
Large text files can't be accessed or downloaded through Portal Access.

Workaround:
An iRule that does any of the following:
a) Preferred: append F5CH=I to the request URI in HTTP_REQUEST for affected requests.
b) Call REWRITE::disable for affected requests.

Fix:
Fixed the issue where Portal Access could try to buffer contents of some large files and respond with significant delay.


566361-2 : RAM Cache Key Collision

Component: Local Traffic Manager

Symptoms:
Intermittent tmm SIGSEGV when RAM Cache is enabled.

Conditions:
This occurs when RAM cache is enabled in certain circumstances.

Impact:
Invalid response format, and/or serving the wrong object from cache, and/or tmm crash, interruption of service.

Workaround:
None.

Fix:
The system now avoids RAM Cache Key collisions, the correct object and response format are delivered from the cache, and tmm no longer cores.


565895-3 : Multiple PCRE Vulnerabilities

Vulnerability Solution Article: K17235


565810-5 : OneConnect profile with an idle or strict limit-type might lead to tmm core.

Component: Local Traffic Manager

Symptoms:
OneConnect profile with an idle or strict limit-type might lead to tmm core.

Conditions:
OneConnect profile with a limit-type value of idle or strict.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use a limit-type of 'none'.

Fix:
A OneConnect profile using an idle or strict limit-type no longer causes the tmm to core when attempting to shutdown idle connections.


565534-3 : Some failover configuration items may fail to take effect

Component: TMOS

Symptoms:
These symptoms apply to version 12.0.0 and later:

When only multicast failover is configured, traffic-groups are active on all devices in the device-group. If unicast failover is also configured, the traffic-group unexpectedly switches to a different device.

These symptoms can occur on all versions:

When the unicast address list is changed at the same time as other device properties, sod (the failover daemon) may fail to recognize one of the other changes.

Conditions:
For version 12.0.0 and later:

Multicast failover is configured and the system loads the configuration from the configuration files, for example during the first boot of a new boot location, or after performing the procedure in K13030: Forcing the mcpd process to reload the BIG-IP configuration https://support.f5.com/csp/article/K13030.

For all versions:

A change is made to the cm device configuration that includes a unicast-address change along with something else.

Impact:
When only multicast failover is configured, traffic-groups may become active on all devices in the device-group. If unicast failover is also configured, the traffic-group might switch to a different device.

Workaround:
Mitigation for v12.0.0 (and later) symptom:

To restore multicast failover, disable and re-enable multicast failover.

To do so, perform the following procedure on the local device.
1. Determine which interface is being used for multicast failover by running the following tmsh command:
list cm device device1 multicast-interface
2. Disable and re-enable multicast failover by running the following tmsh commands:
modify cm device device1 { multicast-interface none }
modify cm device device1 { multicast-interface eth0 }


Mitigation for all versions symptoms:
Do not make cm device unicast-address changes simultaneously with changes to other cm device properties.

Fix:
With the fix, sod now sends out multicast FO heartbeat datagrams under the same condition.


565409-3 : Invalid MSS with HW syncookies and flow forwarding

Component: Local Traffic Manager

Symptoms:
A packet may have an MSS set to 65536 when using HW syncookies and flow forwarding.

Conditions:
The conditions which cause this are not fully known.

Impact:
TMM core/reboot.

Workaround:
Disable HW syncookies or TSO.


565231-1 : Importing a previously exported policy which had two object names may fail

Component: Access Policy Manager

Symptoms:
If an exported access policy includes the two object names profile_name-aaa and aaa, importing that policy may fail or produce an incorrect result.

Conditions:
For example:
access policy name "test"
access policy item name "test-empty"
access policy item name "empty"

For example:
access policy name "test"
access policy item name "test-empty"
macro name "empty"

Impact:
Rare case, but the import of such a policy may fail.

Workaround:
One of the objects could be renamed in the bigip.conf file to avoid such a naming pattern.

Fix:
Objects are now exported correctly without error.


565169-1 : Multiple Java Vulnerabilities

Vulnerability Solution Article: K48802597


565167-3 : Additional garbage data being logged on user name and domain name for NTLM authentication

Component: Access Policy Manager

Symptoms:
ECA logs an error message in this format:
Could not verify user (<Domain Name>\<User Name>) credential (<Reason>)
Example:
Could not verify user (mv4\test1) credential (STATUS_NO_LOGON_SERVERS)

However, due to missing NUL termination, the user name and domain name may include garbage data, as in the following example:
Could not verify user (mv413abfee\test1ewq12dsasd) credential (STATUS_NO_LOGON_SERVERS)

Conditions:
When NTLM front-end authentication cannot send the user's credential for verification (e.g., the Active Directory server is down).

Impact:
The BIG-IP system cannot send the verification to the Active Directory server for any reason, such as the Active Directory server being down, or incorrect machine account information between the BIG-IP system and the Active Directory server.

Workaround:
No workaround

Fix:
Now it properly logs the message with correct domain name and user name.
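The defect described above, reproduced as an added example (not F5 code): NTLM AUTHENTICATE fields are located by offset and length rather than NUL-terminated, so copying them into a reused buffer without writing a terminator leaves stale bytes from an earlier request behind the name, and those bytes end up in the log line. The buffer sizes, the stale contents and the ASCII field values are constructed here to reproduce the sample log line from the entry.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 32

/* Constructed stale buffer contents: a previous, longer request left these
 * bytes behind.  Everything past the string literal is zero-filled. */
static const char STALE_DOMAIN[NAME_BUF] = "abc13abfee";
static const char STALE_USER[NAME_BUF]   = "user1ewq12dsasd";

/* Buggy copy: copies exactly len bytes and writes no terminator, so whatever
 * the buffer held after position len is still there when it is printed. */
static void copy_field_buggy(char *dst, const char *src, size_t len)
{
    memcpy(dst, src, len);
}

/* Fixed copy: bounds len to the destination and always NUL-terminates. */
static void copy_field_fixed(char *dst, size_t dstsz, const char *src, size_t len)
{
    if (len >= dstsz)
        len = dstsz - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Formats the ECA-style error line into out and returns the length written.
 * domain/user point into a (simulated) received message with explicit
 * lengths; fixed != 0 selects the corrected copy routine. */
size_t format_credential_error(char *out, size_t outsz,
                               const char *domain, size_t domain_len,
                               const char *user, size_t user_len,
                               const char *reason, int fixed)
{
    char dbuf[NAME_BUF], ubuf[NAME_BUF];

    /* Simulate buffers reused across requests without being cleared. */
    memcpy(dbuf, STALE_DOMAIN, NAME_BUF);
    memcpy(ubuf, STALE_USER, NAME_BUF);

    if (fixed) {
        copy_field_fixed(dbuf, sizeof dbuf, domain, domain_len);
        copy_field_fixed(ubuf, sizeof ubuf, user, user_len);
    } else {
        copy_field_buggy(dbuf, domain, domain_len);
        copy_field_buggy(ubuf, user, user_len);
    }
    return (size_t)snprintf(out, outsz,
        "Could not verify user (%s\\%s) credential (%s)", dbuf, ubuf, reason);
}

/* Runs the entry's sample credentials (domain "mv4", user "test1") through
 * either path and reports whether the log line equals expected. */
int demo_matches(int fixed, const char *expected)
{
    char out[256];
    format_credential_error(out, sizeof out, "mv4", 3, "test1", 5,
                            "STATUS_NO_LOGON_SERVERS", fixed);
    return strcmp(out, expected) == 0;
}

/* Edge case: a field longer than the buffer is truncated by the fixed copy
 * instead of overflowing; returns 1 when the result has NAME_BUF-1 chars. */
int demo_fixed_truncates(void)
{
    char dst[NAME_BUF];
    char longname[40];
    memset(longname, 'a', sizeof longname);
    copy_field_fixed(dst, sizeof dst, longname, sizeof longname);
    return strlen(dst) == NAME_BUF - 1;
}

int main(void)
{
    char out[256];
    format_credential_error(out, sizeof out, "mv4", 3, "test1", 5,
                            "STATUS_NO_LOGON_SERVERS", 0);
    printf("buggy: %s\n", out);
    format_credential_error(out, sizeof out, "mv4", 3, "test1", 5,
                            "STATUS_NO_LOGON_SERVERS", 1);
    printf("fixed: %s\n", out);
    return 0;
}
```

The buggy path yields exactly the garbage line quoted in the entry, which is why a log line with an implausibly long domain or user name is a useful signal that a non-terminated copy is leaking adjacent buffer contents.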


565085-4 : Analytics profile allows invalid combination of entities for Alerts setup

Component: Application Visibility and Reporting

Symptoms:
When non-cumulative metrics are selected for an Alert on a dimension other than Virtual Server, errors appear in the log.

Conditions:
Analytics in use, and non-cumulative metrics such as the following are used on a time dimension:

- Maximum TPS
- Maximum Server Latency
- Maximum Page Load Time
- Maximum Request Throughput
- Maximum Response Throughput

Impact:
You are able to configure invalid alerts but no warning is given and the metric does not work and generates errors in the /var/log/monpd.log file.

Workaround:
None needed. This is cosmetic.

Fix:
Invalid combination of entities for Alerts setup is no longer allowed. Validation is present both on UI side and the backend.


565056-5 : Fail to update VPN correctly for non-admin user.

Component: Access Policy Manager

Symptoms:
VPN is not updated correctly for non-admin users.

Conditions:
Steps to Reproduce:
1. In BIG-IP 12.0, create Access Policy containing (Firewall Check, Machine Info, Machine Cert Auth, Cache and Session Control, Protected Workspace, VPN Resources with Optimized Applications.)
2. Log in as a user without admin privileges.
3. Run FF.
4. Log in to the VS and install components.
5. Click the NA resource on the webtop to start the VPN tunnel => the user is asked for an admin password and the VPN is successfully installed and established.
6. Close FF and exit PWD.

Impact:
VPN is not updated. A user is not asked to enter admin credentials and an error is given: "Error downloading required files (-1)"

Workaround:
None.

Fix:
VPN is now updated as expected for non-admin users.


564521-2 : JavaScript passed to ExternalInterface.call() may be erroneously unescaped

Component: Access Policy Manager

Symptoms:
JavaScript passed to ExternalInterface.call() may be erroneously unescaped.

Conditions:
Adobe ActionScript 3.0 version 24 or less.

Impact:
Adobe Flash application may crash.

Workaround:
None

Fix:
Completely fixed.


564496-2 : Applying APM Add-on License Does Not Change Effective License Limit

Component: Access Policy Manager

Symptoms:
When an add-on license is applied on the active node, the effective license limit is not updated, even though telnet output shows that it is.

Conditions:
1. Set up a high availability (HA) configuration with a base APM license.
2. Apply an APM add-on license to increase Access and CCU license limits.

Impact:
The actual number of sessions that can be established remains unchanged after adding an add-on license.

Workaround:
To make the add-on license effective, run the following command:
bigstart restart tmm.

For systems running v11.5.3, v11.5.4, and v11.6.0, use the following workaround:
 - Take one unit Offline.
 - Remove the HA configuration.
 - Reactivate license on the offline unit.
 - Take a peer unit Offline.
 - Release the first unit from Offline.
 - Reactivate license on the peer unit.
 - Rebuild HA configuration.
 - Release the peer unit from Offline.

Fix:
Applying APM add-on license now increases Access and CCU license limits, as expected.


564482-3 : Kerberos SSO does not support AES256 encryption

Component: Access Policy Manager

Symptoms:
If the delegation account is enforced to use AES256 encryption, then APM Kerberos SSO will fail. Example error message: Dec 18 19:22:19 bigip8910mgmt err websso.7[31499]: 014d0005:3: Kerberos: can't decrypt S4U2Self ticket for user 'username' - Decrypt integrity check failed (-1765328353).

Conditions:
Delegation account is enforced to use AES256 encryption.

Impact:
Kerberos SSO will fail and the user will be prompted to enter credentials.

Workaround:
Disable the option to enforce AES256 encryption for the delegation account.

Fix:
Delegation account can be enforced to use AES256 encryption, provided the delegation account is configured as SPN format on the Kerberos SSO configuration.


564427-1 : Use of iControl call get_certificate_list_v2() causes a memory leak.

Component: TMOS

Symptoms:
Use of iControl call get_certificate_list_v2() causes a memory leak.

Conditions:
This occurs when using the Management::KeyCertificate::get_certificate_list_v2 method in iControl.

Impact:
memory leak.

Workaround:
Restarting httpd helps reduce memory, but it must be restarted periodically to clear up the memory issues.

Fix:
Use of Management::KeyCertificate::get_certificate_list_v2 method in iControl no longer causes a memory leak.


564262-3 : Network Access does not work if DNS cannot be resolved on client and PAC file contains DNS resolution code

Component: Access Policy Manager

Symptoms:
Tunnel server component of Edge client crashes, and user cannot establish VPN.

Conditions:
- DNS names cannot be resolved on the client system.
- The PAC file used to determine the proxy server uses a JavaScript DNS resolution function.

Impact:
Tunnel server crashes and user cannot establish VPN.

Workaround:
Enable DNS resolution on client or do not use DNS resolution JavaScript functions in PAC file.

Fix:
Network Access now works as expected even when DNS cannot be resolved on client and PAC file contains DNS resolution code.


564253-6 : Firefox signed plugin for VPN, Endpoint Check, etc

Component: Access Policy Manager

Symptoms:
Firefox v44.0 and later does not allow loading of Netscape Plugin Application Programming Interface (NPAPI) plugins that are not signed by Firefox.

Conditions:
Using APM with Firefox v44.0 and later.

Impact:
Firefox v44.0 and later cannot establish network access or perform endpoint checking.

Workaround:
- Use Firefox v43.0 and earlier on all platforms.
- Use Safari on Mac systems and Microsoft Internet Explorer on Microsoft Windows systems.

Fix:
Firefox v44.0 through v46.0 can now install F5 Network plugins, perform endpoint checking, and establish network access connections.


564111-2 : Multiple PCRE vulnerabilities

Vulnerability Solution Article: K05428062


563670-5 : OpenSSL vulnerabilities

Vulnerability Solution Article: K86772626


563591-3 : reference to freed loop_nexthop may cause tmm crash.

Component: Local Traffic Manager

Symptoms:
tmm may crash intermittently when there is CMP-directed VIP (Virtual IP) to VIP traffic.

Conditions:
When CMP directed VIP to VIP traffic exists.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm should no longer crash under this condition.


563475-1 : ePVA dynamic offloading can result in immediate eviction and re-offloading of flows.

Component: TMOS

Symptoms:
ePVA dynamic offloading can result in immediate eviction and re-offloading of flows. If dynamic offloading is enabled in the fastl4 profile, flows that collide in the ePVA will ping/pong in and out of the ePVA due to immediate eviction and re-offloading. Flows that are evicted due to collisions are reported in the epva_flowstat stats, tot.hash_evict.

Conditions:
A fastl4 profile with PVA Offload Dynamic enabled and two flows that result in a hash collision, resulting in an evicted flow.

Impact:
Flows that collide will be re-offloaded, evicted, and then re-offloaded again within a short time span. It is unknown if there is a direct impact, but in some cases a delay in processing packets on a connection may occur.

Workaround:
Disable PVA Offload Dynamic in the fastl4 profile. Another option would be to disable PVA Flow Evict in the fastl4 profile.

Fix:
The system now handles flows involved in hash collisions such that ePVA dynamic offloading no longer results in immediate eviction and re-offloading of flows.


563443-3 : WebSSO plugin core dumps under very rare conditions.

Component: Access Policy Manager

Symptoms:
WebSSO plugin core dumps under very rare conditions.

Conditions:
This occurs rarely when the WebSSO plugin is enabled.

Impact:
WebSSO plugin core dumps.

Workaround:
None.

Fix:
This release fixes a rare core dump related to the WebSSO plugin.


563419-3 : IPv6 packets containing extended trailer are dropped

Component: Local Traffic Manager

Symptoms:
Some IPv6 packets are dropped

Conditions:
IPv6 packet contains trailing bytes after payload

Impact:
Packet loss

Fix:
IPv6 packets that carry more bytes than the 'Payload Length' header field specifies are now trimmed to that length and processed instead of being dropped.


563349-2 : On MAC, Network Access proxy settings are not applied to tun adapter after VPN is established

Component: Access Policy Manager

Symptoms:
In some cases, the user may not be able to browse to external or internal web sites, because the proxy settings are not used.

Conditions:
User's machine has local proxy settings configured
NA settings specify a proxy configuration

Impact:
User may not be able to browse some sites, or the connection would not take the proxy settings into account.

Workaround:
None


563227-4 : When a pool member goes down, persistence entries may vary among tmms

Component: Local Traffic Manager

Symptoms:
When a pool member goes down, persistence entries may vary among tmms. The result will be that rather than persisting to a single pool member, the new connections may arrive on different pool members based on the number of tmms on the BIG-IP platform in use.

Conditions:
Using persistence with some connections persisted to a pool member that goes down, either administratively or due to a monitor. During this time, the client is issuing several new connections to the BIG-IP system.

Impact:
Inconsistent persistence entries.

Workaround:
None.

Fix:
The race conditions that involved dropping an offline pool member have been resolved.


563064-5 : Bringing up and tearing down an IPsec tunnel will slowly leak tmm memory

Component: TMOS

Symptoms:
Cipher memory initialized when an IPsec tunnel is created is not cleaned up when IPsec tunnel is removed.

Conditions:
Each time an IPsec tunnel is established and then removed, the allocated cipher memory is left in the system.

Impact:
TMM memory leaks slowly.

Fix:
Cipher memory is freed when an IPsec tunnel is removed


562959-3 : In some error scenarios, IPsec might send packets not intended for IPsec over the tunnel.

Component: TMOS

Symptoms:
In some error scenarios, IPsec might send packets not intended for IPsec over the tunnel.

Conditions:
This occurs when there is an issue processing a packet going through the IPsec tunnel.

Impact:
TMM restarts without a core due to an internal connection timeout.

Workaround:
None.

Fix:
IPsec now only sends packets intended for IPsec over the tunnel.


562919-1 : TMM cores in renew lease timer handler

Component: Access Policy Manager

Symptoms:
TMM generates core.

Conditions:
All three of the following conditions must be met for this to trigger:
1) Both IPv4 and IPv6 network access connections are enabled for the same network access resource.
2) The IPv4 address is statically assigned.
3) The IPv6 address is dynamically assigned from the leasepool.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Workaround 1) Use IPv4 only network access connection.

Workaround 2) While using both IPv4 and IPv6 network access connection, assign both IPv4 and IPv6 endpoint addresses from IPv4 and IPv6 leasepool respectively.

Workaround 3) While using both IPv4 and IPv6 network access connection, assign both IPv4 and IPv6 endpoint statically.

Fix:
TMM no longer cores in renew lease timer handler


562775-3 : Memory leak in iprepd

Component: Application Security Manager

Symptoms:
The IP reputation daemon (iprepd) has a small leak of approximately 8 to 16 bytes every 5 minutes.

Conditions:
This occurs when the BIG-IP box is licensed with IPI Subscription, and iprepd is running.

Impact:
Memory usage increases slowly until the kernel out-of-memory killer terminates the iprepd process.

Workaround:
None.

Fix:
This release fixes a memory leak in the IP reputation daemon (iprepd).


562566-3 : High Availability connection flap may cause mirrored persistence entries to be retained after expiration on multi-blade systems

Component: Local Traffic Manager

Symptoms:
Prior to expiration, the age of persistence entries is reset back to 0, thus retaining the persistence entries forever.

Conditions:
Persistence is configured on a multi-blade system, a configured High Availability peer is present, and a flap occurs on the High Availability connection between active and standby systems.

Impact:
Retention of persistence entries leads to eventual low memory conditions, performance degradation, and traffic outage or restarting of some daemons.

Workaround:
Although no reasonable workaround exists, you can clear the persistence table to reclaim leaked memory.

Fix:
Persistence entries are no longer retained beyond their expiration.


562427 : Trust domain changes do not persist on reboot.

Component: TMOS

Symptoms:
Some earlier releases saved only the internal binary database for trust domain changes (generally, changes to device group objects and device objects), rather than saving the text-based authoritative configuration in '/config/bigip*.conf'.

Conditions:
This occurs when making changes to devices via the Device Management UI.

Impact:
Device Group configuration may not be correct after a reboot.

Workaround:
Explicitly run a command to save the configuration before rebooting devices.

Fix:
Trust domain changes do not persist on reboot.


562044-1 : Statistics slow_merge option does not work

Component: TMOS

Symptoms:
When the statistics DB variable option 'merged.method' is set to 'slow_merge' then the merging of statistics stops working. This causes statistics to no longer appear to be updated.

Conditions:
The DB variable 'merged.method' is set to 'slow_merge'.

Impact:
Statistics no longer appear to be updated.

Workaround:
1) Set 'merged.method' to 'fast_merge', which is the default.

-or-

2) Create the /var/tmstat/cluster directory using mkdir. Note that the directory must be created on every blade in a chassis. Additionally, this directory needs to be re-created after reboots, so something like "/bin/mkdir /var/tmstat/cluster" should be added to "/config/startup".

Fix:
Statistics are now updated as expected when the statistics DB variable option 'merged.method' is set to 'slow_merge'.


561814-4 : TMM Core on Multi-Blade Chassis

Component: TMOS

Symptoms:
TMM core.

Conditions:
On a multi-blade chassis with WAM caching in use, where the datastor daemon is stopped and restarted, and where traffic is being cached by datastor.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The software defect has been found and fixed.


561798-3 : Windows edge client may show scripting error on certain third-party authentication sites

Component: Access Policy Manager

Symptoms:
User sees a JavaScript error on third-party IdP sites.

Conditions:
Windows Edge client is used.
Access policy requires the user to authenticate on a third-party site.

Impact:
Usability of the Edge Client is affected.

Fix:
Edge Client now runs embedded browser in Internet Explorer 10 emulation mode, which has support for modern JavaScript.


561539-1 : [Upgrade] GTM pool member ratio setting to 0 is not honored when upgrading from v10.2.4 to v11.5.3.

Component: Global Traffic Manager

Symptoms:
When upgrading from 10.x to 11.x, the Wide IP pool member ratio value is changed from 0 to 1.

Conditions:
1. Upgrade from v10.x to v11.x through 12.0.0
2. Have a Wide IP pool member ratio set to 0.

Impact:
Wide IP pool member ratio is changed to 1 (the default) from 0 after upgrading, potentially enabling selection of members that had been "disabled" with a ratio of 0.

Workaround:
Manually change ratio back to 0 after upgrade.


561433-6 : TMM packets can be dropped indiscriminately while under DoS attack

Component: Advanced Firewall Manager

Symptoms:
When tmm is loaded and cannot consume packets fast enough, packets can be dropped while being DMA'd from the hardware.

Conditions:
This could happen for a variety of reasons which cause tmm to be loaded.

Impact:
Packets will be dropped indiscriminately.

Workaround:
None.

Fix:
A sys db tunable (sys db dos.scrubtime) has been added that can be set to drop DoS attack packets in hardware more aggressively. This prevents other, non-attack packets from being dropped indiscriminately.


561348-2 : krb5.conf file is not synchronized between blades and not backed up

Component: Access Policy Manager

Symptoms:
The krb5.conf file is not in sync across all blades.
This may cause a feature (Kerberos SSO / Kerberos Auth) to not work as expected.

Conditions:
When an administrator manually changes the krb5.conf file, the configuration file is not synchronized to all blades, or is lost upon upgrade.

Impact:
Kerberos Auth / Kerberos SSO does not work properly on all blades.

Workaround:
None.

Fix:
The APM code now automatically synchronizes changes to the /etc/krb5.conf file to all devices in the Failover Device group. Any change made to this file on either the active or the standby device is automatically synced to the other device.

In a chassis, all secondary blades mirror the file on the primary blade. Any manual change made on a secondary blade is lost. The admin must make changes on the primary blade only, and they are synchronized to all other blades.

Behavior Change:
When an admin modifies the /etc/krb5.conf file, the changes are automatically updated on the other devices in the same Failover Device group.

When an admin modifies the /etc/krb5.conf file on the primary blade of a chassis, the changes are automatically updated on all secondary blades.


560975-1 : iControl can remove hardware SSL keys while in use

Component: TMOS

Symptoms:
When deleting SSL keys via iControl it is possible to delete keys from the Hardware Security Module even while they are configured in an active profile.

Conditions:
Using iControl to delete an SSL key installed in hardware.

Impact:
Key is removed from HSM and must be reloaded.

Workaround:
Verify that keys are not in use before using iControl to delete them.


560948-3 : OpenSSL vulnerability CVE-2015-3195

Vulnerability Solution Article: K12824341


560910-3 : OpenSSL Vulnerability fix

Vulnerability Solution Article: K86772626


560748 : BIG-IQ discovery fails

Component: Application Security Manager

Symptoms:
After updating attack signatures, a Signature-system called "IBM WebSphere" may be created that does not contain a REST ID, and BIG-IQ will fail discovery.

If you look at the REST output for this item at https://bigip_address/mgmt/tm/asm/signature-systems/ and look for "IBM WebSphere", you will see that the id field is empty.

Conditions:
This can occur when updating attack signatures, and when using BIG-IQ discovery.

Impact:
BIG-IQ discovery fails.

Workaround:
On the affected device run the following:
perl -MF5::Utils::Rest -MF5::DbUtils -MF5::ASMConfig::Entity::SignatureSystem -e "F5::Utils::Rest::populate_uuids(dbh => F5::DbUtils::get_dbh(), rest_entities => ['F5::ASMConfig::Entity::SignatureSystem'])"

Fix:
Fixed an issue with attack signature updates causing BIG-IQ discovery to fail.


560510-4 : Invalid /etc/resolv.conf when more than one DNS server is set and MCPD is down.

Component: TMOS

Symptoms:
When MCPD is not in the running state, dhclient writes domain-name-server information directly into /etc/resolv.conf. If the DHCP server supplies multiple domain-name-servers, they are written in an incorrect format: all servers on a single line, comma-separated. Each domain-name-server entry should be written on its own line with the "nameserver" prefix.

Conditions:
- MCPD is not in the running state.
- DHCP is enabled.
- DHCP server has provided multiple domain-name-server entries in the lease.

Impact:
Domain name resolution doesn't work.

Workaround:
Bring up MCPD, which writes resolv.conf in the correct format. Alternatively, manually edit /etc/resolv.conf so that each nameserver entry is on its own line.

Fix:
DHCP will now write a single nameserver per line in /etc/resolv.conf when multiple nameservers are configured in DHCP.


560405-5 : Optional target IP address and port in the 'virtual' iRule API are not supported.

Component: Local Traffic Manager

Symptoms:
In certain scenarios there is a need to redirect an HTTP request through a given virtual server to another virtual server (or remote endpoint). Such an operation is also known as 'vip-to-vip' forwarding. The available iRule API (specifically, the 'virtual' command) does not currently support this functionality.

Conditions:
Using an iRule to forward a request through a given virtual server to another virtual server or remote endpoint.

Impact:
Cannot implement HTTP Forward Proxy plus Transparent redirection to Web-Cache Pool.

Workaround:
None.

Behavior Change:
The 'virtual' iRule API has been changed to support a secondary target IP address and port to redirect the connection to, from a given virtual server. The new signature of the 'virtual' iRule API is:

virtual [<name>] [<ipaddr> [<port>]]

where:

-- <name> = the name of the virtual server to redirect the connection from.
-- <ipaddr> = the target IP address of the remote endpoint to route the connection to, through the specified virtual server; <ipaddr> can also have a route-domain (%).
-- <port> = the port of the remote endpoint to route the connection to, through the specified virtual server.


560180-3 : BIND Vulnerability CVE-2015-8000

Vulnerability Solution Article: K34250741


560114-2 : Monpd is being affected by an I/O issue which makes some of its threads freeze

Component: Application Visibility and Reporting

Symptoms:
When Monpd is restarted, it starts printing a non-stop stream of error messages to the logs. Analytics statistics may be lost, and new data cannot be loaded. The ltm log contains an error signature similar to the following:
err stat_bridge_thread[8278]: monpd`ERR`date`11285` [stat_bridge_thread::validateCorrectNumberOfPartitions, ] Too many partitions (44) defined for DB table AVR_STAT_DISK_T

Conditions:
A system I/O issue (possibly caused by /var/log being full).

Impact:
AVR statistics are lost.
Monpd thread cannot load new data, and it prints non-stop error messages to the logs.

Workaround:
Run the following:

find /var/avr/loader/ -mindepth 1 -name "*" -print0 | xargs -0 rm
touch /var/avr/init_avrdb
bigstart restart monpd


559975-4 : Changing the username or password used for HTTP monitor basic auth may break HTTP basic auth

Component: Global Traffic Manager

Symptoms:
HTTP basic authentication uses a base64-encoded string. When an HTTP monitor username or password is changed, the base64 string is regenerated and may become malformed.

Conditions:
When an HTTP monitor username or password is changed (e.g., shortened), the HTTP basic auth string may be mangled.

Impact:
An HTTP monitor may show its resource as unavailable after changing the username or password.

Workaround:
Restart big3d, or delete then recreate the monitor instead of modifying the existing monitor.

Fix:
HTTP monitors will now correctly handle a username or password change.


559973-5 : Nitrox can hang on RSA verification

Component: Local Traffic Manager

Symptoms:
With certain signatures, RSA verification can hang the Nitrox crypto accelerator chip. The ltm log shows errors similar to the following:
crit tmm[11041]: 01010260:2: Hardware Error(Co-Processor): n3-crypto2 request queue stuck

Conditions:
RSA verification with certain signatures.

Impact:
Nitrox crypto accelerator can hang.

Fix:
The Nitrox crypto accelerator will no longer hang when performing RSA verification.


559939-3 : Changing hostname on host sometimes causes blade to go RED / HA TABLE offline

Component: TMOS

Symptoms:
If the UI System::Platform screen is used to change the hostname on a Standalone VIPRION, the non-primary blades in the chassis may temporarily report an offline state.

Conditions:
This affects only multi-blade chassis systems in Standalone mode.

Impact:
If the system is hosting vCMP guests, it may cause unexpected failovers, and interruption of traffic.

Workaround:
To change the hostname on the VIPRION, use the tmsh command:
'modify sys global-settings hostname new-host-name'.

Fix:
Changing hostname on Standalone VIPRION no longer causes the non-primary blade to go RED / HA TABLE offline.


559541-3 : ICAP anti-virus tests are not initiated on XML with sensitive data when they should be

Component: Application Security Manager

Symptoms:
ICAP anti virus tests are not performed on XML with sensitive data.

Conditions:
ICAP and an XML profile are configured on the policy, with ICAP configured to inspect the XML.
The XML profile has sensitive data configured.
The XML request contains sensitive data.
The expectation is that XML with sensitive data initiates ICAP tests.

Impact:
Virus tests are not run on the request if the only trigger for ICAP testing was the presence of sensitive XML data.

Fix:
ICAP tests are performed on XML with sensitive data.


559138-4 : Linux CLI VPN client fails to establish VPN connection on Ubuntu

Component: Access Policy Manager

Symptoms:
Linux client is unable to establish a VPN connection. An error is displayed which says that server certificate verification has failed.

Conditions:
CLI client used on Ubuntu to establish VPN connection.

Impact:
User cannot connect to VPN.

Workaround:
Use web client.

Fix:
Fixed bug in certificate verification code.


559055 : Staging is not disabled on wildcard parameter "*" when Learn New Parameters is set to "Add All"

Component: Application Security Manager

Symptoms:
Staging is not disabled on wildcard parameter "*" when Learn New Parameters is set to "Add All Entities".

Conditions:
Learn New Parameters is set to "Add All Entities".

Impact:
Staging on wildcard parameter "*" remains unchanged.

Workaround:
Disable staging on wildcard parameter "*" manually.

Fix:
Staging is now disabled correctly on wildcard parameter "*" when Learn New Parameters is set to "Add All Entities".


559034-3 : Mcpd core dump in the sync secondary during config sync

Component: TMOS

Symptoms:
mcpd will crash if certain files are missing from the file store during sync operations.

Conditions:
This can happen when files associated with file objects are removed from the file store. Users are not permitted to directly modify the contents of the file store.

Impact:
mcpd will crash

Workaround:
Users are not permitted to directly modify the contents of the file store. Use tmsh or the Configuration Utility to manage BIG-IP objects such as certificates.

Fix:
Mcpd will no longer crash during a config sync if a file store object is missing.


558946-3 : TMM may core when APM is provisioned and access profile is attached to the virtual

Component: Access Policy Manager

Symptoms:
TMM may core when APM is provisioned and access profile is attached to the virtual.

Conditions:
This crash is most likely to occur when more than one ABORT event is sent to a connection on a virtual server with an attached access profile.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Multiple ABORT events on a connection to an APM virtual server no longer cause TMM to crash and restart.


558870-4 : Protected workspace does not work correctly with third party products

Component: Access Policy Manager

Symptoms:
1) Internet Explorer and Firefox cannot be launched in the Windows protected workspace if Norton Internet Security 22.x is present on the user's machine.
2) Microsoft OneDrive does not work correctly inside protected workspace.

Conditions:
Norton Internet Security 22.x is installed on user's desktop.
Protected workspace is used.

Impact:
User cannot launch Internet Explorer or Firefox inside protected workspace.
Files cannot be synced to OneDrive.

Workaround:
There is no workaround.

Fix:
User can now launch Internet Explorer or Firefox inside protected workspace.


558859 : Control insertion to log_session_details table by Access policy logging level.

Component: Access Policy Manager

Symptoms:
Session records are always written to log_session_details table upon new session creation, regardless of access log level.

Conditions:
New sessions are created.

Impact:
CPU is hogged when large numbers of sessions are created within a short time period.

Fix:
Control insertion to log_session_details table by Access policy logging level.


558858-1 : Unexpected loss of communication between slots of a vCMP Guest

Component: TMOS

Symptoms:
1. Within the vCMP guest, the affected slot shows the other slot(s) to be offline. When logged into any other "offline" slot, the slot shows itself to be online.

2. Within the vCMP guest, on the affected slot, the log files (such as /var/log/ltm) have stopped recording log entries from the other slot(s).

3. Within the vCMP guest, on the affected slot, the eth1 interface shows TX increasing but RX not increasing. The eth1 interface on other slots shows both TX and RX increasing.

Conditions:
Only affects vCMP guests with 2 or more slots on VIPRION C2000-series chassis.

Impact:
The number of working slots in a vCMP guest is reduced to 1 slot. The effect on traffic may range from none to severe.

Workaround:
Within the vCMP guest, log in to the command line (vconsole or SSH) of the affected slot and run the following:

ifconfig eth1 down ; ifconfig eth1 up

Alternatively, from the hypervisor, modify the vCMP guest to the Configured state, and wait to confirm the vCMP guest has stopped on all slots. Then return the vCMP guest to the Deployed state.

Fix:
This release no longer exhibits loss of communication between slots of a vCMP Guest.


558779-5 : SNMP dot3 stats occasionally unavailable

Component: TMOS

Symptoms:
SNMP would not provide values for some dot3 stats.

Conditions:
Always, under affected versions.

Impact:
SNMP would not provide values for some dot3 stats.
There is no impact on actual traffic.

Workaround:
None

Fix:
The dot3 stats are now available.


558631-6 : APM Network Access VPN feature may leak memory

Component: Access Policy Manager

Symptoms:
VPN connections may cause memory usage to increase with the memory never being reclaimed.

Conditions:
-- APM Network Access feature is configured.
-- VPN connections are being established.

Impact:
Slow memory leak over time with eventual out-of-memory condition, performance degradation, and traffic outage.

Workaround:
No workaround short of not using the APM Network Access feature.

Fix:
The APM Network Access VPN feature no longer leaks memory.


558612-3 : System may fail when syncookie mode is activated

Component: Local Traffic Manager

Symptoms:
TMM may core when syncookie mode has been activated while the system is under extreme memory pressure.

Conditions:
L7 VIP with certain TCP profile attributes enabled.
Syncookies have been activated.
System under memory pressure due to heavy load.

Impact:
tmm may core.

Workaround:
Use the default TCP profile for all L7 VIPs.

Fix:
The BIG-IP will not encounter a system failure when syncookie mode has been activated.


558602-2 : Active mode FTP data channel issue when using lasthop pool

Component: Local Traffic Manager

Symptoms:
The data channel for active mode FTP may fail.

Conditions:
Active mode FTP through a virtual server with an FTP profile whose port is set to zero, configured to use a lasthop pool.

Impact:
Active mode FTP does not work.

Workaround:
Use auto-lasthop instead of lasthop pool.
Use passive mode FTP.

Fix:
Active mode FTP now works correctly.


558573-3 : MCPD restart on secondary blade after updating Pool via GUI

Component: TMOS

Symptoms:
If you use the LTM GUI in a clustered environment to add an IP Encapsulation profile to a Pool, then click Update, mcpd and other daemons may restart on secondary blades in the cluster.

When this occurs, errors similar to the following are logged on the secondary blades:
-- err mcpd[22537]: 01020036:3: The requested pool profile (49825) was not found.
-- err mcpd[22537]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested pool profile (49825) was not found.

Conditions:
This problem may occur when operating BIG-IP in a clustered environment (VIPRION), and using the GUI to update the properties of an LTM pool with an IP Encapsulation profile defined.

Impact:
Daemon restarts, disruption of traffic passing on secondary blades.

Workaround:
Perform pool updates via the tmsh command-line utility.

Fix:
Pool profile update is performed by name rather than object ID, so MCPD no longer restarts on secondary blade after updating a pool using the GUI.


557783-3 : TMM generated traffic to external IPv6 global-addr via ECMP routes might use link-local addr

Component: Local Traffic Manager

Symptoms:
TMM might use a link-local IPv6 address when attempting to reach an external global address for traffic generated from TMM (for example, dns resolver, sideband connections, etc.).

Conditions:
- ECMP IPv6 routes to a remote destination where the next hop is a link local address. Typically this occurs with dynamic routing.
- Have configured a virtual server that generates traffic from TMM (for example, dns resolver, sideband connections, etc.).

Impact:
Traffic might fail because it egresses from a link-local address instead of a global address.

Workaround:
It might be possible to work around the issue if the dynamic routing peer can announce the route from a global address instead of a link-local address.
Using static routes might also work around the issue.

Fix:
TMM now uses the correct IPv6 global address when generating traffic to a remote address using ECMP routes via link-local next-hops.


557645-1 : Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.

Component: Local Traffic Manager

Symptoms:
Communication between devices in a high availability (HA) configuration might occasionally fail on VIPRION 2200 and 2400 platforms.

Conditions:
VIPRION 2200 and 2400 platforms with more than one blade.

Multiple devices in an HA configuration.

TMM incorrectly identifies which TMM should handle host connections from an HA peer.

The host connection will be reset after the SYN retransmits are exceeded between TMM and the host process.

Impact:
Periodic reported failures in host-to-host communication. This could affect config sync, and other HA related communication.

Workaround:
None.

Fix:
Host communication on VIPRION 2200 and 2400 platforms now behaves the same as host communication on other platforms, as expected.


557281-3 : The audit_forwarder process fails to exit normally causing the process to consume CPU to near 100%

Component: TMOS

Symptoms:
audit_forwarder and mcpd consume almost 100% CPU. When syslog-ng restarts it will start another audit_forwarder process, but it is the orphaned audit_forwarder process that will consume almost 100% CPU. When syslog-ng is restarted and audit_forwarder does not exit cleanly, the mcpd process will also begin consuming high CPU.

Conditions:
syslog-ng is stopped manually, or sometimes (rarely) during a normal restart of syslog-ng.

Impact:
The audit_forwarder and mcpd processes consume excessive CPU.

Workaround:
Stop the orphaned audit_forwarder process manually (kill -9); once it is stopped, mcpd returns to normal CPU consumption.

Fix:
When syslog-ng is stopped manually (or when expected), audit_forwarder also exits, so the audit_forwarder process no longer consumes increasing CPU.


557221 : Inbound ISP link load balancing will use pool members for only one ISP link per data center

Component: Global Traffic Manager

Symptoms:
In BIG-IP Link Controller and GTM 11.5.3, 11.6.0 and prior versions, and BIG-IP DNS 12.0.0, the inbound ISP link load balancing functionality uses pool members for more than one ISP link per data center.

Conditions:
Using the inbound ISP link load balancing functionality in BIG-IP Link Controller and GTM 11.5.3, 11.6.0 and prior versions, and BIG-IP DNS 12.0.0.

Impact:
If a pool has multiple members that use different ISP links within a data center, the system uses only pool members associated with the ISP link of the first available pool member. The system marks pool members associated with subsequent ISP links as unavailable (grey).

Fix:
The inbound ISP link load balancing functionality will use pool members for only one ISP link per data center for each pool.

Behavior Change:
Beginning in BIG-IP Link Controller and GTM 11.5.4, 11.6.1, and BIG-IP DNS 12.1.0, the ISP link load balancing functionality will use pool members for only one ISP link per data center for each pool.

The link that is associated with the first configured and available pool member within each data center will determine the link that will be used for the data center. The system will use only pool members associated with that link.


557144-1 : Dynamic route flapping may lead to tmm crash

Component: TMOS

Symptoms:
When dynamic routing is in use and routes are being actively added and removed, tmm may crash.

Conditions:
Virtual Server configured with Dynamic Routing

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Flapping dynamic routes no longer trigger a tmm crash.


557062-3 : The BIG-IP ASM configuration fails to load after an upgrade.

Component: Application Visibility and Reporting

Symptoms:
A configuration load failure occurs after creating an ASM predefined report in a previous version (11.3 or 11.4) and upgrading to a version prior to 12.1.0.

Conditions:
Define a scheduled report with predefined-report-name '/Common/Top alerted URLs' on version 11.3 or 11.4, then upgrade to a later version.

Impact:
Version upgrade fails (the BIG-IP system becomes unusable).

Workaround:
Manually change predefined-report-name '/Common/Top alerted URLs' to predefined-report-name '/Common/Top alarmed URLs'.

Fix:
If an ASM predefined report was created in a previous version and the system was updated, it could have caused the configuration upgrade to fail. This failure no longer occurs.


556774-1 : EdgeClient cannot connect through captive portal

Component: Access Policy Manager

Symptoms:
EdgeClient cannot connect through captive portal.

Conditions:
1) Install EdgeClient on a PC that connects to the APM through a captive portal.
2) Launch EdgeClient and try to connect to the APM.
3) System posts certificate warnings. Accept them.
4) Captive portal is not shown to the user.
5) EdgeClient just toggles between 'Waiting to connect to server' and 'Downloading server settings' messages.

Impact:
No captive portal is displayed to the user. The EdgeClient UI just toggles between 'Waiting to connect to server' and 'Downloading server settings' messages.

Workaround:
None.

Fix:
When EdgeClient is installed on a PC that connects to the APM through a captive portal, the captive portal now opens as expected.


556694-6 : DoS Whitelist IPv6 addresses may "overmatch"

Component: Advanced Firewall Manager

Symptoms:
When using the 8-entry "rich" DoS whitelist with IPv6 addresses, the hardware compares only 32 bits of an incoming IPv6 address against the whitelist entry. If those 32 bits match, the whitelist reports a "match" even when other bits of the IPv6 address differ.
Note that the configuration can select which set of bits (there are 4 choices -- 127:96, 95:64, 63:32, 31:0) to match against, via the db tunable dos.wlipv6addrsel.
Also note that IPv4 matches are always exact and are not affected by this issue.

Conditions:
Occurs when the 8-entry AFM DoS Whitelist is used to match against IPv6 addresses.

Impact:
In some cases, the Whitelist may overmatch, meaning some IPv6 addresses will be considered whitelist matches, when they do not match the whitelist.
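
An added example (not BIG-IP or F5 code) that emulates the 32-bit comparison described above, so an administrator can see which non-whitelisted addresses each window choice would accept for a given whitelist. The whitelist and the sample traffic addresses are constructed; the page does not give the values dos.wlipv6addrsel takes for each window, so the windows are keyed here by the bit ranges the page lists.

```python
import ipaddress

# The four 32-bit windows the page lists for dos.wlipv6addrsel, keyed by the
# page's own "high:low" notation; the value is the right shift that isolates
# them. The db variable's actual values are not on the page and are not assumed.
WINDOWS = {"127:96": 96, "95:64": 64, "63:32": 32, "31:0": 0}

def window_bits(addr: str, window: str) -> int:
    """Extract the 32 bits of `addr` that the selected window compares."""
    return (int(ipaddress.IPv6Address(addr)) >> WINDOWS[window]) & 0xFFFFFFFF

def hw_match(whitelist, addr: str, window: str) -> bool:
    """Emulate the described behaviour: an incoming address matches a whitelist
    entry when only the selected 32 bits are equal."""
    key = window_bits(addr, window)
    return any(window_bits(entry, window) == key for entry in whitelist)

def overmatched(whitelist, candidates, window: str):
    """Candidates that are NOT whitelisted but would be treated as matches."""
    listed = {ipaddress.IPv6Address(e) for e in whitelist}
    return [c for c in candidates
            if ipaddress.IPv6Address(c) not in listed and hw_match(whitelist, c, window)]

def least_ambiguous_window(whitelist, candidates) -> str:
    """Window whose 32 bits best separate the whitelist from the sample traffic."""
    return min(WINDOWS, key=lambda w: len(overmatched(whitelist, candidates, w)))

# Constructed sample: two whitelisted hosts and four addresses seen in traffic.
WHITELIST = ["2001:db8:1::10", "2001:db8:2::20"]
CANDIDATES = ["2001:db8:1::11", "2001:db8:ffff::10", "2001:db8:1:1::10", "fd00::20"]

if __name__ == "__main__":
    for w in WINDOWS:
        print(f"{w:>7}: overmatched -> {overmatched(WHITELIST, CANDIDATES, w)}")
    print("least ambiguous window:", least_ambiguous_window(WHITELIST, CANDIDATES))
```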


556597-3 : CertHelper may crash when performing Machine Cert Inspection

Component: Access Policy Manager

Symptoms:
CertHelper may crash while checking a machine certificate.

Conditions:
APM installed

Impact:
Authentication may fail.

Fix:
Fixed crash cause in CertHelper.


556560-1 : DNS messages may become malformed if the Additional section contains an OPT record followed by multiple records.

Component: Local Traffic Manager

Symptoms:
DNS messages which contain an OPT record followed by more than one record in the additional section will become malformed when they pass through a virtual with an assigned DNS profile.

Conditions:
A DNS message contains an OPT record in the Additional section, the message is compressed, and more than one record follows the OPT record.

Impact:
This issue impacts all DNS messages that contain an OPT record followed by more than one record. The DNS handling code expects a message containing an OPT record to have 0 or 1 TSIG record following the OPT record in the additional record section of a message.

The RFCs permit the OPT record to be placed anywhere in the additional record section of a DNS message, with the exception of a TSIG record. If a TSIG record is present, it must always be last. If no TSIG record is present, then an OPT record can be last.

The RFCs do not restrict a query from containing records in the additional record section of the message.

When a DNS query or response is passed through the TMM DNS message handler, and that message contains an OPT record followed by more than one record, and those records that follow the OPT record contain compression pointers to other records that also follow the OPT record, then the message becomes mangled.

Workaround:
Disable DNS compression on the resolver, or configure the resolver to place OPT records at the end of the additional section (except TSIG records which must always be last).

Fix:
DNS messages which contain a record other than TSIG following an OPT record in the additional record section will be transformed in the message handler and the message inspection will be restarted.

The transformation involves safely moving the OPT record to be last or second-to-last (in the presence of a TSIG record) position of the additional record section. 'Safely' means updating the relevant compression pointers.

The subsequent code paths which depend on the OPT record's position now work as expected.
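
An added example (not BIG-IP or F5 code) of the layout and transformation described above: a minimal DNS wire-format walker that flags an additional section where an OPT is followed by more than one record whose owner names point at bytes after the OPT, then relocates the OPT to last (or before a trailing TSIG) and shifts the affected compression pointers. It inspects owner-name pointers only, not names inside RDATA, and the sample message is constructed.

```python
import struct

TYPE_A, TYPE_OPT, TYPE_TSIG = 1, 41, 250

def skip_name(msg, off):
    """Return (offset past the name, offsets of any compression pointer in it)."""
    ptrs = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # a 2-byte pointer terminates the name
            ptrs.append(off)
            return off + 2, ptrs
        off += 1
        if length == 0:                    # the root label terminates the name
            return off, ptrs
        off += length

def pointer_target(msg, ptr_off):
    return struct.unpack_from("!H", msg, ptr_off)[0] & 0x3FFF

def decode_name(msg, off, hops=0):
    """Resolve labels and pointers to a dotted name (used to verify a rewrite)."""
    labels = []
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:
            if hops > 16:
                raise ValueError("compression pointer loop")
            return ".".join(labels + [decode_name(msg, pointer_target(msg, off), hops + 1)])
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
        off += 1 + msg[off]
    return ".".join(labels)

def parse_records(msg, off, count, question=False):
    """Walk `count` records from `off`, noting only owner-name compression pointers."""
    recs = []
    for _ in range(count):
        start = off
        off, ptrs = skip_name(msg, off)
        rtype = struct.unpack_from("!H", msg, off)[0]
        if question:
            off += 4                                              # QTYPE, QCLASS
        else:
            off += 10 + struct.unpack_from("!H", msg, off + 8)[0]  # fixed fields + RDATA
        recs.append({"start": start, "end": off, "type": rtype, "name_ptrs": ptrs})
    return recs, off

def additional_section(msg):
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    off = 12
    for count, is_q in ((qd, True), (an, False), (ns, False)):
        _, off = parse_records(msg, off, count, is_q)
    return parse_records(msg, off, ar)[0]

def triggers_bug(msg):
    """The described layout: OPT, then >1 record, with a later owner name pointing
    at bytes that also sit after the OPT."""
    recs = additional_section(msg)
    opt_idx = next((i for i, r in enumerate(recs) if r["type"] == TYPE_OPT), None)
    if opt_idx is None or len(recs) - opt_idx - 1 <= 1:
        return False
    opt_end = recs[opt_idx]["end"]
    return any(pointer_target(msg, p) >= opt_end
               for r in recs[opt_idx + 1:] for p in r["name_ptrs"])

def move_opt_last(msg):
    """Move the OPT to the end of the additional section (before a trailing TSIG).
    Owner-name pointers in later records that targeted bytes after the OPT's old
    position are shifted back by the OPT's length. RDATA is not inspected, so this
    is only safe for address-type additional records."""
    recs = additional_section(msg)
    opt_idx = next(i for i, r in enumerate(recs) if r["type"] == TYPE_OPT)
    opt = recs[opt_idx]
    opt_start, opt_len = opt["start"], opt["end"] - opt["start"]
    out = bytearray(msg)
    for r in recs[opt_idx + 1:]:                  # fix pointers before moving bytes
        for p in r["name_ptrs"]:
            target = pointer_target(msg, p)
            if target > opt_start:
                struct.pack_into("!H", out, p, 0xC000 | (target - opt_len))
    opt_bytes = bytes(out[opt_start:opt["end"]])
    del out[opt_start:opt["end"]]
    insert_at = len(out)
    if recs[-1] is not opt and recs[-1]["type"] == TYPE_TSIG:
        insert_at = recs[-1]["start"] - opt_len   # TSIG must remain last
    out[insert_at:insert_at] = opt_bytes
    return bytes(out)

def build_sample():
    """Constructed response: OPT first in the additional section, then two A
    records; the second owner name is a pointer to the first (offset 60)."""
    m = bytearray(struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 3))
    m += b"\x03www\x07example\x03com\x00" + struct.pack("!HH", TYPE_A, 1)  # question @12
    m += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 60, 4) + bytes([93, 184, 216, 34])
    m += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)              # OPT @49
    m += b"\x03ns1\xc0\x10" + struct.pack("!HHIH", TYPE_A, 1, 60, 4) + bytes([192, 0, 2, 1])
    m += b"\xc0\x3c" + struct.pack("!HHIH", TYPE_A, 1, 60, 4) + bytes([192, 0, 2, 2])
    return bytes(m)
```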


556383-2 : Multiple NSS Vulnerabilities

Vulnerability Solution Article: K31372672


556380-3 : mcpd can assert on active connection deletion

Component: TMOS

Symptoms:
When all of the peers in an HA / DSC configuration are removed, then it is possible for the connection tear down to result in an assert.

Conditions:
Removal of all peers while a connection is handling a transaction.

Impact:
MCPD asserts and restarts.

Workaround:
No workaround is necessary. MCPD restarts.

Fix:
Connection tear down checks for active connections and does not result in an assert when removing all peers while a connection is handling a transaction.


556284-3 : iqsyncer: GTM/LC config sync failure with error from local mcpd Monitor parent not found

Component: TMOS

Symptoms:
GTM/LC config sync fails with error in /var/log/gtm and /var/log/ltm similar to the following:
Monitor /Common/my_http_monitor parent not found

Conditions:
There is a customized GTM monitor on one member of a high availability configuration, but not on others.

Impact:
Config sync fails. On the device that does not have the monitor, the system logs a parent-not-found message into /var/log/gtm.

Workaround:
None.

Fix:
GTM/LC sync now completes successfully even when the configuration being synced contains a custom GTM/LC monitor definition.


556277-4 : Config Sync error after hotfix installation (chroot failed rsync error)

Component: TMOS

Symptoms:
Once an installation has been booted into, applying a hotfix over that installation does not change the SELinux policy, but instead uses the previously installed SELinux policy.

Conditions:
This affects installations of a later hotfix atop an earlier hotfix, or onto a base build of the same software version. Installation onto a new volume is unaffected.

To determine whether the configuration will experience this issue, use md5sum to see whether the following have the same checksums:
-- /etc/selinux/targeted/modules/active/modules/f5_mcpd.pp
-- /usr/share/selinux/targeted/f5_mcpd.pp

If the checksums are the same, the system will use the SELinux policy installed with the previous hotfix, and this issue will occur.

Impact:
Sync of file objects might fail with an error similar to the following:

01071488:3: Remote transaction for device group [name] to commit id [number] failed with error 01070712:3: Caught configuration exception (0), verify_sync_result:() :Failed to sync files. - sys/validation/FileObject.cpp, line 6276..

Workaround:
Instead of installing the hotfix over an existing installation of the base build of that version (or an earlier hotfix), install the base ISO (for example 11.5.4) into a volume, and then install the hotfix onto that volume, without booting the volume in between.

Fix:
Installing a hotfix over an existing base install now rebuilds the SELinux policy as expected.


556252 : sysGlobalTmmStatTmUsageRatio5s and sysGlobalTmmStatNpus in chassis

Component: TMOS

Symptoms:
The sysGlobalTmmStatTmUsageRatio5s and sysGlobalTmmStatNpus OIDs read lower than expected given the traffic on the system. The values suddenly increase when a non-running blade is powered down.

Conditions:
This occurs on a chassis where one or more blades are not in the cluster but are not powered down. The usage ratio and Npus statistics treat those blades as if they were in the cluster and factor them into the calculation, so the values appear lower than they actually are.

Impact:
Misleading, confusing statistics

Workaround:
You can completely power down the blade and it will be removed from the statistics calculation.

Fix:
sysGlobalTmmStatTmUsageRatio5s and sysGlobalTmmStatNpus are now calculated only against running blades.


556117-1 : client-ssl profile is case-sensitive when checking server_name extension

Component: Local Traffic Manager

Symptoms:
The client-ssl profile is case-sensitive when matching the server-name configured in client-ssl profiles against the server_name extension in the ClientHello message.

Conditions:
When using mixed upper-lower case server-name in the client-ssl profile configuration and ClientHello messages.

Impact:
The system treats mixed upper/lower-case server-names as different names, which violates RFC 6066, which states: "Currently, the only server names supported are DNS hostnames. DNS hostnames are case-insensitive."

Workaround:
1. Configure only one client-ssl profile for the same server-name.

2. Use only lower-case server-names when configuring the client-ssl profile.

3. Use lower-case server-names on the client side.

Fix:
The system now treats mixed upper-lower case server-names as the same name, so server-name is no longer case sensitive.


556103-2 : Abnormally high CPU utilization for external monitors

Component: Local Traffic Manager

Symptoms:
High CPU utilization for external monitors that use SSL.

Conditions:
External monitor using SSL.

Impact:
Abnormally high CPU utilization.

Workaround:
None.

Fix:
This release improves the handling of external monitors that use SSL so that CPU utilization no longer increases.


556088-2 : In a chassis system with APM provisioned, the mcpd daemon on secondary blades will restart.

Component: Access Policy Manager

Symptoms:
Uploading and installing an epsec/Opswat package on a chassis system will result in mcpd restart on the secondary blades.

Conditions:
Installing a new epsec package in a chassis system is the only condition under which this can happen.

Impact:
All daemons dependent on mcpd will restart.

Fix:
The epsec package is no longer validated on secondary blades.


555905-1 : sod health logging inconsistent when device removed from failover group or device trust

Component: TMOS

Symptoms:
When a device is in a failover group, sod logs the state change messages indicating the reachability of other devices in the group. For example:

Nov 2 11:34:54 BIGIP-1 notice sod[5716]: 010c007f:5: Receiving status updates from peer device /Common/BIGIP-3.localdomain (10.145.192.5) (Online).
Nov 2 11:31:19 BIGIP-1 notice sod[5716]: 010c007f:5: Receiving status updates from peer device /Common/BIGIP-3.localdomain (10.145.192.5) (Offline).
Nov 2 11:31:43 BIGIP-1 notice sod[5716]: 010c007e:5: Not receiving status updates from peer device /Common/BIGIP-3.localdomain (10.145.192.5) (Disconnected).

If a reachable device is removed from the failover group, no "Disconnected" message is issued, so the last reported status will be inaccurate.

When a device is part of a trust, sod logs messages indicating what unicast addresses it is monitoring on remote devices:

Nov 2 11:34:29 BIGIP-1 info sod[5716]: 010c007a:6: Added unicast failover address 10.145.192.5 port 1026 for device /Common/BIGIP-3.localdomain.

If devices are removed from the trust, sod does not log a message that those unicast addresses are no longer in use.

Conditions:
When a device is removed from a failover device group, or removed from a device trust.

Impact:
Inaccurate state reporting.

Fix:
When a device is removed from a failover device group, it is now reported as "Disconnected".

When a device is removed from the device trust, sod on the other devices correctly reports that the unicast addresses belonging to the other devices have been deleted.


555686-2 : Copper SFPs OPT-0015 on 10000-series appliance may cause interfaces to not come up and/or show corrupted serial numbers

Component: TMOS

Symptoms:
Some OPT-0015 copper small form-factor pluggable (SFP) transceivers might cause an internal bus to hang.

Conditions:
This happens only when the following conditions are met:
-- 10000-series appliances.
-- At reboot, at a restart of the bcm56xxd daemon, or when a copper SFP is enabled or disabled.
-- There is at least one copper SFP present in the appliance.
-- Interfaces are spread between hardware muxes. That means some SFPs are in ports 1.1-1.8 and other SFPs are in ports 1.9-1.16.

Impact:
Corrupted serial number information from SFPs, and fiber SFPs may not come up. Enable and disable of copper SFPs may not work.

Workaround:
None.

Fix:
The system now ensures that the I2C bus muxes only enable a single interface, so the issue with interfaces on Copper SFPs OPT-0015 on 10000-series appliances no longer occurs.


555549-2 : 'tmsh modify ltm node <ip_addr> state user-down' fails to bring pool member state offline.

Component: Local Traffic Manager

Symptoms:
The command to set the ltm node state to user-down fails to bring the pool member state offline.

Running the command results in error messages similar to the following:
01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 1137

Conditions:
This occurs when running the command to set the ltm node state to user-down, for example: tmsh modify ltm node 10.10.10.10 state user-down.

Impact:
Session status fails to update for pool member.

Workaround:
None.

Fix:
The command to set the ltm node state to user-down now successfully brings pool member state offline.


555507-3 : Under certain conditions, SSO plugin can overrun memory not owned by the plugin.

Component: Access Policy Manager

Symptoms:
Under certain conditions, SSO plugin can overrun memory not owned by the plugin. Symptoms could be different based on the owner of overrun memory.

Conditions:
This occurs when the following conditions are met:

1. The BIG-IP system is configured and used as SAML Identity Provider.
2. Single Logout (SLO) protocol is configured on an attached SP connector.
3. At least one user executed SAML WebSSO profile.

Impact:
Symptoms might differ based on the owner of overrun memory.
Potentially, tmm could restart as a result of this issue.

Workaround:
Disable SAML SLO: remove SLO request and SLO response URLs from configuration in appropriate SAML SP connectors.

Fix:
SSO plugin no longer overruns memory not owned by the plugin, so the system supports the following configuration without memory issues:

The BIG-IP system is configured and used as a SAML Identity Provider.
Single Logout (SLO) protocol is configured on the attached Service Provider (SP) connector.
At least one user executed SAML WebSSO profile.


555457-4 : Reboot is required, but not prompted after F5 Networks components have been uninstalled

Component: Access Policy Manager

Symptoms:
Attempt to establish a VPN connection from a Windows 10, Windows 8.1, Windows 7, or Vista desktop fails if F5 Networks components have been removed previously and the desktop was not rebooted.

Typically this issue can be identified by these log records:
<snip>
DIALER, 48, \driverstatechecker.cpp, 10, dump, WAN Miniport (SSTP)
DIALER, 48, \driverstatechecker.cpp, 10, dump, WAN Miniport (SSTP)
DIALER, 48, \driverstatechecker.cpp, 10, dump, F5 Networks VPN Adapter <--- Two F5 Devices
DIALER, 48, \driverstatechecker.cpp, 10, dump, F5 Networks VPN Adapter (7) <--- Two F5 Devices
DIALER, 48, \driverstatechecker.cpp, 155, GetVPNDriverRASDeviceName, found device, F5 Networks VPN Adapter
<snip>
DIALER, 1, \urdialer.cpp, 1573, CURDialer::OnRasCallback(), RAS error (state=RASCS_OpenPort, error=633: The modem (or other connecting device) is already in use or is not configured properly.)

Conditions:
Windows desktop.
Existing F5 components uninstalled.
Reboot was not performed after uninstall.

Impact:
End users cannot establish a VPN connection from Windows-based clients.

Workaround:
Reboot the affected Windows desktop.

Fix:
After F5 Networks components have been uninstalled, the system does not require a reboot, and uses the latest installed software device for VPN, as expected.


555432-2 : Large configuration files may go missing on secondary blades

Component: Local Traffic Manager

Symptoms:
bigip.conf or other configuration files may go missing on secondary blades once the configuration exceeds a certain size (approximately 8 MB).

Conditions:
This is only relevant on chassis.

Impact:
If the primary changes, then the configuration is at risk of being lost.

Workaround:
touch the relevant configuration file (usually bigip.conf) and the configuration file will reappear.

Fix:
bigip.conf or other configuration files would go missing on secondary blades once the configuration exceeded a certain size (approximately 8 MB). This has been fixed.


555272-3 : Endpoint Security client components (OPSWAT, EPSEC) may fail to upgrade

Component: Access Policy Manager

Symptoms:
Previously, F5 Client components were signed using SHA1 certificate. SHA1 is now considered insecure and Windows will reject components signed using a SHA1 certificate after March 31st 2016.

To support this new requirement, F5 has changed the client component signing certificates to utilize a higher security validation algorithm.

The result of this change is that clients using client components built prior to these versions:

BIG-IP 12.0.0 HF1 or earlier
BIG-IP 11.6.0 HF8 or earlier
BIG-IP 11.5.4 (base release) or earlier

cannot install Endpoint Security updates of build 431 or greater.

If you require updated Endpoint Security (OPSWAT / EPSEC) builds greater than 431 you must upgrade to one of these versions:

BIG-IP 12.1.0 or later
BIG-IP 12.0.0 HF2 or later
BIG-IP 11.6.1 or later
BIG-IP 11.5.4 HF1 or later

Conditions:
Running incompatible BIG-IP version with EPSEC build 431 or later.

Impact:
User will see certificate warnings and installation of client component updates may fail. The failure may occur multiple times.

Workaround:
Upgrade BIG-IP to the correct version.

Use the BIG-IP Web GUI's Software Management :: Antivirus Check Updates section to install an EPSEC build prior to 431.

Fix:
Updated the signing certificate to a SHA-256 certificate. Client components and EPSEC binaries are now signed using the new, higher security certificate. Note that an upgrade to an HF in which the client is signed using the updated certificate is needed to install updated EPSEC releases. Please review the information carefully.


555057-1 : ASM REST: Removing a Signature Set From One Security Policy Removes It From All Security Policies.

Component: Application Security Manager

Symptoms:
When using ASM REST to remove a signature set association from a policy (DELETE), the set is removed from all policies in the system.

Conditions:
ASM REST is used to remove a signature set association from a policy.

 DELETE /mgmt/tm/asm/policies/<ID>/signature-sets/<ID>

Impact:
All policies will lose their association to that signature set. This may leave some policies not enforcing all the Attack Signatures that they are expected to.

Workaround:
A DELETE can be issued to the collection endpoint: /mgmt/tm/asm/policies/<ID>/signature-sets utilizing the $filter parameter to delete only the desired sets.

Ex. DELETE /mgmt/tm/asm/policies/<ID>/signature-sets?$filter=id eq '<ID>'

Fix:
When using ASM REST to remove a signature set association from a policy (DELETE), the signature set association is removed only from the desired policy and not from all policies in the system.


555039-1 : VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration

Component: TMOS

Symptoms:
There are high drop counts when running tmsh show net interface, and running tmctl -a drop_reason shows that a large number of drops are due to counters.rx_cosq_drop.

Smaller buffering alpha values are configured for egress buffering to allow an 8 HW CoS queue feature to correctly implement weight based egress dropping. This results in busy ports dropping more aggressively, although allowing more fair buffering amongst multiple active ports.

Conditions:
Higher traffic rates, which stress switch MMU buffering resources, might result in egress CoS queue drop on busy ports.
This affects the BIG-IP 5000- and 7000-series platforms, and VIPRION B2100, B2150, and PB200 blades.

Impact:
This results in busy ports dropping more aggressively. Note that using smaller values allows more fair buffering amongst multiple active ports, whereas higher values allow better burst absorption but less fair buffering.

Workaround:
None.

Fix:
This release uses a larger alpha value for better burst absorption when the 8 hardware CoS queue feature is not enabled.


555006-1 : ASM REST: lastUpdateMicros is not updated when changing a Custom Signature

Component: Application Security Manager

Symptoms:
The lastUpdateMicros field is meant to be updated if a user changes a custom signature, but it is not.

Conditions:
A REST client is used to look at or filter the signatures collection (/mgmt/tm/asm/signatures).

Impact:
Checking for updated signatures does not return the expected result.

Workaround:
None.

Fix:
REST: The lastUpdateMicros field is now correctly updated after updating a user defined signature.


554993-1 : Profile Stats Not Updated After Standby Upgrade Followed By Failover

Component: Access Policy Manager

Symptoms:
1. The current active sessions, current pending sessions, and current established sessions counts shown in commands 'tmsh show /apm profile access' and 'tmctl profile_access_stat' become zero after failover.
2. The system posts an error message to /var/log/apm:
01490559:3: 00000000: Access stats encountered error: SessionDB operation failed (ERR_NOT_FOUND).

Conditions:
This issue happens when the following conditions are met:
1. The HA configuration is running a release prior to 11.5.3 HF2, 11.6.0 HF6, or 12.0.0.
2. A standby unit is upgraded to version 11.5.3 HF2, 11.6.0 HF6, or 12.0.0.
3. Failover is triggered.

Impact:
The current active sessions, current pending sessions, and current established sessions counts of profile access stats remain zero after failover.

Workaround:
Upgrade all devices in the HA configuration to the same release and reboot them simultaneously.

Fix:
The current active sessions, current pending sessions, and current established sessions counts of profile access stats now report correctly after failover.


554977-1 : TMM might crash on failed SSL handshake

Component: Local Traffic Manager

Symptoms:
Certain SSL handshake failures may cause TMM to crash in ssl_verify().

Conditions:
Certain types of failed SSL handshakes in versions 11.5.0 through 11.5.4.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Modifying serverssl cipher string to exclude ECDHE_RSA and ECDHE_ECDSA might help prevent the crash.

Fix:
This release fixes a TMM crash that might be encountered during the SSL handshake.


554967-2 : Small Client EDNS0 Limits can Sometimes Truncate DNSSEC or iRule DNS Packets

Component: Local Traffic Manager

Symptoms:
A resolver sending a query with a small EDNS0 UDP buffer limit can lead to packet truncation. These response packets are flagged as truncated in the header, but the OPT record might be cut or missing, leading some resolvers to consider the packet malformed.

Conditions:
Primarily via dynamic settings such as iRules on DNS_RESPONSE events adding new records, or DNSSEC record signing with responses over UDP.

Impact:
Some resolvers regard OPT-less truncated packets as malformed and cease follow-up requests via TCP or a larger EDNS0 UDP limit.

Workaround:
None.

Fix:
Truncated DNSSEC or iRule DNS packets are RFC-compliant.
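Added example, not code from the release note or from F5: the RFC-compliant truncation behaviour the fix describes, implemented over DNS wire format. Whole records are dropped until the response fits the resolver's advertised limit, TC is set, and the OPT record is always retained (RFC 6891 section 7), whereas cutting the packet at the byte limit produces the OPT-less shape some resolvers treat as malformed. The message builder, names and addresses are constructed for this example.

```python
"""Truncate a DNS wire-format response to a resolver's EDNS0 UDP buffer limit
while setting the TC bit and keeping the OPT record (RFC 6891 section 7).
Cutting bytes at the limit would drop the OPT record, which is the malformed
shape some resolvers reject."""
import struct

TYPE_OPT = 41
FLAG_TC = 0x0200


def _skip_name(buf, off):
    """Return the offset just past a possibly-compressed domain name."""
    while True:
        length = buf[off]
        if (length & 0xC0) == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def _split_sections(msg):
    """Return (header, question bytes, [(section, rr bytes)...], opt bytes or None)."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    question = msg[12:off]
    rrs, opt = [], None
    for section, count in enumerate((an, ns, ar)):  # 0=answer 1=authority 2=additional
        for _ in range(count):
            start = off
            off = _skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if section == 2 and rtype == TYPE_OPT:
                opt = msg[start:off]            # kept aside; never dropped
            else:
                rrs.append((section, msg[start:off]))
    return msg[:12], question, rrs, opt


def _assemble(header, question, rrs, opt, truncated):
    """Rebuild a message from parsed parts, recomputing counts and the TC flag."""
    flags, qd = struct.unpack("!HH", header[2:6])
    if truncated:
        flags |= FLAG_TC
    counts, body = [0, 0, 0], b""
    for section, data in rrs:
        counts[section] += 1
        body += data
    if opt is not None:
        counts[2] += 1                          # OPT goes last in the additional section
        body += opt
    return header[:2] + struct.pack("!5H", flags, qd, *counts) + question + body


def truncate_for_edns0(msg, udp_limit):
    """Drop whole RRs (additional, then authority, then answer) until the
    message fits; the OPT record always survives as the last additional RR."""
    if len(msg) <= udp_limit:
        return msg
    header, question, rrs, opt = _split_sections(msg)
    while rrs and len(_assemble(header, question, rrs, opt, True)) > udp_limit:
        rrs.pop()
    return _assemble(header, question, rrs, opt, True)


def edns_summary(msg):
    """Inspection helper: section counts, TC flag and whether OPT survived."""
    flags, _qd, an, ns, ar = struct.unpack("!5H", msg[2:12])
    _h, _q, _rrs, opt = _split_sections(msg)
    return {"length": len(msg), "tc": bool(flags & FLAG_TC),
            "ancount": an, "nscount": ns, "arcount": ar, "opt_present": opt is not None}


def _encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_sample_response(name, addresses, udp_payload=4096):
    """Constructed input: one A query with one A answer per address (uncompressed
    names), plus an OPT pseudo-RR advertising udp_payload, like a padded reply."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, len(addresses), 0, 1)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b"".join(
        _encode_name(name) + struct.pack("!HHIH", 1, 1, 300, 4)
        + bytes(int(o) for o in a.split("."))
        for a in addresses)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, 0, 0)
    return header + question + answers + opt


if __name__ == "__main__":
    # Constructed: 20 A records (601 bytes) for a resolver that advertised 512 bytes.
    reply = build_sample_response("example.test.", [f"198.51.100.{i}" for i in range(1, 21)])
    print(edns_summary(truncate_for_edns0(reply, 512)))
```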


554761-4 : Unexpected handling of TCP timestamps under syncookie protection.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system experiences intermittent packet drops.

Despite being negotiated during TCP handshake, the BIG-IP system fails to present timestamp option in subsequent segments.

The BIG-IP system calculates invalid round trip time immediately after handshake, which might result in delayed retransmissions.

Conditions:
This occurs when the following conditions are met:
- Virtual server configured with a TCP profile with timestamps enabled.
- The syncookie mode has been activated.
- Clients that support timestamps.

Impact:
Connection might be reset by remote TCP stack (e.g., NetBSD and FreeBSD), which requires timestamps to be maintained once negotiated.

Retransmission timeout (RTO) value may be skewed. Segments that are subject to RTO might take up to 64 segments to retransmit.

Workaround:
Choose or create a TCP profile that has timestamps disabled.

Fix:
TCP Timestamps are now maintained on all negotiated flows.


554626 : Database logging truncates log values greater than 1024

Component: Access Policy Manager

Symptoms:
The Logging agent truncates log values greater than 1024. If the log value size is greater than 4060, the field is empty or null.

Conditions:
Logging into local database with log values (such as session variables) greater than 1024. If this size is too high (greater than 4060), the field displays as empty or null in reports.

Impact:
The reporting UI displays null or empty fields when the logged value is too large in size, such as a huge session variable.

Workaround:
No workaround.

Fix:
This release handles large single log values.


554624-1 : NTP CVE-2015-5300 CVE-2015-7704

Vulnerability Solution Article: K10600056 K17566


554563-2 : Error: Egress CoS queue packet drop counted against both Drops In and Drops Out statistics.

Component: TMOS

Symptoms:
Class of Service Queues (cosq) egress drop statistics are counted against both Drops In and Drops Out interface statistics.

Conditions:
This occurs for all cosq drops in response to excess egress traffic and MMU egress congestion.

Impact:
Any CoS queue egress drop is also counted against ingress drop stats, which could be interpreted incorrectly as doubled total drop stats.

Workaround:
None.

Fix:
The Drops In interface statistics no longer includes Class of Service Queues (cosq) egress drop counts, which is correct behavior.


554340-2 : IPsec tunnels fail when connection.vlankeyed db variable is disabled

Component: TMOS

Symptoms:
When the connection.vlankeyed db variable is disabled, data traffic coming out of IKEv1 tunnels that needs to be secured using IKEv2 tunnels is dropped if it lands on a TMM other than tmm0. The system establishes the IKEv2 tunnel but the data traffic is not secured.

Conditions:
This issue is seen when the interesting data traffic lands on a TMM other than tmm0. The cause is that a flow is incorrectly created on another TMM, the one that owns the outbound SA (IKEv2 tunnel).

Impact:
The system drops the data traffic to be secured using IPsec and connections fail.

Workaround:
Disable the cmp in the virtual server configuration.

Fix:
Flow creation at the TMM that owns the outbound SA for the IKEv2 tunnel is properly handled. TMM can handle the inner traffic from IKEv1 tunnel and secure it over another IKEv2 tunnel.


554228-4 : OneConnect does not work when WEBSSO is enabled/configured.

Component: Access Policy Manager

Symptoms:
OneConnect is a feature that reuses server-side connections. When WEBSSO is enabled, it always creates a new server-side connection, and doesn't reuse pooled connections.

Conditions:
WEBSSO and OneConnect.

Impact:
Idle serverside connections that should be eligible for reuse by the virtual server are not used. This might lead to build-up of idle serverside connections, and may result in unexpected 'Inet port exhaustion' errors.

Workaround:
None.

Fix:
OneConnect now works when WEBSSO is enabled/configured, so that the system reuses the pooled server side connections.


554074-3 : If the user cancels a connection attempt, there may be a delay in establishing the next connection.

Component: Access Policy Manager

Symptoms:
Clicking on connect button does not trigger start of VPN connection immediately.

Conditions:
User cancelled the previous connection attempt.

Impact:
User must wait for ten seconds before attempting to reconnect.

Workaround:
None.

Fix:
Fixed code to trigger VPN connection immediately even when user clicked cancel before.


554041-4 : No connectivity inside enterprise network for "Always Connected" client if Network Location Awareness is enabled

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client loses all connectivity and an option to establish VPN is not available.

Conditions:
All of the following conditions must apply.
1) Edge Client is installed in "Always Connected" mode.
2) The Connectivity profile on server has location DNS list entries.
3) One of the DNS locations matches the DNS suffix set on the local network adapter.

Impact:
Client shows "LAN Detected" in the UI and does not try to connect to VPN.
All traffic to and from the user's machine is blocked.

Workaround:
This issue has no workaround at this time.

Fix:
Edge Client now ignores DNS location settings in Always Connected mode and establishes VPN even inside enterprise networks.


553925-3 : Manual upgrade of Edge Client fails in some cases on Windows

Component: Access Policy Manager

Symptoms:
Manual upgrade of BIG-IP Edge Client for Windows fails and this message displays "Newer version of this product is already installed."

Conditions:
Edge Client version 11.2.0. Version 12.0 is installed.
User tries to upgrade Edge Client by running a newer installer package of Edge Client.

Impact:
Edge Client cannot be upgraded.

Workaround:
Uninstall and reinstall Edge Client or use the installer service component for automatic update of Edge Client.

Fix:
Fixed installer package.


553902-3 : Multiple NTP Vulnerabilities

Vulnerability Solution Article: K17516


553795-3 : Differing certificate/key after successful config-sync

Component: TMOS

Symptoms:
1) If you change a client-ssl profile to a different certificate/key, delete the original certificate/key, create a new certificate/key with the same name as the original one, associate the new certificate/key with the original client-ssl profile, then do a config-sync, the peer system(s)' FIPS chip will retain a copy of the original key.

2) If you change a client-ssl profile to a different certificate/key, delete the original certificate/key, create a new certificate/key with a different name from the original one, associate the new certificate/key with the original client-ssl profile, then do a config-sync, the peer's client-ssl profile will still use the original certificate/key instead of the new one.

Conditions:
1) High Availability failover systems with FIPS configured with Manual Sync.

2) High Availability failover systems configured with Manual Sync.

Impact:
1) An abandoned FIPS key is left behind.

2) The systems claim to be synced, but one system's client-ssl profile uses one certificate/key pair, while the other system(s)' same client-ssl profile uses a different certificate/key pair.

Workaround:
1) Workaround #1: Run an extra config-sync before the second change of the client-ssl profile.
   Workaround #2: Delete the FIPS key by-handle on the peer system(s).

2) Workaround #1: Run an extra config-sync before the second change of the client-ssl profile.
   Workaround #2: Manually update the client-ssl profile then delete the old certificate/key on the peer system(s).

Fix:
Systems now have the same certificate/key after successful config-sync of High Availability configurations.


553688-3 : TMM can core due to memory corruption when using SPDY profile.

Component: Local Traffic Manager

Symptoms:
TMM corefiles containing memory corruption within 112-byte memory cache.

Conditions:
Virtual server using a SPDY profile encounters an internal error while processing a SPDY packet.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release contains a fix that prevents a double free on error within the SPDY component.


553649 : The SNMP daemon might lock up and fail to respond to SNMP requests.

Component: TMOS

Symptoms:
The SNMP daemon might lock up and fail to respond to SNMP requests.

Conditions:
If the SNMP configuration on the BIG-IP changes and the SNMP daemon restarts. This is a timing issue that might appear intermittently.

Impact:
The BIG-IP system stops responding to SNMP requests. You then cannot monitor the BIG-IP system via SNMP.

Workaround:
If the SNMP daemon is locked up, restart it by issuing the following command: bigstart restart snmpd.

Fix:
The SNMP daemon no longer locks up and becomes unresponsive when it is restarted.


553576-2 : Intermittent 'zero millivolt' reading from FND-850 PSU

Component: TMOS

Symptoms:
In rare instances, certain BIG-IP platforms may erroneously generate power supply error messages that indicate zero milli-voltage.
Specific symptoms include:
- SNMP alert 'bigipSystemCheckAlertMilliVoltageLow' detected.
- Front panel Alarm LED is blinking amber.
- Errors such as the following are logged:
emerg system_check[<#>]: 010d0017:0: Power supply #<x> meas. main outpu: milli-voltage (0) is too low.
[where <x> is the power supply location (either 1 or 2)]
- Errors such as the following may also be logged:
-- err chmand[<#>]: 012a0003:3: Sensor read fault for Power supply #<x> meas. main outpu : File sensor/LopSensSvc.cpp Line 1453.
-- notice chmand[<#>]: 012a0005:5: reinitialize tmstat sensors (num sensors:<#>).
-- notice chmand[<#>]: 012a0005:5: reinitialize tmstat sensors (num sensors:<#>).

Note that this condition may affect either PSU 1 or PSU 2.

Conditions:
This may occur intermittently on BIG-IP 10000-/12000-series appliances (including 10000s/10200v, 10050s/10250v, 10055/10255, 10350v and 12250v models) with FND850 model DC power supplies.

Impact:
There is no impact; these error messages are benign.

Workaround:
None.

Fix:
Resolved intermittent erroneous "zero millivolt" reading from FND-850 PSU on BIG-IP 10000-/12000-series appliances.


553454-3 : Mozilla NSS vulnerability CVE-2015-2730

Vulnerability Solution Article: K15955144


553330-2 : Unable to create a new document with SharePoint 2010

Component: Access Policy Manager

Symptoms:
VPN users are unable to create a new document with SharePoint 2010

An error is given: "The Internet address https://ip:port/shared documents/forms/template.dotx is not valid".

Conditions:
Create a new document using the "New Document" button.

Impact:
User cannot create a new document with SharePoint 2010.

Workaround:
None.

Fix:
You can create a new document with Microsoft SharePoint 2010.


553311-1 : Route pool configuration may cause TMM to produce a core file

Component: Local Traffic Manager

Symptoms:
TMM might produce a core file and take the action defined in configuration.

Conditions:
Client-side route pool configuration that configures a route pool to route back and has auto lasthop disabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid using any route at client side (using auto lasthop or lasthop pool).

Fix:
The tmm crash caused by the route pool configuration is fixed.


553174-2 : Unable to query admin IP via SNMP on VCMP guest

Component: TMOS

Symptoms:
The admin IP address is not returned via ipAdEntAddr.

Conditions:
Query admin IP via SNMP on VCMP guest via ipAdEntAddr.

Impact:
Unable to obtain admin IP address via SNMP for VCMP guests.

Workaround:
None.

Fix:
ipAdEntAddr will now return the admin IP address on a VCMP guest.


553063-4 : Epsec version rolls back to previous version on a reboot

Component: Access Policy Manager

Symptoms:
If administrator has installed multiple EPSEC packages, after a reboot the EPSEC version rolls back to the previously installed version.

Conditions:
The BIG-IP system needs to be rebooted for this issue to be seen, and multiple EPSEC packages must have been installed on the system before the reboot.

Impact:
OPSWAT version rolls back without prompting or logging. This might open up the end-point security issues that are supposed to be fixed by the latest installed OPSWAT package.

Workaround:
The workaround is to upload a dummy file in Sandbox.
1. Go to Access Policy :: Hosted Content :: Manage Files.
2. Upload any dummy file, even a 0 byte file. Change the security level to 'session'.

After this change, even if you reboot or shutdown-restart, the EPSEC version does not revert.

Fix:
The most recently installed EPSEC version now remains configured, and does not roll back after reboot or shutdown-restart.


553037 : iOS Citrix Receiver web interface mode cannot launch the apps

Component: Access Policy Manager

Symptoms:
When a user clicks an app, a window displays with this message: "Cannot start the requested App. Select More info for further details."

Conditions:
An iOS Citrix Receiver in Web interface connection type and a BIG-IP system in Web interface configuration.

Impact:
Customer cannot launch app.

Workaround:
1. In the Citrix Receiver, you can use the native GUI with Access-Gateway Enterprise edition type with this URI:
https://<BIG-IP system virtual server FQDN>/

2. Define an LTM data-group with FQDN set to /config/<storename>/pnagent/config.xml

Fix:
The LaunchICA GET request is now passed through VDI.


552937-2 : HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the next pipelined request to fail.

Component: Local Traffic Manager

Symptoms:
An iRule that calls HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the TMM to core on the next pipelined request.

Conditions:
HTTP::respond or HTTP::redirect used in a non-HTTP iRule event. A pipelined request follows the request that triggers the iRule response.

Impact:
TMM core.

Workaround:
Add a 'Connection: close' header to the HTTP::respond response, and the connection will be closed automatically.

Fix:
The TMM will no longer core due to not being able to handle the next pipelined request after a HTTP::respond or HTTP::redirect is used in a non-HTTP iRule event.


552931-2 : Configuration fails to load if DNS Express Zone name contains an underscore

Component: Local Traffic Manager

Symptoms:
A configuration with a DNS Express Zone with an underscore in the name does not load, even though the gtm global-settings general domain-name-check is set to any of allow-underscore, svn-compatible, or none.

Conditions:
-- Configuration setting gtm global-settings general domain-name-check is set to any of allow-underscore, svn-compatible, or none.
-- DNS Express Zone exists with an underscore in the name.

Impact:
The LTM configuration cannot be loaded when the BIG-IP system restarts if DNS Express Zones have an underscore character in the name.

Workaround:
Force the GTM configuration to load by running the following commands in sequence:
tmsh load sys config gtm-only
tmsh load sys config

Fix:
All FQDNs may now contain the underscore character. The BIG-IP system now correctly loads configurations that contain DNS Express Zones with underscores in the name.


552865-5 : SSL client authentication should ignore invalid signed Certificate Verify message when PCM is set to 'request'.

Component: Local Traffic Manager

Symptoms:
When peer certificate mode (PCM) is set to request, and the BIG-IP system client-ssl asks for the client certificate, handshake might fail if the client sends an invalid signed Certificate Verify message.

Conditions:
When SSL client certificate mode is request, and the client sends an invalid signed Certificate Verify message to the BIG-IP system.

Impact:
The handshake does not ignore the invalid signed certificate verify message, and handshake might fail. SSL client authentication should ignore invalid signed Certificate Verify message when PCM is set to 'request'. Regardless of whether the Certificate and Certificate Verify message is valid, the handshake should ignore the Certificate Verify signature error and let the handshake continue.

Workaround:
None.

Fix:
When peer certificate mode (PCM) is set to request, and the BIG-IP system client-ssl asks for the client certificate, the handshake now ignores the Certificate Verify signature error and lets the handshake continue. This is correct behavior.


552532-3 : Oracle monitor fails with certain time zones.

Component: Local Traffic Manager

Symptoms:
Occasionally, the OJDBC driver reads a time zone file that it cannot understand, which causes Oracle monitors to fail.

Conditions:
- The system uses ojdbc6.jar for Oracle monitor functionality.
- The UTC time zone is configured.
- Contents of the /usr/share/zoneinfo directory are arranged so that the 'UTC' file is not the first in the list. (Versions prior to 10.2.4 use the 1.4-compatible ojdbc14.jar driver. The ojdbc6.jar OJDBC driver, as supplied by Oracle for Java 6 (aka 1.6), auto-detects the local system's time zone name by scanning and comparing files under /usr/share/zoneinfo. The filenames are created during installation, and seem to depend on the 'Directory Hash Seed' of the /usr filesystem, so there is no predictable result.)

Impact:
Cannot use direct Oracle monitoring to ensure the backend is functionally operational. OJDBC driver seems to negotiate the time zone for the session, and instead of 'UTC', it attempts to change the time zone to: 'Universal', 'Zulu', 'Etc/Universal', 'Etc/Zulu', which will cause the monitor to fail, and not execute the actual monitoring.

Note: Other time zones might be affected. For example, a similar issue might happen with the time zone set to GMT, which can become 'Greenwich' because of the same functionality.

Workaround:
Although there is no reliable workaround, reinstalling might resolve the issue, as may using another time zone.

Fix:
Oracle monitor functions now as expected with UTC and other time zones.


552498-2 : APMD basic authentication cookie domains are not processed correctly

Component: Access Policy Manager

Symptoms:
401 responses containing Set-Cookie headers might not be processed correctly. Domains that begin with a dot will be truncated and the cookies will not be sent to pool members.

Conditions:
An access policy needs to use Basic or NTLM authentication and one or more of the 401 responses must contain Set-Cookie headers. If a domain is specified and the domain begins with a dot, it will not be processed correctly.

Impact:
Cookies assigned during the authentication handshake might not be sent to pool members.

Workaround:
An iRule can be used to process the 401 responses and remove any leading dots from domain fields of Set-Cookie headers.

Fix:
Domain fields in Set-Cookie headers found in 401 responses are processed correctly.


552385 : Virtual servers using an SSL profile and two UDP profiles may not be accepted

Component: Local Traffic Manager

Symptoms:
Error message:
01070711:3: Found disallowed profile: Not Profile profile_clientssl
or
01070711:3: Found disallowed profile: Not Profile profile_serverssl

Conditions:
Create a virtual server with a client-ssl profile and/or a server-ssl profile and two different UDP profiles (one on the server side and one on the client side).

Impact:
When using either a client-ssl profile or a server-ssl profile, depending on the sort order of the UDP profiles, the configuration may not be accepted.

When using both a client-ssl profile and a server-ssl profile, the configuration is not accepted.

Workaround:
When using either a client-ssl profile or a server-ssl profile, either use a common UDP profile for both client and server side or try renaming one of the UDP profiles to alter the sort order.

When using both a client-ssl profile and a server-ssl profile, try using one UDP profile for both the client and server side.

Fix:
Virtual servers that utilize an SSL profile and a combination of UDP profiles are now accepted.


552352-3 : tmsh list displays incorrectly for default values of gtm listener translate-address/translate-port

Component: Global Traffic Manager

Symptoms:
tmsh list displays incorrectly for default values of GTM listener translate-address/translate-port settings.

Conditions:
Using the tmsh list command to show translate-address/translate-port for GTM listener.

Impact:
tmsh list gtm listener does not display 'translate-address'/'translate-port' when it is set to enabled, but the command does show the values when it is set to disabled. The tmsh list gtm listener command should not show the default settings. This becomes an issue when used with the TMSH merge command, where the value gets set to the LTM virtual server default instead of maintained as the GTM Listener default. This might eventually result in failing traffic.

Workaround:
Use tmsh list with 'all-properties' instead.

Fix:
GTM Listener's translate-address and translate-port fields are now always displayed in TMSH commands, because GTM Listeners have different defaults than LTM virtual servers. When used with the TMSH merge command, the value previously got set to the LTM virtual server default instead of being maintained as the GTM Listener default. By always displaying this attribute, no matter what the value is, the merge is always handled appropriately.


552198-3 : APM App Tunnel/AM iSession Connection Memory Leak

Component: Wan Optimization Manager

Symptoms:
A memory leak occurs when APM application tunnels or AM iSession connections are aborted while waiting to be reused.

Conditions:
The iSession profile reuse-connection attribute is true.
A large number of iSession connections are aborted while waiting to be reused.

Impact:
Available memory might be significantly reduced when a large number of iSession connections waiting to be reused are aborted.

Workaround:
Disable the iSession profile reuse-connection attribute. Restart TMM.

Fix:
This release fixes an APM App Tunnel/AM iSession connection memory leak.


552151-1 : Continuous error report in /dev/log/ltm: Device error: n3-compress0 Nitrox 3, Hang Detected

Component: Local Traffic Manager

Symptoms:
Hardware compression slowly and progressively fails to handle compression operations. The system posts the following errors in ltm.log: crit tmm3[14130]: 01010025:2: Device error: n3-compress0 Nitrox 3.

Conditions:
This occurs when the system encounters errors during hardware compression handling. This occurs on the BIG-IP 5000-, 7000-, 10000-, and 12000-series platforms, and on VIPRION B22xx blades.

Impact:
Compression is (eventually) performed by software. This can result in high CPU utilization.

Workaround:
Disable compression if CPU usage is too high.

Fix:
Improved the device exception handling so that errors are correctly propagated to compression clients, thus preventing the progressive failure of the compression engine, and stopping the offload to software compression (which was driving up the CPU).


552139-3 : ASM limitation in the pattern matching matrix build-up

Component: Application Security Manager

Symptoms:
The signature configuration does not build up upon adding new signatures. This can look like a configuration change that never finishes, or, if it does finish, it may result in crashes when the Enforcer starts up, resulting in constant restarts.

Conditions:
Too many signatures are configured with custom signatures. The exact number varies (depending on the signature) but hundreds of signatures may be enough to trigger it.

Impact:
Configuration change doesn't finish or crashes in the ASM startup (which results in constant startups of the system).

Workaround:
Workarounds are possible only in a custom signature scenario: use fewer signatures, or remove unused signatures.

Fix:
Fixed a limitation in the attack signature engine.


551927-3 : ePVA snoop header's transform vlan should be set properly under asymmetric routing condition

Component: TMOS

Symptoms:
On an ePVA-capable platform with a fastl4 profile and asymmetric routing on the client side, LTM sends packets to the client with the wrong VLAN and correct MAC address (or the correct VLAN and wrong MAC address) and an undecremented TTL.

Conditions:
A fastl4 profile and asymmetric routing on the client side.

Impact:
Return traffic could use the wrong VLAN.

Workaround:
None.

Fix:
Use the nexthop VLAN for ePVA transformation of an offloaded flow when available, instead of the incoming VLAN.


551767-2 : GTM server 'Virtual Server Score' not showing correctly in TMSH stats

Component: Global Traffic Manager

Symptoms:
GTM server 'Virtual Server Score' is not showing correct values in TMSH stats. Instead, stats shows zero value.

Conditions:
You have a virtual server configured with a non-zero score.

Impact:
tmsh show gtm server server-name detail lists 'Virtual Server Score' as zero. Note that there is no impact to actual load balancing decisions. Those decisions take into account the configured score. This is an issue only with showing the correct information and stats.

Workaround:
None.

Fix:
TMSH now shows the correct value for 'Virtual Server Score' when you have a virtual server configured with a non-zero score.


551764-1 : [APM] HTTP status 500 response of successful Access Policy in clientless mode on chassis platform

Component: Access Policy Manager

Symptoms:
Successful execution of an Access Policy will result in the client receiving an HTTP status 500 error response when clientless mode is set. This error response is generated by APMD. This is a regression that occurs when the fix for bug 374067 is included.

Conditions:
-- The system has the fix for bug 374067.
-- Clientless mode is enabled.
-- BIG-IP platform is chassis platform.
-- The administrator does not override the Access Policy response with iRule command.

Impact:
Client receives an invalid response.

Workaround:
None.

Fix:
Upon successful execution of the Access Policy in clientless mode, the request is forwarded to the configured backend as needed.


551742-1 : Hardware parity error mitigation for the SOURCE_VP table on 10000s/10200v/10250v platforms and B4300/B4340N and B2250 blades

Component: TMOS

Symptoms:
In rare occurrences, BIG-IP hardware is susceptible to parity errors due to unknown source. This bug mitigates parity errors that occur in the SOURCE_VP table of the switch hardware, indicated with the following message in the ltm log:

Sep 15 12:12:12 info bcm56xxd[8066]: 012c0016:6: _soc_xgs3_mem_dma: SOURCE_VP.ipipe0 failed(NAK)

Conditions:
This occurs only on the BIG-IP 10000s/10200v/10250v platforms, and on the VIPRION B4300/B4340N and B2250 blades. The exact trigger of the parity error is unknown at this time.

Impact:
This impacts several series of BIG-IP products with hardware parity error mitigation capabilities.

Workaround:
Rebooting BIG-IP hardware should clear issues caused by hardware parity errors.

Fix:
A hardware parity error issue has been fixed.


551661-3 : Monitor with send/receive string containing double-quote may fail to load.

Component: TMOS

Symptoms:
When a monitor string contains \" (backslash double-quote) but does not contain a character that requires quoting, one level of escaping is lost at each save/load.

Note: Re-loading a config happens during licensing. If you decide to upgrade, first verify that you have an escaped quote in the monitor string. If you do, remove the re-licensing step from your MOP (Method of Procedure). The failure message for reloading the license with an escaped quote appears similar to the following example:

Monitor monitor_1 parameter contains unescaped " escape with backslash.

Conditions:
If the string contains \" (backslash double-quote) but does not contain one of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hashtag), literal newline, or literal space.

Impact:
Monitors are marked down due to expected string not matching or incorrect send string. Potential load failure.

Workaround:
You can use either of the following workarounds:
-- Modify the content the BIG-IP system retrieves from the web server for the purposes of health monitoring, so that double quotes are not necessary.
-- Use an external monitor instead.

Fix:
If the monitor send/receive strings contain a double-quote (") character, the system now quotes the input.

If a configuration contains '\"', do not reload the license before upgrading.


551481-4 : 'tmsh show net cmetrics' reports bandwidth = 0

Component: TMOS

Symptoms:
'tmsh show net cmetrics' reports bandwidth = 0

Conditions:
The TCP profile enables cmetrics-cache.
The connection involves at least 4 RTT updates.

Impact:
User cannot view cmetrics data.

Workaround:
For 12.0.0 and later, you can get this data using the ROUTE::bandwidth iRule command. For earlier versions, there is no workaround.

Fix:
Properly compute bandwidth with the formula cwnd/rtt.


551349-1 : Non-explicit (*) IPv4 monitor destination address is converted to IPv6 on upgrade

Component: TMOS

Symptoms:
A monitor destination address in the form of *:port (IPv4) is converted to *.port when upgrading from 10.2.4 to 11.5.x.

Conditions:
A monitor exists with a non-explicit address and an explicit port on a BIG-IP system running 10.2.4. Then upgrade to 11.5.x (or install a 10.2.4 UCS).

Impact:
Monitors appear to function normally, but they will have the wrong format in the config file.

Workaround:
None.

Fix:
The system now determines whether a non-explicit (*) address is IPv4 or IPv6 based on the next character to be parsed.


551287-3 : Multiple LibTIFF vulnerabilities

Vulnerability Solution Article: K16715


551260-3 : When SAML IdP-Connector Single Sign On Service URL contains ampersand, redirect URL may be truncated

Component: Access Policy Manager

Symptoms:
When BIG-IP is used as a SAML Service Provider and the IdP-Connector's Single Sign On Service URL contains an ampersand (&), part of the URL may be truncated when the user is redirected to the IdP for authentication.

Conditions:
All conditions must be true:
- BIG-IP is used as SAML Service Provider
- Single Sign On Service URL property of IdP connector contains ampersand, e.g. https://idp.f5.com/saml/idp/profile/redirectorpost/sso?a=b&foo=bar
- User performs SP initiated SSO

Impact:
The query part of the redirect URL after ampersand will be lost when user is redirected to SSO URL with Authentication Request.

Fix:
Redirect URL is no longer truncated after ampersand sign.


551208-3 : Nokia alarms are not deleted due to the outdated alert_nokia.conf.

Component: TMOS

Symptoms:
Some of the log messages watched by alertd changed between BIG-IP software versions 10.x and 11.x/12.x. However, the /etc/alertd/alert_nokia.conf file has not been updated accordingly.

Conditions:
Running versions 11.x/12.x and receiving targeted messages that match the 10.x regex key fields. This occurs when the Nokia SNMP alarms are enabled. See K15435 at https://support.f5.com/csp/#/article/K15435.

Impact:
Matching the specific fields in the log message fails, so the corresponding alarm is not deleted from the nokia_alarm table. This might cause SNMP alerts to not be broadcast in Nokia-specific environments.

Workaround:
None.

Fix:
The log messages watched by alertd and appearing in alert_nokia.conf now match each clear event key to its corresponding error definition, so alerts are recorded correctly.


551189-2 : Modifying an HTTP cookie value via the HTTP::cookie iRule API may yield incorrect HTTP header data

Component: Local Traffic Manager

Symptoms:
Upon repeatedly modifying the same HTTP cookie value (in the Set-Cookie header) within an iRule attached to a virtual server, the HTTP::cookie API may produce stale HTTP header data (e.g. HTTP Set-Cookie header and/or other HTTP headers).

Conditions:
LTM Virtual Server handling HTTP traffic, with iRule attached which modifies a given HTTP cookie value through the HTTP::cookie API, on ingress and/or egress traffic (through the HTTP_REQUEST and/or HTTP_RESPONSE events). An example use-case for producing the error would be encrypting and decrypting HTTP cookies via an iRule.

Impact:
Repeatedly altering the same HTTP cookie value in an iRule, via the HTTP::cookie API, may yield an HTTP request/response with inconsistent HTTP header data, including but not limited to the Set-Cookie HTTP header.

Workaround:
None.


551010-3 : Crash on unexpected WAM storage queue state

Component: WebAccelerator

Symptoms:
In rare circumstances, WAM may enter an unexpected queue state and crash.

Conditions:
WAM is configured on a virtual server with request queuing enabled.

Impact:
Crash.

Workaround:
None.

Fix:
The system now gracefully recovers from an unexpected WAM storage queue state.


550782-2 : Cache Lookups for Validating Resolvers ignore the query's DNSSEC OK (DO) bit

Component: Local Traffic Manager

Symptoms:
RRSIG records are present when not requested, and RRSIG records and the AD flag drop from the response upon expiration from the cache.

Conditions:
Standard DNS requests are made against a Validating Resolver DNS cache that points to a second BIG-IP, which in turn contains a wideip in a signed zone.

Impact:
RRSIG records are present when not requested, and RRSIG records and the AD flag drop from the response upon expiration from the cache.

Workaround:
N/A

Fix:
Message encoding now depends on the client's DO bit.


550694 : LCD display stops updating and Status LED turns/blinks Amber

Component: TMOS

Symptoms:
The LCD display may stop updating and the Status LED may turn Amber and begin blinking on BIG-IP 2000, 4000, 5000, 7000, or 10000-series appliances.

Conditions:
The Status LED turns Amber if the LED/LCD module stops receiving updates from the BIG-IP host, and begins blinking Amber if the LED/LCD module does not receive updates from the BIG-IP host for three minutes or longer.
This condition may occur if data transfers between the BIG-IP host and the LED/LCD module over the connecting USB bus become stalled.
Due to changes in BIG-IP v11.5.0 and later, the frequency and likelihood of this condition is greatly reduced, but may still occur under rare conditions.

Impact:
When this condition occurs, the front-panel LCD display does not display the current BIG-IP host status, and the Status LED blinks Amber. There is no impact to BIG-IP host operations, and no disruption to traffic.

Workaround:
This condition can be cleared by either of the following actions:
1. Press one of the buttons on the LCD display to navigate the LCD menus.
2. Issue the following command at the BIG-IP host console:
/sbin/lsusb -v -d 0451:3410

Either action generates USB traffic, which triggers recovery from the USB stalled transfer condition.

Fix:
Auto-recovery from a USB stalled-transfer condition has been implemented, which prevents the Status LED from blinking Amber on BIG-IP 2000, 4000, 5000, 7000, 10000 or 12000-series appliances.


550689-3 : Resolver H.ROOT-SERVERS.NET Address Change

Component: Local Traffic Manager

Symptoms:
The IPv4 and IPv6 addresses for H.ROOT-SERVERS.NET are changing on December 1st 2015 from (128.63.2.53 / 2001:500:1::803f:235) to (198.97.190.53 / 2001:500:1::53). The old addresses will remain valid for 6 months after the change, after which the IPv4 address will go completely offline, and the IPv6 address is subject to go offline as well. More details: http://h.root-servers.org/renumber.html

Conditions:
DNS Resolver uses hard-coded root hints for H.ROOT-SERVERS.NET.

Impact:
Incorrect address for a root-server means no response to that query.

Workaround:
There are 12 other root-servers that also provide answers to TLD queries, so this is cosmetic, but the addresses still need to be updated to respond to the change.

Fix:
Updated H.ROOT-SERVERS.NET to reflect the new IPv4 and IPv6 addresses taking effect December 1st, 2015 from (128.63.2.53 / 2001:500:1::803f:235) to (198.97.190.53 / 2001:500:1::53).

For more information, see H-Root will change its addresses on 1 December 2015, available here: http://h.root-servers.org/renumber.html.


550596-2 : RESOLV::lookup iRule command vulnerability CVE-2016-6876

Vulnerability Solution Article: K52638558


550536-4 : Incorrect information/text (in French) is displayed when the Edge Client is launched

Component: Access Policy Manager

Symptoms:
Incorrect information/text (in French) is displayed when the Edge Client is launched.

Conditions:
Edge client is used in French locale.

Impact:
User sees grammatically incorrect text in French. This is a cosmetic error that has no impact on system functionality.

Workaround:
None.

Fix:
The correct information/text (in French) is now displayed when the Edge Client is launched.


550434-4 : Diameter connection may stall if server closes connection before CER/CEA handshake completes

Component: Service Provider

Symptoms:
The serverside connection stalls. The connection is not torn down and packets are not forwarded to the serverside.

Conditions:
The selected pool member closes the connection (via FIN) before sending a CEA as part of the Diameter handshake.

Impact:
The connection stalls until the handshake timeout, and then it is reset.

Workaround:
None.

Fix:
Serverside Diameter connections are now immediately reset if a FIN is received before the CEA (Capabilities-Exchange-Answer).


549971-3 : Some changes to virtual servers' profile lists may cause secondary blades to restart

Component: TMOS

Symptoms:
If a virtual server's ip-protocol is not set, then some changes to the list of attached profiles may cause a validation error on secondary blades. This will cause those blades to restart.

Conditions:
This may happen in some cases when changing the list of profiles attached to a virtual server, but does not happen if 'ip-protocol' was explicitly set by the user.

Impact:
mcpd will restart on secondary blades. This will cause most other daemons on those blades to restart as well, including the TMM. Traffic will be lost.

Workaround:
You should explicitly set the ip-protocol when changing the profiles of a virtual server. Then this bug will not occur.

Fix:
If a virtual server's ip-protocol was not set, then some changes to the list of attached profiles would cause a validation error on secondary blades. This would cause those blades to restart. This issue has been fixed.


549868-2 : 10G interoperability issues reported following Cisco Nexus switch version upgrade.

Component: Local Traffic Manager

Symptoms:
10G link issues reported with VIPRION B2250, B4300 blades and BIG-IP 10x00 appliances connected to Cisco Nexus switches.

Conditions:
Issues reported after version upgrade on Cisco switch to version 7.0(5)N1(1).

Impact:
The links might not come up.

Workaround:
Toggling the SFP+ interfaces reportedly restores the link in most cases.

Fix:
The BIG-IP system's 10G link now consistently becomes active when it is connected to other switches.


549588-3 : EAM memory leak when cookiemap is destroyed without deleting Cookie object in it

Component: Access Policy Manager

Symptoms:
EAM memory growing and OOM kills EAM process under memory pressure.

Conditions:
This occurs when using access management such as Oracle Access Manager: when an authentication request is redirected to the IdP (a redirect URL is present) with cookies present, memory can grow unbounded.

Impact:
EAM memory usage increases and OOM kills EAM process if the system is under memory pressure.

Workaround:
None.

Fix:
EAM memory usage no longer grows. Cookie objects are deleted prior to deleting cookieMap from obAction destructor.


549543-2 : DSR rejects return traffic for monitoring the server

Component: TMOS

Symptoms:
The system DB variable 'tm.monitorencap' controls whether server monitor traffic is encapsulated inside the DSR tunnel. If it is set to 'enable', monitor traffic is encapsulated, but return traffic arrives without the tunnel encapsulation. In that case, the return traffic is not mapped to the original monitor flow, and gets rejected/lost.

Conditions:
The system DB variable 'tm.monitorencap' is set to 'enable', and a DSR server pool is monitored.

Impact:
Monitor traffic gets lost, and the server pool is marked down.

Workaround:
None.

Fix:
The DSR tunnel flow now sets the correct underlying network interface, so that the return monitor flow can match the originating flow, which results in the DSR monitor working as expected.


549406-3 : Destination route-domain specified in the SOCKS profile

Component: Local Traffic Manager

Symptoms:
The SOCKS profile route-domain setting is supposed to control which route domain is used for destination addresses. It is currently used to identify the listener/tunnel interface to use when forwarding the traffic, but does not set the route domain on the destination address used by the proxy to determine how to forward the traffic.

Conditions:
When the virtual server receives a SOCKS request and the route-domain is not the default (0).

Impact:
SOCKS connection fails immediately and the system returns the following message to the client: Results(V5): General SOCKS server failure (1). Traffic is forwarded correctly only when the destination is route-domain 0. Other route domains might result in error messages and possible failed traffic.

Workaround:
Use a destination route-domain of 0 when working with the SOCKS profile.

Fix:
The system now uses the destination route-domain specified in the SOCKS profile. This allows the SOCKS profile to work correctly when the destination is not in route-domain 0.


549329-2 : L7 mirrored ACK from standby to active box can cause tmm core on active

Component: Local Traffic Manager

Symptoms:
A spurious ACK sent to the standby unit will be mirrored over to the active unit for processing. If a matching connection on the active has not been fully initialized, tmm will crash.

Conditions:
HA active-standby configuration setup for L7 packet mirroring.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Spurious ACK no longer causes outage, instead the packet is dropped.


549086-3 : Windows 10 is not detected when Firefox is used

Component: Access Policy Manager

Symptoms:
Windows 10 is not detected when the Firefox browser is used.

Conditions:
Windows 10 and Firefox (at least versions 40 and 41).

Impact:
The Client OS agent chooses an incorrect branch. Network Access might be disabled for such a client.

Workaround:
There is no workaround.

Fix:
Now Windows 10 is properly detected with the Firefox browser.


549023 : warning: Failed to find EUDs

Component: TMOS

Symptoms:
There are normal circumstances where the system does not yet have a diagnostics package installed. Even though it is normal, a warning log message is emitted for this condition.

Conditions:
This occurs on newly formatted installations prior to version 11.5.4.

Impact:
Even though this is logged at the warning level, lack of an EUD can indicate a normal condition on new installations.

Workaround:
Ignore the warning.

Fix:
If the system cannot find the EUD, it is now logged at the info level.


548680-3 : TMM may core when reconfiguring iApps that make use of iRules with procedures.

Component: Local Traffic Manager

Symptoms:
TMM may core when reconfiguring iApps that make extensive use of iRules with procedures.

Conditions:
More than one iApp is reconfigured by switching templates, and the prior and new templates both contain iRules with procedures of the same name.
After the second or later reconfiguration, TMM may core.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Modify iApp template to generate procedures that have a unique name per iApp.

Fix:
TMM no longer cores when reconfiguring more than one iApp that contains iRule procedures of the same name.


548583-5 : TMM crashes on standby device with re-mirrored SIP monitor flows.

Component: Local Traffic Manager

Symptoms:
Occasionally, the standby system with a SIP monitor crashes in a configuration where the active system contains a forwarding virtual server with a wildcard IP address and port, with connection mirroring enabled.

Conditions:
This occurs on an active-standby setup in which there is an L4 forwarding virtual server or SNAT listener configuration with a wildcard IP address and port, and with connection mirroring enabled. Also, the standby has a SIP monitor configured.

Impact:
Packets that are sent by the SIP monitor on the standby get routed back to the active unit (possibly due to a routing loop) and are then sent to the standby because of the wildcard mirrored configuration. tmm on standby might crash. When the crash occurs, the standby system posts the following assert and crashes: tmm failed assertion, non-zero ha_unit required for mirrored flow.

Workaround:
-- If a routing or switching loop is the reason the packets come back to the active unit, then the routing issues can be eliminated.
-- The mirroring of the wildcard virtual server or SNAT listener can be disabled.

Fix:
TMM no longer crashes on standby device with re-mirrored SIP monitor flows.


548563-3 : Transparent Cache Messages Only Updated with DO-bit True

Component: Local Traffic Manager

Symptoms:
When a transparent cache stores a message with DNSSEC OK (DO) bit TRUE and its TTL expires, the message is only updated when a new message arrives with DO-bit TRUE.

Conditions:
Running a DNS transparent cache with clients requesting DNSSEC messages.

Impact:
When the DO-bit TRUE's cached message TTL expires, the general impact is DO-bit FALSE queries will be proxied until the message cache is updated with DO-bit TRUE.

Workaround:
None.

Fix:
The message cache is updated regardless of DO-bit state after TTL expiration. However, the cache prefers DO-bit TRUE messages, and will update the cached message if a newer one arrives with DNSSEC OK.


548385-1 : iControl calls that query key/cert from parent folder, and the name is missing the extension, result in incorrect results

Component: TMOS

Symptoms:
If the active folder is not same as the folder in which the query is being run, and the corresponding key/cert extension is not present in the name of the key/certificate file, the query result returns incorrect results.

Conditions:
This occurs when iControl calls that query key/cert from parent folder, and the name is missing the extension.

Impact:
The query result returns incorrect results.

Workaround:
You can use one of the following workarounds:
-- Change the filename to include the extension.
-- Change to the folder containing the iControl call you are executing.

Fix:
The system now correctly loads key/cert/csr/crl files without an extension, so iControl calls that query those files from parent folder, now return correct results.


548268-3 : Disabling an interface on a blade does not change media to NONE

Component: TMOS

Symptoms:
When an interface on a blade in a chassis is disabled, its media is not reported as NONE and the link on the other end stays UP.

Conditions:
Disabling an interface on a blade within a chassis.

Impact:
Media on the disabled interface is not reported as NONE, and the link on the partner end is UP.

Workaround:
None.

Fix:
Fixed: disabling an interface on a blade now changes the reported media to NONE.


548053-1 : User with 'Application Editor' role set cannot modify 'Description' field using the GUI.

Component: TMOS

Symptoms:
User with 'Application Editor' role set cannot modify 'Description' field using the GUI.

Conditions:
Users with a role of Application Editor.

Impact:
Cannot modify 'Description' field using the GUI.

Workaround:
Users with the 'Application Editor' role can modify 'Description' fields using tmsh.

Fix:
User with 'Application Editor' role can now modify 'Description' field using the GUI.


547942 : SNMP ipAdEntAddr indicates floating vlan IP rather than local IP

Component: TMOS

Symptoms:
An SNMP query response for ipAdEntAddr sometimes returns floating IPs rather than local IPs. This is because the supporting software returns the first IP address found for a given VLAN.

Conditions:
Problem started after upgrading to v11.5.1 Eng-HF7, from v10.2.4.
The same problem can happen on freshly installed 11.5.x as well.

Impact:
No impact to BIG-IP services, but the returned information to the SNMP query is sometimes incorrect.

Workaround:
None.


547815-2 : Potential DNS Transparent Cache Memory Leak

Component: Local Traffic Manager

Symptoms:
When a transparent cache is populated with messages where the DNSSEC OK bit is true, and a query with that bit true arrives at or after the expiration of the message TTL, the system leaks all subsequent queries with DNSSEC OK set to false, up through the TTL of that message.

Conditions:
Running a DNS transparent cache with clients requesting DNSSEC messages.

Impact:
A few hundred bytes can leak on each clientside query, leading to a massive leak over a short period of time.

Workaround:
Disable DNSSEC on all cached messages by disabling DNSSEC on pool members.

Fix:
This release fixes a potential DNS transparent cache memory leak.


547732-3 : TMM may core on using SSL::disable on an already established serverside connection

Component: Local Traffic Manager

Symptoms:
The TMM process may crash if the SSL::disable iRule command is used on a serverside connection that has already established SSL.

Conditions:
Use of the 'SSL::disable serverside' iRule command on a serverside connection that has already established SSL.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use SSL::disable on an event where the serverside SSL connection is already established.

Fix:
TMM no longer cores when SSL::disable is used on an already established serverside connection; it now logs the warning: Connection error: hud_ssl_handler:605: disable profile (80)


547537-4 : TMM core due to iSession tunnel assertion failure

Component: Wan Optimization Manager

Symptoms:
TMM cores due to a "valid isession pcb" assertion failure in isession_dedup_admin.c.

Conditions:
Deduplication endpoint recovery occurs on a BIG-IP on which deduplication is enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
An iSession tunnel initialization defect has been corrected.


547532-6 : Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades

Component: TMOS

Symptoms:
Error messages similar to this are present in the ltm log:

-- err mcpd[9369]: 01020036:3: The requested monitor instance (/part10/test_mon 90.90.90.90%10 443 ltm-pool-member) was not found.
-- err mcpd[9369]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested monitor instance (/part10/test_mon 90.90.90.90%10 443 ltm-pool-member) was not found.

Conditions:
A chassis-based system with multiple blades. This can occur a few different ways:
- A monitor is attached to an object that is configured in a partition that uses a non-default route domain, but the address of the monitor is explicitly using the default route domain (e.g. %0).
- A monitor defined in the Common partition is attached to an object from a partition where the default route domain is different.

Impact:
Monitor instances in a partition that uses a non-default route domain can fail validation on secondary blades. mcpd restarts.

Workaround:
There are two possible workarounds:

-- Move the monitor to the /Common/ partition and do not specify %0 in the Alias Address.

-- Do not use monitors from other partitions where the default route domain is different.

Fix:
The complete state for addresses on the primary blade is propagated to secondary blades.


547047-1 : Older cli-tools unsupported by AWS

Component: TMOS

Symptoms:
Older EC2 tools stopped working in some AWS regions.

Conditions:
This can happen in some AWS regions.

Impact:
BIG-IP high availability configurations may stop working in some AWS regions.

Workaround:
None.

Fix:
F5 Networks added the latest available version (1.7.5.1) of EC2 tools in this release/hotfix.


547000-3 : Enforcer application might crash on XML traffic when out of memory

Component: Application Security Manager

Symptoms:
Enforcer application might crash on XML traffic when out of memory.

Conditions:
This occurs when the system is out of memory.

Impact:
The BIG-IP system might temporarily fail to process traffic.

Workaround:
None.

Fix:
This release fixes a scenario in which the system might crash when the XML parser runs out of memory.


546747-4 : SSL connections may fail with a handshake failure when the ClientHello is sent in multiple packets

Component: Local Traffic Manager

Symptoms:
Sometimes the BIG-IP system responds with a fatal handshake alert and closes the SSL session for a new connection when a ClientHello record is split between two or more packets.

If SSL debug logging is enabled, the system logs an error such as the following:
    01260009:7: Connection error: ssl_hs_rxhello:6210: ClientHello contains extra data (47).

Note: For information on SSL debug logging, see SOL15292: Troubleshooting SSL/TLS handshake failures at https://support.f5.com/kb/en-us/solutions/public/15000/200/sol15292.html.

Conditions:
This occurs when an SSL ClientHello record is split across multiple TCP segments, and the last segment is relatively small.

Impact:
SSL connections fail to complete with a handshake failure.

Workaround:
No workaround.

Fix:
SSL handshakes no longer fail to complete when the ClientHello is split across multiple TCP segments and the last segment is relatively small.
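To show why a record-layer parser must buffer across TCP segment boundaries rather than treating a short trailing segment as "extra data", here is an added example (not F5 code) of a TLS record reassembler feeding a ClientHello parser; the ClientHello bytes and the 47-byte tail segment are constructed test data.

```python
import struct

TLS_HANDSHAKE = 0x16      # record-layer content type
HS_CLIENT_HELLO = 0x01    # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension type


class TlsRecordReassembler:
    """Buffer TCP segment payloads and yield only complete TLS records.

    The 5-byte record header says exactly how many body bytes to wait for,
    so a short trailing segment is 'not enough yet', never 'extra data'.
    """

    def __init__(self):
        self._buf = bytearray()

    def feed(self, segment: bytes) -> list:
        self._buf += segment
        records = []
        while len(self._buf) >= 5:
            ctype, version, length = struct.unpack("!BHH", self._buf[:5])
            if len(self._buf) < 5 + length:
                break                       # wait for the next segment
            records.append((ctype, version, bytes(self._buf[5:5 + length])))
            del self._buf[:5 + length]      # a segment may hold several records
        return records


def parse_client_hello(body: bytes) -> dict:
    """Parse one complete ClientHello handshake message (TLS 1.2 layout)."""
    if len(body) < 4 or body[0] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    extra = len(body) - 4 - hs_len
    if extra < 0:
        raise ValueError("ClientHello is truncated")
    if extra > 0:
        # Only raised for a genuinely over-long record, never for a
        # partial record that has not been fully reassembled yet.
        raise ValueError(f"ClientHello contains extra data ({extra})")
    p = 4
    (version,) = struct.unpack("!H", body[p:p + 2]); p += 2
    p += 32                                            # client random
    p += 1 + body[p]                                   # session id
    (cs_len,) = struct.unpack("!H", body[p:p + 2]); p += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + body[p]                                   # compression methods
    sni = None
    if p < len(body):
        (ext_len,) = struct.unpack("!H", body[p:p + 2]); p += 2
        end = p + ext_len
        while p < end:
            etype, elen = struct.unpack("!HH", body[p:p + 4]); p += 4
            if etype == EXT_SERVER_NAME:
                # ext data: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack("!H", body[p + 3:p + 5])[0]
                sni = body[p + 5:p + 5 + name_len].decode("ascii")
            p += elen
    return {"version": version, "cipher_suites": suites, "sni": sni}


def build_client_hello_record(server_name: str, cipher_suites) -> bytes:
    """Construct a sample ClientHello record (test data, not a real capture)."""
    name = server_name.encode("ascii")
    name_list = struct.pack("!BH", 0, len(name)) + name
    exts = struct.pack("!HHH", EXT_SERVER_NAME, len(name_list) + 2, len(name_list)) + name_list
    body = (struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"
            + struct.pack("!H", 2 * len(cipher_suites))
            + b"".join(struct.pack("!H", cs) for cs in cipher_suites)
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(hs)) + hs


def client_hello_from_segments(segments):
    """Feed TCP segments in order; return the parsed ClientHello once complete."""
    reasm = TlsRecordReassembler()
    for seg in segments:
        for ctype, _version, rec_body in reasm.feed(seg):
            if ctype == TLS_HANDSHAKE:
                return parse_client_hello(rec_body)
    return None


if __name__ == "__main__":
    rec = build_client_hello_record("example.com", [0x1301, 0xC02F])
    # Split so the final segment is a small 47-byte tail, as in the symptom.
    print(client_hello_from_segments([rec[:10], rec[10:-47], rec[-47:]]))
```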


546640-1 : tmsh show gtm persist <filter option> does not filter correctly

Component: Global Traffic Manager

Symptoms:
The following commands fail to return results even if there are matching records:
  # tmsh show gtm persist level wideip
  # tmsh show gtm persist target-type pool-member

Conditions:
This only happens when running the tmsh commands listed in the Symptoms.

Impact:
It is not possible to get granular detail for persistence statistics.

Workaround:
Use the GUI.

Fix:
Filters for the tmsh show gtm persist command now apply the filters correctly.


546410-1 : Configuration may fail to load when upgrading from version 10.x.

Component: TMOS

Symptoms:
After upgrade from 10.x to 11.5.3 HF2, configuration fails to load with the following error:
01070734:3: Configuration error: Invalid primary key on monitor_param object () - not a full path 2.

Conditions:
Configuration contains a user-created monitor (A) that inherits from user-created monitor (B). Monitor A appears first within the configuration files and monitor B does not have a 'destination' attribute.

Impact:
Configuration fails to load.

Workaround:
Re-order monitors such that Monitor B appears first, or add a 'destination' attribute (i.e., 'destination *:*') to monitor B.

Fix:
Upgrade from 10.x now completes successfully, even when parent monitors appear later in the monitor list, or when there is no destination attribute in the child monitor.


546260-1 : TMM can crash if using the v6rd profile

Component: TMOS

Symptoms:
TMM might crash intermittently when traffic is sent through v6rd profile-configured tunnels.

Conditions:
Specific conditions required for encountering this issue are not well understood.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed root cause of TMM core related to the v6rd profile, so this issue no longer occurs.


546080-4 : Path sanitization for iControl REST worker

Vulnerability Solution Article: K99998454


545821 : Idle timeout changes to five seconds when using PVA full or Assisted acceleration.

Component: Local Traffic Manager

Symptoms:
When FastL4 performs hardware acceleration during the TCP handshake, the FastL4 handshake timeout is not updated to match the profile timeout value after the connection is established.

Conditions:
Accelerated, established TCP flows with no traffic for more than five seconds.

Impact:
TCP flows in the established state are dropped if they have more than five seconds of inactivity.

Workaround:
Disable embedded Packet Velocity Acceleration (ePVA) acceleration.

Fix:
Once the TCP connection reaches established state, the idle timeout is set to the value found in the associated profile. By default the profile timeout value is 300 seconds.


545786-2 : Privilege escalation vulnerability CVE-2015-7393

Vulnerability Solution Article: K75136237


545762-1 : CVE-2015-7394

Vulnerability Solution Article: K17407


545745-3 : Enabling tmm.verbose mode produces messages that can be mistaken for errors.

Component: TMOS

Symptoms:
When tmm first starts, the system logs multiple messages containing the words "error:" and "best_error:" in the tmm log files when tmm.verbose is enabled, and hardware accelerators are present.

Conditions:
Must have an accelerator device, and enable tmm.verbose logging.

Impact:
The system posts messages that could be mistaken for errors. For example: en: 1, clkf: 13, pll_MHz: 650, ddr_hertz: 650000000, error: 17000000, best_error: 667000000. These are not errors, and may be safely ignored.

Workaround:
Ignore the lines with format similar to the following:

 en: 1, clkf: 13, pll_MHz: 650, ddr_hertz: 650000000, error: 17000000, best_error: 667000000

Fix:
The cosmetic messages containing 'error' and 'best_error' are no longer posted on initial tmm startup when tmm.verbose logging is enabled on hardware-accelerated devices.


545704-3 : TMM might core when using HTTP::header in a serverside event

Component: Local Traffic Manager

Symptoms:
In certain circumstances TMM might core when using an HTTP iRule command in an HTTP_REQUEST_SEND serverside event.

Conditions:
- iRule with an HTTP command in a serverside event prior to the serverside being completely established, such as HTTP_REQUEST_SEND.
- OneConnect configured on the virtual server.

Impact:
The command might either return an invalid value or lead to a condition where TMM might core.

Workaround:
Use the {clientside} Tcl command to execute on the client side.

Alternatively, you might use the HTTP_REQUEST_RELEASE event for HTTP inspection/modification on the server-side.

Fix:
TMM no longer cores when using HTTP iRule commands on the server-side of the HTTP_REQUEST_SEND event.


545450-2 : Log activation/deactivation of TM.TCPMemoryPressure

Component: Local Traffic Manager

Symptoms:
The TCP memory pressure feature allows packets to be randomly dropped when the TMM is running low on available memory. The issue is that these packets are dropped silently.

Conditions:
TM.TCPMemoryPressure set to "enable".

Impact:
Packets are dropped, where the cause of the drop cannot be easily determined.

Fix:
Logging added in /var/log/ltm for activation and deactivation of TCP memory pressure. The deactivation message also includes the number of packets and bytes dropped.


544992-2 : Virtual server profile changes are ignored if it has /Common/remotedesktop and /Common/vdi assigned (Citrix/Vmware View iApp)

Component: Access Policy Manager

Symptoms:
Changes to the profiles that are assigned to a virtual server are ignored if the /Common/remotedesktop and /Common/vdi profiles are already assigned to it. Some iApps that F5 provides to create Citrix or VMware View configurations assign those profiles to a virtual server.

Conditions:
/Common/remotedesktop and /Common/vdi profiles are assigned to a virtual server.

Impact:
Changes to the profiles assigned to a virtual server (adding a new profile, deleting a profile, changing existing profiles) have no effect until either of these occurs: the /Common/vdi profile is removed from the virtual server, or tmm is restarted.

Workaround:
Use tmsh to remove /Common/vdi from the profiles for the virtual server.
(There is no option in the GUI that allows you to do this.)

Fix:
The /Common/remotedesktop and /Common/vdi profiles can be assigned to a virtual server without affecting other profiles.


544980-1 : BIG-IP Virtual Edition may have minimal disk space for the /var software partition when deploying from the OVA file for the Better or Best license bundle.

Component: TMOS

Symptoms:
The size of /var volume is 500 MB instead of 3 GB for BETTER and BEST license bundles.

Conditions:
BIG-IP VE BETTER and BEST vm_bundle images.

Impact:
Not enough space in /var.

Workaround:
In the current volume:

1. Modify the global_attributes file.
* The global_attributes file is located in /shared/.tmi_config; edit it with the vi command.

From:
{"TMI_VOLUME_FIX_VAR_MIB":"500","TMI_VOLUME_FIX_CONFIG_MIB":"500"}

To:
{"TMI_VOLUME_FIX_VAR_MIB":"3000","TMI_VOLUME_FIX_CONFIG_MIB":"500"}

2. Install version.

3. Modify the global_attributes file back to its original value.

4. Switchboot to newly installed volume.

5. To change /var to 3 GB, run the following command from tmsh:
modify /sys disk directory /var new-size 3145728

6. Reboot.

Fix:
BIG-IP Virtual Edition now has 3 GB of disk space for the /var software partition when deploying from the OVA file for the Better or Best license bundle.


544913-2 : tmm core while logging from TMM during failover

Component: TMOS

Symptoms:
TMM crashes and dumps core while logging to a remote logging server when an HA failover occurs.

Conditions:
The problem might occur when:
1. A log message is created as the result of errors that can occur during log-connection establishment.
2. An error occurs while attempting to connect to the remote logging server.
3. The Primary HA member fails over. The crash occurs on the HA member which was the Primary member prior to the failover.

Impact:
TMM runs out of stack and dumps core. Stack trace shows recursion in errdefs. The system cannot function under these conditions. This is an issue that might occur anytime logs are generated when managing resources that are also used by the logging system itself.

Workaround:
Two possible workarounds are available:
1) Create a log filter specifically for message-id :1010235: that either discards or directs such messages to local syslogs.
2) If the problem occurs on TMM startup, disable and then re-enable the corresponding log source once the TMM starts up.

Fix:
Logging recursion no longer occurs in TMM during failover while the system is attempting to connect to the remote logging server.


544831 : ASM REST: PATCH to a custom signature set's attackTypeReference is ignored

Component: Application Security Manager

Symptoms:
When trying to update filter/attackTypeReference for a User-Defined Filter-Based Signature Set (/mgmt/tm/asm/signature-set/<ID>), the PATCH call completes successfully, but the change never occurred.

Conditions:
Using the REST API, a user tries to update filter/attackTypeReference for a User-Defined Filter-Based Signature Set (/mgmt/tm/asm/signature-set/<ID>)

Impact:
The PATCH call completes successfully, but the change never occurred. This may result in the Signature Set not containing the expected signatures.

Workaround:
The bug only exists in the REST API; the GUI can be used to change this value.

Fix:
The attackTypeReference field is now correctly updated using a REST PATCH.


544481-4 : IPSEC Tunnel fails for more than one minute randomly.

Component: TMOS

Symptoms:
IPsec IKEv1: A DPD ACK may be dropped during excessive DPD message exchange. This causes the IPsec tunnel to fail.

Conditions:
Excessive DPD message exchange.

Impact:
Connection resets.

Workaround:
None.

Fix:
Excessive DPD message exchange no longer causes the IPsec tunnel to fail.


544375-2 : Unable to load certificate/key pair

Component: Local Traffic Manager

Symptoms:
After creating an SSL profile, 'could not load key/certificate file' appears in /var/log/ltm with the profile name. Connections to a virtual server using the SSL profile fail.

Conditions:
Certificate uses sha1WithRSA or dsaWithSHA1_2 signature algorithm.

Impact:
Unable to load certificate.

Workaround:
None.

Fix:
Can now load certificates with sha1WithRSA or dsaWithSHA1_2 signature algorithm.


544325-2 : BIG-IP UDP virtual server may not send ICMP Destination Unreachable message Code 3 (port unreachable).

Component: Local Traffic Manager

Symptoms:
A BIG-IP UDP virtual server may not send an ICMP Destination Unreachable message Code 3 (port unreachable). As a result of this issue, you may encounter the following symptoms:

-- Client applications may not respond or appear to hang.
-- When attempting to troubleshoot the connectivity issue from remote devices, no ICMP diagnostic data is available from the BIG-IP system.

Conditions:
This issue occurs when the following condition is met: All pool members for the UDP virtual server are unavailable.

Impact:
In versions 11.3.0 through 11.4.1, the system silently drops the request. In versions 11.5.0 and later, the system sends back the ICMP message with type 13 ('administratively filtered').

Workaround:
None.

Fix:
LTM now sends back an ICMP Destination Unreachable message Code 3 (port unreachable), which is expected behavior.

Behavior Change:
In version 11.2.1 and earlier, the system responded to a request with an ICMP packet containing the type code 'port unreach' when a UDP virtual server pool member was down due to no available pool members. For the same scenario in versions 11.3.0 through 11.4.1, the system sends no ICMP packet. In versions 11.5.0 through this hotfix/release, the system sends an ICMP packet containing the 'administratively filtered' type code for the same scenario.

In this hotfix/release, the 11.2.1 behavior is restored. In this case, the system responds with an ICMP packet containing the type code set to 'port unreach'.


544028-3 : Verified Accept counter 'verified_accept_connections' might underflow.

Component: Local Traffic Manager

Symptoms:
Verified Accept counter 'verified_accept_connections' might underflow.

Conditions:
When the verified accept setting on a TCP profile is changed for an active virtual server.

Impact:
When the counter underflows, new connections on any verified-accept enabled virtual server are dropped. The counter will never recover.

Workaround:
Avoid changing the verified accept setting on a TCP profile for an active virtual server.

Fix:
This release corrects the issue in which the Verified Accept counter 'verified_accept_connections' might underflow.


543993-4 : Serverside connections may fail to detach when using the HTTP and OneConnect profiles

Component: Local Traffic Manager

Symptoms:
The serverside connection does not detach when using the OneConnect profile.

Conditions:
An HTTP/1.1 response without a Content-Length header is received in response to an HTTP/1.0 HEAD request.

Impact:
HTTP requests on the same connection are not load balanced across pool members.

Workaround:
Remove the OneConnect profile.

Fix:
Ensure serverside detachment when handling HTTP responses to HEAD requests.


543220-3 : Global traffic statistics do not include PVA statistics

Component: Local Traffic Manager

Symptoms:
Global traffic statistics shown in the GUI and in TMSH are not correct.

Conditions:
Hardware acceleration enabled.

Impact:
Statistics discrepancy in global traffic statistics.

Workaround:
None.

Fix:
Global traffic statistics now include the correct PVA statistics in the GUI and in TMSH.


542898 : Virtual Edition: Disk partition /var shows 100% after live install to 12.0.0

Component: TMOS

Symptoms:
After installing a new Virtual Edition software instance and booting into it, disk partition /var shows 100% usage.

Conditions:
Virtual Edition only

Impact:
System is generally unusable; applications cannot operate without space in /var.

Workaround:
1) Reboot into the previous software location.

2) Delete the new software location that is non-functional.

3) Remove this file:
/shared/.tmi_config/global_attributes

4) Install the new software again.

Fix:
After applying the fix, subsequent operations that install new software size the /var filesystem appropriately.


542860-5 : TMM crashes when IPsec SAs are deleted during an HA Active to Standby or vice versa event

Component: TMOS

Symptoms:
TMM can crash when IPsec SAs are deleted using TMSH or the racoonctl utility during an HA Active to Standby or vice versa event.

Conditions:
During an HA Active to Standby or vice versa event, using TMSH or the racoonctl utility to delete IPsec SAs can cause a TMM crash. This is a race condition and occurs rarely.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Running a TMSH command or the racoonctl utility to delete IPsec SAs during an HA Active to Standby or vice versa event no longer results in a TMM crash, and the IPsec SAs are deleted as requested.


542742-3 : SNMP reports invalid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m).

Component: TMOS

Symptoms:
SNMP reports invalid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m).

Conditions:
Querying the OIDs.

Impact:
Unable to monitor the moving averages of the current connection counts as they return 0.

Workaround:
There is no known workaround.

Fix:
SNMP now reports valid data from global_stat, avg server-side cur_conns (for 5s, 1m, 5m).


542654 : bigd may experience a heartbeat failure when tcp-half-open monitors are used

Component: Local Traffic Manager

Symptoms:
bigd generates a core file and restarts. The system writes a message to /var/log/ltm that is similar to the following: notice sod[6504]: 01140029:5: HA daemon_heartbeat bigd fails action is restart.

Conditions:
tcp-half-open monitors are in use.

Impact:
bigd restarts and there is an interruption in monitoring.

Workaround:
There is no workaround, but this has been seen extremely rarely.


542511-1 : 'Unhandled keyword ()' error message in GUI and/or various ASM logs

Component: Application Security Manager

Symptoms:
The 'Unhandled keyword ()' error message may appear in the 'Session Awareness Tracking' GUI page and/or various ASM logs, such as the learning manager log, the asm config server log, and the main asm log.
In the case of the learning manager, the error causes it to crash; the learning manager process is then restarted approximately 15 seconds later.

Conditions:
ASM provisioned.
Session Awareness Tracking is enabled.

Impact:
Uninformative errors in the 'Session Awareness Tracking' GUI page and/or various ASM logs, such as the learning manager log, the asm config server log, and the main asm log.
The learning manager process restarts.

Workaround:
None.

Fix:
Learning manager now handles the 'Unhandled keyword ()' exception in a graceful manner and does not crash.


542320 : no login name may appear when running ssh commands through management port

Component: TMOS

Symptoms:
ssh root@mgmt_port_ip_address "bash -cl 'tmsh show sys sof'" displays "logname: no login name"

Conditions:
Running a tmsh command through a login shell over ssh to the management port, as in the command shown under Symptoms.

Impact:
Display issue only.

Fix:
The login name is now displayed properly.


542314-7 : TCP vulnerability - CVE-2015-8099

Vulnerability Solution Article: K35358312


541549-3 : AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination.

Component: TMOS

Symptoms:
The default setting of an AMI is not to delete an attached volume when the instance is terminated. This results in extra effort to delete the volume manually after terminating the instance; if this is not always done, the orphaned volumes incur extra charges.

Conditions:
A BIG-IP VE is launched from an AMI in the marketplace.

Impact:
Volumes attached to BIG-IP VE instances will be deleted automatically when the instance is terminated. This option is set to be default now. If you want to keep a volume even after terminating a BIG-IP VE instance, you will have to set it to not be deleted upon termination during instance launch in AWS console.

Workaround:
None.

Fix:
A BIG-IP VE AWS image now has the option set such that when an instance is launched out of it, that BIG-IP VE instance will have volumes which are set to be deleted upon termination by default.

Behavior Change:
A BIG-IP VE AWS image now has the option set such that when an instance is launched out of it, that BIG-IP VE instance will have volumes which are set to be deleted upon termination by default.


541316-5 : Unexpected transition from Forced Offline to Standby to Active

Component: TMOS

Symptoms:
If a BIG-IP configuration is reset to default, and then restored from a saved UCS that was taken while the system was Forced Offline, the system will be restored to the Forced Offline state, but the state may not persist across reboots.

Conditions:
Restore a saved UCS that was created while the BIG-IP system was Forced Offline.

Impact:
System may unexpectedly go Active after a reboot.

Workaround:
None.

Fix:
Device forced offline remains forced offline after restoring a UCS and rebooting.


541231-1 : Resolution of multiple curl vulnerabilities

Vulnerability Solution Article: K16704 K16707


541156-3 : Network Access clients experience delays when resolving a host

Component: Access Policy Manager

Symptoms:
The DNS Relay proxy for Network Access clients operating in split-tunnel mode intercepts a client's DNS request for a non-matching host and will forward it to the client's local DNS server. If the client contains multiple NICs, one containing a down or invalid DNS server, this could cause a delay in resolving the host.

Conditions:
-- Network Access with the DNS Relay Proxy configured.
-- A client machine has multiple NICs.
-- One of the NICs has an invalid or down DNS server configured.
-- The client attempts to resolve a host not matching the Network Access policy.

Impact:
Clients will experience unusual delays (10+ seconds) when resolving hosts.

Workaround:
Clients can check their system setup and remove the affected interfaces that contain an invalid DNS server (virtual machine network adapters are becoming increasingly common and can exhibit this), or they can ensure that they are mapped only to valid DNS servers that can resolve the host.

Fix:
The DNS Relay proxy will now avoid sending DNS requests to down DNS servers for DNS requests that do not match the Network Access policy while Network Access is connected.


541134-3 : HTTP/HTTPS monitors transmit unexpected data to monitored node.

Component: Local Traffic Manager

Symptoms:
HTTP/HTTPS monitors send unexpected data (crlfcrlf) after completion of the TCP and/or SSL handshake.

Conditions:
HTTP/HTTPS monitor with a send attribute set to 'none'. HTTP/HTTPS monitors with a 'none' send string should complete the TCP handshake(+SSL handshake) and then close the connection without sending any data.

Impact:
A monitor configured with a 'none' send string sends a 4-byte string, \r\n\r\n (crlfcrlf), after completing the handshake. This is ignored by the monitored node, which might cause it to be marked down.

Workaround:
None.

Fix:
HTTP/HTTPS monitor no longer transmits any L7 data when send attribute is set to 'none'.


541126-1 : Safenet connection may fail on restarting pkcs11d or HSM reboot or if the connection to HSM is lost and then resumed

Component: Local Traffic Manager

Symptoms:
netHSM usage may fail for Safenet users, with error messages in the ltm log similar to the following:
warning tmm1[11930]: 01260009:4: Connection error: ssl_hs_vfy_sign_srvkeyxchg:9678: sign_srvkeyxchg (80).
info tmm1[11930]: 01260013:6: SSL Handshake failed for TCP 10.10.0.1:59513 -> 10.10.1.150:20001.
warning pkcs11d[12005]: 01680022:4: Crypto operation [2] failed.
crit tmm1[11930]: 01260010:2: FIPS acceleration device failure: fips_poll_completed_reqs: req: 56 status: 0x1 : Cancel.

Conditions:
This may happen for any of the following conditions:
-- Restart pkcs11d without starting tmm immediately after.
-- Network connection between the BIG-IP and HSM is interrupted and then restored.
-- HSM is rebooted without being followed by a restart to pkcs11d and tmm.

Impact:
SSL handshake failure with a message similar to the following:

SSL Handshake failed for TCP 10.10.0.1:59513 -> 10.10.1.150:20001.

Workaround:
For Safenet, always restart tmm after restarting pkcs11d. To do so, run the following commands:
bigstart restart pkcs11d
bigstart restart tmm

When the networking to HSM is restored or after a HSM reboot, always run the following commands:
bigstart restart pkcs11d
bigstart restart tmm

Fix:
After restarting pkcs11d, Safenet connections no longer fail with the message 'cannot locate key'.


540996-4 : Monitors with a send attribute set to 'none' are lost on save

Component: TMOS

Symptoms:
Monitors that have a send, recv, or recv-disable attribute set to 'none' are lost on configuration save.

Impact:
Monitor may send unexpected string.

Workaround:
None.

Fix:
Monitor send, recv, and recv-disable attributes now retain a 'none' value on configuration save.


540893-3 : Unevenly loaded tmms while using syncookies may cause occasional spurious connection resets.

Component: Local Traffic Manager

Symptoms:
Flows for a syncookie-enabled listener might occasionally receive a RST after responding correctly to a syncookie challenge.

Conditions:
-- Fast Flow Forwarding is enabled.

-- At least one tmm thread is heavily loaded but has not reached its syncookie thresholds, while at least one tmm thread is less heavily loaded but has met its syncookie threshold.

Impact:
Occasional clients take an incorrect path and have their valid syncookie ACKs rejected with a TCP RST and must retry.

Workaround:
Set db variable tmm.ffwd.enable = false.

Doing this may modestly reduce peak performance on CPU bound loads.

Fix:
Fixed occasional RST in response to valid syncookie ACKs when under uneven load.


540849-4 : BIND vulnerability CVE-2015-5986

Vulnerability Solution Article: K17227


540846-4 : BIND vulnerability CVE-2015-5722

Vulnerability Solution Article: K17181


540778 : Multiple SIGSEGV with core and failover with no logged indicator

Component: Access Policy Manager

Symptoms:
A multimodule HA pair under high load experiences 3 failover events.

Conditions:
Configure HA pair for GBB multimodule testing (AFM, ASM, APM, GTM, LTM) and apply high concurrent load.

Impact:
Instability in HA. The current HA config under test has not had a unit remain active for more than ~12 hours.

Workaround:
None.

Fix:
Memory allocated with umem_alloc is now freed using the same length that was used for the allocation.


540767-1 : SNMP vulnerability CVE-2015-5621

Vulnerability Solution Article: K17378


540638 : GUI Device Management Overview to display device_trust_group

Component: TMOS

Symptoms:
The Device Management Overview page is displaying a blank page in the Device Groups panel.

Conditions:
No special condition is required.

Impact:
The Device Management Overview page does not display any information. This might be especially confusing when devices are not in sync.

Workaround:
None.

Fix:
Device Management Overview page now displays the device and device group details in the Device Groups panel.


540576-2 : big3d may fail to install on systems configured with an SSH banner

Component: Global Traffic Manager

Symptoms:
When a BIG-IP system is configured to display a banner at SSH login, big3d_install may be unable to update the big3d daemon on that device.

Conditions:
sshd banner enabled.

Impact:
big3d_install fails to install big3d on the target remote BIG-IP system.

Workaround:
1. Disable the SSH banner on the target device:
tmsh modify /sys sshd banner disabled

2. Add the target:
bigip_add target_name

3. Re-enable the SSH banner:
tmsh modify /sys sshd banner enabled

Fix:
big3d now installs correctly on systems configured with an SSH banner.


540571-4 : TMM cores when multicast address is set as destination IP via iRules and LSN is configured

Component: Carrier-Grade NAT

Symptoms:
TMM may core when an iRule changes the destination address of a connection to use a multicast address such as 224.0.0.1. When the BIG-IP system looks up the route, it returns an internal route with no interface designed for use with multicast traffic. LSN expects to find an interface and crashes when it attempts to use the non-existent interface.

Conditions:
- CGNAT enabled and LSN pools configured on active virtual server that accepts traffic.
- On the same virtual server, an iRule is configured that changes the destination IP to a multicast address in the 224.0.0.0/24 network.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There are two workarounds:
-- Remove the offending iRule that is sending traffic to the 224.0.0.0/24 network.
-- Prevent traffic from using that destination in the iRule.

Fix:
TMM no longer cores when multicast address is set as destination IP via iRules and LSN is configured. Now, the system fails connections when the route's IFC is null, which is correct behavior.


540568-4 : TMM core due to SIGSEGV

Component: Local Traffic Manager

Symptoms:
TMM may core due to a SIGSEGV.

Conditions:
Occurs rarely. Specific conditions unknown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed an intermittent tmm core related to Bug 540571.


540484-4 : "show sys pptp-call-info" command can cause tmm crash

Component: Carrier-Grade NAT

Symptoms:
Core when "show sys pptp-call-info" is called.

Conditions:
On BIG-IP with fastl4 virtual server forwarding PPTP GRE traffic, TMSH "show sys pptp-call-info" command can cause crash in TMM.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not issue "show sys pptp-call-info" command on BIG-IP forwarding PPTP GRE traffic.

Fix:
Fixed crash from incorrectly matching PPTP ALG traffic in forwarding fastl4 virtual server.


540473-5 : peer/clientside/serverside script with parking command may cause tmm to core.

Component: Local Traffic Manager

Symptoms:
When the peer/clientside/serverside iRule contains parking commands, or in NTLM profiles (which utilize parking commands), tmm might core upon connection reuse.

Conditions:
1. The iRule used in peer/clientside/serverside contains a parking command.

2. The connection is reused. This might occur in OneConnect configurations, for example.

In configurations that do not have parking iRule commands, this issue might also occur when the NTLM profile is in use, as the NTLM profile also utilizes parking. Note: The NTLM profile might be deployed automatically if you are using a SharePoint iApp.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use parking commands in cases where the system might reuse the connection. If the issue occurs with the NTLM profile, do not use the NTLM profile, if possible.

Fix:
When the peer/clientside/serverside iRule contains parking commands, or when using NTLM profiles that utilize parking commands, tmm no longer cores upon connection reuse.


540424-1 : ASM REST: DESC modifier for $orderby option does not affect results

Component: Application Security Manager

Symptoms:
Collections returned from the REST API can be sorted by a field using the $orderby ODATA parameter. The default sort order is ascending, and a "DESC" modifier is meant to sort in descending order, but the "DESC" modifier has no effect on the sort order.

Conditions:
ASM REST API is used to retrieve a collection with the elements sorted by a field's value in descending order.

Impact:
The collection is always returned in ascending sort order even if descending order was requested.

Workaround:
None.

Fix:
The DESC operator is now honored for the $orderby ODATA parameter on ASM REST API requests.


540390-1 : ASM REST: Attack Signature Update cannot roll back to older attack signatures

Component: Application Security Manager

Symptoms:
There is no way to roll back to an older attack signature update using the REST interface.

Conditions:
REST is used to manage Attack Signature Updates on a BIG-IP device, and the user wants to install an older version than the currently installed file.

Impact:
REST clients have no way to fully manage Attack Signature Updates for the BIG-IP system.

Workaround:
The GUI can be used to roll back to an earlier version.

Fix:
The REST API now supports the "allowOlderTimestamp" field in the update-signatures task, which allows rolling back to an older attack signature update using the REST interface:

POST https://<host>/mgmt/tm/asm/tasks/update-signatures/
{
  "allowOlderTimestamp": true,
  <Rest of body as usual>
}


540213-4 : mcpd will continually restart on newly inserted secondary blades when certain configuration exists on the primary

Component: Local Traffic Manager

Symptoms:
When a secondary blade's mcpd starts up, it may continually restart, failing to load, when the primary blade has a certain configuration. The easiest way to reproduce this is to insert a new blade into an existing running cluster.

This will happen when a link local IPv4 self IP is in use and the DB variable config.allow.rfc3927 is set to disabled (which is the default).

It is not possible to create such self IPs unless the DB variable is first enabled, the object is created, and then the DB variable is disabled.

In certain scenarios, a secondary blade's mcpd may go into a restart loop when receiving the configuration from the primary blade if IPv4 link-local self IP addresses (which can only be created while the DB key config.allow.rfc3927 is enabled) are in use.

Conditions:
This happens only on MCP startup on secondary blades, when a link local IPv4 self IP is configured, and when the DB variable config.allow.rfc3927 is set to disabled (which is the default).

Impact:
Secondary blade will not become part of the cluster and will not be able to process traffic. Continual log messages will show up on existing blades announcing that mcpd is continually restarting.

Workaround:
Enable the config.allow.rfc3927 DB variable on the primary to suspend this validation.

Fix:
When a link local IPv4 self IP is in use and the DB variable config.allow.rfc3927 is set to disabled (which is the default), mcpd would previously fail to start on a newly inserted secondary blade. This no longer occurs.


539923-2 : BIG-IP APM access logs vulnerability CVE-2016-1497

Vulnerability Solution Article: K31925518


539822-1 : tmm may leak connflow and memory on vCMP guest.

Component: TMOS

Symptoms:
tmm may leak connflow and memory on vCMP guests.

Conditions:
This occurs on a vCMP guest when only one tmm is provisioned on the blade.

Impact:
tmm leaks memory and might eventually crash from an out-of-memory condition.

Workaround:
Provision more than one tmm.

Fix:
tmm no longer leaks connflows and memory on vCMP guests when only one tmm is provisioned.


539784-2 : HA daemon_heartbeat mcpd fails on load sys config

Component: TMOS

Symptoms:
A particular stage of validation can take longer than the ha-daemon heartbeat interval, and while nothing is actually wrong, the system responds as if there is an unresponsive daemon, so the system restarts it.

Conditions:
iRules must be present in the configuration that the system is loading.

Impact:
MCPd restarts.

Workaround:
On the BIG-IP system, run the command: tmsh mod sys daemon-ha mcpd heartbeat disabled.

Fix:
Added additional heartbeats during validation, so HA daemon_heartbeat mcpd no longer fails on load sys config.


539466-3 : Cannot use self-link URI in iControl REST calls with gtm topology

Component: Global Traffic Manager

Symptoms:
The self-link URI cannot be used in iControl REST calls with gtm topology.

Conditions:
User issues iControl REST commands for gtm topology that include the self-link URI.

Impact:
The given command is not executed and the system posts the following error message: "Topologies must specify both regions: ldns: server:".

Workaround:
Do not use the self-link in iControl REST commands with gtm topology.

Fix:
You can now use self-link URI in gtm topology-related iControl REST commands.

Be sure to format the gtm topology OID string using the following rules:

1) Use only a single space between each item in the topology string.
2) Use a fully-pathed name for datacenter, isp, region, and pool objects.

For example:
"ldns: subnet 11.11.11.0/24 server: datacenter /Common/DC"


539270-2 : A specific NTLM client fails to authenticate with BIG-IP

Component: Access Policy Manager

Symptoms:
A specific NTLM client (such as Android Lync 2013) fails to authenticate with BIG-IP because it sends a particular NTLMSSP_NEGOTIATE message that BIG-IP was not able to parse properly, so BIG-IP throws an error. This effectively stops the authentication process, and this particular client never completes authentication.

Conditions:
Specific NTLM client. It is not clear whether this issue affects a particular version of Android Lync 2013 or a particular Android version.

Impact:
The client cannot complete authentication and is therefore not allowed to access protected resources.

Workaround:
No workaround exists for the affected clients.

Fix:
The BIG-IP system now processes NTLM requests for affected Lync clients, and users of the client are able to authenticate.


539229-4 : EAM core while using Oracle Access Manager

Component: Access Policy Manager

Symptoms:
Authentication with Oracle Access Manager can result in an exception while checking whether authentication is required. This is an intermittent issue.

Conditions:
This event can be triggered while using the Oracle Access Manager.

Impact:
An unhandled exception will cause EAM to core, with a possible access outage.

Workaround:
No workaround

Fix:
EAM handles exceptions gracefully during the authentication process when Oracle Access Manager is used.


539130-7 : bigd may crash due to a heartbeat timeout

Component: Local Traffic Manager

Symptoms:
bigd crashes and generates a core file.

The system logs entries in /var/log/ltm that are similar to the following: sod[5853]: 01140029:5: HA daemon_heartbeat bigd fails action is restart.

This issue is more likely to occur if /var/log/ltm contains entries similar to the following: info bigd[5947]: reap_child: child process PID = 9198 exited with signal = 9.

Conditions:
External monitors that run for a long time and are killed by the next iteration of the monitor. For example, the LTM external monitor 'sample_monitor' contains logic to kill a running monitor if it runs too long.

Impact:
bigd crashes and generates a core file. Monitoring is interrupted.

Workaround:
None.

Fix:
External monitors that run for a long time and are killed by the next iteration of the monitor now recover without bigd crashing and generating a core file.

Behavior Change:
bigd now logs child process exit messages in /var/log/bigdlog (so bigd.debug must be enabled) rather than in /var/log/ltm. This allows the logging to be controllable.

Successful command exits are also logged for completeness, since these log messages only appear when debugging is enabled.


539125-1 : SNMP: ifXTable walk should produce the available counter values instead of zero

Component: TMOS

Symptoms:
The SNMP ifXTable presents zeros for the attributes hc_in_multicast_pkts and hc_out_multicast_pkts. However, this data is available on the BIG-IP and should be presented.

Conditions:
snmpwalk the ifTable and the ifXTable. The ifTable shows Counter32 values for attributes in_multicast_pkts and out_multicast_pkts, but the ifXTable shows zeros for the Counter64 equivalent attributes hc_in_multicast_pkts and hc_out_multicast_pkts (except for vlans, which are correct).

Impact:
Inability to characterize/view counts for the above-referenced multicast packets via SNMP.

Fix:
The snmp walk described in the Symptom/Known issues field gives meaningful results after application of this hotfix.


539013-2 : DNS resolution does not work on a Windows 10 desktop with multiple NICs after VPN connection has been established in some cases

Component: Access Policy Manager

Symptoms:
DNS resolution stops working on a Microsoft Windows 10 desktop when the VPN connection is established.

Conditions:
This occurs when the client system meets all of the following conditions:
- Running BIG-IP software version Hotfix-BIGIP-11.5.3.1.47.167-HF1-ENG.iso.
- Running Microsoft Windows version 10.
- Has multiple NICs and one of them is in the disconnected state, with a statically assigned IPv4 configuration.

Impact:
User cannot access resources by DNS name.

Workaround:
Disable disconnected NICs that have a statically assigned IPv4 configuration.

Fix:
DNS resolution now works after the VPN connection has been established on a Windows 10 desktop with multiple NICs, one of which is in a disconnected state and has a statically assigned IPv4 configuration.


538761-1 : scriptd may core when MCP connection is lost

Component: TMOS

Symptoms:
Loss of the MCP connection may cause scriptd to core.

Conditions:
Unknown. Only known to reproduce in an F5 internal test.

Impact:
None known.

Fix:
A possible case of scriptd dumping core has been fixed.


538708-2 : TMM may apply SYN cookie validation to packets before generating any SYN cookies

Component: Local Traffic Manager

Symptoms:
SYN cookie validation is applied when SYN cookies are not active.

Conditions:
- Internal TMM clock has overflowed and is near 0.
- An ACK packet has been received that does not match an existing connection flow.

Impact:
Validation can be applied to a listener/proxy that does not support SYN cookies which can lead to a tmm core.

Fix:
SYN cookie validation will not be applied if SYN cookies have not been activated.


538603-3 : TMM core file on pool member down with rate limit configured

Component: Local Traffic Manager

Symptoms:
TMM may produce a core file when retrying the rate-limit calculation for a pool member that has gone down.

Conditions:
This occurs when the following conditions are met:
- service-down-action reselect.
- rate limit specified.
- traffic load balanced to pool members.
- traffic is over the rate for all pool members.
- all pool members go down.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove rate-limit configuration.

Fix:
TMM no longer produces a core file when retrying the rate-limit calculation for a pool member that has gone down.


538255-2 : SSL handshakes on 4200/2200 can cause TMM cores.

Component: Local Traffic Manager

Symptoms:
When processing SSL handshakes in the crypto acceleration hardware, a BIG-IP 2000 or 4000 platform might experience a TMM core.

Conditions:
This can occur when processing SSL handshakes in the crypto acceleration hardware. The issue is very unlikely to be seen other than on BIG-IP version 11.6.0 HF5 or on version 12.0.0 base install.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.

Fix:
The crypto acceleration hardware driver for the 2200/4200 has been fixed to avoid memory corruption.


538195-5 : Incremental Manual sync does not allow overwrite of 'newer' ASM config

Component: Application Security Manager

Symptoms:
ASM Sync was designed to only request the ASM portion of the configuration if it recognizes that a peer has a newer configuration.
This precluded the ability to 'roll back' changes on a device by pushing from the peer that still has the older configuration.

Conditions:
Devices are set up in an Incremental Manual Sync ASM-enabled group.

Impact:
User is unable to 'roll back' changes on a device by pushing from the peer that has an older configuration.

Workaround:
Make a spurious change on the device that has an older configuration and then push the changes to the peer.

Fix:
Older ASM configurations can now be pushed to a peer in an incremental sync manual device group.


538133-1 : Only one action per sensor is displayed in sensor_limit_table and system_check

Component: TMOS

Symptoms:
A list of sensors is displayed in the sensor_limit_table or by the system_check utility, with the actions taken when the sensor data exceeds its defined limit. On the affected versions, each sensor item is displayed only once, even if multiple limits and actions are defined for the sensor. Additional limits and actions defined for the sensor are not displayed.

Conditions:
This problem occurs when the affected version of the BIG-IP software is running on the following hardware platforms:
BIG-IP 2000-/4000-/5000-/7000-/10000-/12000-series appliances and VIPRION B2100, B2150, B2250 blades.

Impact:
The system does not show the complete set of defined sensor limits and corresponding BIG-IP system actions when there are multiple limits and actions defined. Only one action is displayed for each sensor.
The system_check utility will only evaluate sensor measurements against limits that appear in its sensor limit tables. Missing sensor limits will not be evaluated, and corresponding alerts will not be issued.

Workaround:
None.

Fix:
The system now shows a list of sensors in the sensor_limit_table or by the system_check utility, with the actions taken when the sensor data exceeds its defined limit.


537988-3 : Buffer overflow for large session messages

Component: Local Traffic Manager

Symptoms:
A system with multiple blades may crash when configured with functionality that utilizes SessionDB.

Conditions:
On a multi-blade machine, send an MPI message larger than 64K between blades (typically a session message).

Impact:
Core or potential data corruption.

Workaround:
None.

Fix:
There is no longer a buffer overflow for large session messages.


537964-3 : Monitor instances may not get deleted during configuration merge load

Component: Local Traffic Manager

Symptoms:
After performing a configuration merge load (for example, "tmsh load sys config merge ...") that changes an existing pool's monitor, old monitor instances may not get deleted.

This can result in a system generating monitor requests that are no longer part of the configuration. It can also result in the system logging messages such as the following:

err mcpd[8793]: 01070712:3: Caught configuration exception (0), Can't find monitor rule: 42.

Conditions:
Pools with monitors configured must exist. The merge load must replace the pool's monitor.

Impact:
Multiple monitor instances may be active on some pool members. This may result in incorrect monitoring status.

Workaround:
Once a system is affected by this issue, the misbehavior can be resolved by doing the following:

1. Save and re-load the configuration to correct the incorrect information in mcpd:

    tmsh save sys config partitions all && tmsh load sys config partitions all

2. Restart bigd:

    On an appliance:
    bigstart restart bigd

    On a chassis:
    clsh bigstart restart bigd

Fix:
Ensure that all relevant monitor instances are deleted when replacing a pool's monitor.


537614-2 : Machine certificate checker fails to use Machine cert check service if Windows has certain display languages

Component: Access Policy Manager

Symptoms:
The machine certificate checker agent fails to use the machine certificate checker service on Windows if the system has a certain display language, for example Polish.

In failed case logs contain:
2015-08-04,18:37:59:042, 924,756,, 1, , 330, CCertCheckCtrl::CheckPrivateKey, EXCEPTION caught: CCertCheckCtrl::CheckPrivateKey - EXCEPTION
2015-08-04,18:38:00:618, 924,756,, 1, \RPCConnector.cpp, 85, UCredMgrService::RpcConnect, EXCEPTION - Failed to set binding handle's authentication, authorization and security QOS info (RPC_STATUS: 1332)
2015-08-04,18:38:00:618, 924,756,, 1, \RPCConnector.cpp, 88, RPCConnector::Connect, EXCEPTION caught: UCredMgrService::RpcConnect - EXCEPTION
2015-08-04,18:38:00:618, 924,756,, 1, \MCClient.h, 86, MCClient::Verify, Failed to perform PRC-call:error=1702

Conditions:
- Windows with a non-English display language.
- The machine certificate checker is supposed to use the Machine Certificate Checker service.

Impact:
The machine certificate check cannot pass when using the Machine Certificate Checker service.

Workaround:
Switch display language to English.

Fix:
Machine certificate checker service works now with a display language other than English.


537553-3 : tmm might crash after modifying virtual server SSL profiles in SNI configuration

Component: Local Traffic Manager

Symptoms:
Modifying a Secure Sockets Layer (SSL) profile associated with a virtual server may result in the Traffic Management Microkernel (TMM) producing a core file. As a result of this issue, you may encounter one or more of the following symptoms:

-- The BIG-IP system sends an invalid memory access segmentation fault (SIGSEGV) or floating point error (SIGFPE) signal to TMM, resulting in a stack trace that appears in the /var/log/tmm file.
-- TMM restarts and produces a core file in the /shared/core directory.
-- The BIG-IP system generates an assertion failure panic string in the /var/log/tmm file that appears similar to the following example:
panic: ../kern/umem.c:3881: Assertion "valid type" failed

Conditions:
1. LTM virtual server is configured with multiple SSL profiles, one of which is the default SNI profile.
2. A configuration change is made that affects the virtual server. Among others:
-- Configuration is reloaded either manually or automatically after config sync.
-- Change is made to any of the SSL profiles configured on the virtual server.
-- SSL profiles are added or removed from the virtual server profile list.
-- Change is made to the virtual server.
-- Virtual server is deleted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Making SSL profile configuration changes now completes successfully.


537435-4 : Monpd might core if asking for export report by email while monpd is terminating

Component: Application Visibility and Reporting

Symptoms:
Core file is created by monpd if you try to export a report by email while monpd is terminating.

Conditions:
This is a very rare case: if a user asks to export a report by email in the middle of monpd's graceful termination (due to a restart or other reason), monpd dumps core instead of terminating gracefully.

Impact:
None

Workaround:
Fixed the code to avoid this behavior.

Fix:
Exporting a report by email in the middle of monpd's graceful termination (due to restart or other reason) will no longer cause a core dump.


537326-4 : NAT available in DNS section but config load fails with standalone license

Component: Local Traffic Manager

Symptoms:
config load fails with error:
01070356:3: NAT feature not licensed.
Unexpected Error: Loading configuration process failed.

Conditions:
A NAT object is created for GTM/LC standalone license box.

Impact:
config fails to load.

Workaround:
None.

Fix:
Configuration loading no longer fails with a NAT in DNS section.


537227-6 : EdgeClient may crash if special Network Access configuration is used

Component: Access Policy Manager

Symptoms:
EdgeClient crashes during the connect or disconnect process. The exact timing varies from one occurrence to the next.

Conditions:
EdgeClient may crash if the Network Access configuration includes all of the following:
- Full tunnel.
- Allow DHCP or Allow Local Subnets is used.
- There is a proxy between the client and APM.

Impact:
EdgeClient crashes prevent Network Access from working.

Workaround:
Remove one of the conditions that cause the crash.

Fix:
BIG-IP Edge Client now correctly processes particular Network Access configurations.


537000-3 : Installation of Edge Client can cause Windows 10 crash in some cases

Component: Access Policy Manager

Symptoms:
Connecting to an APM box that has support for Windows 10 can cause the OS to crash. After a reboot, the next attempt will be successful.

Conditions:
- Windows 10.
- APM box supporting Windows 10.
- The user installed the F5 VPN driver from an APM box that does not support Windows 10.

Impact:
The user can lose some data.

Workaround:
Before connecting, old VPN driver instances must be removed manually using Device Manager.

Fix:
Installation of BIG-IP Edge Client on Windows 10 no longer causes a system crash.


536939-1 : Secondary blade may restart services if configuration elements are deleted using a * wildcard.

Component: TMOS

Symptoms:
In certain situations a chassis based system with more than one working blade may encounter service restart on the secondary blade.

Conditions:
- Chassis system with 2 or more working blades.
- Configuration to be deleted via tmsh using a wildcard. For instance: tmsh delete ltm virtual test*

Impact:
Services will restart on the secondary blade.

Workaround:
Do not use * wildcards with tmsh when deleting configuration elements on a chassis system.

Fix:
Services no longer restart on a secondary blade when deleting configuration elements via tmsh using a * wildcard.


536868-2 : Packet Sizing Issues after Receipt of PMTU

Component: Local Traffic Manager

Symptoms:
TCP sends IP fragments in spite of PMTU message.

Conditions:
BIG-IP has received an ICMP PMTU message.

Impact:
IP fragmentation.

Workaround:
Set the MSS in the TCP profile sufficiently low to avoid inducing ICMP messages in the future.

Fix:
Properly process ICMP packets.


536746-2 : LTM : Virtual Address List page uses LTM : Nodes List search filter.

Component: TMOS

Symptoms:
The LTM : Virtual Address List page does not have its own filter but uses another object's filter, such as the Node list or Access policy filter.

Conditions:
Specifying a search filter on the Nodes page and then navigating to the Virtual Address page.

Impact:
Displays an empty virtual server list or only the virtual address matching the node addresses.

Workaround:
Remove the filter on the LTM : Nodes List before viewing the LTM : Virtual Address List.

Fix:
Specifying a search filter on LTM : Nodes List no longer affects the output on LTM : Virtual Address List.

Virtual Address List now has its own fixed, general filter, and is not affected by filter settings on any other object.


536690-1 : Occasional host-tmm connections within a chassis will fail (affects APM processes trying to connect to a tmm)

Component: Local Traffic Manager

Symptoms:
When using features that require a process on the host to connect to a specific tmm within a chassis, those connections sometimes fail. This can result in improper behavior of the feature, such as failure to create sessions in APM.

Conditions:
Using a module and feature that requires host-tmm communication within a chassis.

Impact:
Possible service failure, such as disallowing entry to APM.

Workaround:
None.

Fix:
Host-to-tmm connections within a chassis no longer fail.


536683-1 : tmm crashes on "ACCESS::session data set -secure" in iRule

Component: Access Policy Manager

Symptoms:
You encounter a tmm crash when your configuration contains an iRule that uses "ACCESS::session data set -secure".

Conditions:
Use of "ACCESS::session data set -secure" in an iRule.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a crash related to the "ACCESS::session data set -secure" command.


536575-2 : Session variable report can be blank in many cases

Component: Access Policy Manager

Symptoms:
For an access policy that includes On-Demand Cert Auth, Dynamic ACL, Per-App VPN, and other components, the Session Variable Report output can be blank.

Conditions:
- On-Demand Cert Auth in an access policy.
- DACL in an access policy.
- Per-App VPN access policy.
- Probably others.

Impact:
The Session Variable report is empty.

Workaround:
Check the session variable using command sessiondump.

Fix:
For an access policy that includes On-Demand Cert Auth, Dynamic ACL, or Per-App VPN, the Session Variable Report now shows session variables correctly.


536481-8 : F5 TCP vulnerability CVE-2015-8240

Vulnerability Solution Article: K06223540


536191-3 : Transparent inherited TCP monitors may fail on loading configuration

Component: Local Traffic Manager

Symptoms:
LTM monitor configuration may fail to reload from disk if the monitor name occurs alphabetically prior to the inherited-from monitor.

Conditions:
Monitor A inheriting from Monitor B, where both monitors are of type 'transparent'.

Impact:
Configuration from disk fails to load. System posts an error message similar to the following: 1070045:3: Monitor /Common/test1 type cannot have transparent attribute.
Unexpected Error: Loading configuration process failed.

Workaround:
Rename monitors so they occur in the required alphabetical order to support inheritance.

Fix:
Transparent inherited TCP monitors no longer fail on loading configuration.


535806-4 : Not enough free disk space for live install of BIG-IP 12.0.0 from 11.5.3 VE

Component: TMOS

Symptoms:
Not enough free disk space for live install of 12.0.0.

Conditions:
Initial install of BIG-IP VE GOOD 11.5.3, then upgrade to 12.0.0.

Impact:
Unable to install 12.0.0 on 2nd slot.

Workaround:
Grow the virtual disk before installing 12.0.0.

Fix:
Increased the size of virtual disk so that there is enough free disk space for live install of BIG-IP 12.0.0 from 11.5.3 VE.


535544-7 : Enhancement: ltm virtual translate-port, translate-address are not listed if they are enabled

Component: TMOS

Symptoms:
Consider the listing of the ltm virtual vsach below.

The translate-port and translate-address properties are not listed. This implies that these properties are set to their default value of true, because tmsh does not list default values. If they are set to false, they are listed.

(tmos)# list ltm virtual
ltm virtual vsach {
    destination 1.1.1.1:http
    mask 255.255.255.255
    profiles {
        fastL4 { }
    }
    source 0.0.0.0/0
    vs-index 3
}

Conditions:
Presence of an ltm virtual in the configuration with destination port any (for example, x.y.z.w:any) and translate-port enabled. When listing this ltm virtual, translate-port and translate-address are not displayed.

Impact:
The actual values of the virtual server's translate-port and translate-address attributes cannot be determined until the workaround is applied.

Workaround:
Explicitly list the property:

(tmos)# list ltm virtual sach translate-port
ltm virtual vsach {
    translate-port enabled
}

Fix:
After this change, the above-mentioned properties are always listed, regardless of whether they have their default value.


535246 : Table values are not correctly cleaned and can occupy entire disk space.

Component: Application Visibility and Reporting

Symptoms:
AVR data in MySQL might grow to fill all disk space.

Conditions:
This might occur when DNS table receives a large number of entries that are not being evicted when they are no longer needed.

Impact:
MySQL stops responding. Site might experience down time due to full disk.

Workaround:
If you are monitoring disk space and AVR data takes more than 70% of the space, reset the AVR data by running the following commands in sequence:
-- touch /var/avr/init_avrdb
-- bigstart restart monpd

Fix:
In this release, the system handles AVR data in MySQL so that database size no longer grows beyond a certain point.


535188-5 : Response Pages custom content with \n instead of \r\n on policy import.

Component: Application Security Manager

Symptoms:
After importing a policy with custom content on the Default Response Page, new lines are changed from \r\n to \n, which should not happen.

Conditions:
1. Create New Policy.
2. Go to Security : Application Security : Policy : Response Pages
3. On Default Response Page, change Response Type to 'Custom Response'.
4. Add 'Enters' to the 'Response Body' and save it.
(for example:
<html><head><title>Request Rejected</title></head><body>The requested URL was rejected.
 Please consult with your administrator.<br><br>Your support



 ID is: <%TS.request.ID()%></body></html>).
5. View the REST state of the response page and see that the new lines presented by '\r\n'.
6. Export the policy to XML.
7. Import the policy back (replace the old policy).
8. Now the 'new lines' in the content of the response page presented by '\n' instead of '\r\n'.

Impact:
After importing a policy with custom content on the Default Response Page, new lines are changed from \r\n to \n, which should not happen.

Workaround:
In the GUI, go to Security : Application Security : Policy : Response Pages, remove and re-add the 'Enters', and click 'Save' for the default response page.

Fix:
After importing a policy with custom content on the Default Response Page, new lines are no longer changed from \r\n.


534804-3 : TMM may core with rate limiting enabled and service-down-action reselect on poolmembers

Component: Local Traffic Manager

Symptoms:
TMM may produce a core file when calculating the rate limit in certain circumstances.

Conditions:
VIP/pool configuration contains:
 - Pool configured with
    + Action On Service Down is set to Reselect
 - Pool members configured with
    + Connection Rate Limit is set

If all pool members go down, this can trigger the core.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove rate limit configuration.

Fix:
TMM no longer cores in certain conditions with rate limiting and service-down-action reselect on pool members.


534795-6 : Swapping VLAN names in config results in switch daemon core and restart.

Component: Local Traffic Manager

Symptoms:
Changing names of configured VLANs directly in the configuration file and reloading results in a bcm56xxd switch daemon core and restart.

Conditions:
Applies to all switch based platforms, when modifying the VLAN names directly in the configuration file and reloading.

Impact:
Switch daemon drops core, restarts, and reconfigures the switch.

Workaround:
First delete any existing VLANs, and then recreate them with the new names.

Fix:
Add additional protection and error logging for VLAN-name- and VLAN-ID-lookup failures in the switch daemon.


534755-2 : Deleting APM virtual server produces ERR_NOT_FOUND error

Component: Access Policy Manager

Symptoms:
When an APM virtual server is deleted on the active unit, the following error message is seen in the APM log on the standby unit.

"Failed to delete profile stats namespaces"

Conditions:
This issue happens when an APM virtual server is deleted on the active unit and the change is subsequently synced to the standby unit.

Impact:
There is no functional impact.

Fix:
Access Filter now ignores the ERR_NOT_FOUND error when deleting the profile stats namespace.


534633-1 : OpenSSH vulnerability CVE-2015-5600

Vulnerability Solution Article: K17113


534630-3 : Upgrade BIND to address CVE 2015-5477

Vulnerability Solution Article: K16909


534582-3 : HA configuration may fail over when standby has only base configuration loaded.

Component: TMOS

Symptoms:
The active unit may fail over when only the base configuration is loaded on a standby system and HA communications in the HA configuration are interrupted.

Conditions:
Only base configuration loaded on standby and HA communications are disrupted.

Impact:
Potential site outage.

Workaround:
Configure HA to use multiple network interfaces. Avoid loading only the base configuration on HA configurations.

Fix:
HA configuration no longer fails over when a standby system has only the base configuration loaded.


534458-4 : SIP monitor marks down member if response has different whitespace in header fields.

Component: Local Traffic Manager

Symptoms:
In certain circumstances the SIP monitor may incorrectly mark a SIP pool member down. This is due to the comparison the monitor makes of the standard header fields in the SIP monitor request to the response.

Conditions:
SIP monitor and response differ in the use of whitespace in the header fields, for example, 'field:value' and 'field: value'.

Impact:
Unable to monitor the SIP pool member accurately using the standard SIP monitor because the pool member will be marked down.

Workaround:
Use other types of monitors, e.g., UDP.

Fix:
The SIP monitor now correctly processes monitor responses when the use of whitespace in header fields differs.
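The following is an added example, not F5 code, that illustrates the header-comparison behaviour behind this fix. A health monitor that compares the echoed SIP header fields of the response against its own request byte-for-byte will mark a member down whenever the server formats "field: value" differently than the monitor sent it, even though RFC 3261 permits whitespace before and after the colon and treats field names case-insensitively. The tolerant comparison below parses both messages, lowercases the field name and collapses runs of whitespace in the value before comparing. The two SIP messages and the set of compared fields are constructed for this example and are assumptions, not the monitor's actual logic.

```python
"""Strict versus whitespace-tolerant comparison of echoed SIP header fields.

Added example: models why a byte-for-byte header comparison marks a healthy
SIP member down, and how a normalizing comparison avoids the false negative.
"""
import re
from typing import Dict

# Constructed sample: the monitor's OPTIONS request ...
SAMPLE_REQUEST = (
    "OPTIONS sip:monitor@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776\r\n"
    "From:<sip:monitor@example.net>;tag=1928301774\r\n"
    "To: <sip:monitor@example.net>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "\r\n"
)

# ... and a constructed 200 OK that echoes the same fields with different
# whitespace around the colon (all legal per RFC 3261).
SAMPLE_RESPONSE = (
    "SIP/2.0 200 OK\r\n"
    "Via:  SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776\r\n"
    "From: <sip:monitor@example.net>;tag=1928301774\r\n"
    "To:<sip:monitor@example.net>;tag=5f3e\r\n"
    "Call-ID:a84b4c76e66710\r\n"
    "CSeq:   1 OPTIONS\r\n"
    "\r\n"
)

# Fields a response must echo unchanged from the request (assumed set; "To"
# is excluded because the server legitimately adds its own tag there).
ECHOED_FIELDS = ("via", "from", "call-id", "cseq")


def parse_headers(message: str, tolerant: bool) -> Dict[str, str]:
    """Map lowercased header names to values.

    tolerant=False keeps the raw text after the colon (the strict, pre-fix
    behaviour); tolerant=True strips and collapses whitespace in the value.
    """
    headers: Dict[str, str] = {}
    for line in message.split("\r\n")[1:]:   # skip the request/status line
        if not line:                          # empty line ends the headers
            break
        name, sep, value = line.partition(":")
        if not sep:
            continue                          # not a header line; ignore
        name = name.strip().lower()           # names are case-insensitive
        if tolerant:
            value = re.sub(r"\s+", " ", value).strip()
        headers[name] = value
    return headers


def response_matches(request: str, response: str, tolerant: bool) -> bool:
    """True if every echoed field in the response equals the one sent."""
    sent = parse_headers(request, tolerant)
    got = parse_headers(response, tolerant)
    return all(sent.get(f) == got.get(f) for f in ECHOED_FIELDS)


def mismatched_fields(request: str, response: str, tolerant: bool):
    """List the echoed fields that differ, useful when debugging a monitor."""
    sent = parse_headers(request, tolerant)
    got = parse_headers(response, tolerant)
    return [f for f in ECHOED_FIELDS if sent.get(f) != got.get(f)]


if __name__ == "__main__":
    for mode in (False, True):
        verdict = "UP" if response_matches(SAMPLE_REQUEST, SAMPLE_RESPONSE, mode) else "DOWN"
        print(f"tolerant={mode}: member marked {verdict}; "
              f"mismatches={mismatched_fields(SAMPLE_REQUEST, SAMPLE_RESPONSE, mode)}")
```

With the strict comparison the constructed response fails on every compared field because of the spacing alone, so the member would be marked down; with the tolerant comparison all four fields match and the member stays up.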


534246-4 : rest_uuid should be calculated from the actual values inserted to the entity

Component: Application Security Manager

Symptoms:
BIG-IP computes the case-sensitive rest_uuid values for HTTP headers but stores the headers as case-insensitive.

Conditions:
This is an example:
1. Go to Security>>Application Security>>Headers>>HTTP Headers.
2. Choose 'Custom...' for the name of the header.
3. Create a custom header using the name 'Abc' (with a capital letter).
4. Remember the ID generated in the JSON element.
5. Delete the header.
6. Create a new custom header and use the name 'abc'.

Actual Results:
The ID of 'abc' and the ID of 'Abc' are different.

Impact:
Two identical normalized values may have different rest_uuid.

Workaround:
N/A

Fix:
The REST "id" field is now calculated from the actual values inserted into the entity rather than from the user-input values.


534111-2 : [SSL] Config sync problems when modifying cert in default client-ssl profile

Component: Local Traffic Manager

Symptoms:
Config sync problems after modifying cert in default client-ssl profile when the profile is already active and in use on members in a high availability configuration.

Conditions:
Modify cert in default client-ssl profile and perform a config sync operation.

Impact:
After config sync, units in the sync group have different cert/key settings for client-ssl profiles. You can see this in the inherit-certkeychain setting, which changes from 'true' to 'false' after syncing the configuration with the changed default value.

Workaround:
1. Remove client-ssl definitions from bigip.conf on each unit.
2. Reload the config.
3. Synchronize the config.

Fix:
The system now correctly syncs the default client-ssl profile that was modified with a new cert and key, so the active and standby unit configurations now have the correct cert/key settings after config sync.


534052-5 : VLAN failsafe triggering on standby leaks memory

Component: Local Traffic Manager

Symptoms:
Memory is leaked when VLAN failsafe is active and sending ICMP probes.

Conditions:
VLAN failsafe active and sending ICMP probes on standby and configured with failsafe-action failover.

Impact:
Memory leak causing aggressive sweeper and eventually TMM crash on standby.

Workaround:
None.

Fix:
Memory is no longer leaked when VLAN failsafe is active and sending ICMP probes.


534021-1 : HA on AWS uses default AWS endpoint (EC2_URL).

Component: TMOS

Symptoms:
HA doesn't work on Government clouds on AWS.

Conditions:
AWS endpoints for government clouds differ from those of the public regions. Amazon's recommendation is to construct the endpoint (EC2_URL) dynamically using the form <service name>.<region>.<services/domain>.

Impact:
HA doesn't work on Government clouds on AWS.

Workaround:
The EC2 endpoint can be constructed dynamically as follows:
 - Query the EC2 metadata service for the <DOMAIN> name (curl http://169.254.169.254/latest/meta-data/services/domain)
 - Read the instance <REGION> from /shared/vadc/aws/iid-document
 - Export the global variable EC2_URL using the above two values in the following format:
   export EC2_URL="http://ec2.<REGION>.<DOMAIN>"

Fix:
BIG-IP HA on AWS now dynamically constructs the EC2 service endpoint from the domain name and region associated with the running instance.


533966-4 : Double loopback nexthop release might cause TMM core.

Component: Local Traffic Manager

Symptoms:
TMM might restart after logging an 'Assertion "nexthop ref valid" failed' message.

Conditions:
Traffic is sent from one tmm to a tunnel in another tmm, but the tunnel does not exist.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
There is no longer a TMM crash due to an extra loopback nexthop release.


533826-4 : SNMP Memory Leak on a VIPRION system.

Component: TMOS

Symptoms:
The snmpd image increases in size on a VIPRION system.

Conditions:
Run continuous snmpbulkwalk operations.

Impact:
The snmpd image increases, and might eventually result in a crash. The ltm log might contain an error message similar to the following: err mcpd[7061]: 01071087:3: Killed process for snmpd as current count of messages (965505855) keeps building.

Workaround:
To reset the memory usage and stop the snmpd daemon from coring, run the following command: bigstart restart snmpd.

Fix:
The snmpd image no longer increases in size on a VIPRION system.


533820-3 : DNS Cache response missing additional section

Component: Local Traffic Manager

Symptoms:
Resolver cache lookups are missing authority and additional sections.

Conditions:
Resolver cache lookups might be missing the authority and additional sections for A and AAAA queries when the DO bit is not set.

Impact:
If the requesting client needs the information that would normally be included in the authority or additional sections, it would have to make additional queries to acquire that data.

Workaround:
None.

Fix:
The resolver cache now includes the authority and additional sections when that information is available.


533813-2 : Internal Virtual Server in partition fails to load from saved config

Component: TMOS

Symptoms:
Loading a successfully configured internal Virtual Server from the config fails with the following message:

-- 01070712:3: Values (/part2/0.0.0.0%2) specified for Virtual Server (/part2/ICAP_request): foreign key index (name_FK) do not point at an item that exists in the database.

Conditions:
This occurs when the following conditions are met:
-- You are running a BIG-IP system with no configuration.
-- You have created an external VLAN with an interface.
-- You have created a non-default route domain, and associated it with a newly created VLAN.
-- You have created a virtual server, and configured a pool in a partition other than /Common.
-- You have saved the configuration.

Here is an example of how this might occur. Run the following commands.

- tmsh
- create net vlan external interfaces add { 1.2 }
- create net route-domain 2 vlans add { external }
- create auth partition part2 default-route-domain 2
- cd ../part2
- create ltm pool icap_pool members add { 10.10.10.10:8080 }
- create ltm virtual ICAP_request destination 0.0.0.0:0 mask 0.0.0.0 internal ip-protocol tcp profiles add { tcp } pool icap_pool
- save sys config
- load sys config partitions all verify

Impact:
The operation creates a virtual server but cannot load it from saved config.

Workaround:
To work around this issue, you can use the Common partition to complete the configuration.

Fix:
You can now configure an internal virtual server in a partition and load the config successfully.


533808-2 : Unable to create new rule for virtual server if order is set to "before"/"after"

Component: Advanced Firewall Manager

Symptoms:
Not able to create a new rule for virtual server when the order is set to "before"/"after".

Conditions:
This happens only when the order is set to "before"/"after".

Impact:
Unable to create a new rule from the virtual server page.


533723-7 : [Portal Access] Client side HTML rewriter should not rewrite content within "textarea" tag.

Component: Access Policy Manager

Symptoms:
The client-side HTML rewriter rewrites content within the "textarea" tag.

Conditions:
The web application dynamically creates HTML content on the client side that contains a textarea tag.

Impact:
The web application might malfunction.

Workaround:
There is no workaround at this time.

Fix:
Content rewriting is suppressed on the client side for the textarea tag.


533658-3 : DNS decision logging can trigger TMM crash

Component: Global Traffic Manager

Symptoms:
Applying load balance decision logging to the DNS profile can cause TMM to crash when a query is load balanced to a last resort pool that is unavailable.

Conditions:
-- DNS load balance decision logging is enabled on the DNS profile.
-- A Wide IP is configured with a last resort pool.
-- The last resort pool is unavailable.
-- A query is load balanced to the last resort pool.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable decision logging for the DNS profile, or discontinue use of the last resort pool feature.

Fix:
DNS decision logging no longer causes TMM to crash when a last resort pool is configured for a Wide IP, that last resort pool is unavailable, and a query is load balanced to it.


533562-5 : Memory leak in CGNAT can result in crash

Component: Carrier-Grade NAT

Symptoms:
tmm leaks cmp memory, resulting in a crash.

'tmctl memory_usage_stat' reports very high cmp memory utilization.

Conditions:
Configure hairpin mode or inbound connection handling set to automatic.

Impact:
BIG-IP system might run out of memory and crash.

Workaround:
Avoid hairpin mode or inbound connection handling set to automatic.

Fix:
Fixed CGNAT memory leak that occurred when configured for hairpin mode or when inbound connection handling is set to automatic.


533480-4 : qkview crash

Component: TMOS

Symptoms:
Qkview may crash or hang. You might see this error message in /var/log/ltm:

err mcpd[8003]: 0107134e:3: Failed while making snapshot:
(Failed to link files existing(/config/filestore/files_d/Common_d/...

Conditions:
Changing large configurations while running qkview or missing files from the /config/filestore/files_d/Common_d/external_monitor_d directory can cause qkview to crash or hang.

Impact:
You will be unable to generate a qkview file for support.

Workaround:
Make sure any iControl scripts that are making changes are allowed to complete.
If you deleted any external monitor files from /config/filestore/files_d/Common_d, restore the external-monitor file and re-run qkview.

Fix:
The system now handles running qkview while creating 20,000 or more pools or removing an external monitor from the /config/filestore/files_d/Common_d/external_monitor_d directory, so these conditions no longer cause qkview to crash or hang.


533458-2 : Insufficient data for determining cause of HSB lockup.

Component: TMOS

Symptoms:
When an HSB lockup occurs, only the HSB registers are dumped into the TMM log files for diagnosing the failure. There is no core file containing the stats and state of the HSB driver at the time of the failure to help diagnose it.

Conditions:
When an HSB lockup occurs.

Impact:
Limited data is available for root cause analysis.

Workaround:
None.

Fix:
On HSB lockup, the system now generates a core file containing the stats and state of the HSB driver at the time of the failure, to help diagnose it.


533388-8 : tmm crash with assert "resume on different script"

Component: Local Traffic Manager

Symptoms:
In a rare race condition involving a stalled server-side TCP connection on which an RST is received while a client-side iRule for the CLIENT_CLOSED event is executing asynchronously, tmm can crash with the assert "resume on different script".

Conditions:
The conditions under which this assert/crash is triggered are hard to reproduce.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid asynchronously executing CLIENT_CLOSED iRules (e.g. those that use 'after' or 'table' or 'session' commands - this is not an exhaustive list).

Fix:
tmm no longer crashes with the assert "resume on different script".


533336-1 : Display 'description' for port list members

Component: Advanced Firewall Manager

Symptoms:
Descriptions for port list members are not displayed in the GUI.

Conditions:
Create a port list with 'description' set for its members (using tmsh).

When the port list page is accessed from the GUI, the description set for the members (in tmsh) is not displayed.

Impact:
Users are unable to see the description in the GUI.

Workaround:
Use tmsh to view the description for port list members.

Fix:
Descriptions for port list members are now displayed in the GUI.


533257-1 : tmsh config file merge may fail when AFM security log profile is present in merged file

Component: TMOS

Symptoms:
A config file merge into an existing config may fail with "unknown-property" message.

Conditions:
This can occur when you are doing a config file merge. The error encountered was with a parameter called "built-in enabled".

Impact:
All releases and modules are affected.

Workaround:
The offending parameter may be deleted from the merge file; however, this may result in the value for the deleted parameter not being set correctly in the existing config.

Fix:
Fixed a problem with tmsh config file merge failing when AFM security log profile is present in merged file.


533156-2 : CVE-2015-6546

Vulnerability Solution Article: K17386


533098 : Traffic capture filter not catching all relevant transactions

Component: Application Visibility and Reporting

Symptoms:
The traffic capture filter does not catch all relevant transactions.

Conditions:
When a traffic capture filter is set.

Impact:
Not all relevant transactions are captured.

Fix:
The traffic capture filter now catches all relevant transactions.


532799-4 : Static Link route to /32 pool member can end using dst broadcast MAC

Component: Local Traffic Manager

Symptoms:
After assigning a static route to a node on a specific VLAN, ARP requests are no longer generated, and all traffic to the node uses the broadcast (ff:ff:ff:ff:ff:ff) MAC address.

Conditions:
A static VLAN route to a pool member/node with a /32 mask.

Impact:
This can cause the monitors to fail and the pool member/node to be marked down.

Workaround:
Use a mask other than /32, or use a gateway route instead.

Fix:
The BIG-IP system now correctly uses ARP to determine the destination MAC of a host routed via a /32 VLAN route.


532761-1 : APM fails to handle compressed ICA file in integration mode

Component: Access Policy Manager

Symptoms:
A Citrix application or desktop cannot be started in integration mode with Citrix StoreFront 3.0.

Conditions:
APM is configured for StoreFront 3.0 proxy and HTTP compression is enabled on the StoreFront server.

Impact:
Citrix application or desktop cannot be started.

Fix:
APM now supports Citrix StoreFront 3.0 in integration mode with HTTP compression enabled on the StoreFront server.


532685-5 : PAC file download errors disconnect the tunnel

Component: Access Policy Manager

Symptoms:
Any failure to download the PAC file is treated as a fatal error. If the Edge Client fails to download the PAC file, the VPN connection cannot be established.

Conditions:
- The PAC file cannot be downloaded by the Edge Client.

Impact:
Tunnel disconnects in case of PAC file download errors.

Workaround:
Fix the infrastructure issues that result in the PAC file download failure.

Fix:
PAC file download and merging issues were previously considered critical, and the Edge Client disconnected the tunnel. This behavior is now controlled by a new setting on BIG-IP called "Ignore PAC download error".

Behavior Change:
PAC file download and merging issues were previously considered critical, and the BIG-IP Edge Client disconnected the tunnel. This behavior is now controlled by a new setting on BIG-IP called "Ignore PAC download error".


532559-2 : Upgrade fails to 11.5.0 and later if 'defaults-from none' is under profile '/Common/clientssl'.

Component: TMOS

Symptoms:
If the client-ssl profile is /Common/clientssl, its parent profile is supposed to be /Common/clientssl. However, the configuration could potentially use 'defaults-from none'.

Conditions:
This condition could be caused by executing the following command when generating the configuration:

'tmsh modify ltm profile client-ssl clientssl defaults-from none'

Impact:
The upgrade fails after booting into the new release, during the config loading phase. This occurs because the script extracts the line 'defaults-from none' and treats 'none' as its parent profile.

Workaround:
Edit the configuration prior to upgrading, changing the defaults-from value on the client-ssl profile to the name of that profile.

Fix:
Upgrade no longer fails if 'defaults-from none' is under profile '/Common/clientssl'.


532522-4 : CVE-2015-1793

Vulnerability Solution Article: K16937


532394-1 : Client to log value of "SearchList" registry key.

Component: Access Policy Manager

Symptoms:
n/a

Conditions:
Windows user connecting and disconnecting network access connection to BIG-IP APM server.

Impact:
n/a

Workaround:
n/a

Fix:
To provide better traceability, the APM client now creates a log entry each time F5 software reads or writes the "SearchList" or "SearchList_F5_BACKUP_VALUE" registry key.


532340-2 : When FormBased SSO or SAML SSO are configured, tmm may restart at startup

Component: Access Policy Manager

Symptoms:
Under unlikely circumstances, tmm threads may run into a synchronization issue during startup initialization, causing a BIG-IP failover.

Conditions:
- SAML SSO or Form Based SSO is configured.
- TMM is in the process of starting (during reboot or for any other reason).

Impact:
BIG-IP fails over at start time.
If tmm has started successfully, no further impact is observed.

Workaround:
Remove Form Based SSO, and SAML objects from configuration.

Fix:
A thread synchronization issue that caused tmm startup issues has been fixed.


532107-5 : [LTM] [DNS] Maximum RTT value for nameserver cache still exists after nameserver cache is deleted

Component: Local Traffic Manager

Symptoms:
If the RTT value for the nameserver cache has reached the maximum value of 120000, BIG-IP still keeps the past maximum RTT value even after 'delete ltm dns cache nameserver' is executed.

Conditions:
The RTT for the nameserver cache reached the maximum value of 120000.

Impact:
This can cause DNS response failures.

Workaround:
Change size for nameserver-cache-count to reset the nameserver cache.
# tmsh modify /ltm dns cache resolver my_dns_cache nameserver-cache-count 16536

Fix:
Maximum RTT value for nameserver cache is now deleted when the nameserver cache is deleted, which is correct behavior.


532096-3 : Machine Certificate Checker is not backward compatible with 11.4.1 (and below) when MatchFQDN rule is used

Component: Access Policy Manager

Symptoms:
The Machine Certificate Checker (client side) is not backward compatible with BIG-IP 11.4.1 and earlier when the MatchFQDN rule is used.

Conditions:
The Machine Certificate Checker agent uses the MatchFQDN rule in an access policy on BIG-IP version 11.4.1 or earlier.
A newer BIG-IP Edge Client (version later than 11.4.1) is used against the older BIG-IP.

Impact:
The Machine Certificate Checker agent may fail, and the access policy takes the wrong branch.

Fix:
Fixed the issue causing the Machine Certificate Checker agent's backward incompatibility.


532030-2 : ASM REST: Custom Signature Set Created via REST is Different Than When Created From GUI

Component: Application Security Manager

Symptoms:
When importing a policy that uses a custom signature set, ASM checks whether that signature set already exists on the system. If it does not exist, ASM creates a new set.

When a set is created via REST, an internal field that is set when the set is created through the GUI or XML import is not set correctly.

This causes unexpected behavior and extra signatures being created when a REST client, such as BIG-IQ, attempts to coordinate changes across devices using import via XML and REST calls.

Conditions:
A custom filter-based signature set is created in the GUI and then attached to a security policy.
The security policy is exported in XML format.

On a different device an identical signature set is created via REST.
The security policy is then imported on that device.

Impact:
Extraneous signature sets are created, and false differences appear with regards to which signature sets are attached to which policies across multiple devices.

Workaround:
As a workaround, custom filter-based signature sets should be created only via REST or only via GUI across multiple devices.

Fix:
Custom filter-based signature sets created using REST or the Configuration utility now have the same internal settings and match for XML security policy export/import.


531986-2 : Hourly AWS VE license breaks after reboot with default tmm route/gateway.

Component: TMOS

Symptoms:
In AWS Hourly instances, if a default gateway is added, the hourly license may fail, causing BIG-IP to fail to come up to a running state. Error messages will resemble the following:

Jul 6 19:26:14 ip-10-0-0-104 err mcpd[22186]: 01070734:3: Configuration error: MCPProcessor::check_initialization:
Jul 6 19:26:17 ip-10-0-0-104 err mcpd[22186]: 010717ff:3: [Licensing]: Failure in establishing instance identity.

Conditions:
Hourly instance in AWS with default tmm route added.

Impact:
BIG-IP VE will fail to fully start, rendering the instance unusable.

Workaround:
Temporary removal of default tmm route resolves this problem. The tmm route can be added back once MCPD is in the running state.

Fix:
The problem with default tmm route breaking Hourly licenses has been resolved. The default tmm route no longer affects the license check on Hourly billing Virtual Edition.


531983-4 : [MAC][NA] Routing table is not updated correctly in connected state when new adapter is added

Component: Access Policy Manager

Symptoms:
Routing table is not updated correctly in connected state when new adapter is added to the system.

Conditions:
An SSL VPN tunnel is established and a new adapter is added to the system, for example, Wi-Fi connects when the tunnel is already established over the Ethernet adapter.

Impact:
Routing table might be corrupted.

Workaround:
Restart OS X.

Fix:
The routing table now updates correctly when a new adapter is added to the system while an SSL VPN tunnel is already established over a network adapter.


531979-4 : SSL version in the record layer of ClientHello is not set to be the lowest supported version.

Component: Local Traffic Manager

Symptoms:
In the ClientHello message, the system sets the SSL version in the record layer to the same value as the ClientHello message version, which is the highest SSL version supported.

Although RFC 5246 appendix E.1 does not give specific advice on how to set the TLS versions, the de facto standard used by all major browsers and TLS stacks is to set the ClientHello as follows:

SSL Record:
    Content Type: Handshake (22)
    Version: $LOWEST_VERSION
    Handshake Record:
        Handshake Type: Client Hello (1)
        Version: $HIGHEST_VERSION

The BIG-IP system implementation tells the SSL peer that the system supports only SSL versions from the $HIGHEST_VERSION through the $HIGHEST_VERSION instead of from the $LOWEST_VERSION through the $HIGHEST_VERSION, which effectively limits the range of SSL versions the system can negotiate with the SSL peer.

Conditions:
This issue occurs when the highest SSL version that the BIG-IP system supports does not fall into the range that an SSL peer supports.

For example, with SSL peer support configured for TLS1.0 or TLS1.1, if the BIG-IP system sets the highest SSL version to be TLS1.2, then there will be no version that the SSL peer thinks they have in common, and SSL handshake fails.

Impact:
SSL handshake fails.

Workaround:
There is no workaround for this issue.

Fix:
The SSL version in the record layer of ClientHello is now set to the lowest supported version, which eliminates the issue that occurred when the highest SSL version that the BIG-IP system supports did not fall into the range that an SSL peer supports.
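As an added example (not BIG-IP code), the following Python builds a minimal TLS ClientHello record with the two version fields this entry describes and models the peer's view of the offered range under the de facto convention, so the failing case from the Conditions section (record and hello both TLS1.2 against a peer configured for TLS1.0/TLS1.1 only) can be reproduced and compared with the corrected layout. The record is constructed, with a zeroed ClientHello random and two placeholder cipher suites.

```python
"""Record-layer vs. handshake-layer version in a TLS ClientHello (added example)."""
import struct

# Protocol version codes as carried on the wire (major, minor).
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
VERSION_NAMES = {SSL3: "SSLv3", TLS10: "TLS1.0", TLS11: "TLS1.1", TLS12: "TLS1.2"}

CONTENT_TYPE_HANDSHAKE = 22      # SSL Record: Content Type: Handshake (22)
HANDSHAKE_TYPE_CLIENT_HELLO = 1  # Handshake Record: Handshake Type: Client Hello (1)


def build_client_hello(record_version, hello_version,
                       cipher_suites=(0x002F, 0x0035), client_random=bytes(32)):
    """Minimal ClientHello: no session id, no extensions, null compression.

    record_version goes into the SSL record header ($LOWEST_VERSION under the
    convention the entry describes); hello_version goes into the ClientHello
    body ($HIGHEST_VERSION).
    """
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!H", hello_version) + client_random
            + b"\x00"                                   # session_id length 0
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                              # compression: null only
    handshake = (bytes([HANDSHAKE_TYPE_CLIENT_HELLO])
                 + len(body).to_bytes(3, "big") + body)
    return (bytes([CONTENT_TYPE_HANDSHAKE]) + struct.pack("!H", record_version)
            + struct.pack("!H", len(handshake)) + handshake)


def parse_client_hello_versions(record):
    """Return (record_version, hello_version) from a ClientHello record."""
    if len(record) < 11 or record[0] != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    record_version, record_len = struct.unpack("!HH", record[1:5])
    handshake = record[5:5 + record_len]
    if len(handshake) != record_len or handshake[0] != HANDSHAKE_TYPE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(handshake[1:4], "big")
    if body_len + 4 != len(handshake):
        raise ValueError("handshake length mismatch")
    hello_version = struct.unpack("!H", handshake[4:6])[0]
    return record_version, hello_version


def offered_range(record):
    """Version range a peer infers: record-layer version is the lowest offered,
    ClientHello version the highest."""
    lowest, highest = parse_client_hello_versions(record)
    return lowest, highest


def peer_finds_common_version(record, peer_versions):
    """Model of the peer's check: some version it supports lies in the range."""
    lowest, highest = offered_range(record)
    return any(lowest <= v <= highest for v in peer_versions)


def describe(record):
    lowest, highest = offered_range(record)
    return "record %s, hello %s" % (VERSION_NAMES[lowest], VERSION_NAMES[highest])


if __name__ == "__main__":
    peer = [TLS10, TLS11]                        # peer supports TLS1.0/1.1 only
    broken = build_client_hello(TLS12, TLS12)    # behaviour before the fix
    fixed = build_client_hello(TLS10, TLS12)     # lowest in record, highest in hello
    for name, rec in (("before", broken), ("after", fixed)):
        print(name, describe(rec), "->", peer_finds_common_version(rec, peer))
```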


531883-3 : Windows 10 App Store VPN Client must be detected by BIG-IP APM

Component: Access Policy Manager

Symptoms:
The Windows 10 App Store VPN Client is not detected by BIG-IP APM out of the box via the client type agent.

Conditions:
Windows 10 App Store VPN Client, BIG-IP APM, client type agent.

Impact:
The Windows 10 App Store VPN Client is not detected by BIG-IP APM out of the box.

Fix:
Windows 10 App Store VPN Client is now detected by BIG-IP APM out of the box using the Client Type agent.


531809-1 : FTP/SMTP traffic related bd crash

Component: Application Security Manager

Symptoms:
Protocol Security: The Enforcer may crash upon FTP or SMTP traffic using remote logging.

Conditions:
FTP/SMTP traffic and remote logging assigned. Crash happens on a rare occasion.

Impact:
bd crashes, disrupting traffic.

Workaround:
Remove the remote logging from FTP/SMTP.

Fix:
Protocol Security: The Enforcer no longer crashes upon FTP or SMTP traffic using remote logging.


531576-2 : TMM vulnerability CVE-2016-7476

Vulnerability Solution Article: K87416818


531526-1 : Missing entry in SQL table leads to misleading ASM reports

Component: Application Visibility and Reporting

Symptoms:
Some reports of ASM violations were generated with missing activity.

Conditions:
When there are many entities to report and some are aggregated, the aggregated activity is not reported.

Impact:
Misleading reports of ASM activity.

Workaround:
None.

Fix:
Aggregated activity is now reported even when there are many entities to report and some are aggregated.


531483-1 : Copy profile might end up with error

Component: Access Policy Manager

Symptoms:
Copying a profile might fail with an error that two items are sharing the same agent.

Conditions:
Very rare: long policy names with similar name parts.

Impact:
Minor: you would need to choose a different name for the new policy.

Fix:
Issue resolved.


530963-3 : BIG-IP TLS doesn't correctly verify Finished.verify_data on non-Cavium platforms

Component: Local Traffic Manager

Symptoms:
The BIG-IP system does not verify every byte in the Finished message of a TLS handshake, but it does properly validate the MAC of the Finished message.

Conditions:
* The BIG-IP platform contains a Cavium SSL accelerator card but the affected TLS connection is not accelerated by the Cavium SSL accelerator card.

The following lists some examples of when a TLS connection is not accelerated by the Cavium card:

* The ciphers used by the TLS connection are not fully accelerated in the Cavium card. For more information about ciphers that are fully hardware accelerated, refer to SOL13213: SSL ciphers that are fully hardware accelerated on BIG-IP platforms (11.x)

* The BIG-IP platform does not contain a Cavium SSL accelerator card. The following BIG-IP platforms do not contain a Cavium SSL accelerator card:
* BIG-IP 2000 platforms
* BIG-IP 4000 platforms
* BIG-IP Virtual Edition

Impact:
F5 believes the reported behavior does not have security implications at this time.

Workaround:
None.

Fix:
BIG-IP TLS now correctly verifies Finished.verify_data on non-Cavium platforms.


530952-4 : MySql query fails with error number 1615 'Prepared statement needs to be re-prepared'

Component: Application Visibility and Reporting

Symptoms:
MySql query fails with error number 1615 'Prepared statement needs to be re-prepared'. Errors in monpd.log similar to the following:

[DB::mysql_query_safe, query failed] Error (error number 1615) executing SQL string ...

Conditions:
This is due to a MySql bug. For information, see 'Prepared-Statement fails when MySQL-Server under load', available here: http://bugs.mysql.com/bug.php?id=42041

Impact:
Monpd loses functionality.

Workaround:
Restart monpd.

Fix:
Error number 1615, 'Prepared statement needs to be re-prepared', no longer occurs in the monpd.log.


530903-5 : HA pair in a typical Active/Standby configuration becomes Active/Active after a software upgrade

Component: TMOS

Symptoms:
HA pair should remain in active/standby state after the software upgrade but instead goes into an active/active state.

Conditions:
Occurs in an active/standby HA pair which has a medium size configuration of pools and virtual servers (at least 30 objects total). The standby device is upgraded first and then it is rebooted. After reboot, the HA pair goes into an Active/Active state. Upgrades to 11.5.0 through 11.5.3 as well as to 11.6.0 are impacted.

Impact:
Active/Standby configuration is lost.

Workaround:
Reconfigure the HA pair back to active/standby.

Fix:
An HA pair in a typical Active/Standby configuration now remains Active/Standby after a software upgrade.


530865-1 : AFM Logging regression for Global/Route Domain Rules incorrectly using virtual server logging profile (if it exists)

Component: Advanced Firewall Manager

Symptoms:
Due to a related change in AFM ACL handling, global and route domain rules were being logged (incorrectly) by the virtual server's AFM log profile (if one exists).

This is incorrect since the behavior has always been that Global and Route Domain AFM rule logging is controlled by global-network log profile only.

Conditions:
Global or Route Domain AFM ACL rule matches and logging is enabled. Also, the matched virtual server has a logging profile attached to it.

Impact:
This causes a regression (and inadvertent change in behavior) for Global and Route Domain AFM rule logging.

Workaround:
None

Fix:
With the fix, global and route domain AFM rule logging is controlled by global-network log profile (as has been the case since inception).


530829-2 : UDP traffic sent to the host may leak memory under certain conditions.

Vulnerability Solution Article: K00032124


530812-5 : Legacy DAG algorithm reuses high source port numbers frequently

Component: Local Traffic Manager

Symptoms:
A service on a pool member will receive connections frequently with a source port number above 65400, especially when the incoming connections to the Virtual IP listener are generated by test tools that increment their source port numbers sequentially. This could lead to premature SNAT port exhaustion, if SNAT is also being used.

Conditions:
The issue appears to be limited to the legacy DAG algorithm on the VIPRION PB100 and PB200 blades. All supported versions of BIG-IP will exhibit this issue on this hardware when this DAG algorithm is used. The problem is not exhibited when the incoming sessions' source port numbers have a reasonable amount of entropy (as one would normally see with real Internet traffic); however, the use of test tools, or even intentional malicious traffic may cause this issue to be seen.

Impact:
The issue could result in resource contention (such as SNAT pool port exhaustion), or problems with the pool member services distinguishing between sessions. A notable exception: Port reuse before TIME_WAIT expires is specifically NOT an impact of this issue.

Workaround:
To work around SNAT pool port exhaustion, increase the pool size, or change to auto-map. An iRule may be used to help pool member services better distinguish incoming sessions.

Fix:
The software emulation of the legacy DAG algorithm used on VIPRION PB100 and PB200 has been updated to more evenly distribute the source port numbers of sessions arriving at pool member services.


530795-1 : In FastL4 TCP virtual servers, ICMP might send wrong SEQ number/ACK number.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system may send ICMP messages that contain an incorrect TCP SEQ/ACK number in the embedded message body.

Conditions:
FastL4 TCP virtual servers. Syncookie mode.

Impact:
The TCP connflow might be aborted if an ICMP message (such as More fragment) is received.

Workaround:
None.

Fix:
The BIG-IP system now sends the correct SEQ and ACK numbers in ICMP messages.


530769 : F5 SFP+ module becomes unpopulated after mcpd is restarted in a clustered environment.

Component: Local Traffic Manager

Symptoms:
When MCPD restarts on one of the B2100 blades, trunk interfaces on the blade do not come up.

Conditions:
MCPD restarts in a clustered environment (chassis).

Impact:
TMM will not process traffic on the blade where mcpd restarted.

Workaround:
Restart tmm (bigstart restart tmm) on the blade that shows the interface down.

Fix:
Fixed in corrections for bug 502443-9.


530761-4 : TMM crash in DNS processing on a TCP virtual

Component: Local Traffic Manager

Symptoms:
TMM can crash while processing DNS requests on a TCP virtual server.

Conditions:
A TCP DNS virtual server combined with a DNS iRule that suspends and a client that closes its connection before receiving a response to its DNS request.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
While no true workaround exists, the situation can be avoided by removing any one of the conditions above.

Fix:
TMM now properly handles DNS requests through a TCP virtual where the client closes the connection during iRule processing.


530697-3 : Windows Phone 10 platform detection

Component: Access Policy Manager

Symptoms:
The Windows Phone 10 platform is not currently detected.

Conditions:
Windows Phone 10 platform, BIG-IP APM system.

Impact:
The Windows Phone 10 platform is not detected correctly by BIG-IP.

Fix:
The Windows Phone 10 platform is now detected correctly.


530622-2 : EAM plugin uses high memory when serving very high concurrent user load

Component: Access Policy Manager

Symptoms:
The EAM plugin cannot sustain a high concurrent user load and is killed by the memory monitors. EAM cores and restarts. Any requests arriving during the restart are not served.

Conditions:
This issue was found in stress testing and reported by customers under high concurrent user load.

Impact:
As a result, EAM cored and restarted; users cannot authenticate during process restart.

Workaround:
No workaround.

Fix:
There was a memory usage issue in the EAM plugin that was caused by a huge object allocation for each connection. This issue is fixed by reducing the default size of client cert and payload arrays.


530598-2 : Some Session Tracking data points are lost on TMM restart

Component: Application Security Manager

Symptoms:
Session Tracking data points, which ASM adds in response to traffic based on the configured Session Tracking thresholds, are lost when TMM restarts.

Conditions:
ASM Provisioned.
Session Tracking feature is ON.

Impact:
Session Tracking data points may be added by ASM upon traffic.
These are data points with action 'Block-All'.
These data points are lost when TMM restarts.

Workaround:
None.

Fix:
This release fixes the Session Tracking data points persistence, so that the 'Block-All' Session Tracking data points, which are added by ASM upon traffic, are not lost when TMM restarts.


530505-2 : IP fragments can cause TMM to crash when packet filtering is enabled

Component: Local Traffic Manager

Symptoms:
TMM can crash when an IP fragment is received and packet filtering is enabled.

Conditions:
This issue can occur when packet filtering is enabled and an IP fragment is received on the non-owning TMM.

To determine whether packet filtering is enabled, query the packetfilter setting using the 'tmsh list sys db packetfilter' command.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable packet filtering.

Fix:
When packet filtering is enabled and an IP fragment is received on the non-owning TMM, TMM forwards the IP fragment without issue.


530356-1 : Some AVR tables that hold ASM statistics are not being backed up in upgrade process.

Component: Application Visibility and Reporting

Symptoms:
Some AVR tables that hold ASM statistics are not being backed up in the upgrade process when upgrading to a new version with ASM data present in AVR stat tables.

Conditions:
Upgrading to new version.

Impact:
Some ASM data is lost after upgrade.

Fix:
We now correctly back up AVR tables that hold ASM statistics that were previously not backed up when upgrading to a new version.


530242-4 : SPDAG on VIPRION B2250 blades might cause traffic imbalance among TMMs

Component: TMOS

Symptoms:
When SPDAG is enabled on VIPRION B2250 blades, a traffic imbalance among TMMs might be observed.

Conditions:
Enable SPDAG on VIPRION B2250 blades.

Impact:
The traffic imbalance can lower the throughput of VIPRION B2250 blades.

Workaround:
Adding or removing B2250 blades might mitigate the imbalance.

If you are running BIG-IP versions 11.6.1 or 11.6.1 HF1, add the following to /config/tmm_init.tcl file: dag::use_p8_sp_hash yes

Fix:
A new DAG hash is added for SPDAG on VIPRION B2250 blades, which can resolve the SPDAG traffic imbalance. The new DAG hash can be turned on by setting the TMM Tcl variable dag::use_p8_sp_hash to yes.

Add the following to /config/tmm_init.tcl file: dag::use_p8_sp_hash yes


530133 : Support for New Platform: BIG-IP 10350 FIPS

Component: TMOS

Symptoms:
Support for New Platform: BIG-IP 10350 FIPS, effective in 11.5.4 HF1

Conditions:
This details the new platform name.

Impact:
This is an added platform. There is no impact to the product.

Workaround:
None needed.

Fix:
This release provides support for New Platform: BIG-IP 10350 FIPS. You can find more information in Platform Guide: 10000 Series, available here: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/pg-10200v.html.

Behavior Change:
This release provides support for New Platform: BIG-IP 10350 FIPS. You can find more information in Platform Guide: 10000 Series, available here: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/pg-10200v.html.


530122 : Improvements in building hotfix images for hypervisors.

Component: TMOS

Symptoms:
The name of HF/EHF ISOs changed recently and the filter used to locate them needs to change.

Conditions:
Building hotfix images for hypervisors.

Impact:
There are issues providing bundled images.

Workaround:
None.

Fix:
This release provides improvements for building hotfix images for hypervisors.


530109-1 : OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.

Component: Access Policy Manager

Symptoms:
OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.

Conditions:
-- User certificate has AIA configured.
-- Option 'Ignore AIA' is unchecked.
-- APM is configured.

Impact:
OCSP authentication might fail because the wrong URL is used.

Workaround:
1. Clear the URL field.
2. Uncheck option 'Ignore AIA'.

Fix:
If the option 'Ignore AIA' is unchecked, APM uses the AIA from the certificate even if a URL is configured for the AAA OCSP responder. This is the correct behavior.

Behavior Change:
If the option 'Ignore AIA' is unchecked, APM uses the AIA from the certificate even if a URL is configured for the AAA OCSP responder. To use the configured URL, the 'Ignore AIA' setting must be checked.


529977-4 : OSPF may not process updates to redistributed routes

Component: TMOS

Symptoms:
When routes redistributed into OSPF are rapidly added and removed, OSPF may not reflect all of the updates in its LSA database.

Conditions:
External routes, such as kernel or static routes, redistributed into OSPF are rapidly added and removed. This may happen when using Route Health Injection and enabling/disabling a virtual address.

Impact:
OSPF may have stale or missing LSAs for redistributed routes.

Workaround:
Identify the OSPF process ID for the affected route domain using "ps | grep ospfd" and terminate it using the kill command.

This disrupts dynamic routing using OSPF.

Fix:
The OSPF LSA database correctly reflects the state of redistributed routes after rapid updates.


529920-6 : Connection mirroring with OneConnect on a virtual server can cause TMM crash on standby unit

Component: Local Traffic Manager

Symptoms:
TMM crashes on the standby unit.

Conditions:
This is a standby-only failure. Connection mirroring on a OneConnect virtual server can lead to a TMM crash during connection establishment.

Impact:
TMM restarts, and the standby is not available for failover. When the standby unit comes back up it does not have the mirrored flows from the active unit, so failover results in loss of those connection flows.

Workaround:
None.

Fix:
Connection mirroring on a OneConnect virtual server now successfully recovers from a TMM crash during connection establishment, so no mirrored connection flows are lost.


529903-2 : Incorrect reports on multi-bladed systems

Component: Application Visibility and Reporting

Symptoms:
Reports on multi-bladed systems might contain incorrect data if the blades are active at different times and do not share the same level of history. A report appears for a different time range than expected.

Conditions:
Example:
A setup with 3 blades, where 2 are down while the active one receives traffic for a full day. Later the 2 down blades come up. The resulting report for 'last day' contains data only for the previous hour, even though traffic has been passing through the system for the last day.

Impact:
Report not as expected.

Workaround:
None.

Fix:
Reports on multi-bladed systems are now displayed correctly even when the blades are active at different times, and do not share the same level of history.


529900-4 : AVR missing some configuration changes in multiblade system

Component: Application Visibility and Reporting

Symptoms:
Some DB variables affect the behavior of AVR, but if they are modified in a multiblade system, not all blades become aware of the change, which later leads to errors in functionality.

Conditions:
Multiblade system, having one of the following changes:
1. New primary blade is selected.
2. Change to AVR max number of entities in the DB.

Impact:
Data might not be loaded into the DB, or not be queried correctly.

Workaround:
Restarting monpd solves the problem.

Fix:
Configuration changes in multiblade systems are now treated correctly.


529899-3 : Installation may fail with the error "(Storage modification process conflict.)".

Component: Local Traffic Manager

Symptoms:
On chassis, installation may fail with the error "(Storage modification process conflict.)".

Conditions:
This happens when deleting a boot location and then quickly installing new software to that boot location.

Impact:
Minimal; the installation can be restarted.

Workaround:
Delete the failed volume and restart the installation.

Fix:
On chassis, there was one possible case where the installation would occasionally fail with the error "(Storage modification process conflict.)". This case has been fixed.


529610-4 : On HA setups ASM session tracking page display an empty list when in fact there are asm entries in session db

Component: Application Security Manager

Symptoms:
When session tracking actions are enabled in ASM policy, an HTTP request may be blocked based on HTTP session or username and illegal traffic that has been sent from this session. The blocked request is reported in the security events log, but there is no option to release the username using the Configuration utility.

Conditions:
High availability (HA) setup, and ASM with Session tracking actions enabled.

Impact:
Usernames and HTTP sessions are blocked by ASM without an option to release them from the Configuration utility.

Workaround:
Stop and start tmm on all devices in the HA group by running the following commands:
-- bigstart stop tmm
-- bigstart start tmm

Fix:
Using the Configuration utility, BIG-IP system administrators can now release blocked usernames and sessions. This is done on the Session Tracking Status screen.


529524-5 : IPsec IKEv1 connectivity issues

Component: TMOS

Symptoms:
IPsec IKEv1 tunnels do not come up, and IKE negotiation is not initiated or does not complete.

Conditions:
1. Configure the BIG-IP system with IPsec IKEv1 tunnel.
2. Send traffic matching the selectors; it fails, although it may succeed intermittently.

The following chassis scenario might also cause the issue:
1. Configure the VIPRION chassis with IPsec IKEv1 tunnel.
2. Send traffic to match the selectors, and the intended traffic is secured. IPsec IKEv1 tunnels are established.
3. Perform bigstart restart on the secondary blade.
4. Traffic does not pass, and IKE negotiation failures are observed.

Impact:
IPsec IKEv1 tunnels do not get established and the intended traffic is not secured. Traffic does not pass, and shows IKE negotiation failures.

Workaround:
There is a workaround for the chassis platform: Perform bigstart restart of tmm on all blades. There is no workaround for non-chassis platforms.

Fix:
BIG-IP systems and VIPRION platforms now successfully establish IPsec IKEv1 tunnels and secure and pass the intended traffic.


529509-4 : BIND Vulnerability CVE-2015-4620

Vulnerability Solution Article: K16912


529484-3 : Virtual Edition Kernel Panic under load

Component: TMOS

Symptoms:
Virtual Edition instances may crash with a kernel panic under heavy traffic load.

Conditions:
Virtual Edition instances passing 10 Gbps of traffic on interfaces that support LRO.

Impact:
When the issue occurs the Virtual Edition instance will reboot.

Workaround:
Disable LRO on the underlying hypervisor, if possible.

Fix:
Virtual Edition instances now stay active when passing 10 Gbps of traffic on interfaces that support LRO.


529460-5 : Short HTTP monitor responses can incorrectly mark virtual servers down.

Component: Global Traffic Manager

Symptoms:
Despite a successful probe response, BIG-IP DNS marks the virtual server down.

Conditions:
The HTTP server sends an HTTP response that is shorter than 64 bytes.

Impact:
Virtual servers are incorrectly marked down.

Workaround:
Modify server response or use a TCP monitor.

Fix:
The BIG-IP DNS HTTP/1.x monitor probe now requires 17 rather than 64 bytes of response payload, so HTTP responses shorter than 64 bytes no longer incorrectly mark virtual servers down.


529392-3 : Windows 10 and IE11 are not detected when a DIRECT rule is used in the proxy autoconfig script

Component: Access Policy Manager

Symptoms:
Windows 10 and Internet Explorer 11 are not detected when a DIRECT rule in a locally configured proxy autoconfig script is used to connect to the BIG-IP system.

Conditions:
Local proxy autoconfig script, DIRECT rule for the BIG-IP virtual server, Internet Explorer 11.

Impact:
Internet Explorer 11 is not detected properly.

Fix:
Internet Explorer 11 on Microsoft Windows 10 is now detected correctly when a local proxy autoconfig script is configured with a DIRECT rule for the BIG-IP system.


529141-4 : Upgrade from 10.x fails on valid clientssl profile with BIGpipe parsing error

Component: TMOS

Symptoms:
Upgrade from 10.x fails with the error 'emerg load_config_files: '/usr/libexec/bigpipe load' - failed. -- BIGpipe parsing error (/config/bigpipe/bigip.conf Line 67): 012e0020:3: The requested item (myclientssl {) is invalid (profile_arg ` show ` list ` edit ` delete ` stats reset) for 'profile'."

Conditions:
Attempting to upgrade from 10.x to 11.6.1 or specific 11.5.3 and 11.5.4 engineering hotfixes with custom Certificate and Key in the clientssl profile.

Impact:
Unable to upgrade successfully, and the BIG-IP system will be inoperative. You will be unable to log in to the BIG-IP GUI. The error signature will appear in /var/log/ltm, and /config/bigip.conf will probably not exist.

Workaround:
Delete the following line from all ssl profiles in /config/bigpipe/bigip.conf: inherit-certkeychain false.

To complete the upgrade, run the following command: /usr/libexec/bigpipe load.

After config load is successful, run the following command:
tmsh save sys config && tmsh load sys config.

Fix:
Upgrade from 10.x now completes successfully with a valid clientssl profile, and produces no BIGpipe parsing error.


528955-2 : TMM may core when using Request Adapt profile

Component: Service Provider

Symptoms:
TMM produces a core file.

Conditions:
The server-side connection is detached after processing an HTTP response.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Invalid references in the Adapt component are now cleaned up after server-side connection detachment.


528881-5 : NAT names with spaces in them do not upgrade properly

Component: TMOS

Symptoms:
When upgrading to an affected version, if a NAT has a name with spaces in it, the upgraded configuration does not load.

Conditions:
The BIG-IP system must be configured with NATs that have spaces in their names. When an upgrade is performed to 11.5.0 through 11.5.3 or to 11.6.0 this can be triggered.

Impact:
The configuration does not load on the upgraded system.

Workaround:
Remove spaces in NAT names before upgrading. Specifically: the initial letter must be a letter, underscore ( _ ), or forward slash ( / ), and subsequent characters may be letters, numbers, periods ( . ), hyphens ( - ), underscores ( _ ), or forward slashes ( / ).

Fix:
NAT names with spaces in them now upgrade properly.


528808-2 : Source NAT translation doesn't work when APM is disabled using iRule

Component: Access Policy Manager

Symptoms:
Source NAT translation does not happen and server-side connection fails.

Conditions:
ACCESS::disable iRule is added to the virtual server.

Impact:
Proxy's server-side connection fails.

Workaround:
Do not use the ACCESS::disable iRule command.

Fix:
Source address translation is now restored correctly even if an iRule has disabled APM.


528739-5 : DNS Cache might use cached data from ADDITIONAL sections in ANSWER responses.

Component: Local Traffic Manager

Symptoms:
DNS Caching might use cached data from ADDITIONAL sections of previous lookups in the ANSWER section of responses.

Conditions:
This occurs when using DNS Caching.

Impact:
The data from the ADDITIONAL section might be used in the ANSWER section of DNS responses. The data might be stale or incorrect.

Workaround:
None.

Fix:
The DNS Cache now correctly ignores data from the ADDITIONAL section when constructing the ANSWER section.


528734-1 : TCP keeps retransmitting when ICMP Destination Unreachable-Fragmentation Required messages are received.

Component: Local Traffic Manager

Symptoms:
In a Standard virtual server, a data segment is retransmitted when an ICMP Type 3, Code 4 message with an MTU value (greater than or equal to 0) is received. The retransmission continues until no more ICMP Type 3, Code 4 messages arrive, the connection times out, or an ACK is received.

Conditions:
A router or client sends ICMP fragmentation-needed messages with arbitrary MTU values: increasing, decreasing, unchanged, or 0.

Impact:
Packets might fill up the pipe and cause a minor outage.

Workaround:
None.

Fix:
TCP drops the second or later ICMP Type 3, Code 4 message. If the second packet is a valid ICMP packet, the downstream router will send another ICMP Type 3, Code 4 message.


528726-2 : AD/LDAP cache size reduced

Component: Access Policy Manager

Symptoms:
When the AD or LDAP Query module builds a group cache, the cache contains an unnecessary attribute that is never used.

Conditions:
The AD/LDAP Query module is configured with an option that requires building a local group cache.

Impact:
The apd process size grows significantly after the group cache is built. If several different caches are maintained at the same time, the process size can hit the 4 GB limit.

Fix:
An unnecessary attribute was removed from the cache. As a result, the group cache size and the apd process size have been reduced.


528675-3 : BIG-IP EDGE Client can stay in the "disconnecting..." state indefinitely when the captive portal session has expired

Component: Access Policy Manager

Symptoms:
The Edge Client can get stuck in the "disconnecting..." state if it is connected through a captive portal session and that session expires. This happens when the BIG-IP EDGE client keeps the HTTP connection to the captive portal probe URL alive.

Conditions:
BIG-IP EDGE Client for Windows connects to BIG-IP APM on a network with an active captive portal.
The captive portal session expires before the user terminates the active Network Access connection.

Impact:
When the user runs into this condition, the BIG-IP EDGE client for Windows cannot connect to the BIG-IP APM server without a restart.

Workaround:
The user can exit and restart the BIG-IP EDGE client.

Fix:
The captive portal detection request has been modified to properly close the HTTP connection.


528548-1 : @import "url" is not recognized by client-side CSS patcher

Component: Access Policy Manager

Symptoms:
Links in CSS are not rewritten.

Conditions:
CSS which contains:
@import "url"
 or
@import 'url'

Impact:
Unrewritten requests result in errors and customer confusion, and pages render incorrectly.

Workaround:
A custom iRule can be used; no general workaround exists.

Fix:
Fixed CSS rewriting for:

 @import "URL"
  and
 @import 'URL'


528498-2 : Recently-manufactured hardware may not be identified with the correct model name and SNMP OID

Component: TMOS

Symptoms:
The model names and corresponding SNMP OIDs of BIG-IP and VIPRION hardware may not be identified correctly.

1. Under the 'tmsh show sys hardware' command, the 'Type' field under 'System Information' may show the alphanumeric Platform Identifier (e.g., C113) instead of the BIG-IP/VIPRION model name (e.g., 4200v).

2. The SNMP sysObjectID OID (1.3.6.1.2.1.1.2.0) may show a value of 'F5-BIGIP-SYSTEM-MIB::unknown' instead of the model-specific identifier.

Conditions:
This problem may occur when running older BIG-IP software releases on BIG-IP or VIPRION hardware platforms that were manufactured after the BIG-IP software release.

Each BIG-IP software release contains a database used to map platform hardware part numbers to BIG-IP or VIPRION model names.
If a BIG-IP or VIPRION hardware platform is manufactured after this BIG-IP software release, this new hardware may contain updates that result in a minor revision to its platform hardware part number.
If this revised platform hardware part number is not found in the database included in the BIG-IP software release, its corresponding model name cannot be determined.
The SNMP sysObjectID OID value is based on the resolved model name. If the model name cannot be determined, the SNMP sysObjectID OID returns 'F5-BIGIP-SYSTEM-MIB::unknown'.

Impact:
Unable to identify recently-manufactured BIG-IP or VIPRION hardware platforms.

Workaround:
1. Identify the hardware platform by its Platform ID, and correlate this to the Platform Name using SOL9476: The F5 hardware/software compatibility matrix at https://support.f5.com/kb/en-us/solutions/public/9000/400/sol9476.html.

2. Query the SNMP F5-BIGIP-SYSTEM-MIB::sysPlatformInfoName.0 object to obtain the hardware identifier, and correlate this to the Platform Name (e.g., from the 'Platform support' in the appropriate BIG-IP software Release Notes).

Fix:
BIG-IP software correctly identifies recently-manufactured BIG-IP or VIPRION hardware platforms with the correct model name and SNMP sysObjectID OID.


528432-1 : Control plane CPU usage reported too high

Component: Local Traffic Manager

Symptoms:
The system CPU usage is reported as the higher of the data plane average and the control plane average. In certain cases, the control plane average was being calculated at about double its actual value.

Conditions:
When the data plane CPU usage was lower than the control plane CPU usage. This can occur when there is little client traffic flowing through the BIG-IP but the control plane is busy, say installing software.

Impact:
Typically, since client traffic drives data plane CPU usage, control plane CPU usage is less than data plane CPU usage at normal client loads.

Workaround:
This can safely be ignored at low data plane usage and will not be evident when data plane usage increases.

Fix:
The calculation of the control plane CPU usage no longer includes other CPUs.


528407-6 : TMM may core with invalid lasthop pool configuration

Component: Local Traffic Manager

Symptoms:
In certain circumstances, TMM may core if the unit is configured with an invalid, non-local lasthop pool.

Conditions:
1) BIG-IP system with VIP and lasthop pool with non-local pool member.
2) Sys db tm.lhpnomemberaction set to 2.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure lasthop pool to use local members/addresses.

Fix:
TMM no longer cores with an invalid lasthop pool configuration.


528276-6 : The device management daemon can crash with a malloc error

Component: TMOS

Symptoms:
The device management daemon can core if a timeout condition occurs during an iControl query. The daemon recovers and proceeds with the operation.

Conditions:
A timeout can occur during an iControl query and in some instances this can cause a core.

Impact:
The daemon crashes and recovers.

Workaround:
This issue has no workaround at this time.

Fix:
The device management daemon no longer causes a crash when a timeout condition occurs during an iControl query.


528188-4 : Packet filters are by-passed for some fragmented ICMP echo requests to a virtual address

Component: Local Traffic Manager

Symptoms:
A packet filter is in place to block ICMP traffic to a virtual address, but the virtual address responds to ICMP echo requests.

Conditions:
A packet filter is in place to block ICMP echo request traffic to a virtual address, and a fragmented ICMP echo request is received by the BIG-IP system. If the ICMP echo request needs to be forwarded to another tmm, the packet-filter is not honored.

Impact:
Traffic is not blocked despite the existence of a packet-filter rule.

Workaround:
Use AFM rather than packet-filter. Note: This may require additional licensing.

Fix:
When a packet filter is in place to block ICMP echo request traffic to a virtual address, and a fragmented ICMP echo request is received by the BIG-IP system, the packet filter is now honored.


528139-4 : Windows 8 client may not be able to renew DHCP lease

Component: Access Policy Manager

Symptoms:
VPN disconnects after the DHCP lease expires.

Conditions:
BIG-IP Edge Client is running on Windows 8.
"Allow access to local DHCP servers" is checked in Network Access settings.

Impact:
VPN may disconnect and user must connect to VPN again.
ipconfig /renew will not work.

Workaround:
DHCP lease timeout is automatic and works properly. Also, end users can first run ipconfig /release and then ipconfig /renew to manually renew a lease.

Fix:
DHCP lease can now be renewed correctly.


528071-2 : ASM periodic updates (cron) write errors to log

Component: Application Security Manager

Symptoms:
ASM periodic updates (run via cron) write errors to log when ASM is not provisioned.

Conditions:
ASM is not provisioned.

Impact:
Errors appear in the ASM logs.

Fix:
Errors no longer appear in ASM logs when ASM is not provisioned.


528007-5 : Memory leak in ssl

Component: Local Traffic Manager

Symptoms:
An intermittent memory leak was encountered in SSL.

Conditions:
This can occur under certain conditions when using Client SSL profiles.

Impact:
The amount of memory leaked is quite small, but over time enough memory would leak that TMM would have to reboot.

Workaround:
None.

Fix:
An intermittent memory leak in SSL was fixed.


527826-1 : IP Intelligence update failed: Missing SSL certificate

Component: Local Traffic Manager

Symptoms:
The IP Intelligence update fails because of a missing certificate. The following errors appear in /var/log/ltm:

err iprepd[5600]: 015c0004:3: Certificate verification error: 20
err iprepd[5600]: 015c0004:3: nSendReceiveSsl failed SSL handshake

The certificate of vector.brightcloud.com was changed recently.

Conditions:
This is seen when attempting to update the IP Intelligence database.

Impact:
IP Intelligence database will not update.

Workaround:
Add the new BrightCloud certificate to the end of the chain.

Fix:
This release contains an updated certificate chain.


527799-10 : OpenSSL library in APM clients updated to resolve multiple vulnerabilities

Vulnerability Solution Article: K16674 K16915 K16914


527742-1 : The inherit-certkeychain field of a clientSSL profile is not synchronized correctly on a standby BIG-IP system

Component: Local Traffic Manager

Symptoms:
When creating a clientSSL profile on the active BIG-IP system, its inherit-certkeychain field is true by default; however, it appears as false on the standby BIG-IP system.

Conditions:
BIG-IP systems are deployed as high-availability (HA) configuration.

Impact:
All units in an HA configuration should have the same configuration and the same behavior. Mismatching units in the HA configuration might lead to unexpected mismatching behavior.

Workaround:
None.

Fix:
With the fix, the inherit-certkeychain field of a newly created client SSL profile is set correctly on a standby BIG-IP system.


527649-1 : Upgrade sets client/server SSL profiles Ciphers field to DEFAULT if upgraded cipherstring effectively contains no ciphersuites.

Component: Local Traffic Manager

Symptoms:
Upgrade sets client/server SSL profiles Ciphers field to DEFAULT if the upgraded cipherstring would effectively contain no ciphersuites.

Conditions:
This is relevant when the following conditions are met:

* Upgrading to version 12.0.0.
* Client/server SSL profile is configured with the COMPAT keyword.

Impact:
The system changes 'COMPAT' to 'DEFAULT'. Upgrade posts a warning similar to the following:

WARNING: ciphers in clientssl profile TheProfile has been reset to DEFAULT from MD5.

This occurs because the BIG-IP software version 12.0.0 COMPAT set is empty by default. To prevent security issues and upgrade failures due to an empty ciphersuite, the upgrade operation replaces 'COMPAT' with 'DEFAULT'.

This is not considered a software defect, but instead assists users with maintenance of ciphersuites. It is expected that some legacy ciphersuites will be removed from default sets in major releases of BIG-IP system software, which might require user action to account for this change.

Workaround:
Because the upgrade script replaces the configured cipherstring, you should determine whether 'DEFAULT' is a suitable set of ciphersuites, and make necessary adjustments. For more information, see SOL13156: SSL ciphers used in the default SSL profiles (11.x - 12.x), available here: https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13156.html.

Best practice recommends periodic review of the enabled cipherstrings that are considered secure, since these change over time. Such a review should prevent future occurrence of the condition.


527639-5 : CVE-2015-1791 : OpenSSL Vulnerability

Vulnerability Solution Article: K16914


527638-5 : OpenSSL vulnerability CVE-2015-1792

Vulnerability Solution Article: K16915


527637-5 : PKCS #7 vulnerability CVE-2015-1790

Vulnerability Solution Article: K16898


527633-5 : OpenSSL vulnerability CVE-2015-1789

Vulnerability Solution Article: K16913


527630-2 : CVE-2015-1788 : OpenSSL Vulnerability

Vulnerability Solution Article: K16938


527431-2 : Db variable to specify audit forwarder port

Component: TMOS

Symptoms:
You can specify an audit forwarding destination for RADIUS or TACACS accounting using sys db config.auditing.forward.destination but cannot specify a custom port.

Conditions:
This is encountered if you want to use a port other than the default TCP port 49 for TACACS+ or port 1813 for RADIUS.

Impact:
Unable to configure a custom port other than the default.

Fix:
The sys db config.auditing.forward.destination db variable can now have the IP address and port specified.

For more information on RADIUS or TACACS+ accounting, see SOL13762: Configuring remote RADIUS or TACACS+ accounting at https://support.f5.com/kb/en-us/solutions/public/13000/700/sol13762


527168-3 : In GUI System :: Users : Authentication TACACS+ ports have max value of 32768 instead of 65535

Component: TMOS

Symptoms:
In the GUI, the System :: Users : Authentication TACACS+ ports have max value of 32768 instead of 65535.

Conditions:
1. Go to System :: Users : Authentication and click 'Change'.
2. For 'User Directory' choose 'Remote - TACACS+'.
3. Try to add a server with port greater than 32768 and click Create.
4. The maximum value allowed is 32768 instead of 65535.

Impact:
TACACS+ servers with port greater than 32768 cannot be created or modified using the GUI.

Workaround:
Use tmsh to modify these servers.

Fix:
In the GUI, the System :: Users : Authentication TACACS+ ports now have the correct maximum value of 65535.


527145-3 : On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.

Component: TMOS

Symptoms:
SOD occasionally dumps core on shutdown during memory cleanup.

Conditions:
System shutdown. The issue cannot be reproduced reliably, so the exact conditions for the crash are unknown.

Impact:
Minimal additional impact on services because a shutdown was already in process.

Workaround:
None.

Fix:
The daemon no longer cores on shutdown due to an internal processing error.


527027-3 : DNSSEC Unsigned Delegations Respond with Parent Zone Information

Component: Local Traffic Manager

Symptoms:
When a DNSSEC zone has an unsigned delegation to a child zone, responses to the queries on the unsigned child zone do not include proper delegation records.

Conditions:
A DNSSEC zone configured on BIG-IP for a zone that delegates to an unsigned child zone.

Impact:
DNSSEC tools are unable to verify that the child subdomain is properly delegated to an insecure authoritative name server.

Workaround:
None

Fix:
Queries for an unsigned child zone of a DNSSEC zone on a BIG-IP system are now sent to the backend nameserver. The DNSSEC-OK flag is observed when processing the response and when attaching or responding with DNSSEC resource records.


527024-2 : DNSSEC Unsigned Delegations Respond with Parent Zone Information

Component: Local Traffic Manager

Symptoms:
When a DNSSEC zone has an unsigned delegation to a child zone, responses to the queries on the unsigned child zone do not include proper delegation records.

Conditions:
A DNSSEC zone configured on BIG-IP for a zone that delegates to an unsigned child zone.

Impact:
DNSSEC tools are unable to verify that the child subdomain is properly delegated to an insecure authoritative name server.

Workaround:
None

Fix:
Queries for an unsigned child zone of a DNSSEC zone on a BIG-IP are now sent to the backend nameserver. The DNSSEC-OK flag is honored when processing the response and when attaching and/or responding with DNSSEC resource records.


527021-2 : BIG-IQ iApp statistics corrected for empty pool use cases

Component: TMOS

Symptoms:
BIG-IQ statistics gathering fails for HTTP iApps. The stats are collected periodically by an iCall script. A bug in the script causes a failure when the pool member count = 0.

Conditions:
The virtual has an empty pool (a common use case in SDN).

Impact:
Causes out-of-memory errors in scriptd.

Fix:
BIG-IP iApps now correctly provide statistics to BIG-IQ in empty-pool use cases.


527011-4 : Intermittent lost connections with no errors on external interfaces

Component: Local Traffic Manager

Symptoms:
Intermittent lost connections to virtual servers or pool nodes with no observable errors on external interfaces.
Errors are observed on internal interfaces using 'tmsh show net interface -hidden'.

Conditions:
Normal operation. This can occur on BIG-IP 8950, 11000, and 11050 platforms.

Impact:
Lost connections

Workaround:
None.

Fix:
An issue with intermittent lost connections with no errors on the external interface has been corrected.


526974-5 : Data-group member records map empty strings to 'none'.

Component: TMOS

Symptoms:
When an empty string is applied to a data-group member record, it is converted to 'none'.

Conditions:
Record type is string.

Impact:
The record's data is set to the literal string 'none' even though the user entered an empty string ''.

Workaround:
None.

Fix:
Data-group member records no longer map empty strings to 'none'.


526856-2 : "Use of uninitialized value" warning appears on UCS installation due to ASM signature inconsistency

Component: Application Security Manager

Symptoms:
"Use of uninitialized value" appears as a warning rarely upon UCS installation due to ASM signature inconsistency.

Conditions:
UCS file is installed with internal ASM signature inconsistency.

Impact:
"Use of uninitialized value" warning appears in output.

Fix:
"Use of uninitialized value" warning no longer appears upon UCS install.


526833 : Reverse Proxy produces JS error: 'is_firefox' is undefined

Component: Access Policy Manager

Symptoms:
The web application does not work. There is an error in the JS console: 'is_firefox' is undefined

Conditions:
Web application is running through Portal Access

Impact:
Web sites do not work.

Fix:
The error is fixed. Web applications work through Portal Access.


526817-6 : snmpd core due to mcpd message timer thread not exiting

Component: TMOS

Symptoms:
snmpd might occasionally experience a thread deadlock condition and be restarted (with a core dump) by sod.

Conditions:
This can occur during an SNMP configuration change.

Impact:
snmpd occasionally becomes unresponsive for the duration of the configured snmpd heartbeat timeout.

Workaround:
After an SNMP configuration change on the BIG-IP system, the deadlock timing issue can be avoided by manually restarting snmpd.

Fix:
snmpd no longer becomes unresponsive for the duration of the configured snmpd heartbeat timeout during configuration changes.


526810-8 : Crypto accelerator queue timeout is now adjustable

Component: Local Traffic Manager

Symptoms:
In order to diagnose crypto queue stuck errors, the timeout value for stuck crypto accelerator queues may now be adjusted using the crypto.queue.timeout DB variable.

The timeout value may be specified in milliseconds using the crypto.queue.timeout DB variable. The default value is 100 milliseconds.

Conditions:
This is only needed if you are getting errors in /var/log/ltm with this signature: crit tmm1[9829]: 01010025:2: Device error: crypto codec qa-crypto0-1 queue is stuck.

Impact:
Adjusting the queue timeout may help in certain configurations where SSL acceleration is the performance bottleneck.

Fix:
The crypto accelerator queue timeout may now be specified in milliseconds using the crypto.queue.timeout DB variable.


526754-3 : F5unistaller.exe crashes during uninstall

Component: Access Policy Manager

Symptoms:
f5unistaller.exe crashes; the dump points to a double free in the SGetRegistryAsString function.

Conditions:
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\*\DisplayName contains zero-length data.

Impact:
f5unistaller crashes.

Workaround:
Use the crash dump that was created; PD can determine the value of * from it. If data is placed into that DisplayName key, the defect is no longer triggered.


526699-5 : TMM might crash if BIG-IP DNS iRule nodes_up references invalid IP/Port.

Component: Global Traffic Manager

Symptoms:
A BIG-IP DNS system configured with an iRule that uses the nodes_up command in its ip_address::port form might crash.

Conditions:
- BIG-IP DNS iRule processing traffic with the nodes_up IP/Port command.
- IP/Port references an invalid LTM virtual server.
- Client sends requests to the BIG-IP DNS wide IP.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Specify the correct IP/Port in the nodes_up iRule command.

Fix:
TMM no longer crashes when using an incorrect IP/Port in a nodes_up BIG-IP DNS iRule.


526637-1 : tmm crash with APM clientless mode

Component: Access Policy Manager

Symptoms:
A condition that occurs when using APM in clientless mode can cause a rare tmm crash.

Conditions:
Only occurs on 11.5 and later, and while using clientless mode 3. This crash has been very difficult to reproduce.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
none

Fix:
tmm will no longer crash in APM clientless mode; it now sends a reset.


526617-2 : TMM crash when logging a matched ACL entry with IP protocol set to 255

Component: Access Policy Manager

Symptoms:
When TMM finds a matching ACL entry while enforcing the ACL, and that ACL entry is configured to produce a log entry as well, and the IP protocol for that packet is 255, then TMM crashes.

Conditions:
1. Log is enabled for that ACL entry.
2. IP protocol is set to 255.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable ACL logging.

Fix:
TMM no longer crashes when logging a matching ACL entry for an IP datagram with the protocol set to 255.


526578-2 : Network Access client proxy settings are not applied on German Windows

Component: Access Policy Manager

Symptoms:
Network Access client proxy settings are not applied on German Windows with Internet Explorer 10 under obscure conditions.
If the APM address is not in the Trusted Sites list, this issue reproduces reliably.
Windows shows empty fields in proxy settings UI of Internet Explorer.

Conditions:
Client machine has Windows with German localization.
Client machine has Internet Explorer 10.
APM is not in the Trusted Sites list, or other obscure conditions apply.

Impact:
Network Access works in an unexpected way: the client ignores proxy settings.

Workaround:
Run IE as administrator, or update to IE11.

Fix:
Proxy settings are now correctly applied on client machines with German localization and Internet Explorer 10. However, Windows still shows empty fields in the proxy settings GUI of Internet Explorer.


526514-2 : Open redirect via SSO_ORIG_URI parameter in multi-domain SSO

Vulnerability Solution Article: K26738102


526492-3 : DNS resolution fails for Static and Optimized Tunnels on Windows 10

Component: Access Policy Manager

Symptoms:
When Static and Optimized Tunnels are used on Windows 10 desktop, accessing a backend server by hostname will fail.

Conditions:
1. Windows 10 desktop
2. Static or Optimized Tunnels are used

Impact:
No access to backend servers using hostnames.

Workaround:
none

Fix:
DNS resolution is successful for static and optimized tunnels on Microsoft Windows 10.


526419-2 : Deleting an iApp service may fail

Component: TMOS

Symptoms:
Deleting an iApp service may fail with an error message like this:

01070712:3: Can't load node: 839 type: 4

Conditions:
Unknown.

Impact:
You can't delete an iApp.

Workaround:
Save the configuration. Edit the relevant configuration file to remove the iApp service. Reload the configuration.

Fix:
Deleting an iApp service could formerly fail with an error message like this:

01070712:3: Can't load node: 839 type: 4

This no longer occurs.


526367-2 : tmm crash

Component: Local Traffic Manager

Symptoms:
tmm cores and restarts.

Conditions:
It is not known what causes this, but it is related to use of DTLS in the serverssl profile.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a tmm crash related to DTLS.


526295-4 : BIG-IP crashes in debug mode when using PEM iRule to create session with calling-station-id and called-station-id

Component: Policy Enforcement Manager

Symptoms:
When using a PEM iRule to create a session with calling-station-id and called-station-id, the BIG-IP system will crash in debug mode.

Conditions:
1. PEM is provisioned.
2. BIG-IP system is running in debug mode.
3. PEM iRule is used to create session with calling-station-id and called-station-id.

Impact:
The BIG-IP system crashes.

Workaround:
Create PEM sessions with iRules that do not set calling-station-id and called-station-id, and add the two attributes separately using a PEM info iRule.

Fix:
The problematic iRule now works as expected and no longer causes a crash.


526275-2 : VMware View RSA/RADIUS two factor authentication fails

Component: Access Policy Manager

Symptoms:
VMware View client fails to authenticate with APM configured for RSA/RADIUS two factor authentication.

Conditions:
APM is configured as a VMware View proxy with RSA or RADIUS two factor authentication, and the VMware View client is used.

Impact:
User sees a confusing error message.

Workaround:
Click "OK" on an error message "The username or password is not correct. Please try again.". Enter valid AD credentials and login again.

Fix:
APM now correctly handles VMware View RSA/RADIUS two factor authentication.


526162-6 : TMM crashes with SIGABRT

Component: Application Security Manager

Symptoms:
TMM crashes with SIGABRT (sod crashes the tmm). This error appears in the LTM logs:
HA daemon_heartbeat tmm fails action is go offline down links and restart

Conditions:
IP reputation is turned on, and the IP reputation database is reloaded.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.

Fix:
Fixed a rare scenario in which TMM was halted while the IP reputation daemon was loading a new IP reputation database.


526084-1 : Windows 10 platform detection for BIG-IP EDGE Client

Component: Access Policy Manager

Symptoms:
The session.client.platform variable contains "Win8.1" for BIG-IP Edge Client on Windows 10.

Conditions:
n/a

Impact:
n/a

Workaround:
n/a

Fix:
BIG-IP APM was enhanced to report the session.client.platform session variable correctly for BIG-IP Edge Client on Windows 10.


525958-10 : TMM may crash if loadbalancing to node's IP in iRule routed towards an unreachable nexthop.

Component: Local Traffic Manager

Symptoms:
In a specific combination of events, TMM may core.

Conditions:
This occurs when the following conditions are met:
- Load balancing a flow to an ip_tuple (e.g., the Tcl 'node' command).
- That address is not directly connected.
- The matched route is a gateway pool that contains a pool member that is not reachable.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure correct routing to all destinations with reachable next hops.

Fix:
TMM no longer cores when load balancing to a node's IP address in iRule, routed towards an unreachable nexthop.


525920 : VPE fails to display access policy

Component: Access Policy Manager

Symptoms:
VPE fails to display the access policy, with the error:
Server request for 'vpeDialogue' is failed: Request status=500

Conditions:
Always, on certain hotfix builds.

Impact:
Catastrophic: an error message is shown and VPE does not work.

Workaround:
No workaround; a software upgrade is needed.

Fix:
Functionality restored.


525708-2 : AVR reports of last year are missing the last month data

Component: Application Visibility and Reporting

Symptoms:
Reports are missing the latest data collected for them. Each report type is missing a different portion of the data, relative to the report type. This becomes very noticeable when creating long-term reports. For example, a 'last-year' report might omit the last month's data, a 'last-month' report might omit the last week's data, and so on.

Conditions:
Every report that covers a long history time range.

Impact:
The presented data can be confusing and misleading.

Fix:
A new data aggregation mechanism was introduced, so that all reports include activity up to the last hour.
There is an option to make data available even for the last 5 minutes, although that might cause excessive CPU and disk load every 5 minutes.
There is also an option to turn off this new aggregation mechanism if you are not interested in accurate long-history reports and the hourly aggregation task is too heavy for the machine.


525595-1 : Memory leak of inbound sockets in restjavad.

Component: Device Management

Symptoms:
restjavad might run out of memory due to inactive sockets piling up in memory. The symptom is 'Out of memory' messages in /var/log/restjavad.0.log, after which any new REST calls fail. The URL that fails is random.

Conditions:
Occurs after a few hours of use.

Impact:
Memory leak of inbound sockets in restjavad. restjavad becomes inoperative.

Workaround:
Restart restjavad with the following command:
bigstart restart restjavad
Note: You can run the command periodically from a cron script.

Fix:
Inbound sockets in restjavad no longer cause a memory leak.


525562-2 : Debug TMM Crashes During Initialization

Component: Access Policy Manager

Symptoms:
The debug version of TMM (tmm.debug) generates a core file and fails to start up.

Conditions:
This issue happens when running the debug version of TMM on a multi-blade chassis or vCMP.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Revert to using the default version of TMM (tmm.default).

Fix:
Removed unnecessary debug assert statements from TMM.


525478-3 : Requests for deflate encoding of gzip documents may crash TMM

Component: WebAccelerator

Symptoms:
When searching for documents in the gzip cache, if a document has been cached with gzip encoding but a non-deflate compression method (i.e., CM != 0x08) and the client has requested deflate compression, TMM may crash.

Conditions:
-- WAM/AAM enabled on VIP.
-- HTTP compression enabled on VIP.
-- Document served with gzip encoding and non-deflate compression.
-- Document has entered the gzip cache.
-- Client HTTP request specifies deflate encoding.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure that only the deflate method is used in gzip-compressed documents that will be cached by WAM/AAM. With most web servers this is the default behavior and cannot be changed.

Alternatively, remove the 'Accept-Encoding: deflate' header using an iRule so that no clients can request deflate encoding.

Fix:
TMM now correctly handles requests for deflate compression of cached gzip documents with non-deflate compression methods.
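The trigger for 525478-3 is a document whose gzip member header carries a compression method (CM) byte other than 0x08. The following added example (not F5 code) parses the RFC 1952 fixed header so an operator can inspect cached or origin responses for that condition; the sample bodies are constructed inline.

```python
"""Detect gzip members whose CM byte is not 8 (deflate).

Added example, not part of the F5 release note. RFC 1952 fixed header:
ID1=0x1f, ID2=0x8b, CM, FLG, MTIME (4 bytes LE), XFL, OS. RFC 1952 defines
only CM=8 (deflate); any other value is the "non-deflate compression
method" described in the release note.
"""
import gzip
import struct

GZIP_MAGIC = b"\x1f\x8b"
CM_DEFLATE = 0x08


def gzip_header(data: bytes) -> dict:
    """Parse the 10-byte gzip member header. Raises ValueError if the
    data does not start with a gzip member."""
    if len(data) < 10:
        raise ValueError("too short for a gzip header")
    if data[:2] != GZIP_MAGIC:
        raise ValueError("not a gzip stream (bad magic)")
    # '<' selects little-endian with no padding: B B I B B = 8 bytes
    cm, flg, mtime, xfl, os_ = struct.unpack("<BBIBB", data[2:10])
    return {"cm": cm, "flg": flg, "mtime": mtime, "xfl": xfl, "os": os_}


def uses_deflate(data: bytes) -> bool:
    """True when the gzip member uses the only standard method, CM=8."""
    return gzip_header(data)["cm"] == CM_DEFLATE


def classify_response(headers: dict, body: bytes) -> str:
    """Classify a response body by its Content-Encoding header and gzip CM.

    Returns one of:
      'not-encoded'     - no gzip Content-Encoding, nothing to check
      'not-gzip'        - advertised gzip but body is not a gzip member
      'non-deflate-cm'  - gzip member with CM != 8 (the 525478-3 trigger)
      'ok'              - gzip member with CM == 8
    """
    enc = headers.get("Content-Encoding", "").strip().lower()
    if enc != "gzip":
        return "not-encoded"
    try:
        hdr = gzip_header(body)
    except ValueError:
        return "not-gzip"
    return "ok" if hdr["cm"] == CM_DEFLATE else "non-deflate-cm"


# Constructed sample bodies: a normal gzip member and a copy with CM=9.
GOOD_BODY = gzip.compress(b"hello world")
_bad = bytearray(GOOD_BODY)
_bad[2] = 0x09  # overwrite CM byte with a non-deflate value
BAD_BODY = bytes(_bad)

if __name__ == "__main__":
    for name, body in (("good", GOOD_BODY), ("bad", BAD_BODY)):
        print(name, classify_response({"Content-Encoding": "gzip"}, body))
```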


525429-13 : DTLS renegotiation sequence number compatibility

Component: Access Policy Manager

Symptoms:
The OpenSSL library was modified to keep it compatible with the RFC 6347-compliant DTLS server renegotiation sequence number implementation.

Conditions:
The old OpenSSL library is not compatible with RFC 6347; the new OpenSSL library is modified to be compatible with RFC 6347.
The current APM client is compatible with the old OpenSSL library, not the new one.

Impact:
The current APM client is not compatible with the new OpenSSL library.

Fix:
The APM client is now compatible with both the old and the new OpenSSL library.


525384-3 : Network Access PAC file can now be located on an SMB share

Component: Access Policy Manager

Symptoms:
Network Access web components or Edge Client fail to download the PAC file if it is located on an SMB share, for example
file:////pac.file.hoster.local/config.pac.

Conditions:
Network Access with Client Proxy Settings enabled, and
the PAC file path set to a location on an SMB share.

Impact:
It is impossible to configure Network Access with a PAC file located on an SMB share.

Workaround:
Put the PAC file on an HTTP server and configure Network Access accordingly.

Fix:
Network Access components can now obtain the PAC file from an SMB share.


525322-6 : Executing tmsh clientssl-proxy cached-certs crashes tmm

Component: Local Traffic Manager

Symptoms:
tmm crashes while executing the "tmsh clientssl-proxy cached-certs" command.

Conditions:
An SSL forward proxy virtual server with a clientssl profile whose full name, including the partition, is longer than 32 characters (/Common/<profilename> has a length of more than 32 characters).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Keep profile name lengths under 32 characters, or do not run the command until fixed.

Fix:
The "tmsh clientssl-proxy cached-certs" command now runs successfully with profile names longer than 32 characters.


525232-10 : PHP vulnerability CVE-2015-4024

Vulnerability Solution Article: K16826


524960-5 : 'forward' command does not work if virtual server has attached pool

Component: Local Traffic Manager

Symptoms:
The iRule 'forward' command does not result in connections being routed to the proper destination if the virtual server has an attached pool.

Conditions:
Virtual server with:
- Pool.
- iRule that issues 'forward' commands.

Impact:
Connections are routed to a pool member instead of the destination determined by network routes.

Workaround:
Remove the pool assigned to the virtual server and select the pool from an iRule with a 'pool' command whenever the 'forward' command is not issued.

Fix:
The 'forward' command now releases the previously selected pool member so that the connection is routed based on the packet destination, as expected.


524909-3 : Windows Info agent check could not be passed from Windows 10

Component: Access Policy Manager

Symptoms:
The APM endpoint check action "Windows Info agent" was not able to detect Windows 10 clients.

Conditions:
n/a

Impact:
n/a

Workaround:
n/a

Fix:
BIG-IP APM now supports the Windows Info action on Windows 10 clients.


524756-1 : APM Log is filled with errors about failing to add/delete session entry

Component: Access Policy Manager

Symptoms:
APM log is filled with the following error when the issue occurs:

May 21 16:34:16 bigip4013mgmt err tmm2[20158]: 01490558:3: 00000000: Access stats encountered error: Failed to add/delete session entry (ERR_NOT_FOUND)

Conditions:
If a session times out before it completes policy evaluation, APM still attempts to delete its marker from the established session namespace, which results in the ERR_NOT_FOUND error.

Impact:
There is no functional impact. However, the APM log may become useless if the volume of this error is high.

Fix:
Access Filter now skips session marker deletion if the timed-out session is not in established state.


524748 : PCCD optimization for IP address range

Component: Advanced Firewall Manager

Symptoms:
The PCCD blob grows too large with a large-scale policy configuration, which causes slow compilation and serialization.

Conditions:
Large-scale policy configuration.

Impact:
Slow compilation/serialization and a large PCCD blob.

Workaround:
N/A

Fix:
With PCCD IP address range optimization, PCCD reduces its compilation/serialization time and blob size.


524666-2 : DNS licensed rate limits might be unintentionally activated.

Component: Local Traffic Manager

Symptoms:
DNS licensed rate limits might be unintentionally activated.

Conditions:
This might occur with a license in which DNS Services is unlimited but BIG-IP DNS (formerly GTM) is limited.

Impact:
DNS licensed rate limits might be unintentionally activated. Rate counters activate even though rates are unlimited, which unnecessarily uses CPU cycles. Also, features that indirectly check rate flags, such as hardware DNS, might deactivate improperly even though rates are unlimited.

Workaround:
None.

Fix:
DNS licensed rate limits are now handled as expected.


524641-4 : Wildcard NAPTR record after deleting the NAPTR records

Component: Local Traffic Manager

Symptoms:
There is a DNS query issue when adding/deleting a NAPTR record through ZoneRunner.

Conditions:
After a specific NAPTR record is deleted, the previously added wildcard NAPTR record fails for wildcard dig queries and the system does not show the correct subdomains.

Impact:
Wildcard NAPTR record call fails after deleting the NAPTR records.

Workaround:
None.

Fix:
Wildcard NAPTR record call now completes successfully after deleting the NAPTR records.


524490-7 : Excessive output for tmsh show running-config

Component: TMOS

Symptoms:
tmsh show running-config displays many default configuration items. Although the output includes the user-configured items as expected, it is not expected to include default configuration items.

Conditions:
tmsh show sys running-config.

Impact:
The presence of excessive default configuration items makes parsing the tmsh show running-config output difficult.

Workaround:
None.

Fix:
tmsh show sys running-config shows minimal default configuration.


524428-2 : Adding multiple signature sets concurrently via REST

Component: Application Security Manager

Symptoms:
Adding multiple ASM signature sets concurrently via REST causes a deadlock.

Conditions:
Multiple ASM signature sets are added concurrently using REST.

Impact:
Some signature set REST add actions fail due to the deadlock.

Workaround:
Wait until a signature set add action has completed in REST before issuing the next add.

Fix:
Multiple signature sets can be added concurrently using REST.


524333-5 : iControl command pkcs12_import_from_file_v2 may fail if httpd is restarted or session times out.

Component: TMOS

Symptoms:
When pkcs12_import_from_file_v2 is used immediately after httpd is restarted, or after the session-timeout period has elapsed, an 'Internal error' response is received.

This issue is not seen if another iControl call is made and pkcs12_import_from_file_v2 is tried after that.

Conditions:
pkcs12_import_from_file_v2 is used immediately after httpd is restarted, or after the session-timeout period has elapsed.

Impact:
The iControl command may fail if httpd is restarted or the session times out.

Workaround:
None.

Fix:
The iControl command pkcs12_import_from_file_v2 now completes successfully after httpd is restarted or the session times out.


524326-3 : Can delete the last IP address on a GTM server, but cannot load a config with a GTM server with no IPs

Component: TMOS

Symptoms:
Configuration validation allows a user to delete the last (only remaining) IP address on a GTM server. However, since a GTM server cannot be created or loaded without at least one IP address, the configuration then fails to load.

Conditions:
User has deleted the last IP address on a GTM server.

Impact:
Configuration load fails. If the GTMs are in a sync group, this also breaks sync, because the config change cannot be loaded by any GTM.

Workaround:
Either delete the server from the config if it has no more valid IPs, or add at least one IP to the server's IP address list.

Fix:
MCPD validation was extended to ensure that deleting GTM link or GTM server addresses does not leave parent objects without addresses.


524300-1 : The MOS boot process appears to hang.

Component: TMOS

Symptoms:
When a BIG-IP 2000 series or BIG-IP 4000 series device is booted into MOS (either manually or as a result of a user running the image2disk utility), the MOS boot process appears to hang. In reality, MOS boots successfully, but loses its connection to the BIG-IP system's serial console.

Conditions:
A BIG-IP 2000 series or BIG-IP 4000 series device with a MOS version older than 2.8.9 - 587.0 is booted from MOS.

Impact:
If you booted into MOS manually, you cannot carry out the tasks that you had set out to do. You must reset the device (either physically or via the AOM menu) to recover it.

If the system booted into MOS automatically (as a result of a user running the image2disk utility to perform a clean installation), the installation completes successfully and the system reboots correctly at the end of the installation. However, you cannot see and follow the re-imaging process because of this issue. In this case, you can watch the (seemingly hung) serial console until the system reboots by itself.

Workaround:
You can work around this issue by performing a temporary installation of BIG-IP version 12.0.0 to a new boot slot.
No further action is required; the temporary installation of BIG-IP version 12.0.0 can be deleted once completed.
The temporary installation of version 12.0.0 has the effect of upgrading MOS to a version that resolves this issue.

Fix:
A BIG-IP 2000 series or BIG-IP 4000 series device with a MOS version older than 2.8.9 - 587.0 now retains its connection to the serial console when booted into MOS.


524281-1 : Error updating daemon ha heartbeat

Component: TMOS

Symptoms:
During shutdown you see the following error in /var/log/ltm:
err vcmpd[8590]: 01510004:3: Error updating daemon ha heartbeat: VcmpdHeartbeat.cpp:251 error 0x01140031

Conditions:
This issue occurs only on shutdown, and only if the shutdown takes a long time.

Impact:
Error messages are displayed. As long as this occurs only on shutdown, it simply means that vcmpd is unable to communicate with sod, which has already shut down.

Fix:
vcmpd now logs "Error updating daemon ha heartbeat" only if the system is not shutting down.


524279-4 : CVE-2015-4000: TLS vulnerability

Vulnerability Solution Article: K16674


524126-3 : The DB variable provision.tomcat.extramb is cleared on first boot.

Component: TMOS

Symptoms:
You are unable to reach the GUI after upgrading to 11.5.x or 11.6.x from a prior version. The DB variable provision.tomcat.extramb is 0 (zero) after the upgrade, even though the configuration had the variable set to a non-zero value.

Conditions:
The DB variable provision.tomcat.extramb is set to a value other than 0 before installing.

Impact:
The DB value is not rolled forward, so the GUI gets less memory than expected.

Workaround:
After the first boot, set the DB variable provision.tomcat.extramb to the desired amount or restore the saved UCS at /var/local/ucs/config.ucs.

Fix:
The DB variable provision.tomcat.extramb now retains the specified value when rolling forward a configuration.


524004-2 : Adding multiple signatures concurrently via REST

Component: Application Security Manager

Symptoms:
Adding multiple ASM signatures concurrently via REST causes a deadlock.

Conditions:
Multiple ASM signatures are added concurrently using REST.

Impact:
Some signature REST add actions fail due to the deadlock.

Workaround:
Wait until a signature add action has completed in REST before issuing the next add.

Fix:
Multiple signatures can be added concurrently using REST.


523922-6 : Session entries may time out prematurely on some TMMs

Component: TMOS

Symptoms:
In certain scenarios, session entries may not be refreshed when the TMM that owns the entry is used to process the connection.

Conditions:
When the TMM owning the session entry is different from the TMM handling the connection and the entry is retrieved (for example via the iRule command "session lookup uie"), the timeout is extended.

When the TMM owning the entry is the same as the TMM handling the connection, the entry may not have its timeout refreshed, leading to premature removal.

Impact:
Different TMMs may behave differently and cause confusion when using the session table.

Workaround:
None

Fix:
Session table entries now consistently have their timeout values refreshed in all scenarios.


523867-2 : 'warning: Failed to find EUDs' message during formatting installation

Component: TMOS

Symptoms:
The following message may appear on the console:

warning: Failed to find EUDs
warning: Failed to get volume id for EUD

Conditions:
This warning occurs during a formatting installation.

Impact:
No impact. The message was intended to be logged at the 'info' level.

Workaround:
N/A

Fix:
The 'warning: Failed to find EUDs' diagnostic message during installation has been changed from warning to info level.


523863-1 : istats help not clear for negative increment

Component: TMOS

Symptoms:
The help for the istats command line tool was not clear on how to specify a negative increment for a gauge iStat.

Conditions:
Try to increment a gauge iStat by a negative amount using the istats command line tool.

Impact:
The bash shell printed a cryptic error, and the help did not clarify how to make it work.

Workaround:
Research bash shell options for the cryptic error (the double-dash '--' ends option parsing so the negative number is not read as an option).

Fix:
The help for the istats command line tool was augmented to state clearly that the double-dash option must be specified before the negative number.


523854-4 : TCP reset with RTSP Too Big error when streaming interleaved data

Component: Service Provider

Symptoms:
An RTSP connection containing interleaved streams is aborted mid-stream, causing loss of data. This occurs when there is packet loss and retransmission due to an unreliable connection. BIG-IP sends a RST with cause "Too big".

The RTSP profile has a Maximum Header Size parameter. When the RTSP filter receives a burst of reassembled stream data that exceeds this size, it aborts with that RST cause. When this parameter is raised above the value of the Maximum Queued Data parameter, that parameter is exceeded instead and the RST cause is "Hudfilter abort". When both parameters are raised much higher, an abort is less likely but can still occur with cause "Out of memory" (a false report, as the system is not out of memory).

Conditions:
RTSP profile configured.
Interleaved stream.
Packet retransmissions due to an unreliable connection.

Impact:
RTSP traffic is interrupted or dropped.
The TCP session is reset with a cause of "Too Big" or "Hudfilter abort".

Workaround:
Set both the Maximum Header Size and Maximum Queued Data values to a value greater than 64 KB. This reduces the likelihood of failure, but is only a partial workaround.

Fix:
RTSP interleaved traffic passes reliably, even over an unreliable connection experiencing packet retransmission.


523642-4 : Power Supply status reported incorrectly after LBH reset

Component: TMOS

Symptoms:
On BIG-IP appliances with the Backplane Micro-Controller Hybrid (LBH) type of Always-On Management device, power supply status reporting and enumeration may function incorrectly if the LBH resets due to a watchdog reboot or another cause.

Conditions:
This may occur on BIG-IP 2000-/4000-series, BIG-IP 5000-/7000-series, and BIG-IP 10000-/12000-series platforms.

Impact:
Resets of the LBH device occur very rarely.
When this issue occurs, the status reporting and enumeration of appliance power supplies may be inaccurate.
Errors may be reported when attempting to obtain sensor values from non-present power supplies.
Power supply presence, status and identification may be reported incorrectly following power supply removal or reinsertion.

Workaround:
To work around this issue and restore correct reporting of power supply status, you can restart the chmand process. To do so, perform the following procedure:

Impact of workaround: Restarting the chmand process also restarts core BIG-IP system daemons such as TMM. Running this procedure interrupts traffic processing.

1. Log in to the BIG-IP command line.
2. To restart the chmand process, type the following command:
bigstart restart chmand

Fix:
Power Supply status is now reported correctly after LBH reset.


523527-10 : Upgrade from 10.x to 11.2.0 or later does not add existing routing protocols to RD0.

Component: TMOS

Symptoms:
If you upgrade directly from version 10.x to version 11.2.0 or later with a working dynamic routing protocol configuration, you may find that the routing protocol is disabled after the upgrade to 11.2.0 or later.

Conditions:
- Upgrade from 10.x to 11.2.0 or later.
- Routing protocol enabled in tmrouted dbkeys.
- No route domain 0 (zero) (RD0) configuration; that is, all VLANs use the RD0 defaults and RD0 has no comment, so there is no existing RD0 configuration in bigip_base.conf.

Impact:
Routing protocol information is missing from RD0, ZebOS is not running (although configured).

Workaround:
There are several workarounds for this issue:
  - Cause the RD0 configuration to exist by adding a comment to the 10.x description field and saving prior to upgrade.
  - Re-add the routing protocol to the RD0 configuration after the upgrade.
  - Perform an intermediate upgrade from 10.x to 11.0.0 or 11.1.0 prior to upgrading to an 11.2.0 or later version.

Fix:
Routing protocols are now correctly configured on Route Domain 0 (zero) (RD0) after upgrade to version 11.2.0 or later.


523513-5 : COMPRESS::enable keeps compression enabled for a subsequent HTTP request.

Component: Local Traffic Manager

Symptoms:
COMPRESS::enable keeps compression enabled for a subsequent HTTP request.

The response for the first HTTP request enables the compression, but it is not used since the payload is empty. For the second HTTP request (whose URI indicates that it is not supposed to be compressed), the system still compresses the response because the first request did not disable compression.

Conditions:
Subsequent HTTP requests in the same TCP connection:
- The first HTTP response has an empty payload, and compression is enabled for it.
- The second HTTP response still gets compressed.

Impact:
Unintended compression for subsequent HTTP responses.

Workaround:
Disable compression in the else case manually in the iRule using COMPRESS::disable.
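
The workaround above, as an added iRule example that is not part of the release note: compression is decided per request and explicitly disabled in the else branch, so an earlier COMPRESS::enable on the same keep-alive connection cannot carry over. The URI prefix used to select compressible responses is a constructed assumption.

```tcl
# Added example (not from the release note): work around ID 523513 by
# explicitly disabling compression for every response that should not be
# compressed, instead of relying on compression being off by default.
# The "/api/text/" prefix is an assumed, constructed selection rule.
when HTTP_REQUEST {
    # Decide per request; the decision is applied when the response arrives.
    if { [string tolower [HTTP::uri]] starts_with "/api/text/" } {
        set compress_this 1
    } else {
        set compress_this 0
    }
}

when HTTP_RESPONSE {
    if { $compress_this } {
        COMPRESS::enable
    } else {
        # Without this explicit disable, a prior empty-payload response that
        # enabled compression leaves it enabled for this response (ID 523513).
        COMPRESS::disable
    }
}
```

A compression profile must still be attached to the virtual server for COMPRESS::enable to have any effect.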

Fix:
Compression is now disabled after an HTTP response with empty payload for iRule-based enabling.


523471-3 : pkcs11d core when connecting to SafeNet HSM

Component: Local Traffic Manager

Symptoms:
Very occasionally, using the SafeNet hardware security module (HSM) results in a pkcs11d core.

Conditions:
This occurs when the SafeNet HSM is used. Because of the rare and intermittent nature of the issue, other required conditions are not known.

Impact:
pkcs11d cores, and HSM-based SSL traffic fails. This occurs as a result of the SafeNet library. It is not a BIG-IP system-specific issue.

Workaround:
None.

Fix:
The SafeNet library has been updated, and pkcs11d no longer cores intermittently.


523465-1 : Log an error message when firewall rule serialization fails due to maximum blob limit being hit.

Component: Advanced Firewall Manager

Symptoms:
Before this fix, when AFM rule serialization failed in pktclass-daemon, it was not possible to tell whether the failure was due to an out-of-memory (OOM) condition or to the maximum blob limit being reached: both errors were logged as OOM in /var/log/ltm.

Conditions:
AFM rule serialization fails due to the max blob limit.

Impact:
It is hard to isolate that serialization failed due to the max blob limit.

Workaround:
None

Fix:
With the fix, AFM rule serialization failure due to max blob limit is logged appropriately in /var/log/ltm making it easier to identify the cause of the failure.


523434-5 : mcpd on secondary blades will restart with an error message about a sflow_http_virtual_data_source object

Component: TMOS

Symptoms:
mcpd on secondary blades may restart and log an error of the following form: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (sflow_http_virtual_data_source) object ID (44). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_http_virtual_data_source status:13)... failed validation with error 17237812.

Conditions:
The exact conditions under which this occurs are not well understood. The immediately triggering event is a change in the cluster's primary blade.

Impact:
All services on an affected blade restart.

Workaround:
None.

Fix:
mcpd on secondary blades may restart and log an sflow_http_virtual_data_source error after a change in the cluster's primary blade.


523431-1 : Windows Cache and Session Control cannot support a period in the access profile name

Component: Access Policy Manager

Symptoms:
An access profile name containing a period will not work when using Windows Cache and Session Control. For example '/Common/test.profile' will not work. When evaluating the access policy, an end-user will be redirected to an error page.

Conditions:
Applies to any APM with Windows Cache and Session Control.

Impact:
Access Profile names cannot include a dot.
Invalid name: '/Common/profile.name'
Valid name: '/Common/profile_name'

Fix:
One of the PHP files for cache control has a regex that looks for invalid access profile names. This regex had previously flagged any profile name with a period to be invalid. The regex has been updated to allow periods.


523390-1 : Minor memory leak on IdP when SLO is configured on bound SP connectors.

Component: Access Policy Manager

Symptoms:
Several bytes of memory are leaked when SAML SSO is executed on BIG-IP system, configured as an Identity Provider (IdP), when the Service Provider (SP) connector has single logout (SLO) configured.

Conditions:
BIG-IP is used as Identity Provider, and SLO is configured for bound SP Connector.

Impact:
Several bytes of memory are leaked.

Workaround:
To work around the problem, disable SLO on SP connectors.

Fix:
Fixed memory leaks in the SAML Identity Provider (IdP) when SLO is configured in a Service Provider (SP) connector.


523329 : When BIG-IP is used as a SAML Identity Provider (IdP), TMM may restart under certain conditions.

Component: Access Policy Manager

Symptoms:
TMM may restart.

Conditions:
- BIG-IP is used as an IdP.
- The client or Service Provider sends a number of specific invalid requests to the BIG-IP system.

Impact:
TMM is not available while it restarts.

Fix:
The issue where TMM would restart as a result of an invalid user request is now fixed.


523327-3 : In very rare cases Machine Certificate service may fail to find private key

Component: Access Policy Manager

Symptoms:
The non-elevated client component is able to find the certificate but not the key, while the machine certificate service / F5 Elevation Helper fails to find the certificate.

f5certhelper.txt (helper) or logterminal.txt (in the windows\temp folder, for the service) contains:
1, , 0, , EXCEPTION - CCertInfo::FindCertificateInStore: CertFindCertificateInStore failed with error code: 80092004

Conditions:
The IE/Edge Client is not running under an Admin user.
A special certificate is used.

Impact:
User fails to pass access policy.

Workaround:
Run IE/BIG-IP Edge Client as administrator.

Fix:
Now both service and elevation helper can find those specific certificates.


523261-2 : ASM REST: MCP Persistence is not triggered via REST actions

Component: Application Security Manager

Symptoms:
Some REST calls that affect Security policies should be persisted to the BIG-IP configuration files after their completion (create, delete, association to virtual servers, and changing language encoding), but are not.

Conditions:
REST API is being used to manage Security Policies.

Impact:
If the device is restarted, configuration may be lost.

Workaround:
Perform any other action that persists the configuration (such as an ASM configuration change through the GUI, or any LTM configuration change).

Fix:
Configuration is now correctly persisted when required after ASM REST actions.


523260-2 : Apply Policy finishes with coapi_query failure displayed

Component: Application Security Manager

Symptoms:
GUI actions to apply policy appear to fail with an error message regarding coapi_query.

Conditions:
Unknown.

Impact:
The policy is correctly applied locally; the coapi_query error message occurs after the commit.
This error, however, prevents correct device group synchronization of the change.

Workaround:
Use REST API to apply the policy:

POST https://<MGMT_IP>/mgmt/tm/asm/tasks/apply-policy
{
  "policy": {
    "fullPath": "/Common/<POLICY_NAME>"
  }
}

Fix:
This release fixes an error that intermittently caused the Apply Policy action to fail.


523222-7 : Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending.

Component: Access Policy Manager

Symptoms:
Citrix HTML5 client fails to start from Storefront in integration mode when Access Policy is configured with Redirect ending.

If an access policy has Redirect ending, the Citrix HTML5 client will fail to start with HTTP 400 error.

Conditions:
Citrix Storefront configured in integration mode through APM.

Impact:
The HTML5 client is not usable for this sort of integration.

Fix:
Fixed the Citrix HTML5 handling code so that it works with Redirect endings in access policies.


523201-1 : Expired files are not cleaned up after receiving an ASM Manual Synchronization

Component: Application Security Manager

Symptoms:
If a device only receives full ASM sync files from its peers, it never performs cleanup of files that are no longer needed.

Conditions:
An ASM manual synchronization device group is being used.

Impact:
May eventually lead to disk space exhaustion.

Workaround:
None.

Fix:
Files are now correctly cleaned up after loading a new configuration.


523125-1 : Disabling/enabling blades in cluster can result in inconsistent failover state

Component: TMOS

Symptoms:
Not all blades in the cluster agree about the high availability (HA) status.

Conditions:
Disabling and enabling blades in a chassis that is configured to use HA Groups can sometimes result in a blade staying in standby even though the other blades in the chassis have gone active.

Impact:
When the blades disagree about active/standby state, traffic might be disrupted.

Workaround:
None.

Fix:
Disabling/enabling blades in cluster no longer results in inconsistent failover state.


523079-1 : Merged may crash when file descriptors exhausted

Component: Local Traffic Manager

Symptoms:
The merged daemon crashes.

Conditions:
The limit on file descriptors is exceeded.

Impact:
Merged crashes leaving a core file. The collection of system stats and merging of blade stats will not work until merged restarts.

Workaround:
Monitor the system file descriptor use and avoid exceeding the limit.

Fix:
Fixed a crash bug in Merged.


523032-5 : qemu-kvm VENOM vulnerability CVE-2015-3456

Vulnerability Solution Article: K16620


522871-4 : [TMSH] nested wildcard deletion will delete all the objects (matched or not matched)

Component: TMOS

Symptoms:
Nested wildcard deletion deletes all of the objects (matched or not matched).

Conditions:
Use deletion in a nested TMSH command. For example:

tmsh modify gtm server GTM1 virtual-servers delete {f*}

This deletes all virtual servers even if none of the servers match. The same issue applies to pool members.

Impact:
All objects are deleted, instead of those targeted for delete.

Workaround:
None.

Fix:
Nested wildcard deletion now deletes matched objects only.


522837-3 : MCPD can core as a result of another component shutting down prematurely

Component: TMOS

Symptoms:
During a small window of opportunity, mcpd can core if it is told to restart. This often occurs when another component has failed.

Conditions:
This issue generally occurs when another component has a problem which then initiates an mcpd restart.

Impact:
An mcpd core file is generated during shutdown, and it may initially appear as if mcpd coring was the cause of the restart.

Workaround:
None.

Fix:
Ensured that connections are not deleted twice when shutting down, so mcpd no longer cores.


522791-1 : HTML rewriting on client might leave 'style' attribute unrewritten.

Component: Access Policy Manager

Symptoms:
In some cases, the 'style' attribute of an HTML tag containing inline CSS is not rewritten.

Conditions:
This happens when HTML is added to a page using document.write or assignment to innerHTML.

Impact:
Images added with inline CSS styles are not displayed.
The browser sends requests directly to the backend instead of through the Portal Access rewriter.

Workaround:
Use an iRule to rewrite the 'style' attribute before adding HTML to the page.

Fix:
The HTML 'style' attribute is correctly rewritten for any tag.


522784-3 : After restart, system remains in the INOPERATIVE state

Component: Local Traffic Manager

Symptoms:
After restarting, it is normal for the system to remain in some state other than "Green/Active" for a few minutes while the system daemons complete their initialization.

During this time the following advanced shell command may produce one or more lines of output:

# bigstart status | grep waiting

However, if this condition persists for more than five minutes after access to the root shell via the management interface is available, then you may be experiencing this defect.

Conditions:
BIG-IP versions 11.5.x, 11.6.x or 12.0.x that have received the fix for bug 502443 but *not* 522784, may experience this issue. There are no officially supported BIG-IP releases that have this condition.

Impact:
As long as the system remains in the INOPERATIVE state, neither LTM nor ASM will function.

Workaround:
In order to work around this problem, de-provision ASM.

Fix:
Resolves a deadlock at startup, when LTM and ASM are provisioned, that may occur as a result of the fix for 502443.


522231-2 : TMM may crash when a client resets a connection

Component: WebAccelerator

Symptoms:
When a client resets a connection while AAM is preparing to serve a response from cache, TMM may crash, causing failover and a restart of AAM. A profile from another BIG-IP module (other than AAM and LTM) on the virtual server may contribute to the issue.

Conditions:
1) AAM must be provisioned.
2) A response to the requested URL must be cached and fresh.
3) The client resets the connection immediately after the request is complete and before the response has started to be served.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Install the fix.

Fix:
The fix removes the condition in which AAM starts to serve a response on a connection that is already aborting.


522147-1 : 'tmsh load sys config' fails after key conversion to FIPS using web GUI

Component: Local Traffic Manager

Symptoms:
The web GUI does not save the configuration after key conversion to FIPS.

Conditions:
On a Cavium-FIPS BIG-IP system, create a normal key and then convert it to FIPS using the web GUI.

Impact:
'tmsh load sys config' fails.

Workaround:
Two possible workarounds:
1) Run 'tmsh save sys config' after the key conversion to FIPS using the web GUI.
2) Convert the normal key to FIPS using tmsh instead of the web GUI.

Fix:
The web GUI now properly saves the configuration after key conversion to FIPS.


521835-1 : [Policy Sync] Connectivity profile with a customized logo fails

Component: Access Policy Manager

Symptoms:
Policy sync fails when the connectivity profile has a customized logo.

Conditions:
Configure a customized logo on the connectivity profile.
Associate the profile with the access profile through a virtual server.
Start a policy sync.

Impact:
Policy Sync fails.

Workaround:
Keep the default logo for connectivity profile. After syncing to target, customize directly on the devices.

Fix:
A user can include a customized logo in a connectivity profile and sync it.


521813-3 : Cluster is removed from HA group on restart

Component: Local Traffic Manager

Symptoms:
When the system is rebooted (or "bigstart restart" is executed), any HA groups with clusters in them will have those clusters removed.

Conditions:
Chassis-based system with an ha-group and ha-group-cluster configured. All blades have to reboot, since if a single blade is rebooted it pulls the running-config from the primary slot.

Impact:
HA cluster configuration is missing every time all the blades are rebooted.

Fix:
Reverted changes made for ID481611.


521774-2 : Traceroute and ICMP errors may be blocked by AFM policy

Component: Local Traffic Manager

Symptoms:
ICMP error packets for existing connections can be blocked by AFM policy. Diagnostics that use ICMP error messages, such as traceroute, may fail to display information beyond the AFM device.

Conditions:
The AFM policy has a rule to drop or reject that can match the IP header of ICMP messages going from a router IP address back to the client or server IP address that sent the original packet.

Impact:
Network diagnostics such as traceroute through an AFM device will not display information from routers between the AFM device and the destination IP address.

Workaround:
If possible and allowed, create an AFM rule matching the affected ICMP packets with an action of accept-decisively.


521773-1 : Memory leak in Portal Access

Component: Access Policy Manager

Symptoms:
Memory consumption of the "rewrite.*" processes grows constantly.
On a manually taken core file, the result of the following command is large (more than 100000):
zcat <core-file.gz> | strings -n 15 | grep "^/f5-w-" | wc -l

Conditions:
Memory leaks occur in cases where Portal Access could modify the POST request content (for example, XML).

Impact:
Rewrite processes may use all available memory on the box and then cause 'Out of memory' condition and failover.

Workaround:
This issue has no workaround at this time.

Fix:
Fixed a memory leak of request URLs in the rewrite plug-in.


521711-3 : HTTP closes connection if client sends non-keepalive request and server responds with 200 OK on One-Connect enabled virtual

Component: Local Traffic Manager

Symptoms:
If the client sends a non-keepalive CONNECT request (in HTTP 1.0 with no Connection header, in 1.1 with Connection: close) to a OneConnect-enabled virtual server, HTTP forces the connection closed by sending FIN on both client and server flows, even if the server responds with a 200. If the connect is successful, HTTP should leave flows open regardless of the HTTP headers.

Conditions:
- HTTP and OneConnect profiles are attached to the virtual server.
- Client sends a non-keepalive CONNECT request (either a 1.0 request with no Connection header, or a 1.1 request with a 'Connection: close' header).
- Server responds to the CONNECT request with successful 200 OK.

Impact:
HTTP adds a Connection: close header when responding to the client after a successful response is received from the server. In addition, HTTP closes the connection by sending FIN on both client and server flows. If the server responds to the CONNECT request with 200 OK, the connection should remain open.

Workaround:
You can use the following iRule to work around this issue:

   when HTTP_REQUEST {
      if { [HTTP::method] eq "CONNECT" } {
        HTTP::disable
      }
   }

Fix:
HTTP now keeps the connection open if client sends a non-keepalive request and server responds with 200 OK on One-Connect enabled virtual. This is correct behavior.


521556-2 : Assertion "valid pcb" in TCP4 with ICAP adaptation

Component: Service Provider

Symptoms:
TMM crashes with the assertion "valid pcb" in tcp4.c.

Conditions:
Virtual server with request-adapt or response-adapt profile.
Congested client or TCP small window (flow-control is active).
Multiple HTTP requests in a single client connection.
More likely with iRules that park.

Impact:
Intermittent crash under load.

Fix:
Assertion "valid pcb" does not occur.


521548-5 : Possible crash in SPDY

Component: Local Traffic Manager

Symptoms:
In very rare circumstances related to SPDY protocol handling together with a compression profile a crash may occur.

Conditions:
This is very rare and the exact circumstances are unclear. It involves SPDY, a compression profile, a congested client connection, and a stream being reset by the browser (using a RST_STREAM frame).

Impact:
Very rarely a crash may occur.

Workaround:
Don't apply the compression profile.

Fix:
A sporadic crash when using SPDY together with a compression profile no longer occurs.


521538-3 : Keep-alive transmissions do not resume after failover of flows on an L4 virtual, when the sequence number is known

Component: Local Traffic Manager

Symptoms:
After failover of an L4 flow that is using keep-alive, the keep-alive transmissions do not resume after traffic has flowed through the BIG-IP system.

Conditions:
Using HA mirroring of L4 connections, with keep-alive enabled on the TCP profile. After a failover, traffic flowed before the flow timed out, and then the traffic became idle. If there is no traffic after failover, the correct sequence numbers are unknown, and it is expected behavior for the flow to time out due to inactivity. If there is traffic after failover, the correct TCP sequence numbers are known; when the flow then becomes idle, keep-alive transmissions should resume.

Impact:
Flows after failover with TCP keep-alive age out and expire even if traffic is available to set the sequence numbers. Depending on the configuration options, subsequent packets may reset or transparently create a new flow (if TCP loose initiation is enabled).

Workaround:
None.

Fix:
Keep-alive transmissions now resume after failover of flows on an L4 virtual, when the sequence number is known.


521522-2 : Traceroute through BIG-IP may display destination IP address at BIG-IP hop

Component: Local Traffic Manager

Symptoms:
When performing traceroute through a BIG-IP device, the traceroute utility may display the destination IP in place of the hop where BIG-IP is located, instead of a Self IP address of the BIG-IP device at that hop.

Conditions:
No return route for the client IP address exists on the BIG-IP device.

Impact:
There is no impact to the performance of traffic through the BIG-IP device. The impact occurs only when reading and interpreting the results of a traceroute utility.

Workaround:
If possible and allowed, add route entry for the traceroute client subnet.

Fix:
Traceroute through BIG-IP now displays a Self IP address of the BIG-IP device at that hop. This is correct behavior.


521506-3 : Network Access doesn't restore loopback route on multi-homed machine

Component: Access Policy Manager

Symptoms:
Network Access on Windows does not restore the loopback route for one adapter on a multi-homed (Ethernet + Wi-Fi) machine.

Conditions:
This issue happens if:
1. Network Access was established via Ethernet.
2. The Ethernet cable was unplugged.
3. Network Access reconnects using Wi-Fi.
4. The Ethernet cable is plugged back in.

Impact:
Minor routing issues may occur because one special loopback route is removed. To restore this route, disable and re-enable the affected adapter.

Fix:
Fixed issues causing improper routing table management.


521455-5 : Images transcoded to WebP format delivered to Edge browser

Component: WebAccelerator

Symptoms:
The Microsoft Edge browser does not support, and cannot render WebP format images. The AAM image optimization framework improperly classifies the Edge browser as being capable of supporting WebP and delivers WebP-transcoded images to such clients.

Conditions:
The AAM system's image optimization and the "optimize for client" setting must both be enabled, and the associated acceleration policy and application must be associated with one or more virtual servers.

Impact:
Some images will fail to render on the Edge browser.

Workaround:
Disable the "optimize for client" attribute in the applicable policies' acceleration assembly settings.

Fix:
Transcoded WebP images are no longer served to the Edge browser.

By default, transcoded JPEG-XR is also no longer served to the Edge browser, but the db variable ccdb.allow.edge.jpegxr may be used to override this.


521408-2 : Incorrect configuration in BigTCP Virtual servers can lead to TMM core

Component: Local Traffic Manager

Symptoms:
An incorrect iRule configuration associated with a BigTCP virtual server can cause TMM to core.

Conditions:
The following circumstances are needed:
   - BigTCP virtual server.
   - FastL4 profile with syncookies enabled.
   - Invalid iRule that fails to execute on LB_FAILED.
   - SYN cookies currently active at that moment.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Correct or remove the iRule event; coring will no longer occur.

Fix:
TMM now correctly handles the specific scenario to no longer core.


521336-1 : pkcs11d initialization retry might post misleading error messages and eventually result in a pkcs11d core

Component: Local Traffic Manager

Symptoms:
The retry of pkcs11d initialization might post misleading error messages and eventually result in a pkcs11d core.

Conditions:
When pkcs11d retries initialization while waiting for other services such as tmm or mcpd.

Impact:
After the system reboots, /var/log/ltm shows initialize errors and /var/log/daemon.log shows pkcs11_initialize messages such as:
err pkcs11d[6247]: 01680002:3: Pkcs11 Initialize error
err pkcs11d[6247]: Nethsm: pkcs11_initialize C_GetSlotList error 0x00000000, number of slots 0
The "Pkcs11 Initialize error" message is misleading; pkcs11d is actually retrying.

Workaround:
Restart pkcs11d again once tmm and mcpd are both ready.

Fix:
The retry of pkcs11d initialization no longer posts misleading error messages when pkcs11d retries to wait for other services such as tmm or mcpd.


521183-3 : Upgrade from 11.2.x (or earlier) to 11.5.x/11.6.x can fail when an active DoS profile exists with 'Prevention Duration' set to a value less than 5

Component: Application Security Manager

Symptoms:
Upgrade fails with this error:
---------------------
The de-escalation period can be either zero or greater than or equal to the escalation period
---------------------

Conditions:
ASM is provisioned.
Active DoS profile exists with 'Prevention Duration' set to a value less than 5.

Impact:
Upgrade fails with this error:
---------------------
The de-escalation period can be either zero or greater than or equal to the escalation period
---------------------

Workaround:
Set the 'Prevention Duration' to at least 'Maximum 5 seconds' in all active DoS profiles.

Fix:
We fixed the upgrade process to work with active DoS profiles that have the 'Prevention Duration' setting set to a value less than 5.


521144-7 : Network failover packets on the management interface sometimes have an incorrect source-IP

Component: TMOS

Symptoms:
After reboot, network failover packets might be transmitted with an internal source address, on the 127/8 network.

Conditions:
This problem might occur if the members of a device service clustering (DSC)/high availability (HA) device group have management ports on different IP networks, so that a management-route is necessary for them to communicate.

Impact:
If there are intervening firewalls or routers that drop packets with improper/unroutable source addresses, then the members of the device group cannot communicate on this channel.

Workaround:
Remove the management-route from tmsh, and add a static route to the Linux kernel routing table. For example:

  # tmsh delete sys management-route 10.208.101.0/24
  # tmsh save sys config
  # echo "10.208.101.0/24 via 10.208.102.254 dev eth0" > /etc/sysconfig/network-scripts/route-eth0
  # reboot

Fix:
Network failover packets on the management interface now have the correct source IP when the members of a device service clustering (DSC)/high availability (HA) device group have management ports on different IP networks and a management-route is necessary for them to communicate.


521036-4 : Dynamic ARP entry may replace a static entry in non-primary TMM instances.

Component: Local Traffic Manager

Symptoms:
On very rare occasions, a dynamic ARP entry may replace a static entry in non-primary TMM instances. When the BIG-IP system attempts to send packets to an address, "tmsh show net arp" lists two entries for the address: one static, and the other with "incomplete" status.

Conditions:
The issue is due to a very rare race condition, and the BIG-IP system is configured with a static ARP entry.

Impact:
The issue may impact traffic flow if traffic goes through non-primary TMM instances.

Workaround:
There is no workaround, but the issue occurs very rarely.

Fix:
Dynamic ARP entry no longer replaces a static entry in non-primary TMM instances.


520924-3 : Restricted roles for custom monitor creation

Vulnerability Solution Article: K00265182


520796-2 : High ASCII characters availability for policy encoding

Component: Application Security Manager

Symptoms:
High ASCII characters are not available, for any policy encoding, in any of the character sets except 'Headers : Character Set'.

Conditions:
ASM is provisioned.

Impact:
High ASCII characters are not available, for any policy encoding, in any of the character sets except 'Headers : Character Set'.

Workaround:
None.

Fix:
High ASCII characters are now available, for the relevant policy encodings, in all character sets.


520705-4 : Edge client contains multiple duplicate entries in server list

Component: Access Policy Manager

Symptoms:
Edge client contains multiple duplicate entries in the server list.

Conditions:
Edge client with duplicate entries in connectivity profile.

Impact:
Edge client shows duplicate entries.

Workaround:
Do not create duplicate entries in the connectivity profile.

Fix:
BIG-IP Edge Client for Mac doesn't show duplicate entries in the servers list.

Behavior Change:
BIG-IP Edge Client for Mac no longer shows duplicate entries in the servers list.


520642-2 : Rewrite plugin should check length of Flash files and tags

Component: Access Policy Manager

Symptoms:
Portal Access Flash patcher could crash or apply incorrect modifications on some malformed Flash files.

Conditions:
This occurs when a Flash file is truncated or contains an incorrect length value in the file or tag headers.

Impact:
It may cause a crash and restart of Portal Access services.

Fix:
Rewrite plugin now correctly processes Adobe Flash files with invalid length in file or tag header.


520640-1 : The iControl Management.Zone.get_zone() method can return zone options in a format inconsistent for use with the Management.Zone.set_zone_option() method.

Component: TMOS

Symptoms:
Using the string returned in the options_seq field by the iControl Management.Zone.get_zone method in the Management.Zone.set_zone_option method can result in an 'Invalid zone option syntax...' error.

Conditions:
Use of the string returned by the iControl Management.Zone.get_zone method in the Management.Zone.set_zone_option() method.

Impact:
Strings returned in the options_seq field by the iControl Management.Zone.get_zone method cannot be used in the Management.Zone.set_zone_option() method unless they are reformatted consistent with the format expected by the Management.Zone.set_zone_option() method.

Workaround:
Use the GUI to set the zone options. Alternatively, modify the strings returned in the options_seq field by the iControl Management.Zone.get_zone method to a format consistent with those expected by the Management.Zone.set_zone_option() method. For example, modify options_seq to have each option as a single string (rather than the masters string, which is returned as 3 separate options strings).

Fix:
The iControl Management.Zone.get_zone_v2() method returns a value in the options_seq field in a format that is consistent with the format expected by the Management.Zone.set_zone_option() method.


520585-1 : Changing Security Policy Application Language Is Not Validated or Propagated Properly

Component: Application Security Manager

Symptoms:
After changing the Application Language for a Security Policy and pushing the changes over a manual sync device group, the device group's status immediately returns to "Changes Pending".

Additionally, calls through the REST interface erroneously allowed a client to change the language for a policy where it was already set.

Conditions:
A Security Policy was set to "Auto-Detect" the Application Language, and then set to a specific encoding.
Or, an application language is already set and is changed through the REST API.

The issue is seen most prominently in a device group when ASM sync is enabled on a Manual Sync Failover Group.

Impact:
1) The change to encoding is not seen if looking at the result in tmsh.

2) In a manual sync group, after the change has been pushed to its peers, the change is correctly written to the MCP configuration when it is loaded. This appears as a new pending change from the peer device, and the device group appears out of sync again.

Workaround:
Push another sync from the peer to the original device.

Fix:
Changes to Language encoding are now validated and propagated correctly.


520540-2 : Specific iRule commands may generate a core file

Component: Local Traffic Manager

Symptoms:
Accessing the information within an HTTP Authorization header via the HTTP::username or HTTP::password commands (or another method) may cause TMM to generate a core file on some requests.

Conditions:
An iRule that uses the HTTP::username or HTTP::password commands, or the sflow feature.

Impact:
Traffic disrupted while TMM generates a core file.

Workaround:
Modify iRule to manually truncate the size of the HTTP Authorization header.

Fix:
HTTP::username, HTTP::password iRule commands, and the sflow feature no longer generate a core file.


520466-3 : Ability to edit iCall scripts is removed from resource administrator role

Vulnerability Solution Article: K16728


520413-12 : Aberrant behavior with woodside TCP congestion control

Component: Local Traffic Manager

Symptoms:
Potential tmm core.

Conditions:
Woodside congestion control along with multiple profile options enabled and certain traffic may cause an issue where tmm may core.

Impact:
With Woodside and the other necessary options enabled, TMM may core. Running without Woodside, or without the other necessary options, avoids the core but has negative performance implications and might trigger other unexpected behaviors.

Workaround:
Switching from woodside to illinois congestion control avoids issue.

Fix:
Woodside congestion control along with multiple profile options enabled and certain traffic no longer causes an issue where tmm may core.


520408-1 : TMM ASSERTs due to subkey_record field corruption in the SessionDB.

Component: TMOS

Symptoms:
TMM ASSERTs on 'Subkey is a subkey' in the SessionDB when releasing a record.

Conditions:
This is a rarely encountered issue that might require SAML traffic.

Impact:
TMM ASSERTS, and the system stops passing traffic.

Workaround:
None.


520405-2 : tmm restart due to oversubscribed DNS resolver

Component: Local Traffic Manager

Symptoms:
A max-concurrent-queries configuration setting significantly above default can lead to a situation that causes tmm to restart in certain traffic loads.

Conditions:
DNS cache resolver configured with max-concurrent-queries setting significantly above default.

Impact:
tmm is restarted.

Workaround:
Set the max-concurrent-queries configuration value closer to default.

Fix:
A max-concurrent-queries configuration setting significantly above default no longer leads to a situation that causes tmm to restart in certain traffic loads.


520390-2 : Reuse existing option is ignored for smtp servers

Component: Access Policy Manager

Symptoms:
If a policy is imported with the 'reuse existing objects' option and an appropriate SMTP server already exists, the newly imported policy creates and uses a new one instead of reusing the existing one.

Conditions:
Always

Impact:
Minor; easy to fix after import.

Workaround:
Open the assignment and reuse the existing SMTP server, then delete the old one.

Fix:
Reuse existing option works properly for SMTP servers.


520380-4 : save-on-auto-sync can spawn multiple invocations of tmsh, starving system of memory

Component: TMOS

Symptoms:
Unit demonstrates behaviors consistent with out-of-memory condition. 'top' and 'ps' may show multiple tmsh processes waiting to run.

Conditions:
Enable auto-sync and save-on-auto-sync.

Impact:
Low memory condition may result in system instability.

Workaround:
None.

Fix:
Enabling auto-sync and save-on-auto-sync no longer causes an out-of-memory condition.


520298-1 : Java applet does not work

Component: Access Policy Manager

Symptoms:
Web applications may work incorrectly through Portal Access if they use Java applets.

Conditions:
The website uses a Java applet that is loaded with the deprecated <applet> HTML tag.

Impact:
Websites can't use Java applets.

Fix:
Java applets now work correctly through Portal Access.


520280-2 : Perl Core After Apply Policy Action

Component: Application Security Manager

Symptoms:
Apply Policy causes a Perl core.
Further Apply Policy actions do not work.

Conditions:
ASM provisioned.
LTM provisioned.
An ASM policy exists that is referenced by an LTM (L7) policy which is not assigned to any LTM virtual server.

Impact:
Apply Policy causes a Perl core and an ASM config event dispatcher crash.
The ASM config event dispatcher is then not restarted and remains down.
Further Apply Policy actions do not work.

Workaround:
Make sure that if an ASM policy is referenced by an LTM (L7) policy, that LTM (L7) policy is assigned to some LTM virtual server.
A dummy LTM virtual server can be created for that purpose.

Fix:
Perl no longer cores and crashes the ASM config event dispatcher when Apply Policy is run on an ASM policy that is referenced by an LTM (L7) policy not assigned to any LTM virtual server.


520205-2 : Rewrite plugin could crash on malformed ActionScript 3 block in Flash file

Component: Access Policy Manager

Symptoms:
The rewrite plugin crashes. The following log message is in the log:
../fm_patchers/abc/abcScanner.cpp:70: void abc::abcScanner::has(size_t): Assertion `GetRemaining() >= (ssize_t)l' failed.

Conditions:
The input file is truncated or contains invalid bytecode instructions at the end of a doabc/doabcdefine tag.

Impact:
Portal Access services restart.

Fix:
Rewrite plugin no longer crashes on truncated or malformed Adobe Flash files with incorrect ActionScript 3 method body blocks.


520145-2 : [Policy Sync] OutOfMemoryError exception when syncing big and complex APM policy

Component: Access Policy Manager

Symptoms:
Policy sync fails with out-of-memory error on target device with big and complex policy.

Conditions:
A large profile, for example one that makes excessive use of ACL resources.

Impact:
Policy Sync fails.

Fix:
APM allows a user to sync a large and complex policy.


520118-3 : Duplicate server entries in Server List.

Component: Access Policy Manager

Symptoms:
There are multiple entries in the server list, possibly with different connection strings.

Conditions:
Client ends up with duplicate entries in the server list if it connects to different virtual servers that have the same aliases in the connectivity profile.

Impact:
Duplicate server entries in Server List.

Workaround:
Avoid duplicate aliases across connectivity profiles on servers that client connects to.

Fix:
The server list now contains a single entry.


520088-1 : Citrix HTML5 Receiver does not properly display initial tour and icons

Component: Access Policy Manager

Symptoms:
When trying to connect with Citrix HTML5 Receiver, the initial tour screen does not display properly.

Conditions:
APM is configured for Citrix replacement mode and Citrix HTML5 Receiver client 1.4-1.6 is used.

Impact:
Issues with GUI user experience. User is presented with an improperly formatted page without icons.

Workaround:
1. Open /config/bigip.conf for edit.
2. Replace 'content-type text/plain' with 'content-type text/css' in HTML5Client(.*).css sections.
3. Replace 'content-type text/plain' with 'content-type text/javascript' in HTML5Client(.*).js sections.
4. Save the file.
5. From the console, type the following command: tmsh load sys config.

Fix:
Now APM correctly sets content type of CSS and JavaScript files when configuring Citrix HTML5 client bundle.


519966-1 : APM "Session Variables" report shows user passwords in plain text

Component: Access Policy Manager

Symptoms:
APM Session Variables report shows user passwords in plain text.

Conditions:
A password session variable exists.

Impact:
It is not safe to show users' passwords in plain text.

Fix:
APM Session Variables report masks user passwords, displaying ************ instead.


519877-3 : External pluggable module interfaces not disabled correctly.

Component: TMOS

Symptoms:
External pluggable module interface may show link UP status, when administratively disabled.

Conditions:
Disable any external pluggable module interface that is connected to an enabled peer interface.

Impact:
Disabled external pluggable module interface may link UP and potentially pass traffic.

Fix:
Software fix prevents disabled external pluggable module interface from being re-enabled, as a result of periodic linkscan operations.


519864-2 : Memory leak on L7 Dynamic ACL

Component: Access Policy Manager

Symptoms:
There is a memory leak in Dynamic ACL for HTTP-related configuration in ACL entries, such as the HTTP host name and the HTTP URI path. The leak occurs for every session, as these entries are generated on a per-session basis.

Conditions:
This occurs when using L7 Dynamic Access Control Lists.

Impact:
TMM memory usage increases.

Workaround:
Use static ACL whenever possible.

Fix:
L7 Dynamic ACL is no longer leaking memory.


519746-2 : ICMP errors may reset FastL4 connections unexpectedly

Component: Local Traffic Manager

Symptoms:
FastL4 connections may be reset when an ICMP packet is received.

Conditions:
An ICMP packet with an embedded TCP packet is received on an ePVA accelerated flow.

Impact:
The connection is reset.

Fix:
TCP sequence numbers embedded in an ICMP packet are no longer validated on ePVA accelerated flows.


519510-4 : Throughput drop and rxbadsum stat increase in tagged VLAN with LRO/GRO on BIG-IP VE running on ESX platforms with particular network hardware

Component: TMOS

Symptoms:
TCP throughput might be severely impacted for traffic traversing a tagged VLAN and BCM57800/BCM57810 NIC on BIG-IP VEs.

The 'rxbadsum' counts increase as received LRO'd traffic is ignored by TMM.

Conditions:
1. Traffic traverses a tagged VLAN.

2. This issue might be related to systems using Broadcom BCM57800 or BCM57810 NICs. However, in general the required condition is that packets with a VLAN header are received by the uNIC driver.

Impact:
Potential throughput drop during a high volume of data transfer.

Workaround:
You can use either of the following workarounds:

1. Avoid using tagged VLANs.

2. Run the following commands on the ESX hypervisor to disable LRO/GRO system-wide, followed by a reboot.

-- esxcli system settings advanced set -o /Net/Vmxnet2HwLRO -i 0
-- esxcli system settings advanced set -o /Net/Vmxnet3HwLRO -i 0
-- esxcli system settings advanced set -o /Net/Vmxnet2SwLRO -i 0
-- esxcli system settings advanced set -o /Net/Vmxnet3SwLRO -i 0
-- esxcli system settings advanced set -o /Net/VmxnetSwLROSL -i 0

Fix:
The change in L4 packet header offset resulting from VLAN header insertion is now accounted for when verifying the checksum.


519415-4 : APM Network Access tunnel ephemeral listeners ignore iRules (related-rules from main virtual)

Component: Access Policy Manager

Symptoms:
If you want to change timeout values for server-side initiated flows inside Network Access tunnels, ephemeral listeners ignore iRules.
There is a workaround for this through tmsh (not the UI): attach iRules (related-rules) to the main virtual server so that they run on the ephemeral listeners. (These ephemeral listeners are created by Network Access tunnels for lease-pool IPs.) The command for this is, for example:
 tmsh modify ltm virtual vs_dtls related-rules { idle_time }

The problem was that APM Network Access ignored the related-rules on the main virtual server, so the rules were not triggered.

Conditions:
APM Network access use case.

Impact:
Related rules on the main virtual server are not applied to ephemeral listeners (these ephemeral listeners are created by Network Access tunnels for lease-pool IPs).

Workaround:
None.

Fix:
iRules get executed on Ephemeral listeners.


519252-1 : SIP statistics upgrade

Component: Advanced Firewall Manager

Symptoms:
SIP data is lost when upgrading.

Conditions:
Collect SIP data.
Upgrade to a newer version (from 11.5.0 to 12.0.0 or beyond).

Impact:
SIP data is lost.

Fix:
After upgrading from version 11.5.3 and later, collected SIP statistics are now moved to the new version.


519217-2 : tmm crash: valid proxy

Component: Local Traffic Manager

Symptoms:
tmm might crash in extremely rare circumstances when a virtual server is used during an update. Standard process is for virtual servers to be unavailable until the configuration update is complete; there are extremely rare circumstances when it is possible for a connection to use a virtual server before it is ready.

Conditions:
This requires that traffic is running during a configuration update, including a config sync from an HA peer. There must be a virtual server or configuration that uses a second virtual server while traffic is running: these include vip-on-vip using iRules and WAM prefetch, but might include other internal conditions.

Impact:
Traffic disruption, possible failover to another device if HA is configured. If using keepalive or other means to keep the connection alive, then a long amount of time might pass between the creation of the invalid flow and any impact from the error.

Workaround:
None.

Fix:
If a virtual server is used during an update (that is, before the virtual server is ready), an error message is now posted to tmm log files, and a small amount of memory is used each time this message is logged.


519216-3 : Abnormally high CPU utilization from external SSL/OpenSSL monitors

Component: TMOS

Symptoms:
The BIG-IP system may experience high CPU utilization when SSL/OpenSSL monitors are used to obtain availability status for 30 or more pool members.

Conditions:
External SSL monitors using OpenSSL. This includes but is not limited to EAV, ldap, sip, soap, firepass, snmpdca, real-server, wmi, virtual-location.

Built-in monitors are not affected, e.g., https, inband.

Impact:
High CPU utilization reported with potential performance degradation.

Workaround:
To work around this issue, you can use a different type of monitor to obtain pool member availability status.

Impact of workaround: Performing the recommended workaround should not have a negative impact on your system.

Fix:
The CPU utilization is reduced when SSL/OpenSSL monitors are used to obtain availability status for 30 or more pool members.


519198-2 : [Policy Sync] UI General Exception Error when sync a policy in non-default partition as non-default admin user

Component: Access Policy Manager

Symptoms:
Failed to sync a policy in non-Common partition as a non-default admin user.

Conditions:
Log in as an admin user other than the default "admin".
Sync a policy that was created in a non-Common partition.

Impact:
Policy Sync fails.

Workaround:
Log in as default "admin" user.

Fix:
APM allows a user to log in as any admin user to sync policy in any partition.


519081-6 : Cannot use tmsh to load valid configuration created using the GUI.

Component: TMOS

Symptoms:
Cannot use tmsh to load a valid configuration created using the GUI.

Conditions:
This occurs with the following configuration:
1) Configure a server with :* members.
2) Configure a member-specific gateway-icmp monitor for the :* member.
3) Assign any L4/7 monitor at the server level (http/tcp, etc., with the default '*:*' destination in the monitor).

Impact:
Although the configuration is valid, it fails to load with error: err iqsyncer[16456]: 011ae104:3: Gtm config sync result from local mcpd: result { result_code 17237538 result_message '01070622:3: The monitor /Common/my-tcp-half has a wildcard destination service and cannot be associated with a node that has a zero service.' }

Workaround:
Remove the parent TCP monitor.

Fix:
The server configuration of :* members now loads without error using tmsh.


519068-2 : device trust setup can require restart of devmgmtd

Component: TMOS

Symptoms:
Depending on the order of operations, the device trust might enter a state in which the device trust connections between devices are continuously reset and messages about self-signed certificates are logged.

Conditions:
This occurs when devices are being added to and deleted from the device trust.

Impact:
This prevents devices from being able to communicate with each other. The device trust goes to Disconnected and cannot synchronize.

Workaround:
A restart of the devmgmtd daemon clears any stale cached information that it has. However, the administrator may still need to reset the device trust (remove devices from the trust and re-add them).

Fix:
The system now correctly resets device trust when devices are being added to and deleted from the device trust.


519059-2 : [PA] - Failing to properly patch webapp link, link not working

Component: Access Policy Manager

Symptoms:
Any attribute URL in HTML content is rewritten as "javascript:location=..." if a <base> tag is situated before the tag with the attribute, a content hint is not set in the HTML rules for the attribute, and cookieless mode is not in use.

Conditions:
Webapp link is not properly patched.

Impact:
Rewritten links are not accessible.

Fix:
WebApp links are now properly rewritten.


519053-4 : Request is forwarded truncated to the server after answering challenge on a big request

Component: Application Security Manager

Symptoms:
Large requests (over 5K) arrive at the server truncated when web scraping bot detection is enabled, or when a brute force/session opening attack is ongoing with client-side mitigation.

Conditions:
The request size is between 5k-10k.
Web scraping bot detection is turned on, or a brute force/session opening attack is ongoing with client-side mitigation.

Impact:
The client-side challenge mechanism truncates the request forwarded to the server. Only the first 5K of the request arrives at the server.

Workaround:
Change the internal parameter size max_raw_request_len to 10000.

Fix:
The system's client-side challenge mechanism no longer truncates large requests (those over 5K) forwarded to the server.


519022-1 : Upgrade process fails to convert ASM predefined scheduled-reports.

Component: Application Visibility and Reporting

Symptoms:
Upgrades from versions prior to 11.5 fail if a scheduled report uses the predefined settings named 'Top alerted and blocked policies'.

Conditions:
There is a scheduled report that uses the predefined settings named 'Top alerted and blocked policies'. It can be triggered on upgrade to versions prior to 11.5.4, 11.6.1, and 12.0.0.

Impact:
Upgrade process fails.

Workaround:
None.

Fix:
A scheduled report using the predefined settings named 'Top alerted and blocked policies' no longer causes upgrades from versions prior to 11.5 to fail. The upgrade process now renames the predefined report-type to the correct one, so the upgrade no longer fails.


518981-1 : RADIUS accounting STOP message may not include long class attributes

Component: Access Policy Manager

Symptoms:
The class attribute should be sent back to RADIUS server unmodified.
However, if the RADIUS server is configured to send lots of long class attributes, the BIG-IP system might drop them when sending accounting stop message.

Conditions:
The BIG-IP system is configured with an Access Policy that contains a RADIUS Acct agent. The RADIUS server is configured to send class attributes with a total size greater than 512 bytes.

Impact:
RADIUS Accounting server doesn't receive STOP message when user session is over.

Fix:
Previously, the BIG-IP system would not send an accounting stop message if class attributes were more than 512 bytes total size. Now, BIG-IP system sends the accounting stop message, but does not include class attributes.


518583-3 : Network Access on disconnect restores redundant default route after looped network roaming for Windows clients

Component: Access Policy Manager

Symptoms:
Windows Network Access restores a redundant default route if the client roams between networks in a loop, e.g.:
NetworkA -> NetworkB -> NetworkA.

Conditions:
* Connect NIC to NetworkA
* Connect to VPN
* Roam to another wifi network SSID (NetworkB)
* Roam back to the original wifi SSID in step #1 (NetworkA)

Impact:
An incorrect default route may cause routing issues on the client machine if the metric of interfaces connected to NetworkB is lower than the metric of interfaces connected to NetworkA.

Workaround:
N/A

Fix:
Fixed issue causing redundant default route under described conditions.


518550-5 : Incorrect value of form action attribute inside 'onsubmit' event handler in some cases

Component: Access Policy Manager

Symptoms:
Incorrect value of 'action' form attribute may be used inside 'onsubmit' event handlers if original 'action' is an absolute path.

Conditions:
HTML form with absolute path in 'action' attribute;
'onsubmit' event handler for this form.

Impact:
Web application may work incorrectly.

Workaround:
There is no general workaround, but if the 'action' value can be converted to a relative path or to a full URL (with host), this can be done using an iRule.

Fix:
Now value of form 'action' attribute is correct inside event handlers.


518283-4 : Cookie rewrite mangles 'Set-Cookie' headers

Component: TMOS

Symptoms:
'Set-Cookie' headers are syntactically invalid.

Conditions:
A rewrite profile is in use, and the 'Set-Cookie' header has the 'Expires' attribute before the 'Path' attribute.

Impact:
'Set-Cookie' headers in the client side become syntactically invalid (two 'Path' values that can be contradictory, plus a broken 'Expires' string).

Workaround:
Put the 'Path' attribute before 'Expires' attribute.

Fix:
The 'Expires' attribute is now properly parsed.
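As an added illustration of why attribute order matters here (example code written for this page, not the APM rewrite profile's implementation; the sample headers are constructed), the following rewriter splits a Set-Cookie value on ';' only, so a Path rewrite leaves an Expires value that precedes it intact, and a small check detects the mangled form described above:

```python
"""Order-independent Set-Cookie path rewrite (added example written for this
page; not F5 code and not the APM rewrite profile's implementation).

An 'Expires' value contains a comma and spaces ("Wed, 21 Oct 2015 07:28:00
GMT"), so a rewriter that splits on ',' or ' ', or that assumes 'Path' comes
first, produces exactly the mangled header described above.  Splitting on ';'
only and treating each attribute as a unit makes attribute order irrelevant.
"""
from email.utils import parsedate_to_datetime
from typing import List, Tuple

Attr = Tuple[str, str]  # (name, value); value is '' for flags such as Secure


def parse_set_cookie(header: str) -> Tuple[str, List[Attr]]:
    """Split a Set-Cookie value into its name=value pair and attribute list."""
    parts = [p.strip() for p in header.split(";")]
    pair, attrs = parts[0], []
    for part in parts[1:]:
        if not part:
            continue
        name, sep, value = part.partition("=")
        attrs.append((name.strip(), value.strip() if sep else ""))
    return pair, attrs


def rewrite_path(header: str, old_prefix: str, new_prefix: str) -> str:
    """Rewrite the Path attribute by prefix wherever it appears, keeping every
    other attribute (Expires included) intact and in its original order."""
    pair, attrs = parse_set_cookie(header)
    out = [pair]
    for name, value in attrs:
        if name.lower() == "path" and value.startswith(old_prefix):
            value = new_prefix + value[len(old_prefix):]
        out.append(f"{name}={value}" if value else name)
    return "; ".join(out)


def is_well_formed(header: str) -> bool:
    """Detect the symptom from the page: more than one Path attribute, or an
    Expires value that no longer parses as an HTTP date."""
    _, attrs = parse_set_cookie(header)
    if sum(1 for name, _ in attrs if name.lower() == "path") > 1:
        return False
    for name, value in attrs:
        if name.lower() == "expires":
            try:
                parsedate_to_datetime(value)
            except (TypeError, ValueError):  # older Pythons raise TypeError
                return False
    return True


# Constructed sample header (not captured traffic): Expires precedes Path,
# the ordering that triggered the bug.
ORIGINAL = "session=abc123; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Path=/app; HttpOnly"
# Constructed illustration of a mangled result: Expires split at its comma,
# leaving a broken date and a second, contradictory Path.
MANGLED = "session=abc123; Expires=Wed; Path=/portal/app, 21 Oct 2015 07:28:00 GMT; Path=/app"


if __name__ == "__main__":
    print(rewrite_path(ORIGINAL, "/app", "/portal/app"))
    print("original well-formed:", is_well_formed(ORIGINAL))
    print("mangled well-formed: ", is_well_formed(MANGLED))
```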


518275-3 : The BIG-IP system may stop the normal processing of SSL traffic and dump a TMM core file

Vulnerability Solution Article: K48042976


518260-4 : Missing NTLMSSP_TARGET_INFO flag on NTLMSSP_CHALLENGE message

Component: Access Policy Manager

Symptoms:
The NTLMSSP_TARGET_INFO flag is not set on the NTLMSSP_CHALLENGE message generated by ECA, although the Target Info attribute itself is included. Certain NTLM clients may ignore the Target Info attribute because of this, and fall back to NTLMv1 authentication. With the ActiveDirectory default configuration this is not an issue. However, if you specifically required NTLMv2 in your policy, authentication never succeeds due to the protocol mismatch.

Conditions:
This occurs when NTLMv2 is set to required and NTLMv1 is denied in your ActiveDirectory policy.

Impact:
Users cannot authenticate.

Fix:
NTLM client that depends on NTLMSSP_TARGET_INFO flag can complete NTLM authentication using NTLMv2 protocol.


518086-1 : Safenet HSM Traffic failure after system reboot/switchover

Component: Local Traffic Manager

Symptoms:
SafeNet hardware security module (HSM) Traffic failure after system reboot/switchover.

Conditions:
Restart of services on primary or secondary blade.

Impact:
Traffic fails. There is no pkcs11 connection on the new primary blade.

Workaround:
The workaround is to restart pkcs11d on the secondary blade.

Fix:
The system now waits until MCPD is fully loaded before attempting SafeNet hardware security module (HSM) communication.


518039-2 : BIG-IQ iApp statistics corrected for partition use cases

Component: TMOS

Symptoms:
When the f5.http iApp is deployed in a partition, the icall script fails to get stats because it assumes the application is in /Common.

Conditions:
iApps are running in an administrative partition.

Impact:
BIG-IQ customers fail to get statistics from iApps running on BIG-IP.

Fix:
Certain iApps deployed by BIG-IQ now provide statistics.


518020-10 : Improved handling of certain HTTP types.

Component: Local Traffic Manager

Symptoms:
An improperly formatted HTTP request passing through BIG-IP may cause the connection to hang and eventually time out.

Conditions:
If the HTTP version token in the request is improperly crafted, BIG-IP treats the request as HTTP 0.9. Hence any data after the first CRLF is held back by BIG-IP due to pipeline handling, and is not passed to the backend server.

If the backend server is Apache or IIS, this improperly crafted HTTP request line causes the request to be treated as HTTP 1.1, and both servers wait for the Host header and CRLFs. Since no data is forthcoming, the connection hangs and the backend servers time out the connection a few seconds later.

F5 Networks would like to acknowledge Eitan Caspi, Security Researcher of Liacom Systems, Israel for bringing this to our attention.

Impact:
This has the potential to exhaust the number of connections at the backend.

Workaround:
Mitigations:
1) An iRule that drops the connection after a specified amount of idle time.
2) An iRule that validates the request line and fixes it.
3) Tuning of profile timeouts.
4) ASM prevents this issue.

Fix:
This release has improved handling of certain HTTP types, so that an HTTP request with a version token that is not properly crafted is no longer treated as HTTP 0.9. This has the effect of all of the request data being forwarded to the backend.
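As an added, defensive illustration of the request-line handling described above (example code written for this page, not F5's parser or an iRule; the sample requests are constructed), the following strict check flags a malformed HTTP-version token instead of silently downgrading the request to HTTP/0.9, and counts the bytes that a 0.9-style parse would strand behind the first CRLF:

```python
"""Strict HTTP request-line check (added example written for this page; it is
not F5 code and does not reproduce BIG-IP's parser).

A lenient parser that cannot recognise the version token falls back to
HTTP/0.9 and withholds everything after the first CRLF, while a backend
such as Apache or IIS treats the same line as HTTP/1.1 and waits for the
Host header: both sides wait and the connection idles out.  The grammar
below is RFC 7230 section 3.1.1:

    request-line = method SP request-target SP HTTP-version CRLF
    HTTP-version = "HTTP/" DIGIT "." DIGIT
"""
import re
from typing import Dict, Tuple

# token characters permitted in a method name (RFC 7230 "tchar")
METHOD_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# the only version syntax HTTP/1.x allows: one digit each side of the dot
VERSION_RE = re.compile(rb"^HTTP/[0-9]\.[0-9]$")


def classify_request_line(line: bytes) -> str:
    """Classify one request line.

    Returns:
      'http1x'      - method SP target SP HTTP/<d>.<d>; a full HTTP/1.x request
      'http09'      - two-token simple request ("GET /path"), the only form
                      HTTP/0.9 defines; it has no headers and no body
      'bad-version' - three tokens but the third is not HTTP/<d>.<d>; the shape
                      that must NOT be silently downgraded to HTTP/0.9
      'malformed'   - anything else (bad method token, wrong token count)
    """
    line = line.rstrip(b"\r\n")
    parts = line.split(b" ")
    if len(parts) == 2:
        method, target = parts
        return "http09" if method == b"GET" and target else "malformed"
    if len(parts) != 3:
        return "malformed"
    method, target, version = parts
    if not METHOD_RE.match(method) or not target:
        return "malformed"
    if not VERSION_RE.match(version):
        return "bad-version"
    return "http1x"


def stranded_bytes(raw: bytes) -> Tuple[str, int]:
    """Classify the first line of a raw request and count the bytes after it.

    A result of ('bad-version', n > 0) is the hang scenario from the page: a
    0.9-style parse would hold those n bytes back from the server while the
    server is waiting for exactly that data.
    """
    head, sep, rest = raw.partition(b"\r\n")
    if not sep:
        head, sep, rest = raw.partition(b"\n")
    return classify_request_line(head), len(rest)


# Constructed sample requests (not captured traffic).
SAMPLES: Dict[str, bytes] = {
    "normal":      b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "true-0.9":    b"GET /index.html\r\n",
    "bad-version": b"GET /index.html HTTP/1.1x\r\nHost: example.test\r\n\r\n",
    "two-digit":   b"GET /index.html HTTP/11\r\nHost: example.test\r\n\r\n",
    "double-sp":   b"GET  /index.html HTTP/1.1\r\n",
}


def classify_samples() -> Dict[str, Tuple[str, int]]:
    """Run every constructed sample through stranded_bytes()."""
    return {name: stranded_bytes(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (kind, pending) in classify_samples().items():
        flag = "  <-- would hang a lenient proxy" if kind == "bad-version" and pending else ""
        print(f"{name:12s} {kind:12s} bytes after request line: {pending}{flag}")
```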


517988-1 : TMM may crash if access profile is updated while connections are active

Component: Access Policy Manager

Symptoms:
The BIG-IP system has a virtual server with an access profile. There is live traffic using that virtual. If the access profile is updated, enforcement of certain behaviors on the live traffic may end up accessing stale profile data, and result in a crash.

Conditions:
If an access profile is attached to a virtual server, and the profile is updated while the virtual has active connections.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
(These are untested...)

Without HA, (1) disable virtuals using access profile, (2) delete any active connections on the virtuals, (3) update access profile, and, (4) enable virtuals.

With HA, (1) update access profile on standby, (2) failover to the standby, and (3) sync the configuration.

Fix:
Upon access profile update, cleanup of the previous profile data is deferred until there are no active connections referencing it.


517872-2 : Include proxy hostname in logs in case of name resolution failure

Component: Access Policy Manager

Symptoms:
It is hard to troubleshoot cases in which proxy name resolution fails.

Conditions:
Troubleshooting is required in the proxy name resolution area.

Impact:
The network engineer has problems identifying the root cause.

Fix:
The proxy hostname is now printed to the log file when resolution fails.


517790-11 : When non-HTTP traffic causes the server-side to receive unexpected data, the connection will be dropped

Component: Local Traffic Manager

Symptoms:
Non-HTTP traffic can have the server-side send data outside the usual request-response pairing. (Either before a request, or extra data after a response is complete.)

If so, HTTP will reject the connection as the server state is now unknown. However, if HTTP is acting as a Transparent proxy, switching to pass-through mode and disabling HTTP may be a better course of action.

Conditions:
Non-HTTP data sent to the server-side not belonging to a response.

Impact:
Banner protocols, in which the server responds before seeing any data, do not pass through the Transparent HTTP proxy.

Non-HTTP protocols that start with a pseudo-HTTP response followed by extra data cause the connection to be rejected when the extra data is seen.

Workaround:
It may be possible to use HTTP::disable to disable the HTTP filter when some signature of the non-HTTP protocol is seen.

Fix:
The transparent HTTP profile's passthrough-pipeline option now allows unexpected server-side ingress to switch the Transparent HTTP proxy into pass-through mode.


517714-2 : logd core near end of its life cycle

Component: TMOS

Symptoms:
logd can core on shutdown.

Conditions:
Forcing shutdown of logd.

Impact:
logd does not shut down gracefully.

Workaround:
N/A

Fix:
This is seen when forcing shutdown of logd only.


517613-2 : ClientSSL profile might have the wrong key/certificate/chain when created with a specific set of steps

Component: Local Traffic Manager

Symptoms:
ClientSSL profile might have the wrong key/certificate/chain when created with a specific set of steps.

Conditions:
Create a ClientSSL profile (p1) with user-defined key/certificate/chain.
Create another clientSSL profile (p2) with all default fields.
Modify p2 to have the defaults from p1.

Impact:
GUI shows the right key/certificate/chain in p2, whereas tmsh shows p2 to have default key and certificate.

Workaround:
None.

Fix:
ClientSSL profile now has the correct key/certificate/chain when multiple profiles are created with differing key/certificate/chain values.


517590-1 : Pool member not turning 'blue' when monitor removed from pool

Component: Local Traffic Manager

Symptoms:
Pool member's status does not update when a monitor is removed from the pool.

Conditions:
Must have a pool configured with a monitor and pool members.

Impact:
Traffic may be routed incorrectly.

Workaround:
One may be able to update the pool member status by toggling the pool member's state down and then up again.

Fix:
The pool member's status updates when the pool's monitor is removed.


517582-5 : [GUI] [GTM] Cannot delete Region if attempting to delete another region referenced by a record.

Component: Global Traffic Manager

Symptoms:
Cannot delete a region even though it is not referenced by any record.

Conditions:
This occurs after a failed attempt to delete a region that is referenced by a record.

Impact:
Hard to manage topology regions.

Workaround:
Restart mcpd.

Fix:
Can now delete regions after failed deletion.


517580-2 : OPT-0015 on 10000-series appliance may cause bcm56xxd restarts

Component: TMOS

Symptoms:
Changing configuration (enable/disable/auto-negotiation) on copper SFPs on 10000-series appliance might cause an internal bus to hang. Symptoms are bcm56xxd process restarts, and the interfaces may show as unknown.

Conditions:
Only copper SFPs OPT-0015 on 10000-series appliances exhibit this problem.

Impact:
The bcm56xxd process restarts, and the interfaces may show as unknown.

Workaround:
To work around this issue, follow these steps:
1) Force the system offline.
2) Reboot the system.
3) Release the system's offline status.

Fix:
The bcm56xxd daemon detects a bus problem and resets the bus to recover communications with SFP transceivers.


517564-2 : APM cannot get groups from an LDAP server, when LDAP server is configured to use non-default port

Component: Access Policy Manager

Symptoms:
Starting from BIG-IP APM 11.6.0, there is a new feature called the LDAP Group Resource Assign agent. The agent relies on a group list that is retrieved on the AAA > LDAP Server > Groups configuration page.
AAA LDAP Server fails to update the group list when the backend LDAP server is configured to use a port other than 389 (the default port).

Conditions:
Backend LDAP server is configured to use a non-default port (a port other than 389).
LDAP Group Resource Assign agent is added to an Access Policy.

Impact:
It is impossible to update group list from LDAP server.
LDAP Group Resource Assign agent does not provide a list of LDAP groups for easy configuration.

Fix:
LDAP groups can now be retrieved from an LDAP server that uses a non-default port (a port other than 389).


517556-2 : DNSSEC unsigned referral response is improperly formatted

Component: Local Traffic Manager

Symptoms:
When DNSSEC signs an unsigned referral response, the contained NSEC3 resource record has an empty type bitmap. Type bitmap should contain an NS type.

Conditions:
DNSSEC is processing an unsigned referral response from a DNS server.

Impact:
DNSSEC referral response is not RFC compliant.

Workaround:
None.

Fix:
The NS type is now added to the NSEC3 type bitmap, so that the DNSSEC-signed unsigned referral response is properly formatted.
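The check a resolver or validator would apply to the referral described above, as an added example that is not F5's code: it decodes the Type Bit Maps field of an NSEC3 record (RFC 5155 section 3.2, bitmap encoding from RFC 4034 section 4.1.2) and reports whether the NS type is present. The sample NSEC3 RDATA is constructed here (SHA-1, 10 iterations, empty salt, all-zero next hash) and is not taken from the release notes.

```python
"""Decode an NSEC3 Type Bit Maps field and check that a delegation's NSEC3
lists the NS type, the defect described in 517556-2 (added example)."""
import struct

TYPE_A, TYPE_NS, TYPE_MX, TYPE_RRSIG, TYPE_NSEC = 1, 2, 15, 46, 47


def encode_type_bitmap(types):
    """Build the RFC 4034 window-block encoding for a set of RR type codes."""
    windows = {}
    for t in sorted(set(types)):
        if not 0 <= t <= 0xFFFF:
            raise ValueError("RR type out of range: %d" % t)
        win, low = t >> 8, t & 0xFF
        bitmap = windows.setdefault(win, bytearray(32))
        bitmap[low // 8] |= 0x80 >> (low % 8)   # network bit order: bit 0 is MSB
    out = bytearray()
    for win in sorted(windows):
        # trailing zero octets are not transmitted; a window with no
        # types set is omitted entirely
        length = len(windows[win].rstrip(b"\x00"))
        if length:
            out += bytes([win, length]) + windows[win][:length]
    return bytes(out)


def decode_type_bitmap(data):
    """Return the set of RR type codes present in an encoded type bitmap.

    Raises ValueError on a malformed field (bad length, out-of-order or
    truncated window blocks) rather than silently returning a partial set."""
    types, pos, last_win = set(), 0, -1
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated window block header")
        win, length = data[pos], data[pos + 1]
        if not 1 <= length <= 32:
            raise ValueError("bitmap length %d outside 1..32" % length)
        if win <= last_win:
            raise ValueError("window blocks must be in increasing order")
        block = data[pos + 2:pos + 2 + length]
        if len(block) != length:
            raise ValueError("truncated bitmap in window %d" % win)
        for i, octet in enumerate(block):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.add((win << 8) | (i * 8 + bit))
        last_win = win
        pos += 2 + length
    return types


def nsec3_type_bitmap(rdata):
    """Skip the fixed NSEC3 RDATA fields (hash alg, flags, iterations,
    salt, next hashed owner name) and return the Type Bit Maps field."""
    if len(rdata) < 5:
        raise ValueError("NSEC3 RDATA too short")
    salt_len = rdata[4]
    pos = 5 + salt_len
    if pos >= len(rdata):
        raise ValueError("NSEC3 RDATA truncated before hash length")
    hash_len = rdata[pos]
    pos += 1 + hash_len
    if pos > len(rdata):
        raise ValueError("NSEC3 RDATA truncated inside next hashed owner")
    return rdata[pos:]


def referral_nsec3_lists_ns(rdata):
    """True if the NSEC3 covering a delegation point asserts the NS type."""
    return TYPE_NS in decode_type_bitmap(nsec3_type_bitmap(rdata))


def build_nsec3_rdata(types, iterations=10, salt=b"", next_hash=b"\x00" * 20):
    """Constructed NSEC3 RDATA (hash algorithm 1 = SHA-1) for testing only."""
    return (struct.pack("!BBH", 1, 0, iterations) + bytes([len(salt)]) + salt
            + bytes([len(next_hash)]) + next_hash + encode_type_bitmap(types))


# Constructed samples: the malformed record from the issue (empty bitmap)
# and a correctly formed delegation NSEC3 that lists NS.
BROKEN_REFERRAL = build_nsec3_rdata([])
FIXED_REFERRAL = build_nsec3_rdata([TYPE_NS])

if __name__ == "__main__":
    for name, rd in (("broken", BROKEN_REFERRAL), ("fixed", FIXED_REFERRAL)):
        print(name, sorted(decode_type_bitmap(nsec3_type_bitmap(rd))),
              "NS present:", referral_nsec3_lists_ns(rd))
```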


517510-5 : HTTP monitor might add extra CR/LF pairs to HTTP body when supplied

Component: Local Traffic Manager

Symptoms:
When the text supplied to the HTTP monitor contains body text, the system might append extra CR/LF pairs to the end of it.

Conditions:
HTTP monitor with text specifying HTTP body text.

Impact:
This may cause malformed POST or PUT messages.

Workaround:
A limited workaround is to provide an alternative HTTP health check that does not require PUTting or POSTing a body.

Fix:
The HTTP monitor has been fixed to avoid adding additional CR/LF pairs, except for the case where only headers are supplied and there are insufficient CR/LF supplied to terminate the headers.


517465-3 : tmm crash with ssl

Component: Local Traffic Manager

Symptoms:
Under some rare conditions, a problem with SSL might cause TMM to crash.

Conditions:
An SSL alert is sent during the SSL handshake.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None known.

Fix:
A tmm crash related to alerts during an SSL handshake failure has been fixed.


517441-4 : apd may crash when RADIUS accounting message is greater than 2K

Component: Access Policy Manager

Symptoms:
If the RADIUS Acct agent is configured for an access policy, and there are a lot of attributes with total size greater than 2K, apd may crash.

Conditions:
A RADIUS Acct agent is configured in an access policy (AP), and the RADIUS Acct request contains numerous attributes.

Impact:
Service becomes unavailable while the apd process restarts.

Fix:
The maximum size of a RADIUS packet is now set to 4K (RFC 2865).
If the total size of attributes is greater than 4K, the packet will be truncated to 4K.


517388-6 : Parsing the DN (for subject or issuer) in a certificate does not take into account all the possible RDNs.

Component: TMOS

Symptoms:
The system recognizes and displays to the user a few relative distinguished names (RDNs): division name, state name, locality name, organization name, country name, and common name.

Conditions:
RDNs in the subject/issuer other than those listed above are not parsed correctly.

Impact:
Parsing the DN (for subject or issuer) might combine fields that result in RDN values that are longer than allowed. This causes issues when trying to store these in Enterprise Manager (EM) database.

Workaround:
None.

Fix:
All relative distinguished names (RDNs) are now parsed as expected. Previously, the system correctly parsed RDNs for division name, state name, locality name, organization name, country name, and common name. Now, the system correctly parses all RDNs.


517282-6 : The DNS monitor may delay marking an object down or never mark it down

Component: Local Traffic Manager

Symptoms:
The DNS monitor may not mark an object down within the monitor timeout period or may never mark the object down.

Conditions:
A DNS monitor with no configured recv string receives an ICMP error other than port unreachable.

Impact:
The DNS monitor may not mark an object down within the monitor timeout period or may never mark the object down.

Workaround:
Supply an appropriate recv string to the monitor definition:
  tmsh modify ltm monitor dns mydns recv 10.1.1.1

Or add another monitor to the object:
  tmsh modify ltm pool dnspool monitor min 2 of { mydns gateway_icmp }

Fix:
The DNS monitor now marks the server down when it receives an ICMP administratively-prohibited error. This is the correct behavior.


517209-6 : tmsh save sys config file /var/tmp or /shared/tmp can make some BIG-IP functionality unusable

Component: TMOS

Symptoms:
The tmsh save sys config file /var/tmp or /shared/tmp command, or one using a relative path to these directories (for example, /config/../shared/tmp), saves the scf with the specified real path. However, since the /var/tmp directory is used internally by BIG-IP daemons, some functionality may be rendered unusable until the /var/tmp symlink to /shared/tmp is restored.

Conditions:
Saving the sys config file /var/tmp or /shared/tmp (or a relative path to one of these directories).

Impact:
Some system functionality may be rendered unusable.

Workaround:
Use the following commands to delete the scf and restore the symlink:
1) rm -f /var/tmp
2) ln -s /shared/tmp /var/
3) bigstart restart

Fix:
/var/tmp and /shared/tmp are now invalid paths for the tmsh save sys config file command.


517146-2 : Log ID 01490538 may be truncated

Component: Access Policy Manager

Symptoms:
Log ID 01490538 may appear truncated in /var/log/apm. It is supposed to say "Configuration snapshot deleted by Access".

Conditions:
Access profile snapshots are timing out and being deleted by the system.

Impact:
Most likely just corrupted log messages. A very slight chance of a crash, due to the string terminator being written to the wrong location in memory.

Workaround:
No workaround.

Fix:
Log ID 01450538 prints correctly to /var/log/apm now.


517124-6 : HTTP::retry incorrectly converts its input

Component: Local Traffic Manager

Symptoms:
The HTTP::retry iRule converts its input into UTF8. If the input is a bytearray using some other locale, then bytes with the high-bit set may be corrupted.

The resulting corrupted request will then be sent to the server as the retried request.

Conditions:
The input to HTTP::retry is a Tcl bytearray rather than a Tcl string. The output of some commands, e.g. HTTP::payload, is a bytearray. Strings are in UTF-8 format; bytearrays are not.

Impact:
Non-ASCII characters may be corrupted when HTTP::retry is used.

Fix:
The HTTP::retry command no longer corrupts input that is not in UTF-8 format.


517020-4 : SNMP requests fail and subsnmpd reports that it has been terminated.

Component: TMOS

Symptoms:
After an unspecified period of time, SNMP requests fail and subsnmpd reports that it has been terminated.

Conditions:
SNMP polls sent to a system start to fail after a few days, until subsnmpd is restarted. When in the failed state, you can determine the status of subsnmpd by running the following command: tmsh show sys services. Here is an example of the status when the system is in this state: subsnmpd run (pid 4649) 26 days, got TERM.

Impact:
Loss of SNMP data sent to a client. The /var/log/snmpd.log contains numerous messages similar to the following: Received broken packet. Closing session. The /var/log/sflow_agent.log contains numerous messages similar to the following: AgentX session to master agent attempted to be re-opened.

Workaround:
Restart subsnmpd using the following command: bigstart restart subsnmpd.

Fix:
SNMP requests handling has been improved to ensure that requests no longer fail after a number of days.


517013-2 : CSS minification can on occasion remove necessary whitespace

Component: WebAccelerator

Symptoms:
CSS minification can on occasion remove necessary whitespace.
Example of incorrectly minified content:
 //Comment1 @import url("http://example.com/test.jpeg");
becomes
 //Comment1@import url("http://example.com/test.jpeg");

Conditions:
This occurs when using minification on CSS.

Impact:
CSS minification might remove necessary whitespace.

Workaround:
Disable minification on CSS.

Fix:
Fixed an issue that was causing removal of necessary whitespace in CSS minification.


516995-8 : NAT traffic group inheritance does not sync across devices

Component: TMOS

Symptoms:
When a NAT object is created, and its inherited-traffic-group property is set, this property does not sync to other devices.

Conditions:
This is relevant for any setup with multiple devices in a CMI failover device group.

Impact:
The inherited-traffic-group property must be manually maintained on all devices.

Workaround:
Enable the 'full sync' option instead of using incremental sync.

Fix:
NAT traffic group inheritance now syncs across devices using incremental sync.


516841-3 : Unable to log out of the GUI in IE8

Component: TMOS

Symptoms:
"Log out" button doesn't work in Microsoft Internet Explorer version 8 (IE8).

Conditions:
This occurs when clicking the "Log out" button in the GUI while using IE8.

Impact:
You cannot log out with the "Log out" button.

Workaround:
Close and reopen IE8.

Fix:
You can now log out with the "Log out" button in Microsoft Internet Explorer version 8 (IE8).


516839-7 : Add client type detection for Microsoft Edge browser

Component: Access Policy Manager

Symptoms:
Microsoft Edge browser cannot be detected by Client Type action item agent in access policy.

Conditions:
Microsoft Edge browser, Client Type action item agent in access policy on BIG-IP APM.

Impact:
Microsoft Edge browser is not detected by Client Type action item and the webtop might not display properly or might display resources that are not supported.

Fix:
Improvement: Microsoft Edge browser is now detected properly and only supported resources are shown on the webtop now. All components that require ActiveX are not supported.


516816-2 : RSA key with DSA-signed or ECDSA-signed certificate silently fails handshake.

Component: Local Traffic Manager

Symptoms:
RSA key with DSA-signed or ECDSA-signed certificate silently fails handshake.

Conditions:
The key cert pair type matches one of the following combinations:
1. RSA key/DSA-signed cert.
2. RSA key/ECDSA-signed cert.

Impact:
When this kind of key/cert pair is configured in a Client SSL profile that is used by a virtual server, the SSL handshake to the virtual server fails.

Workaround:
Do not use this kind of 'hybrid' key/cert pair in the Client SSL profile. Instead, use the combination such as RSA key/RSA-signed cert, EC key/ECDSA-signed cert, or DSA key/DSA-signed cert.

Fix:
An RSA key with DSA-signed or ECDSA-signed cert no longer fails the SSL handshake. You can now configure those in the Client SSL profile and the SSL handshake completes as expected.


516685-1 : ZoneRunner might fail to load valid zone files.

Component: Global Traffic Manager

Symptoms:
ZoneRunner might fail to load valid zone files which contain two or more consecutive lines which are $TTL directives, blank lines, comment-only lines, or some combination of the above.

Conditions:
DNS : Zones : Zonerunner : Zone List: Create. Select 'Load from File' in Records Creation Method.

Impact:
The user cannot load a zone file via the GUI.

Workaround:
Workaround 1: Remove consecutive blank lines, and comment-only lines from the zone file before uploading it to the GUI. Specify the domain in the line following any $ directive lines before uploading the zone file to the GUI.

Workaround 2:
1. Freeze zones, stop zrd.
2. Copy the zone file from the donor GTM to the new GTM.
3. Check and adjust the ownership (chown) of the zone file.
4. Start zrd, thaw zones.
5. Restart named.

Fix:
ZoneRunner now successfully loads zone files that contain $TTL directives, blank lines, comment-only lines, or some combination of the above.


516680-1 : ZoneRunner might fail when loading valid zone files.

Component: Global Traffic Manager

Symptoms:
ZoneRunner might fail to load valid zone files which contain two or more consecutive lines which are $TTL directives, blank lines, comment-only lines, or some combination of the above.

Conditions:
DNS : Zones : Zonerunner : Zone List: Create. Select 'Load from File' in Records Creation Method.

Impact:
The user cannot load a zone file via the GUI.

Workaround:
Workaround 1: Remove consecutive blank lines, and comment-only lines from the zone file before uploading it to the GUI. Specify the domain in the line following any $ directive lines before uploading the zone file to the GUI.

Workaround 2:
1. Freeze zones, stop zrd.
2. Copy the zone file from the donor GTM to the new GTM.
3. Check and adjust the ownership (chown) of the zone file.
4. Start zrd, thaw zones.
5. Restart named.

Fix:
ZoneRunner will no longer crash when parsing zone files containing $TTL directives, blank lines, comment-only lines, or some combination of the above.


516669-2 : Rarely occurring SOD core causes failover.

Component: TMOS

Symptoms:
Spontaneous failover occurs rarely due to a SOD core dump.

Conditions:
Cannot reproduce the issue reliably, so conditions for the crash are unknown.

Impact:
When SOD cores, all traffic groups fail over to another device. Non-mirrored flows will be interrupted.

Workaround:
None.

Fix:
Errors in handling memory have been fixed to prevent allocation failure.


516618-4 : glibc vulnerability CVE-2013-7424

Vulnerability Solution Article: K16472


516598-6 : Multiple TCP keepalive timers for same Fast L4 flow

Component: Local Traffic Manager

Symptoms:
Multiple TCP keepalive timers for same Fast L4 flow.

Conditions:
Fast L4 profile with TCP Keepalive option enabled.

Impact:
TMM core.

Workaround:
Disable TCP Keepalive option from the Fast L4 profile.

Fix:
Multiple TCP keepalive timers are no longer started for the same Fast L4 flow.


516523-1 : Full ASM Config Sync was happening too often in a Full Sync Auto-Sync Device Group

Component: Application Security Manager

Symptoms:
ASM is only supposed to request a Full Sync if there has been a Manual Full Sync request, or if an incremental / auto sync indicates that the state is inconsistent with that of its peers.

The system was mistakenly requesting a Full Sync on every config change in an Auto-Sync, Full Sync group even when it was in a consistent state.

Conditions:
A Device Group is configured with Auto-Sync, Full Sync, and ASM enabled.

Impact:
Noise on the network, extra CPU usage, Policy Builder restarting on receiving peer.

Workaround:
Disable "Full Sync" on the device group.

Fix:
The system no longer requests a Full ASM Configuration Sync on every full auto sync in a device group.


516522-2 : After upgrade from any pre-11.4.x to 11.4.x through 12.0.0, the configured redirect URL location is empty.

Component: Application Security Manager

Symptoms:
After upgrade from any pre-11.4.x to 11.4.x through 12.0.0, the configured redirect URL location is empty.

Conditions:
1) ASM is provisioned and there is a redirect URL configured on any pre-11.4.x.
2) Upgrade to 11.4.x, 11.5.3, or 11.6.0. This does not occur in 11.5.4, 11.6.1, or 12.0.0 and beyond.

Impact:
The configured redirect URL location is empty.

Workaround:
None.

Fix:
The configured redirect URL location is now preserved after upgrade from any pre-11.4.x to 11.4.x through 12.0.0.


516462-3 : Gateways for excluded address space routes are not adjusted correctly during roaming between networks on Windows machines

Component: Access Policy Manager

Symptoms:
Gateways for excluded address space routes are not adjusted correctly during roaming between networks on Windows machines.

Conditions:
Client Windows machine roams between different networks (Wi-Fi or Ethernet) when the BIG-IP system has configured split-tunneling.

Impact:
Excluded address space routes are not applied.

Fix:
The cause of this issue has been fixed; excluded address space routes are now applied correctly even when a client machine roams between different networks.


516432-4 : DTLS may send corrupted records when the DB variable tmm.ssl.dtlsmaxcrs is not the default value 1.

Component: Local Traffic Manager

Symptoms:
DTLS may send corrupted records when the DB variable tmm.ssl.dtlsmaxcrs is not the default value 1.

Conditions:
When DB variable tmm.ssl.dtlsmaxcrs is not 1.

Impact:
DTLS sends corrupted records.

Workaround:
Set tmm.ssl.dtlsmaxcrs to 1.

Fix:
DTLS no longer sends corrupted records when the DB variable tmm.ssl.dtlsmaxcrs is not the default value 1.


516322-5 : The BIG-IP system may erroneously remove an iApp association from the virtual server.

Component: TMOS

Symptoms:
The BIG-IP system may erroneously remove an iApp association from the virtual server.

Conditions:
This might occur when merging configurations in tmsh, in iControl when using Management.ChangeControl.put_config, and during incremental sync when the iApp is modified, but there is no modification to the virtual server.

There are two sets of conditions under which this issue might occur:

1. iApp, virtual server, and persistence profile are configured and associated prior to merge.

2. All of the following:
   - High availability pair defined over a Device Group with Incremental Sync specified (that is, Full Sync is disabled).
   - iApp with one or more virtual servers deployed on one or more peers.
   - iApp is reconfigured on one of the peers with no modification of the Virtual Server configuration.
   - Config sync to a peer unit.

Impact:
This removes iApp association with the virtual server.

Workaround:
To work around this issue, you should add the affected virtual server name to the list of commands during the merge process.

For example, you should add ltm virtual server iApp-test_vs { } to the tmsh merge script during the merge process:

cli admin-partitions { update-partition Common } ltm persistence source-addr /Common/put-config-test { app-service none defaults-from /Common/source_addr mirror enabled timeout 300 } ltm virtual iApp-test_vs { }

Fix:
Modifying a persistence profile while updating a partition during a merge config no longer disassociates the iApp from the virtual server.


516320-5 : TMM may have a CPU spike if match across persist is used.

Component: Local Traffic Manager

Symptoms:
TMM may have a CPU spike.
A few (very few) connections may fail.

Conditions:
1) Match across persist is used.
2) A long idle timeout makes the symptom worse.
3) Persist HA makes the symptom worse.

Impact:
TMM may have a CPU spike.
A few (very few) connections may fail.

Workaround:
Avoid using match across persist.

Fix:
Match across persistence no longer causes CPU spike.


516219-2 : User failed to get profile license in VIPRION 4800 chassis if slot 1 is not enabled

Component: Access Policy Manager

Symptoms:
Connection is reset when user tries to log on to an APM virtual server. APM log shows ERR_NOT_FOUND while getting profile license.

Conditions:
The issue happens if slot 1 in a VIPRION 4800 chassis is not occupied or is occupied but not enabled.

Impact:
User logon failure.

Workaround:
Detach APM access profile from the virtual server and then reattach it.

Fix:
Access policies now work properly in a VIPRION 4800 with no slot 1.


516184 : IKEv1 for IPsec does not work when VLAN cmp-hash is set to non-default values

Component: TMOS

Symptoms:
When the cmp-hash of the VLAN interface used by IKEv1 is set to a non-default value (dst-ip or src-ip) for the purpose of load-balancing IKEv1 traffic, IKEv1 fails.

Conditions:
The VLAN interface used for IKEv1 traffic has its cmp-hash value set to a non-default value.

Impact:
IPsec does not work.

Workaround:
Set the cmp-hash value of the VLAN interface for IKEv1 traffic to "default".

Fix:
IKEv1 can re-establish its IKE SAs after the VLAN carrying IKEv1 traffic changes its cmp-hash setting (the currently available options are "default", "src-ip", and "dst-ip").


516075-5 : Linux command line client fails with on-demand cert

Component: Access Policy Manager

Symptoms:
Linux command line client fails with On-Demand Cert Auth.

Conditions:
End user needs to be running Linux command line client and the On-Demand Cert Auth agent.

Impact:
Depending upon the access policy, the user might fail to log in and establish a Network Access connection.

Workaround:
None.

Fix:
Linux command line client works with On-Demand Cert Auth now.


516057-5 : Assertion 'valid proxy' can occur after a configuration change with active IVS flows.

Component: Service Provider

Symptoms:
When a configuration update or sync takes place while there are active connections on an affected internal virtual server (IVS), and a new connection is initiated during the update, the TMM can assert 'valid proxy' and crash.

If there are no preexisting active connections, the assertion does not occur, but connections initiated during the configuration update might be in a bad state and cause unpredictable effects.

Conditions:
1. Active flows exist on an internal virtual server (IVS). This is necessary to trigger the assertion.
2. A configuration update or sync affecting that IVS is in progress.
3. A new connection is initiated to that IVS during the update.

Impact:
This is intermittent and rarely encountered. When all preexisting connection flows on this IVS tear down, a 'valid proxy' assertion can trigger and cause a TMM crash and restart, resulting in lost connections across the BIG-IP system or blade. New IVS connection flows initiated during the configuration update might be in a bad state and exhibit unpredictable effects, even if there is no crash.

Workaround:
Try to avoid configuration changes affecting any IVS while connections are active. This is intermittent so most likely will not manifest, even with active connections.

Fix:
When a configuration update or sync takes place while there are active connections on an affected internal virtual server (IVS), new connections fail and log an error message indicating that the IVS is not ready for connections. If the connections are to an ICAP server, the BIG-IP system performs the service-down-action configured in the request-adapt or response-adapt profile of the virtual server that attempted to initiate the connection. There are no assertions or unpredictable effects. Any new connections that failed for this reason may be retried after the configuration update is complete.


515943-1 : "Session variables" report may show empty if session variable value contains non-English characters

Component: Access Policy Manager

Symptoms:
"Session variables" report may show empty if a session variable value contains non-English characters.

Conditions:
For active session only.

Impact:
User cannot see the Session Variable information for active session.

Workaround:
Use English characters for network configuration values, such as host name, user name, and so on.

Fix:
"Session variables" report shows correct information for any language characters.


515797-2 : Using qos_score command in RULE_INIT event causes TMM crash

Component: Global Traffic Manager

Symptoms:
TMM crashes when the iRule with qos_score command in RULE_INIT event is added to a wide IP.

Conditions:
Configured iRule with qos_score command in RULE_INIT event that is added to a wide IP.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Mitigation: Do not use qos_score command in RULE_INIT event.

Fix:
qos_score command is disallowed in RULE_INIT event.


515759-2 : Configuration objects with more than four vlans in vlan list may cause memory utilization to increase over time

Component: Local Traffic Manager

Symptoms:
tmm memory growth over time.

Conditions:
Conditions leading to this issue include: one or more virtual servers, NATs, SNATs, or LSNs with more than four VLANS in a vlan allow or vlan deny list.

Impact:
tmm memory usage can grow over time eventually causing memory exhaustion.

Workaround:
Mitigation: Minimize the number of VLANs in the VLAN list for virtual servers, NATs, SNATs and LSNs. Minimize the number of configurations changes to Self-IPs, virtual servers, NATs, SNATs and LSNs.

Fix:
Configuration objects with more than four VLANs in a VLAN list no longer cause memory utilization to increase over time.


515736-5 : LSN pool with small port range may not use all ports

Component: Carrier-Grade NAT

Symptoms:
When LSN pool port range is small, some ports may not be used for translation.

Conditions:
LSN pool port range is small.

Impact:
Even though free ports are available, they are not used for translation and the connection fails.

Workaround:
Set the LSN pool port range to the default value of 1025 - 65535.


515728-4 : Repeated BD cores.

Component: Application Security Manager

Symptoms:
The bd process crashes and produces a core file in the /var/core directory.

Conditions:
It is not known what conditions trigger the crash.

Impact:
Traffic disrupted while bd restarts.

Fix:
Fixed a bd core related to Tcl processing.


515667-6 : Unique truncated SNMP OIDs.

Component: TMOS

Symptoms:
When the BIG-IP system truncates an SNMP OID in order to stay within the maximum OID length of 128, the truncated OID is not always consistent or unique.

Conditions:
An SNMP table has a unique index (key) consisting of one or more table attributes of various types. String-type index attributes with value lengths approaching or exceeding 128 characters expose this truncation issue.

Impact:
SNMP get, get-next, and set commands might fail or even operate on incorrect data when the target OID is not consistent or unique.

Workaround:
The long string values triggering this issue are typically identified as user-supplied names that were introduced as part of BIG-IP configuration. Often these names can be reconfigured to a shorter length.

Fix:
Truncated OIDs are now appended with a unique check-sum value that remains unchanged from one query to the next.


515646-9 : TMM core when multiple PPTP calls from the same client

Component: Carrier-Grade NAT

Symptoms:
TMM can core when multiple PPTP calls arrive from the same client.

Conditions:
PPTP ALG VS with CGNAT.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer cores when multiple PPTP calls arrive from the same client.


515482-6 : Multiple teardown conditions can cause crash

Component: Local Traffic Manager

Symptoms:
When iRules direct the teardown of a TCP connection after some delay, another event might tear down the connection during the delay. When the iRule-directed abort finally arrives, the system crashes.

Conditions:
(1) An iRule or other cross-layer message can trigger an ABORT after teardown.

(2) The TCP profile has settings that invoke the affected TCP implementation:
(a) 11.5.x: mptcp is enabled
(b) 11.6.x: mptcp, rate-pace, or tail-loss-probe are enabled, OR TCP uses Vegas, Illinois, Woodside, CHD, CDG, Cubic, or Westwood congestion control.

Impact:
TMM crashes.

Workaround:
Suspend iRules with this behavior.

Fix:
When receiving ABORT commands, TCP catches cases where the connection is already closed.


515345-4 : NTP Vulnerability

Vulnerability Solution Article: K16505


515322-2 : Intermittent TMM core when using DNS cache with forward zones

Component: Local Traffic Manager

Symptoms:
TMM can intermittently crash when using the DNS cache resolver.

Conditions:
When a cache configuration is "removed" there are conditions where a refcount is not properly managed that would lead to memory being deleted before the last user is done with it.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A

Fix:
TMM will no longer intermittently core when using the DNS cache resolver.


515187 : Certain ICMP packets are evaluated twice against Global and Route Domain ACL rules.

Component: Advanced Firewall Manager

Symptoms:
Certain ICMP packets (such as ICMPv6 Destination Unreachable) match twice against Global and Route-Domain ACL rules.

Conditions:
AFM provisioned and licensed.

Create a Global and/or Route Domain ACL policy with a rule matching ICMP traffic. Send ICMP packet such as Destination Unreachable.

Impact:
Global and Route-Domain ACL rules are evaluated twice under conditions specified above. This causes the rule counters to be incremented by 2 (instead of 1) and may cause double logging if enabled.

Workaround:
None

Fix:
ICMP traffic is now evaluated only once against Global and Route-Domain ACL rules.


515139-4 : Active FTP session with inherit profile and address translation disabled may not decrement pool member current connections statistics

Component: Local Traffic Manager

Symptoms:
Current connections seen in the poolmember statistics via tmsh might show a non-decremented number over time.

Conditions:
This occurs when the following conditions are met:
- FTP virtual server with address translation disabled.
- FTP profile with inherit parent profile enabled.
- Active FTP session.
- Running the command: tmsh show ltm pool pool_name.

Impact:
The current connections statistics value does not decrement upon data connection closure. While this is primarily cosmetic, it might impact connections when used in combination with limit calculations.

Workaround:
Disable inherit parent profile in the FTP profile.

Fix:
The BIG-IP system now correctly represents the pool current connections in the specific configuration combination.


515112-2 : Delayed ehash initialization causes crash when memory is fragmented.

Component: Advanced Firewall Manager

Symptoms:
When first using a new feature (fpm, firewall) under memory fragmentation conditions, if the feature uses an ehash table, TMM may crash.

Conditions:
Severe memory fragmentation, where contiguous allocations are not satisfied, combined with initial use of a new feature.

Impact:
TMM crashes.

Workaround:
Utilize all features shortly after TMM comes up, so all initial allocations are performed.

Fix:
Certain allocations are no longer delayed. Delayed allocations which fail retry with smaller sizes, possibly reducing performance.


515072-7 : Virtual servers with priority groups reset incoming connections when a non-zero connection limit is increased

Component: Local Traffic Manager

Symptoms:
When a virtual server has priority groups and connection limit configured, if the connection limit is reached and is increased while the member is limited, then subsequent connections will be reset rather than allowed.

Conditions:
Using priority groups and a non-zero connection limit, with one of the following load balancing methods: least-connections-member, least-sessions, ratio-member, ratio-least-connections-member, ratio-session. The issue occurs when the connection limit is adjusted higher when the connection limit is reached on the high-priority pool.

Impact:
New connections are reset without being able to send traffic.

Workaround:
If it is feasible to adjust the priorities, adjust the connection limit to its initial value, and adjust the priority groups so that the traffic currently on the limited pool drains out. When the pool has no connections, increase the limit to restore the correct priorities.

Fix:
A pool member is now made eligible for load balancing if it is no longer connection limited after its connection limit is modified.


515033-1 : [ZRD] A memory leak in zrd

Component: Global Traffic Manager

Symptoms:
Memory leaks for zrd when performing wide IP alias updating.

Conditions:
When an add, modification, or deletion of a GTM Wide IP Alias is made through the GUI or tmsh, there is a small memory leak in zrd. Although this memory leak is small for any one change, it could be noticeable after hundreds or thousands of changes when viewing memory consumption through 'top' or other tools.

Impact:
Memory leak after multiple wide IP alias create/update operations.

Workaround:
If the zrd memory usage is negatively impacting system performance, you can restart zrd and clear out the memory usage by running the command: bigstart restart zrd.

Fix:
Memory no longer leaks for zrd when performing wide IP alias updating.


515030-2 : [ZRD] A memory leak in Zrd

Component: Global Traffic Manager

Symptoms:
Memory leaks for zrd when performing multiple wide IP alias updating.

Conditions:
When an add, modification, or deletion of a GTM Wide IP Alias is made through the GUI or tmsh there is a small memory leak in zrd. This memory leak is not significant for any one change, but it might become noticeable after hundreds or thousands of changes when viewing memory consumption through 'top' or other tools.

Impact:
Memory leak after multiple wide IP alias updates.

Workaround:
Although there is no workaround, you can mitigate potential system performance impacts by restarting zrd, which clears out the memory usage. To do so, run the command: bigstart restart zrd.

Fix:
Memory no longer leaks in zrd when performing multiple wide IP alias updating.


514912-2 : Portal Access scripts had not been inserted into HTML page in some cases

Component: Access Policy Manager

Symptoms:
If an HTML page contains forms with absolute action paths, Portal Access scripts must be inserted into that page. However, if there was no other reason to include them, the scripts were not inserted.

Conditions:
An HTML page that contains a form with an absolute action path, for instance:

<form action="/cgi-bin/a.gci">
</form>

Impact:
The form cannot be submitted because the browser raises a JavaScript error.

Workaround:
An iRule can be used to insert the Portal Access scripts into the rewritten HTML page.

Fix:
Portal Access scripts are now inserted into the HTML page if it contains forms with an absolute action path.


514844-3 : Fluctuating/inconsistent number of health monitors for pool member

Component: TMOS

Symptoms:
The Local Traffic :: Pools :: pool_name :: Members :: pool_member_name displays an inconsistent and fluctuating number of health monitors for a pool member.

Conditions:
The customer uses partitions (i.e., folders) and route domains, and uses the GUI to display the health monitors for a pool member.

Impact:
The correct number of health monitors for a pool member cannot be determined. For example, given a pool that was assigned two health monitors, the screen sometimes displays two health monitors, sometimes one, and sometimes none at all.

Workaround:
Use tmsh to display the health monitors for a pool member.

Fix:
The system now displays the correct number of health monitors for pool members for configurations containing administrative partitions and route domains.


514785-3 : TMM crash when processing AAM-optimized video URLs

Component: WebAccelerator

Symptoms:
TMM might crash when processing HTTP requests for certain types of AAM-optimized videos.

Conditions:
AAM-enabled VIP with video optimization and IBR enabled by AAM policy.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable AAM processing of AAM-optimized video URLs.

Fix:
TMM no longer crashes when processing HTTP requests for certain types of AAM-optimized videos.


514731-4 : GTM fails to change GTM server with IPv4 'Address Translation' enabled

Component: Global Traffic Manager (DNS)

Symptoms:
When the GUI is used to add an IPv4 address translation, GTM fails to change a GTM server that has IPv4 'Address Translation' enabled.

Conditions:
This occurs when using the GUI to add an IPv4 translated address that alphabetically or numerically precedes an existing IPv4 translated address. For example, there is an Address: 192.168.10.12 and Translation: 10.26.10.12, and you add IP address 11.12.10.12.

Impact:
GTM server property cannot be updated. When updating GTM server properties, the system posts errors such as the following: 01020037:3: The requested GTM IP (192.168.10.11 /Common/LTM64) already exists.

Workaround:
Use tmsh to make these types of changes.

Fix:
When the GUI is used to add an IPv4 address translation, GTM now successfully changes a GTM server that has IPv4 'Address Translation' enabled.


514729-1 : 10.2.1 system with SSL profile specifying ciphers 'DEFAULT:!HIGH:!MEDIUM' fails to upgrade to 11.5.1, 11.5.2, 11.5.3, or 11.6.0.

Component: Local Traffic Manager

Symptoms:
The SSL cipher string 'DEFAULT:!HIGH:!MEDIUM' is accepted in 10.2.1 but prevents the configuration from loading in 11.5.1, 11.5.2, 11.5.3, or 11.6.0.

This cipher specification is not meaningful in software versions 11.5.1, 11.5.2, 11.5.3, or 11.6.0, because every cipher in DEFAULT falls within HIGH or MEDIUM. Excluding HIGH and MEDIUM therefore leaves the system with no ciphers to select from.

This is the DEFAULT cipher string for 11.5.1:
!SSLv2:!SSLv3:!MD5:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4

Conditions:
This issue occurs when a 10.2.1 system with an SSL profile specifying ciphers 'DEFAULT:!HIGH:!MEDIUM' is used on a system running version 11.5.1, 11.5.2, 11.5.3, or 11.6.0, either by upgrading, or by manual UCS installation.

This is an example of such a profile.

profile serverssl serverssl-low_encryption {
   defaults from serverssl
   ciphers "DEFAULT:!HIGH:!MEDIUM"
}

Impact:
Upon reboot into version 11.5.1, 11.5.2, 11.5.3, or 11.6.0, or upon load of a UCS from 10.2.1, the configuration fails to load.

The operation fails with an error similar to the following.

01070311:3: Ciphers list <list>' for profile <profile name> denies all clients

Workaround:
Search for this cipher 'DEFAULT:!HIGH:!MEDIUM' and modify before upgrading. For information about what value to use, see SOL13156: SSL ciphers used in the default SSL profiles (11.x - 12.x), available here: https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13156.html.
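A pre-upgrade check for cipher strings that resolve to nothing, added here as an example; it is not BIG-IP code and does not use the BIG-IP cipher implementation. It asks the local OpenSSL build, through Python's ssl module, to expand each profile's cipher string and reports the profiles whose string leaves no TLS 1.2 cipher, which is the condition behind the 'denies all clients' load error. The profile names and the second cipher string are constructed for the example; the first string is the one from this entry.

```python
import ssl

# Added example (not BIG-IP code): expand an OpenSSL-style cipher string with
# the local OpenSSL build to see what it actually allows. An SSL profile whose
# string expands to no cipher is what produces the 01070311 "denies all
# clients" load error described in this entry.


def resolve_cipher_string(cipher_string):
    """Return the TLS 1.2 cipher names `cipher_string` expands to.

    An empty list means OpenSSL rejected the string because nothing matched,
    i.e. a profile using it would accept no client at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # OpenSSL reports "No cipher can be selected" when the rule string
        # leaves no TLS 1.2 cipher.
        return []
    # TLS 1.3 suites are configured separately by OpenSSL and are not part of
    # the legacy cipher string, so keep only the older suites.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def find_empty_cipher_profiles(profiles):
    """Given {profile_name: cipher_string}, return the profile names whose
    string resolves to no cipher and must be changed before upgrading."""
    return sorted(name for name, s in profiles.items()
                  if not resolve_cipher_string(s))


# Constructed sample: the profile from this entry next to a sane one.
SAMPLE_PROFILES = {
    "serverssl-low_encryption": "DEFAULT:!HIGH:!MEDIUM",   # string from the entry
    "serverssl-default": "DEFAULT",                        # constructed
}

if __name__ == "__main__":
    for name, s in SAMPLE_PROFILES.items():
        print(name, "->", len(resolve_cipher_string(s)), "TLS 1.2 ciphers")
    print("profiles to fix before upgrading:",
          find_empty_cipher_profiles(SAMPLE_PROFILES))
```

The result reflects the cipher table of the OpenSSL build the script runs on, which differs from the one on a BIG-IP (the 11.5.1 DEFAULT string above still lists RC4, for example), so treat an empty expansion as a profile to review against SOL13156 rather than as the final word.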


514726-5 : Server-side DSR tunnel flow never expires

Component: TMOS

Symptoms:
TMM cores and memory exhaustion using Direct Server Return (DSR). DSR establishes a one-way tunnel between the BIG-IP system and the back-end servers using the clients' IP addresses as the tunnel local-address on the BIG-IP system. These flows never expire.

Conditions:
BIG-IP virtual servers using DSR tunnels to send client traffic to the server.

Impact:
Server-side DSR tunnel flow never expires. Because the DSR tunnels use client's IP address as the tunnel local-address and the server's IP address as the tunnel remote-address, a single DSR setup might introduce as many tunnels as the clients' requests. When these tunnels do not expire, the BIG-IP system memory resource might be used up eventually, causing TMM cores.

Workaround:
None.

Fix:
Individual DSR tunnels are removed after the corresponding client's user flows expire.


514724-4 : crypto-failsafe fail condition not cleared when crypto device restored

Component: TMOS

Symptoms:
If a crypto device fails, the crypto-failsafe fail condition will not be cleared when the crypto device is restored.

Conditions:
This issue affects systems with failed crypto devices that are restored.

Impact:
In an HA pair, the failing unit will fail over, but it will always stay down.

Workaround:
To restore the crypto-failsafe HA fail status, restart tmm by issuing a 'bigstart restart tmm'. Note that on a VIPRION system, this command must be run on the appropriate blade.

Fix:
The crypto device can now be restored, and the crypto-failsafe HA status no longer stays in the fail state.


514651 : db variable to disable rate-tracker

Component: Advanced Firewall Manager

Symptoms:
Rate-tracker can't be disabled.

Conditions:
Internal F5 testing determined certain use cases had rate-tracker enabled when expecting the ability to disable the functionality.

Impact:
If you want to disable rate-tracker, you are unable to do so.

Workaround:
None.

Fix:
Added db variable (dos.globalsflimit) to disable rate-tracker.


514604-2 : Nexthop object can be freed while still referenced by another structure

Component: Local Traffic Manager

Symptoms:
Use after free of the Nexthop object may cause memory corruption or tmm core.

Conditions:
This can happen if the proxy connection takes some time to complete, creating a large enough time window where the nexthop object might be freed.

Impact:
The BIG-IP system might crash. This is a very timing/memory-usage dependent issue that is rarely encountered.

Workaround:
None.

Fix:
Management of nexthop object reference counting is more consistent.


514450-2 : VXLAN: Remote MAC address movement does not trigger ARL updates across TMMs.

Component: TMOS

Symptoms:
In a VXLAN tunnel, a remote MAC address movement from one endpoint to another does not trigger ARL updates across all TMMs. As a result, some TMMs may contain stale ARL entries which can impact traffic forwarding. Also, when using 'tmsh show net fdb tunnel', there is a duplicated MAC address associated with different endpoints in the same tunnel.

Conditions:
When a remote MAC address is moved from one endpoint to another. For example, when a BIG-IP system in an HA setup configured with a masquerading MAC address changes its state from 'standby' to 'active'.

Impact:
This issue could impact traffic forwarding in VXLAN tunnels.

Workaround:
Although there is no complete workaround, you can mitigate the situation by making sure that the network is properly configured so that every device uses a unique MAC address. For example, in a network with an HA setup, try not to use masquerading MAC addresses.

Fix:
This version of software more consistently handles the condition of a remote MAC address being moved from one endpoint to another.


514419-7 : TMM core when viewing connection table

Component: Local Traffic Manager

Symptoms:
In very rare conditions tmm may core on viewing the connection table.

Conditions:
This occurs only when a configuration meets all of the following conditions:
- A NAT.
- An AFM reject rule for ICMP.
- The user views the connection table on the system.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not view the connection table when this configuration combination exists.

Fix:
TMM no longer cores when viewing the connection table.


514313-3 : Logging profile configuration is updated unnecessarily

Component: Application Security Manager

Symptoms:
Logging profile configuration is updated in the ASM data plane unnecessarily, due to changes in pool member state.

Conditions:
Pool member state changes frequently.

Impact:
Unnecessary logging profile configuration updates are sent to ASM data plane.

Fix:
Logging profile configuration is updated in the ASM data plane only when it is modified, and not unnecessarily.


514266 : Changing firewall rules with ip-protocol ICMP and ICMP type 0, code 0 causes pccd crash

Component: Advanced Firewall Manager

Symptoms:
Changing firewall rules with ip-protocol ICMP and ICMP type 0, code 0 causes a pccd crash.

Conditions:
Firewall rules with ip-protocol ICMP and type 0, code 0 are configured and then modified.

Impact:
pccd abort.

Fix:
Handled the insertion and deletion of icmp type 0/code 0 entries correctly when compiling the firewall rules.


514246-6 : connflow_precise_check_begin does not check for NULL

Component: Local Traffic Manager

Symptoms:
connflow_precise_check_begin does not check its parameters for NULL, while hudproxy calls connflow_precise_check_begin with NULL parameters in many places.

Conditions:
Connection Rate Limit is configured.

Impact:
This leads to a NULL pointer dereference and a subsequent tmm crash.

Workaround:
This issue has no workaround at this time.

Fix:
Fixed the NULL pointer dereference in connflow_precise_check_begin.


514236-2 : [GUI][GTM] GUI does not prefix partition to device-name for BIG-IP DNS Server IP addresses

Component: Global Traffic Manager (DNS)

Symptoms:
IP addresses associated with a BIG-IP DNS server object may not be viewable from the Configuration utility.

Conditions:
This issue occurs when all of the following conditions are met:

-- You use the Configuration utility to create a BIG-IP DNS server object with one or more IP addresses.
-- You then use the Configuration utility to add one or more IP addresses to a BIG-IP DNS server object.
-- You use the Traffic Management Shell (tmsh) to add one or more additional IP addresses to the BIG-IP GTM server object.
-- From the Configuration utility, you navigate to DNS :: GSLB :: Servers :: [BIG-IP DNS Server Name] and then view the BIG-IP DNS server object IP addresses in the Address List box.

Impact:
Only the BIG-IP GTM server object IP addresses that are added from the tmsh utility display in the Configuration utility. After tmsh modifies the BIG-IP DNS server by adding another IP address, the GUI fails to show those IP addresses previously added using the GUI.

Workaround:
Use tmsh to create and modify IP addresses on BIG-IP DNS servers. Or use only the Configuration utility or only the tmsh utility to create and modify BIG-IP GTM server object IP addresses.

Fix:
GUI now adds the partition prefix to device-name for BIG-IP DNS Server IP addresses, so IP addresses associated with a BIG-IP DNS server object are now viewable from the Configuration utility.


514220-2 : New iOS-based VPN client may fail to create IPv6 VPN tunnels

Component: Access Policy Manager

Symptoms:
Newer iOS-based VPN client does not provide MAC address during IPCP negotiation. This prevents the IPv6 VPN tunnel from getting established.

Conditions:
It affects only iOS-based IPv6 VPN connection requests.

Impact:
This impacts only IPv6 VPN tunnel requests from iOS-based devices.

Workaround:
None.

Fix:
Newer iOS-based VPN clients can successfully create IPv6 VPN tunnels.


514108-7 : TSO packet initialization failure due to out-of-memory condition.

Component: Local Traffic Manager

Symptoms:
TCP Segmentation Offload (TSO) packet initialization failure due to out-of-memory condition with the message: packet is locked by a driver.

Conditions:
This is related to tmm running out of memory while configured with TSO, on BIG-IP or VIPRION platforms which implement the HSB (High Speed Bridge) device in hardware.

This problem may occur on all currently-supported BIG-IP or VIPRION platforms EXCEPT the following:
BIG-IP 2000-/4000-series appliances.
BIG-IP 1600, 3600 appliances.

Impact:
TMM posts the assert message: packet is locked by a driver, then crashes.

Workaround:
Disable TSO (for more information, see SOL15609: Overview of TCP Segmentation Offload, available here: https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15609.html):

To enable or disable TSO functionality, you can use the following command syntax:

tmsh modify sys db tm.tcpsegmentationoffload value <enable | disable>

Note: After modifying the tm.tcpsegmentationoffload database variable, you must restart the TMM daemon by running the bigstart restart tmm command. Restarting TMM temporarily interrupts traffic processing. F5 recommends running this command only during a maintenance window.

Fix:
TCP Segmentation Offload (TSO) packet is now cleared correctly with no packet-locked message.


514061-1 : False positive scenario causes SMTP transactions to hang and eventually reset.

Component: Application Security Manager

Symptoms:
Upon specific SMTP traffic, connection hangs and eventually resets.

Conditions:
SMTP profile with 'protocol security' turned on is attached to the virtual server, and the response is processed in bulk.

Impact:
Connection hangs and eventually resets.

Workaround:
None.

Fix:
This release fixes a scenario in which SMTP transactions were hanging and blocked upon specific traffic.


513974-4 : Transaction validation errors on object references

Component: TMOS

Symptoms:
MCP validation error when adding/removing reference and adding/deleting an object in the same transaction.

Conditions:
During device group config sync, iControl transactions, and tmsh operations. For example, delete and create the same virtual server and specify a profile/VLAN, or remove a profile from a virtual server and then delete the profile in the same transaction.

Impact:
Validation error. The system posts an error similar to the following: transaction failed: 01020066:3: The requested virtual server profile (/Common/vs1 /Common/http1) already exists in partition Common. When deleting, the message is: 01020036:3: The requested virtual server profile (/Common/vs1 http1) was not found.

Workaround:
The removal of the object reference must be done in a separate transaction. For example, if you want to delete a profile that is being used, create one transaction removing it from virtual servers, then a second transaction deleting the profile.

Fix:
The system now supports adding/removing a reference and the object in a single transaction.


513969-2 : UAC prompt is shown for machine cert check for non-limited users, even if machine cert check service is running

Component: Access Policy Manager

Symptoms:
UAC prompt is shown for machine cert check for non-limited users, even if Machine Cert Check service is running on client Windows machine.

Conditions:
Current user is non-limited.
Machine Cert Check service is running.
User tries to pass Access Policy.

Impact:
Non-limited user has to press 'ok' in UAC window.

Fix:
Now Machine Certificate Check service is used for certificate verification even for non-limited users.


513953-2 : RADIUS Auth/Acct might fail if server response size is more than 2K

Component: Access Policy Manager

Symptoms:
RADIUS authentication or accounting fails when a response from the backend server is larger than 2048 bytes.

Conditions:
The response from the backend server is larger than 2048 bytes.

Impact:
The RADIUS Auth/Acct agent fails.

Fix:
Now RADIUS Auth and RADIUS Acct agents can successfully parse packets of sizes up to 4K, which is the maximum allowed RADIUS packet size. At the moment the BIG-IP system does not support RADIUS packet fragmentation.
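The length rule the fix relies on, shown as an added example that is not APM code: RFC 2865 section 3 defines the RADIUS header as Code (1 octet), Identifier (1), Length (2) and Authenticator (16), and limits Length to 20..4096 octets, the "4K" mentioned above. The parser below rejects packets outside that range and attributes that overrun the packet; the 2048-byte legacy limit, the sample Access-Accept and its Reply-Message attributes are constructed for the illustration.

```python
import struct

# Added example, not APM code: validate a RADIUS packet's Length before
# parsing its attributes. RFC 2865 section 3: header is Code(1)
# Identifier(1) Length(2) Authenticator(16); Length is 20..4096 octets.

RADIUS_HEADER_LEN = 20
RADIUS_MAX_LEN = 4096
# Assumed size of a pre-fix receive limit, constructed for the illustration;
# the page states only that responses over 2048 bytes failed.
LEGACY_LIMIT = 2048


def parse_radius(packet, max_len=RADIUS_MAX_LEN):
    """Parse a RADIUS packet into (code, identifier, [(type, value), ...]).

    Raises ValueError when the Length field is outside 20..max_len, does not
    fit the received bytes, or an attribute overruns the packet, so a large
    or malformed response fails loudly instead of being silently truncated.
    """
    if len(packet) < RADIUS_HEADER_LEN:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not RADIUS_HEADER_LEN <= length <= max_len:
        raise ValueError(f"Length {length} outside {RADIUS_HEADER_LEN}..{max_len}")
    if length > len(packet):
        raise ValueError("Length field exceeds the received octets")
    attrs = []
    pos = RADIUS_HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.append((atype, bytes(packet[pos + 2:pos + alen])))
        pos += alen
    return code, ident, attrs


def is_valid_radius(packet, max_len=RADIUS_MAX_LEN):
    """True when parse_radius accepts the packet under the given limit."""
    try:
        parse_radius(packet, max_len)
    except ValueError:
        return False
    return True


def build_access_accept(identifier, messages):
    """Construct an Access-Accept (code 2) carrying one Reply-Message
    (attribute type 18) per entry. The Authenticator is zeroed because this
    example does not model the shared secret."""
    body = b"".join(bytes([18, 2 + len(m)]) + m for m in messages)
    length = RADIUS_HEADER_LEN + len(body)
    return struct.pack("!BBH", 2, identifier, length) + bytes(16) + body


def demo():
    """A legal ~3 KB Access-Accept fails under a 2048-byte limit and parses
    under the RFC limit; returns (legacy_ok, packet_size, attribute_count)."""
    big = build_access_accept(7, [b"x" * 250] * 12)   # 3044 bytes, legal RADIUS
    legacy_ok = is_valid_radius(big, max_len=LEGACY_LIMIT)
    _code, _ident, attrs = parse_radius(big)
    return legacy_ok, len(big), len(attrs)


if __name__ == "__main__":
    print(demo())
```

Because the page notes that RADIUS packet fragmentation is not supported, a server response that exceeds 4096 octets is still rejected by this parser; that is the correct outcome, since no single RADIUS packet may be that large.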


513916-4 : String iStat rollup not consistent with multiple blades

Component: TMOS

Symptoms:
An iStat of type string does not merge consistently in a multi-bladed chassis, so the value read on different blades at the same time may differ.

Conditions:
The iStat must be of type string, and the chassis must have multiple blades.

Impact:
The value of the iStat after the merge differs on different blades.

Workaround:
Use clsh to write the string iStat value to all blades together.

Fix:
The rollup of strings is based on a timestamp of the last update, but this value was not preserved through the first level of merge so the second level done on each blade was arbitrary. Now, the value is preserved, so the iStat value for multiple blades is correct.


513706-3 : Incorrect metric restoration on Network Access on disconnect (Windows)

Component: Access Policy Manager

Symptoms:
After Network Access disconnects, the metric of the default route differs from its metric before Network Access was connected.

Conditions:
Using Network Access on Windows systems.

Impact:
A multi-home environment might experience routing issues after disconnecting Network Access, for example, by default traffic might go through Wi-Fi instead of wired networks.

Workaround:
Disable and enable the network adapter.

Fix:
Fixed an issue causing incorrect metric restoration on Network Access on disconnect.


513649-3 : Transaction validation errors on object references

Component: TMOS

Symptoms:
If certain objects are deleted then created within the same transaction, transaction errors might occur.

Conditions:
This is exclusive to transactions either via iControl, tmsh cli transaction, or a device group config sync. An object must be deleted and re-created in the same transaction. The object that was deleted must have configured references to other objects. For example, a virtual server can reference a profile or a VLAN. If it does, and there is a virtual server delete-and-create operation in the same transaction, mcpd fails to clean up the join reference on delete and complains when it tries to recreate it.

Impact:
Unnecessary mcpd validation failure. The system posts an error message similar to the following: 01020066:3: The requested virtual server profile (/Common/vs1 /Common/tcp) already exists in partition Common.

Workaround:
If a user needs to delete and re-create an object, perform the delete in one transaction and the create in a subsequent transaction.

Fix:
Attempts to delete and recreate objects within the same transaction now complete successfully.


513581 : Occasional TMM crash when HTTP payload is scanned through SWG

Component: Access Policy Manager

Symptoms:
TMM core might occur when SWG is provisioned and content scanning is enabled. TMM restarts automatically after the core occurs.

Conditions:
When the BIG-IP system is provisioned with SWG and content is scanned through SWG.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable content scanning in SWG.

Fix:
The timer associated with SWG content scanning is now removed properly so TMM no longer crashes.


513565-3 : AFM Kill-on-the-fly does not re-evaluate existing flows against any Virtual/SelfIP ACL policies if a Global or Route-Domain rule action is modified from Accept-Decisively to Accept.

Component: Advanced Firewall Manager

Symptoms:
Existing flows are not re-evaluated against Virtual Server AFM policies in Kill-on-the-fly if a previous Global or Route Domain AFM rule with action = Accept Decisively is modified to action = Accept.

Conditions:
AFM provisioned and licensed.

Have a Global AFM (or route domain) rule with action = Accept Decisively and also a virtual server AFM rule.

Initial flow will be allowed due to global AFM rule action being Accept-decisively and will not be matched against Virtual Server Rule.

Now, modify the global AFM rule action to Accept. This should trigger Kill-on-the-fly to re-evaluate all existing flows against AFM policies.

Impact:
Existing flows bypass Virtual Server AFM Policy match evaluation in the sweeper under the conditions specified above.

Workaround:
None

Fix:
With this fix, existing flows will be evaluated against virtual server ACL policy if a previous Global or Route Domain AFM rule with action = Accept Decisively is modified to action = Accept.
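A toy model of the evaluation order this entry describes, added here as an example and not AFM code: a flow passes through the Global, Route Domain and Virtual Server contexts in turn; Accept Decisively ends evaluation, a plain Accept hands the flow to the next context, and Kill-on-the-fly re-runs existing flows through the current policy so that a flow allowed only by the old decisive rule is caught by the virtual server rule. The context order, the first-match-wins and fall-through simplifications, the rule set and the sample flow are assumptions constructed for the illustration.

```python
import ipaddress

# Added example, not AFM code: a toy model of rule evaluation across contexts,
# showing why existing flows must be re-evaluated when a Global rule changes
# from Accept Decisively to Accept. Assumed simplifications: three contexts in
# the order below, first matching rule in a context wins, and a flow matching
# nothing in a context falls through to the next context.

CONTEXT_ORDER = ("global", "route_domain", "virtual_server")


def evaluate_flow(flow, policies):
    """Return (verdict, context) for a flow.

    `policies` maps a context name to a list of (match_fn, action).
    'accept' allows the flow in this context and continues to the next,
    'accept_decisively' allows it and stops evaluation, 'drop' and 'reject'
    deny it and stop. The context returned is the one that decided.
    """
    last = ("accept", None)
    for ctx in CONTEXT_ORDER:
        for match, action in policies.get(ctx, []):
            if not match(flow):
                continue
            if action == "accept_decisively":
                return ("accept", ctx)
            if action in ("drop", "reject"):
                return (action, ctx)
            last = ("accept", ctx)      # plain accept: keep evaluating
            break
    return last


def reevaluate_existing_flows(flows, policies):
    """Kill-on-the-fly as a defender expects it: run every established flow
    through the current policy and return those no longer accepted, so they
    can be torn down."""
    return [f for f in flows if evaluate_flow(f, policies)[0] != "accept"]


def src_in(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda flow: ipaddress.ip_address(flow["src"]) in net


def dst_port(port):
    return lambda flow: flow["dst_port"] == port


def build_policies(global_action):
    """Constructed policy set: one Global rule for the 10.0.0.0/8 source range
    with the given action, and a virtual server rule dropping port 23."""
    return {
        "global": [(src_in("10.0.0.0/8"), global_action)],
        "virtual_server": [(dst_port(23), "drop")],
    }


def demo():
    """Returns (verdict before the change, verdict after, flows to kill)."""
    flow = {"src": "10.1.2.3", "dst_port": 23, "proto": "tcp"}   # constructed
    before = evaluate_flow(flow, build_policies("accept_decisively"))
    after = evaluate_flow(flow, build_policies("accept"))
    killed = reevaluate_existing_flows([flow], build_policies("accept"))
    return before, after, len(killed)


if __name__ == "__main__":
    print(demo())
```

The pre-fix behaviour in this entry corresponds to skipping reevaluate_existing_flows after the Global rule changes: the flow keeps its original ("accept", "global") verdict even though a fresh evaluation would now drop it at the virtual server.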


513530-3 : Connections might be reset when using SSL::disable and enable command

Component: Local Traffic Manager

Symptoms:
Enable/disable of SSL filter in quick succession might cause connection reset.

Conditions:
SSL filter is disabled then quickly re-enabled.

Impact:
Connection is unexpectedly reset/lost.

Workaround:
Do not re-enable SSL filter immediately after disabling it.

Fix:
The SSL::disable command no longer incorrectly flags a connection as disabled when the SSL filter is disabled and re-enabled in quick succession.


513454-2 : An snmpwalk with a large configuration can take too long, causing snmpd or mcpd restarts

Component: TMOS

Symptoms:
The snmpwalk will fail and the mcpd daemon could be restarted.

Conditions:
The configuration must be large so that the number of configured items related to the snmpwalk are in the tens of thousands.

Impact:
Failure to read SNMP data, mcpd restart and temporary loss of service.

Workaround:
Spread the configuration among more BIG-IPs or avoid running snmpwalks.

Fix:
Cache internal query data to optimize statistical queries.


513403-3 : TMM asserts when certain ICMP packets (e.g., multicast echo) are classified by AFM and match rules at Global and Route Domain context with logging enabled for these rules and also log-translations is enabled in AFM Logging configuration.

Component: Advanced Firewall Manager

Symptoms:
TMM asserts when certain ICMP packets are classified by AFM and match rules at the Global and Route Domain context with logging and log-translations enabled.

Conditions:
This might occur in the following configurations:
-- AFM Rule Logging is enabled and Log Translations is enabled in the Log Profile.
-- Server side AVR Statistics collection is enabled under Security :: Reporting.
-- Certain ICMP packets (such as multicast ICMP echo) are classified and match AFM rules at Global and Route Domain contexts.

Impact:
TMM crashes (assert). Traffic disruption due to TMM process crashing.

Workaround:
Disabling log-translations in AFM Logging Profile configuration can prevent the TMM crash for these types of ICMP packets.

Fix:
TMM crash (assert) for certain ICMP packets when classified by AFM and logging is enabled with log-translations has been fixed.


513382-2 : Resolution of multiple OpenSSL vulnerabilities

Vulnerability Solution Article: K16317


513319-7 : Incorrect or failing sideband connections from within an iRule may leak memory

Component: Local Traffic Manager

Symptoms:
When using sideband connections within iRules, the internal TMM memory structures might leak if the sideband destination is not reachable (routing, etc.).

Conditions:
An unreachable sideband destination that leads to failure of the sideband connection creation, e.g., the destination is not reachable via routing.

Impact:
Gradual growth in TMM memory usage, which can lead to an aggressive memory sweeper and eventual failover/outage. This might manifest as a gradual increase of TMM memory usage in graphs, and in particular as:
-- A high number of connfails in tmctl sb_stats.
-- A high amount of allocated memory in tmctl sb_cache.

Workaround:
Correct possible reachability issues to the sideband destination.

Fix:
TMM no longer leaks memory when the sideband destination is unreachable.


513294-1 : LBH firmware v3.07 update for BIG-IP 5000-/7000-series appliances

Component: TMOS

Symptoms:
The following issues may be observed on BIG-IP 5000-/7000-series appliances:
1. When a system shuts down due to an over-temperature condition, the name of the sensor that triggered the shutdown does not display.
2. Unable to configure AOM IP address using the DHCP Menu Option, with the system responding with the message: Error: Failed to configure AOM management port.
3. TMOS may log a critical alarm for the 0.9 volt sensor even though the voltage is in the nominal range.

Conditions:
BIG-IP 5000-/7000-series appliances with LBH firmware versions prior to v3.07 may experience each of the above issues under the following corresponding conditions:
1. Over temperature, thermal shutdown.
2. When trying to configure an IP address for AOM using the N - Configure AOM network option.
3. When the host is powered off using the AOM menu, the LBH will detect an under voltage condition for all non-standby voltage rails.

Impact:
The impacts of these issues are:
1. The user cannot determine which sensor triggered the thermal shutdown.
2. Unable to configure the AOM address using DHCP.
3. There will be a single ltm log message indicating this critical alarm, however the voltage reported in the log message will be in the nominal range.

Workaround:
Corresponding workarounds include:
1. None.
2. None.
3. Do not power cycle the host with the AOM menu. This error does not occur with an AC power cycle.

Fix:
LBH firmware v3.07 update for BIG-IP 5000-/7000-series appliances now works as expected.


513288-2 : Management traffic from nodes being health monitored might cause health monitors to fail.

Component: Local Traffic Manager

Symptoms:
Management traffic from nodes being health monitored might cause health monitors to fail.

Conditions:
A health monitor checks node_ip:port, where 1024 <= port < 65536, and the node periodically connects back to a management service on a self IP (e.g., iControl, GUI, SSH).

Impact:
Traffic is not sent to the node while the monitor is failing.

Workaround:
None.

Fix:
Management traffic from nodes being health monitored no longer causes health monitors to fail.


513283 : Mac Edge Client doesn't send client data if access policy expired

Component: Access Policy Manager

Symptoms:
If an access policy expires (for example, if a user took too long to enter a password), BIG-IP Edge Client displays a new page with the link "Start a New session". Clicking this link causes Edge Client for Mac to be detected as a browser by BIG-IP APM.

Conditions:
Edge Client for Mac, access policy expires.

Impact:
Edge Client is detected as a browser.

Workaround:
Click the Disconnect button and then the Connect button in Edge Client.

Fix:
APM no longer detects BIG-IP Edge Client for Mac as a browser when a user clicks "Start a New session" on access policy expired page.


513243-5 : Improper processing of crypto error condition might cause memory issues.

Component: Local Traffic Manager

Symptoms:
Improper processing of a crypto error condition might cause memory issues.

Conditions:
Error when processing certain crypto commands.

Impact:
The error might cause TMM to crash.

Workaround:
None.

Fix:
If certain crypto commands return an error, but memory is allocated successfully, the system now completes the operation as expected.


513213-4 : FastL4 connections may get RSTs when hardware syncookie is enabled.

Component: Local Traffic Manager

Symptoms:
Occasionally, an ACK is sent to the server without a preceding SYN, and the connection gets an RST.

Conditions:
1) FastL4 virtual server.
2) Hardware syncookie enabled.
3) Might more commonly occur with forwarding virtual servers.
4) Often happens when egress router has ARP timeout.

Impact:
Some connections will be dropped.

Workaround:
Configure a static ARP to all neighbors (routers) to avoid most issues.

Fix:
An issue with hardware syncookies and FastL4 connections has been resolved.


513201-5 : Edge client is missing localization of some English text in Japanese locale

Component: Access Policy Manager

Symptoms:
Edge Client is missing localization of some English text in Japanese locale.

Conditions:
Edge Client in Japanese locale.

Impact:
Edge Client shows some text in English.

Fix:
BIG-IP Edge Client is correctly localized for Japanese locale.


513165-1 : SAML Service Provider generated SLO requests do not contain 'SessionIndex' attribute

Component: Access Policy Manager

Symptoms:
When the BIG-IP system is used as SAML Service Provider, and SP-initiated Single Logout (SLO) is executed, the SLO request message does not contain the 'SessionIndex' attribute. As a result, the external IdP might not be able to terminate the user's session.

Conditions:
BIG-IP is configured as SP. SLO is initiated by SP.

Impact:
External IdP may not be able to terminate user's session.

Fix:
SAML Service Provider generated SLO requests now contain the needed attributes.


513151-7 : VIPRION B2150 blades show up as unknown when SNMP queries the OID sysObjectID.

Component: TMOS

Symptoms:
VIPRION B2150 blades with SSD show up as unknown when SNMP queries the OID sysObjectID.

Conditions:
SNMP queries the OID sysObjectID.

Impact:
You cannot identify any VIPRION B2150 blades with SSD using SNMP.

Workaround:
None.

Fix:
Added new SNMP OID for VIPRION B2150 blades with SSD.


513098-2 : localdb_mysql_restore.sh failed with exit code

Component: Access Policy Manager

Symptoms:
In certain scenarios, deleting a dynamic user entry from memory does not clear the entry from the underlying table.

Conditions:
This might occur when a dynamic user record is marked for deletion but has not yet been removed when the dynamic user representing that record is re-authenticated.

Impact:
Over time, the table grows in size due to stale records.

Fix:
Orphaned dynamic user records are now correctly deleted.


513083-2 : d10200: tmm core when using ASM-FPS-AVR-APM-DOS on virtual server.

Component: Access Policy Manager

Symptoms:
When tmm is running out of memory because of overload or other conditions and if APM is configured, tmm could potentially crash.

Conditions:
tmm is already running out of memory.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
This issue has been fixed.


513034-2 : TMM may crash if Fast L4 virtual server has fragmented packets

Vulnerability Solution Article: K17155


512954-1 : ospf6d might leak memory when a distribute-list is used

Component: TMOS

Symptoms:
Memory might be leaked when a distribute-list is used to filter routes between OSPFv3 and the Routing Information Base (RIB). The leak may lead to a crash unrelated to memory exhaustion.

Conditions:
OSPFv3 in use with a distribute-list, and LSAs in the database whose prefixes will be filtered by the distribute-list.

Impact:
ospf6d crashes interrupt all dynamic routing using OSPFv3.

Workaround:
Position the BIG-IP system in the network so there are no LSAs that need to be filtered using a distribute-list, such as in a stub area.

Fix:
ospf6d no longer crashes when a distribute-list is configured.


512687-2 : Policy parameter fields minimumValue and maximumValue do not accept decimal values through REST but accept decimal through GUI

Component: Application Security Manager

Symptoms:
Create a security policy named "policy1", then send a POST to
--------------------------
https://<BIG-IP>/mgmt/tm/asm/policies/<asm-policy-uuid>/parameters
--------------------------
with the body:
--------------------------
{
"name": "decimal",
"dataType": "decimal",
"maximumValue": 20.1
}
--------------------------
The request fails with the error:
--------------------------
"Could not parse/validate the Parameter. Field value for maximumValue must be an integer."
--------------------------
--------------------------

Conditions:
ASM is provisioned.

Impact:
Unable to create a decimal parameter with floating-point "minimumValue" and "maximumValue" properties using the REST API.

Workaround:
None.

Fix:
It is now possible to create a decimal parameter with floating-point "minimumValue" and "maximumValue" properties using the REST API.


512668-2 : ASM REST: Unable to Configure Clickjacking Protection via REST

Component: Application Security Manager

Symptoms:
The REST API for URLs was missing a field for Clickjacking Protection configuration.
When trying to configure that Rendering in Frames should only be allowed from a single URL, there is no field to specify that URL.

Conditions:
REST API is being used to configure Clickjacking Protection for URLs.

Impact:
A REST API client is unable to correctly configure protection that is meant to only be allowed from a specified URL.

Workaround:
Configure via GUI instead of REST.

Fix:
We added this missing field for REST to specify the "only-from" clickjacking URL: "allowRenderingInFramesOnlyFrom".


512618-2 : Continuous "Invalid sadb message" upon issuing "racoonctl -l show-sa esp"

Component: TMOS

Symptoms:
The racoonctl utility is not designed to display a large number of SAs, and it displays "Invalid sadb message" continuously.

Conditions:
The system has a large number of IPsec SAs.

Impact:
"Invalid sadb message" is displayed continuously upon issuing "racoonctl -l show-sa esp", and the racoonctl utility does not work.

Workaround:
Use TMSH instead. "tmsh show net ipsec ipsec-sa" will provide more accurate IPsec security association information.

Fix:
This change allows a user to retrieve SAs for specific addresses using the racoonctl utility.


512609-2 : Firewall rules specifying wildcard IPv6 addresses match IPv4 addresses

Component: Advanced Firewall Manager

Symptoms:
A Firewall Rule with Src/Dst = ::/0 (or 0::0/0) matches any IPv6 traffic which is correct, but also matches any IPv4 traffic which is incorrect.

Conditions:
Network Firewall Rule with wildcard IPv6 source or destination address ::/0 or 0::0/0.

Impact:
IPv4 traffic incorrectly matches the rule.

Workaround:
None

Fix:
A Firewall Rule with Src/Dst = ::/0 (or 0::0/0) no longer incorrectly matches any IPv4 traffic.
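
As an added illustration of the defect above (model code, not AFM's implementation): a family-blind prefix matcher lets an IPv6 wildcard rule capture IPv4 traffic, while the corrected matcher refuses to match across address families. The rule list and addresses are constructed for the example.

```python
import ipaddress
from typing import Callable, List, Tuple

# A rule is (action, source_prefix); hypothetical shape, not AFM's data model.
Rule = Tuple[str, str]

# Constructed rule set reproducing the report: an IPv6-only "reject everything"
# rule is listed ahead of an IPv4 accept rule.
RULES: List[Rule] = [
    ("reject", "::/0"),        # intended: match all IPv6 sources only
    ("accept", "0.0.0.0/0"),   # intended: accept all IPv4 sources
]


def matches_naive(rule_prefix: str, addr: str) -> bool:
    """Family-blind matcher modelling the pre-fix behaviour.

    An IPv4 address is widened to its IPv4-mapped IPv6 form and compared
    against the IPv6 prefix with a plain mask, so a /0 prefix (all-zero mask)
    matches every address regardless of family.
    """
    net = ipaddress.ip_network(rule_prefix, strict=False)
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and net.version == 6:
        ip_int = 0xFFFF00000000 | int(ip)      # ::ffff:a.b.c.d
    elif ip.version == 6 and net.version == 4:
        return False
    else:
        ip_int = int(ip)
    mask = int(net.netmask)
    return (ip_int & mask) == (int(net.network_address) & mask)


def matches(rule_prefix: str, addr: str) -> bool:
    """Corrected matcher: a prefix only matches addresses of its own family."""
    net = ipaddress.ip_network(rule_prefix, strict=False)
    ip = ipaddress.ip_address(addr)
    if ip.version != net.version:
        return False
    return ip in net


def first_match(rules: List[Rule], src: str,
                matcher: Callable[[str, str], bool] = matches) -> str:
    """First-match rule evaluation; "default-accept" when nothing matches."""
    for action, prefix in rules:
        if matcher(prefix, src):
            return action
    return "default-accept"


if __name__ == "__main__":
    for src in ("10.0.0.1", "2001:db8::1"):
        print(src, "naive:", first_match(RULES, src, matches_naive),
              "fixed:", first_match(RULES, src))
```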


512490-10 : Increased latency during connection setup when using FastL4 profile and connection mirroring.

Component: Local Traffic Manager

Symptoms:
Connection setup when using FastL4 profile and connection mirroring takes longer than previous versions.

Conditions:
FastL4 profile with connection mirroring.

Impact:
Slight delay during connection setup.

Workaround:
Disable tm.fastl4_ack_mirror. Optionally, enable tm.fastl4_mirroring_taciturn for signal-to-noise ratio improvements. This helps resolve connection setup latency.

Fix:
The Nagle algorithm is now disabled on the TCP/HA profile to improve performance.


512485-2 : Forwarding of flooded VXLAN-encapsulated unicast frames may introduce additional forwarding

Component: TMOS

Symptoms:
In VXLAN overlays, unicast frames are flooded (via multicast or unicast replication) when the destination MAC address is known and the remote endpoint is unknown. Upon receiving a flooded unicast frame, the BIG-IP system might forward the frame again to yet another endpoint. Eventually an additional L2 hop might be introduced between the sender and the receiver. This applies to both the multicast and the multipoint (unicast replication) configurations of VXLAN.

Conditions:
This affects deployments with three or more VXLAN endpoints.

Impact:
The introduction of an additional hop adds unnecessary latency.

Fix:
In this release, the system does no L2 forwarding of encapsulated frames received from one endpoint and destined to another within the same overlay (VXLAN VNI/Tunnel), so no extra hop is added.


512383-4 : Hardware flow stats are not consistently cleared during fastl4 flow teardown.

Component: Local Traffic Manager

Symptoms:
The PVA stat curr_pva_assist_conn is not being updated properly for certain Fast L4 flows.

Conditions:
1) Fast L4 virtual server.
2) PVA-acceleration enabled.

This occurs when the connection flow is not created because UDP traffic arrives at an undefined port on the virtual server. The curr_pva_assist_conn value is incremented though there are no active PVA flows.

This can also occur when LTM receives ICMP unreachable messages from the server side.

Impact:
Stats counts for Fast L4 virtual server, curr_pva_assist_conn value and 'Current SYN Cache', show invalid counts. If the hardware SYN cookie protection is on, the SYN cookie protection may be activated when it is not supposed to.

Workaround:
None.

Fix:
Stats counts for Fast L4 virtual server, curr_pva_assist_conn value and 'Current SYN Cache', now show the correct counts.


512345-6 : Dynamic user record removed from memcache but remains in MySQL

Component: Access Policy Manager

Symptoms:
When the system fetches a dynamic user record from MySQL and places the record into memcache, the record might remain there in an unmodified state for ten days.

Conditions:
This occurs when a dynamic user record is removed from memcache but remains in MySQL, due to an intermittent race condition between apmd/memcache and localdbmgr.

Impact:
Dynamic user, if locked out, remains in memcache for ten days. During this interval, the dynamic user record is unusable.

Workaround:
The Admin can remove the user by deleting the associated memcache record.

Fix:
Now APM handles the condition in which a dynamic user record is removed from memcache but remains in MySQL due to an intermittent race condition between apmd/memcache and localdbmgr.


512245 : Machine certificate agent on OS X 10.8 and OS X 10.9 uses local host name instead of hostname

Component: Access Policy Manager

Symptoms:
The machine certificate agent checker on the client might extract the wrong certificate, because it uses LocalHostName, which is not necessarily the same as the hostname. The machine certificate agent check might then fail.

Conditions:
BIG-IP APM with machine certificate agent.

Impact:
Machine certificate check might fail

Fix:
Machine Cert Auth agent passes on OS X 10.8 and OS X 10.9.


512148-7 : Self IP address cannot be deleted when its VLAN is associated with static route

Component: Local Traffic Manager

Symptoms:
A self IP address cannot be deleted when its VLAN is associated with a static route.

Conditions:
The self IP address' VLAN is associated with a static route.

Impact:
Self IP address cannot be deleted.

Workaround:
Temporarily remove the static route entries, delete the self IP, and then add the static route entries again.

Fix:
A self IP now can be deleted even when its VLAN is associated with a static route, as long as at least one self IP exists on that VLAN. If the static route is IPv4, then an IPv6 self IP does not meet the requirement, and vice versa.


512119-3 : Improved UDP DNS packet truncation

Component: Local Traffic Manager

Symptoms:
UDP responses from the DNS cache were not truncated properly. This is primarily seen in DNS tools, such as dig or Wireshark, which mark the response as malformed. Regular resolver clients handled the responses correctly, noting the TC bit in the response header.

Conditions:
UDP DNS responses larger than the size requested by the client, typically 512 bytes.

Impact:
Packets may be flagged as malformed by DNS packet analyzers. There are no known issues with regular DNS client resolvers.

Workaround:
None

Fix:
The DNS Cache now properly fills in response data and handles truncation as expected.
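
As an added illustration (not F5's code) of why analyzers flagged the old responses as malformed: a truncator that drops only whole records and fixes the section counts, beside a byte-boundary cut that leaves the counts stale. The sample response is constructed inline; the 512-byte UDP limit and the absence of EDNS are assumptions of the example.

```python
import struct

TC_FLAG = 0x0200  # TrunCation bit in the DNS header flags word
UDP_MAX = 512     # classic UDP payload limit without EDNS (assumed here)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the domain name starting at `off`,
    handling plain labels and RFC 1035 compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def _skip_rr(msg: bytes, off: int) -> int:
    """Return the offset just past the resource record starting at `off`."""
    off = _skip_name(msg, off)
    rdlength, = struct.unpack_from("!H", msg, off + 8)   # after TYPE, CLASS, TTL
    return off + 10 + rdlength


def is_well_formed(msg: bytes) -> bool:
    """The check an analyzer makes: walking every section the header declares
    must land exactly on the end of the message."""
    try:
        _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
        off = 12
        for _ in range(qd):
            off = _skip_name(msg, off) + 4              # QTYPE + QCLASS
        for _ in range(an + ns + ar):
            off = _skip_rr(msg, off)
        return off == len(msg)
    except (IndexError, struct.error):
        return False


def truncate_naive(msg: bytes, max_size: int = UDP_MAX) -> bytes:
    """Models the defect: set TC and cut at a byte boundary, leaving header
    counts that describe records no longer present."""
    if len(msg) <= max_size:
        return msg
    ident, flags = struct.unpack_from("!HH", msg, 0)
    return struct.pack("!HH", ident, flags | TC_FLAG) + msg[4:max_size]


def truncate_dns_response(msg: bytes, max_size: int = UDP_MAX) -> bytes:
    """Correct truncation: keep the question, then only whole records (in
    order) that fit; fix up the section counts and set TC."""
    if len(msg) <= max_size:
        return msg
    ident, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    if off > max_size:
        raise ValueError("question section alone exceeds max_size")
    kept = [0, 0, 0]
    end = off
    for section, count in enumerate((an, ns, ar)):
        for _ in range(count):
            nxt = _skip_rr(msg, off)
            if nxt > max_size:
                break
            kept[section] += 1
            off = end = nxt
        else:
            continue          # whole section fitted; try the next one
        break                 # stop at the first record that does not fit
    header = struct.pack("!HHHHHH", ident, flags | TC_FLAG, qd, *kept)
    return header + msg[12:end]


def parse_counts(msg: bytes):
    """Return (tc_set, qdcount, ancount, nscount, arcount) from the header."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    return bool(flags & TC_FLAG), qd, an, ns, ar


def build_sample_response(n_answers: int, qname: bytes = b"example.com") -> bytes:
    """Constructed input: a response with one A question and `n_answers`
    16-byte A records whose names point back to the question name."""
    labels = b"".join(bytes([len(l)]) + l for l in qname.split(b".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, n_answers, 0, 0)
    question = labels + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    answers = b"".join(
        struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, i % 256])
        for i in range(n_answers)
    )
    return header + question + answers
```

With 40 answers the constructed response is 669 bytes; the correct truncator keeps 30 whole records (509 bytes) with TC set, while the byte-boundary cut yields 512 bytes that fail the well-formedness walk.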


512054-4 : CGNAT SIP ALG - RTP connection not created after INVITE

Component: Service Provider

Symptoms:
The client has no audio when it makes a call.

Conditions:
This occurs when a client initiates a call with a CSeqID value greater than 64 KB.

Impact:
The BIG-IP system fails to create a media channel for audio/video traffic.

Workaround:
None.

Fix:
The BIG-IP system now correctly creates a media channel for audio/video traffic when the CSeqID value is greater than 64 KB.


511961-2 : BIG-IP Edge Client does not display logon page for FirePass

Component: Access Policy Manager

Symptoms:
The BIG-IP Edge Client cannot display the FirePass logon page: the status remains "Connecting..." and the Edge Client displays blank pages instead. As a result, clients cannot use the latest BIG-IP Edge Client for Mac with FirePass.

Conditions:
FirePass and the APM-supplied build of BIG-IP Edge Client for Mac.

Impact:
Users cannot log in to FirePass when using the BIG-IP Edge Client for Mac.

Workaround:
Update to the latest client.

Fix:
Clients using the BIG-IP Edge Client for Mac supplied with this APM release can continue to log in and do not get stuck at a "Connecting..." screen.


511893 : Client connection timeout after clicking Log In to Access Policy Manager on a Chassis

Component: Access Policy Manager

Symptoms:
Clients connecting via Edge Client or Network Access to Access Policy Manager running on a chassis experience a connection timeout after clicking Log In.

Conditions:
1. A chassis with two or more blades and APM provisioned.
2. Create a Portal Access/Network Access policy: start > logon page > portal resource (portal webtop, resource) > Allow.
3. Create an access session using a browser.

Impact:
Access session never finishes and browser does not render portal.

Workaround:
None

Fix:
BIG-IP Access Policy Manager running on a chassis will correctly process the client's Log In command.


511854-3 : Rewriting URLs at client side does not rewrite multi-line URLs

Component: Access Policy Manager

Symptoms:
An exception is posted when rewriting multi-line URLs on the client side.

Conditions:
Using multi-line URLs in client-side JavaScript code.

Impact:
Web-application logic might not work as expected. The system might post a message similar to the following: Unable to get property '2' of undefined or null reference.

Workaround:
None.

Fix:
This release fixes client-side URL rewriting for multi-line URLs.


511818-5 : Support RSASSA-PSS signature algorithm in server SSL certificate

Component: Local Traffic Manager

Symptoms:
The SSL handshake will fail if the certificate configured in client SSL profile cert-key-chain is signed by RSASSA-PSS.

Conditions:
A certificate with signature algorithm RSASSA-PSS is used in client SSL profile.

Impact:
SSL handshake between the client and BIG-IP SSL will fail.

Workaround:
Do not use a certificate with the rsassaPss signature algorithm.

Fix:
SSL handshake will succeed when using a certificate signed by RSASSA-PSS in the client SSL profile.

Behavior Change:
Before the change: SSL handshake would fail if the certificate configured in the client SSL profile cert-key-chain was signed by RSASSA-PSS. The system does not support a certificate with RSASSA-PSS signature algorithm.

After the change: SSL handshake will succeed when using a certificate signed by RSASSA-PSS in the client SSL profile.
This does not fix the case in which the client authentication certificate chain contains PSS-signed X.509 certificates, nor does it add PSS support to the TLS portion of the handshake (only to the BIG-IP system's own X.509 server certificate chain).


511651-2 : CVE-2015-5058: Performance improvement in packet processing.

Vulnerability Solution Article: K17047


511648-3 : On standby TMM can core when active system sends leasepool HA commands to standby device

Component: Access Policy Manager

Symptoms:
On a standby system, TMM can core after it comes up when the active system sends leasepool HA commands to the standby device.

Conditions:
This occurs on standby systems when the active system sends them leasepool HA commands.

Impact:
Traffic disrupted while tmm restarts.

Fix:
On a standby system, TMM no longer cores after it comes up when an active system sends leasepool HA commands to the standby device.


511559-6 : Virtual Address advertised while unavailable

Component: TMOS

Symptoms:
An unavailable virtual address is advertised after a load sys config.

Conditions:
The configuration contains a virtual-address with 'enabled' set to 'yes', 'route-advertisement' set to 'enabled', and the 'server-scope' set to 'any'. The BIG-IP system already has the same virtual-address configured with 'server-scope' as 'any'.

Impact:
Routes appear available on the route table when they are not, which might result in traffic being routed to unavailable servers.

Workaround:
Modify the virtual-address' 'server-scope' from the current value to another value and then back to the original value.

Fix:
Virtual address status is updated after load, so no unavailable virtual address is advertised.


511534-2 : A large number of regular expressions in match rules on path-segments may cause an AAM policy to take too long to load

Component: WebAccelerator

Symptoms:
When loading an AAM policy, tmm compiles the rules into an internal structure that is efficient for execution. Some conditions, however, may cause this process to take so long that tmm is halted before the system has finished compiling the policy.

Conditions:
The compilation time increases dramatically when regular expressions are used on more than one or two operands.

Since conditions can exist on many different path-segments (e.g., the 1st, 2nd, 3rd, etc.), using regular expressions on path-segments is a likely way to trigger this condition.

Impact:
The compilation time increases dramatically when regular expressions are used on more than one or two operands.

Since conditions might exist on many different path-segments (e.g., the 1st, 2nd, 3rd, etc.), using regular expression on path-segments is a likely way to trigger this condition.

Workaround:
None.

Fix:
Now, you can prevent AAM policy compilation from taking too long by turning the regular expression into plain matches using the '\' character to escape those symbols that turn a string into a regular expression. For example, previously, 'favicon.ico' was treated as a regular expression because '.' means 'any character'. Now the user can specify 'favicon\\.ico' (double '\' required by tmsh), which causes the '.' to mean the period character, thus avoiding the (unintended) regular expression.


511517-8 : Request Logging profile cannot be configured with HTTP transparent profile

Component: Local Traffic Manager

Symptoms:
Cannot configure both a Request Logging profile and an HTTP transparent profile on the same virtual server.

Conditions:
HTTP transparent profile is attached to a virtual server.

Impact:
Request Logging profile cannot be configured on the same virtual server.

Fix:
The system now supports configuring both a Request Logging profile and an HTTP transparent profile on a single virtual server.


511478-1 : Possible TMM crash when evaluating expression for per-request policy agents.

Component: Access Policy Manager

Symptoms:
TMM might crash when evaluating expressions in per-request policy agents, with possible loss of service.

Conditions:
APM is licensed and a per-request policy is attached to the virtual server. The per-request policy has agents with configured expressions.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove expressions from the agents in the per-request policy.

Fix:
A different mechanism is now used to evaluate the agent's expression, which fixes this possible crash.


511477 : Manage ASM security policies from BIG-IQ

Component: Application Security Manager

Symptoms:
Certain aspects of ASM Security Policies on BIG-IP 11.5.2 could not be managed by BIG-IQ Security.

Conditions:
New ASM security policies can now be created by BIG-IQ version 4.5. Currently it's disabled by default, and can be turned on by changing the rest_api_extensions option to "1" on the Advanced Configuration/System Variables page in the ASM GUI, and then restarting httpd.

Impact:
BIG-IQ Security cannot effectively manage ASM on BIG-IP 11.5.2.

Workaround:
None.


511441-2 : Memory leak on request Cookie header longer than 1024 bytes

Component: Access Policy Manager

Symptoms:
Memory leak on request Cookie header longer than 1024 bytes.

Conditions:
A client sends a 'Cookie' request header with more than 1024 bytes of data to an APM Portal Access host.

Impact:
Memory used by 'rewrite' process keeps increasing and leads to 'out of memory' logs and possibly failover.

Fix:
Portal Access no longer leaks memory on large Cookie request headers from the client.


511406 : Pagination issue on firewall policy rules page

Component: Advanced Firewall Manager

Symptoms:
Firewall policy rules page shows only the first 100 rules in the policy.

Conditions:
This is an issue when there are more than 100 rules configured in a policy.

Impact:
The user is only able to see the first 100 rules in the policy.

Fix:
The firewall policy rules page now displays more than 100 rules.


511332-1 : Customer cannot view Pools list by Address

Component: TMOS

Symptoms:
Customer cannot view Pools page after attempting to sort Nodes by the Address column.

Conditions:
User sorts by the Address column on the Nodes page and then navigates to the Pools page. The system posts the error: General database error retrieving information. This error persists until you either delete the JSESSIONID cookie or navigate back to the Nodes page and sort by Name.

Impact:
An error is received when navigating to the Pools page in this case.

Workaround:
Use one of the following workarounds: (1) Delete the JSESSIONID cookie. (2) Sort by Name on the Nodes page before navigating to the Pools page.

Fix:
The cookie name has been corrected to avoid naming conflicts between the node list page and the pool list page.


511326-3 : SIP SUBSCRIBE message not forwarded by BIG-IP when configured as SIP ALG with translation.

Component: Service Provider

Symptoms:
The BIG-IP system does not forward messages when configured as SIP ALG with translation.

Conditions:
The BIG-IP system is configured as SIP ALG with translation, and the subscriber sends a SUBSCRIBE message to receive a notification.

Impact:
The Subscriber does not receive any notification regarding the subscribed events.

Workaround:
None.

Fix:
The BIG-IP system now correctly forwards messages when configured as SIP ALG with translation.


511145-2 : IPsec Policy Link not functional.

Component: TMOS

Symptoms:
The IPsec Policy Link on the Network :: IPsec :: Traffic Selectors :: List page is not functional.

Conditions:
IPsec Traffic Selectors configured.

Impact:
Inability to manage IPsec via the GUI.

Workaround:
Use the main navigation menu on the left of the screen to go to Network :: IPsec :: Traffic Selectors :: List, and select the desired IPsec Policy.

Fix:
The IPsec Policy Link on the Network :: IPsec :: Traffic Selectors :: List page now functions as expected.


511130-2 : TMM core due to invalid memory access while handling CMP acknowledgement

Component: Local Traffic Manager

Symptoms:
Rarely, TMM might core due to invalid memory access while handling a CMP acknowledgement.

Conditions:
Memory is not validated before handling a CMP acknowledgement.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Memory is now validated before handling a CMP acknowledgement.


511064-2 : Repeated install/uninstall of policy with usage monitoring stops after second time

Component: Policy Enforcement Manager

Symptoms:
Usage monitoring as required by the policy stops working.

Conditions:
Policy configured with usage monitoring is installed/uninstalled multiple times within a session.

Impact:
Usage reporting stops working.

Workaround:
None.

Fix:
The system now correctly handles the case in which a policy with usage monitoring is installed and removed multiple times.


511057-7 : Config sync fails after changing monitor in iApp

Component: Local Traffic Manager

Symptoms:
Unable to modify a pool monitor and delete it in the same transaction.

Conditions:
A pool has the monitor associated with it before the tmsh transaction, and that monitor is the same as the one being deleted in the transaction.

Impact:
Unable to submit multiple changes in a single transaction.

Workaround:
Modify the pool monitor and delete it in separate transactions.

Fix:
Monitor modification and deletion can now happen in the same transaction.


511029 : "selfLink" for ASM Policy was incorrect for iControl REST

Component: Application Security Manager

Symptoms:
After using iControl REST to assign a policy to a virtual server, the JSON response had an incorrect selfLink for the policy.

Conditions:
Using iControl REST to assign a policy to a virtual server.

Impact:
API clients depending on the correct selfLink being returned might experience issues.

Workaround:
None.

Fix:
Previously, if you used iControl REST to assign a policy to a virtual server, the JSON response had an incorrect selfLink for the policy. This issue has been fixed.


510979-2 : Password-less SSH access after tmsh load of UCS may require password after install.

Component: TMOS

Symptoms:
If an account such as admin has password-less SSH access, then after loading the UCS config, or doing a live install and moving the config, SSH access no longer works without a password.

Conditions:
The user's .ssh/authorized_keys file is owned by uid 0.

Impact:
tmsh load sys ucs config replaces the uid ownership of /home/user_name/.ssh/authorized_keys incorrectly, which prevents SSH access without passwords.

Workaround:
Create a directory in /var/ssh for each user, move .ssh/authorized_keys there, and then link to the moved file in the ~/.ssh directory. In that case, UCS load affects the link, but not the linked file, so password-less SSH access is maintained.

Note: A UCS file taken after the workaround will not include the file /var/ssh/<username>/authorized_keys. If you have a plan to load the UCS on a different unit, for example, for the purposes of RMA, please save the file individually.

Fix:
Password-less SSH access is now maintained after tmsh load (or install and move config) of UCS.


510921-6 : Database monitors do not support IPv6 nodes

Component: Local Traffic Manager

Symptoms:
Unable to monitor IPv6 nodes.

Conditions:
Pool configured with a DB monitor (MySQL, MSSQL, Oracle or Postgres) and IPv6 nodes.

Impact:
IPv6 nodes are reported down and do not receive traffic.

Fix:
Database monitors now support monitoring IPv6 nodes.


510888-8 : [LC] snmp_link monitor is not listed as available when creating link objects

Component: Global Traffic Manager

Symptoms:
GUI: snmp_link is not listed in the Available monitor list when creating link objects. TMSH: snmp_link is not shown when using TAB to show monitor options when creating link objects.

Conditions:
When creating GTM link objects.

Impact:
Cannot determine whether snmp_link monitor can be used. Must manually input snmp_link to associate snmp_link to a link object.

Workaround:
Through tmsh, manually type snmp_link as monitor when creating link objects.

Fix:
snmp_link monitor is now listed as available when creating link objects.


510828 : Manage ASM security policies from BIG-IQ

Component: Application Security Manager

Symptoms:
Certain aspects of ASM Security Policies on BIG-IP 11.5.2 could not be managed by BIG-IQ Security.

Conditions:
New ASM security policies can now be created by BIG-IQ version 4.5. Currently it's disabled by default, and can be turned on by changing the rest_api_extensions option to "1" on the Advanced Configuration/System Variables page in the ASM GUI, and then restarting httpd.

Impact:
BIG-IQ Security cannot effectively manage ASM on BIG-IP 11.5.2.

Workaround:
None.

Fix:
This is a part of ID 498361.


510818 : Manage ASM security policies from BIG-IQ

Component: Application Security Manager

Symptoms:
Certain aspects of ASM Security Policies on BIG-IP 11.5.2 could not be managed by BIG-IQ Security.

Conditions:
REST shows the redirect URL in the Response Page when the action type is "redirect".

Impact:
BIG-IQ Security cannot effectively manage ASM on BIG-IP 11.5.2.

Workaround:
None.

Fix:
New ASM security policies can now be created by BIG-IQ version 4.5. Currently it's disabled by default, and can be turned on by changing the rest_api_extensions option to "1" on the Advanced Configuration/System Variables page in the ASM GUI, and then restarting httpd.


510720-2 : iRule table command resumption can clear the header buffer before the HTTP command completes

Component: Local Traffic Manager

Symptoms:
iRule table command resumption can clear the header buffer before the HTTP command completes.

Conditions:
An HTTP request was attempted with an iRule table command that resumed after parking.

Impact:
Results in a SIGABRT. The header names might intermittently output incorrectly, and report empty names and/or parts of the request line.

Workaround:
This issue has no workaround at this time.

Fix:
iRule resumption after halting now works correctly.


510709-3 : Websso start URI match fails if there are more than 2 start URI's in SSO configuration.

Component: Access Policy Manager

Symptoms:
If more than 2 start URIs are configured, start URI parsing does not work correctly. This results in no start URI match and websso failure.

Conditions:
SSO error happens only if there are more than 2 start URIs configured in the SSO configuration.

Impact:
SSO v1 (websso) fails for the configured start URI due to a start URI mismatch.

Workaround:
No workaround.

Fix:
Websso start URI parsing was wrong when there were multiple lines in the start URI configuration. Websso start URI parsing is now fixed.


510638-2 : [DNS] Config change in dns cache resolver does not take effect until tmm restart

Component: Local Traffic Manager

Symptoms:
Config change in DNS cache resolver does not take effect until tmm restart.

Conditions:
Make changes to LTM DNS cache resolver.

Impact:
Changes made to the DNS cache resolver are not in effect until tmm restarts. For example, changes to the DNS cache resolver's parameters Max. Concurrent Queries and Allowed Query Time do not load into the system until tmm restarts.

Workaround:
Restart tmm after making changes, or create a new DNS cache profile.

Fix:
Config changes in the DNS cache resolver now take effect immediately and no longer require a tmm restart.


510596-5 : Broken DNS resolution on Linux client when "DNS Default Domain Suffix" is empty

Component: Access Policy Manager

Symptoms:
DNS resolution can break for a Linux client when the "DNS Default Domain Suffix" setting is empty in a Network Access configuration in APM.

Conditions:
BIG-IP Edge Gateway, Linux CLI, and an empty "DNS Default Domain Suffix" in the Network Access configuration.

Impact:
DNS resolution might not work on Linux.

Workaround:
Configure "DNS Default Domain Suffix" in the Network Access configuration.

Fix:
DNS resolution on Linux works now even when the "DNS Default Domain Suffix" setting in the Network Access configuration is empty.


510580-3 : Interfaces might be re-enabled unexpectedly when loading a partition

Component: TMOS

Symptoms:
Loading of a set of partitions not including Common might re-enable interfaces that were previously disabled.

Conditions:
Loading of a set of partitions not including Common.

Impact:
Interfaces might be unexpectedly re-enabled. (It is expected that 'load sys config partitions { anotherpartition }' will only affect objects in the /anotherpartition folder.)

Workaround:
None.

Fix:
Loading of a set of partitions not including Common no longer re-enables interfaces that were previously disabled.


510559-5 : Add logging to indicate that compression engine is stalled.

Component: TMOS

Symptoms:
Hardware compression slowly and progressively fails to handle compression operations. The system posts the following errors in ltm.log: crit tmm3[14130]: 01010025:2: Device error: n3-compress0 Nitrox 3. If the compression engine stalls, there is no logging-trail to indicate there is a problem.

Conditions:
This occurs when the system encounters errors during hardware compression handling and the compression engine stalls.

Impact:
Compression completely stalls, or CPU usage is driven up by software-based compression. There is no indication of what the issue is.

Workaround:
Disable compression, or select 'software only' compression.

Fix:
Previously, if the compression engine stalled, there would be no logging-trail to indicate there was a problem. This release adds logging and stats for detecting a compression engine stall.


510499-1 : System Crashes after Sync in an ASM-only Device Group.

Component: Application Security Manager

Symptoms:
System crashes after an ASM Sync in an ASM-only Device Group.

Conditions:
This occurs when the following conditions are met:
1) Two devices that are in both a full-sync device group and a sync-only, ASM-enabled device group, both with manual sync.
2) Have a policy active on a virtual server on both devices.
3) Deactivate the policy on one device.
4) Push the ASM config from that device to the other device.

Impact:
Peer Device is left in an inconsistent state and BD crashes.

Workaround:
None.

Fix:
ASM configuration sync now gracefully handles being unable to deactivate a policy when doing so conflicts with the LTM configuration.


510459-2 : In some cases Access does not redirect client requests

Component: Access Policy Manager

Symptoms:
A client may receive the following error message upon request: "The requested file could not be found on the server. Please contact system administrator."

Conditions:
Client requests received by Access running on BIG-IP versions 11.4.0 to 11.6.0 may encounter this issue.

Impact:
Client request is not fulfilled and error message received.

Workaround:
None

Fix:
Resolved an issue in which clients receive a file-not-found message from Access due to an out-of-date whitelist entry in OPSWAT.


510425-7 : DNS Express zone RR type-count statistics are missing in some cases

Component: TMOS

Symptoms:
When displaying DNS zone data with multiple instances, if one instance has no resource record data, the following instance also displays empty resource record data even when there is something to display.

Conditions:
When displaying DNS zone data with multiple instances, and one has no resource record data.

Impact:
Missing Resource Record data when the data is not empty.

Workaround:
Query the specific DNS Zone data instance instead of the 'query all'.

Fix:
DNS Express zone RR type-count statistics now display correctly.


510393-2 : TMM may occasionally restart with a core file when deployed VCMP guests are stopped

Component: TMOS

Symptoms:
vCMP guest shutdown can interfere with execution of the vCMP hypervisor TMM, causing 'Clock advanced' messages and TMM restarts with corresponding core files.

Conditions:
vCMP guests in state 'deployed' are modified to state 'provisioned' or 'configured', or are deleted entirely. The likelihood of a TMM restart increases with the number of guests that are stopping at the same time.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Shut down vCMP guests one at a time to reduce the likelihood of encountering this issue.

Fix:
Resolved occasional TMM restarts when stopping vCMP guests on 12050 and 10350N appliances.


510381-5 : bcm56xxd might core when restarting due to bundling config change.

Component: TMOS

Symptoms:
A race condition exists where bcm56xxd might core while restarting due to a bundling configuration change if it is still processing other config messages from MCP. This affects all platforms that support interface bundling.

Conditions:
Interface bundling change requiring a restart while still processing configuration messages.

Impact:
Unnecessary core file produced since the daemon is restarting anyway.

Workaround:
None.

Fix:
Fixed possible race condition which resulted in a bcm56xxd core.


510287 : Create ASM security policy by BIG-IQ

Component: Application Security Manager

Symptoms:
Certain aspects of ASM security policies on BIG-IP 11.5.2 could not be managed by BIG-IQ Security; in particular, BIG-IQ could not create new ASM security policies.

Conditions:
BIG-IQ Security (version 4.5) managing ASM on BIG-IP 11.5.2.

Impact:
BIG-IQ Security cannot effectively manage ASM on BIG-IP 11.5.2.

Workaround:
None.

Fix:
New ASM security policies can now be created by BIG-IQ version 4.5. The capability is disabled by default; to enable it, set the rest_api_extensions option to "1" on the Advanced Configuration / System Variables page in the ASM GUI, and then restart httpd.


510264-2 : TMM core associated with smtps profile.

Component: Local Traffic Manager

Symptoms:
tmm can core when the smtps profile is enabled.

Conditions:
This is an intermittent core seen when the smtps profile is enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm will no longer core from using the smtps profile.


510226-1 : All descriptions for ports-list's members are flushed after the port-list was updated

Component: Advanced Firewall Manager

Symptoms:
'Description' for port-list entries created from tmsh gets deleted when the corresponding port-list object is updated from GUI.

Conditions:
When a user updates a port-list object whose members have descriptions set, the descriptions are deleted.

Impact:
User will lose the description value set for its members.

Workaround:
Do not update the port list from the GUI when its members have a 'description'; use tmsh to update the port list instead.

Fix:
Descriptions created for port list members from tmsh no longer get deleted when a user updates the port list object.


510224-1 : All descriptions for address-list members are flushed after the address-list was updated

Component: Advanced Firewall Manager

Symptoms:
'Description' for address-list entries created from tmsh gets deleted when the corresponding address-list object is updated from GUI.

Conditions:
When a user updates an address-list object whose members have descriptions set, the descriptions are deleted.

Impact:
User will lose the description value set for its members.

Workaround:
Do not update the address list from the GUI when its members have a 'description.'

Fix:
Descriptions created for address list members from tmsh no longer get deleted when a user updates the address list object.


510164-4 : DNS Express zone RR statistics are correctly reset after zxfrd restart

Component: Local Traffic Manager

Symptoms:
After restarting zxfrd, the RR type-count statistics are not correctly reset when doing an incremental zone transfer to the BIG-IP system on DNSX zones with capital letters in their name.

Conditions:
Restart zxfrd, or reboot the BIG-IP system. The RR type-count statistics are reset to 0.

Impact:
DNS Express zone RR type-count statistics are inaccurate after zxfrd restart for DNSX zones with capital letters in their name.

Workaround:
There are two workarounds:
-- Remove /var/db/tmmdns.bin and restart zxfrd.
-- Recreate the DNSX zones using all-lowercase names.

Fix:
DNS Express zone RR type-count statistics are correctly set after restarting zxfrd.


510162 : potential TMM crash when AFM DoS Sweep & Flood is configured

Component: Advanced Firewall Manager

Symptoms:
TMM could crash and restart.

Conditions:
The AFM DoS Sweep & Flood vector is configured, and incoming traffic arrives at a rate high enough to trigger that vector. Under these conditions the crash is possible.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not configure the AFM Sweep & Flood DoS vector.

Fix:
The crash has been fixed.


510119-3 : HSB performance can be suboptimal when transmitting TSO packets.

Component: TMOS

Symptoms:
For heavily fragmented TSO packets, it is possible to populate a high percentage of the HSB's transmit ring.

Conditions:
This can happen when transmitting large fragmented TSO packets.

Impact:
Suboptimal behavior might be seen when transmitting large fragmented TSO packets. There is a rare chance it can lead to a full or stuck transmit ring.

Workaround:
Disable TSO.


509968 : BD crash when a specific configuration change happens

Component: Application Security Manager

Symptoms:
After a configuration change (a security policy attached to a virtual server, a new security policy, or another large configuration change), traffic halts or is reset, a 'shrinking' message appears in bd.log, and then bd crashes.

Conditions:
A remote logger with "report anomalies" is attached to the virtual server, a session transaction attack is in progress, and the session transaction configuration is changed together with a custom header (XFF) configuration. This can also happen when adding new web applications to an existing virtual server, or attaching an existing web application to a virtual server, while a session transaction attack is in progress on that virtual server.

Impact:
Traffic halts, a failover occurs, and connections are reset. BD restarts with the updated configuration in place.

Workaround:
Do not add security policies, attach security policies to a virtual server, reconfigure a security policy, or change the session transaction configuration together with the custom header configuration while a session transaction attack is in progress on a virtual server that has a remote logger attached.

Fix:
A crash that happens upon a specific configuration change was fixed.


509956-5 : Improved handling of cookie values inside SWG blocked page.

Component: Access Policy Manager

Symptoms:
Certain components of cookies are not escaped and might negatively impact functionality.

Conditions:
Use of a reject ending in a per-request access policy.

Impact:
Potential disruption of functionality.

Workaround:
None.

Fix:
Improved the way that we process cookie values in an SWG blocked page.


509919-1 : Incorrect counter for SelfIP traffic on cluster

Component: Advanced Firewall Manager

Symptoms:
On a cluster, self IP traffic is always handled on the primary blade; if it is disaggregated to a non-primary blade, it is forwarded internally to the primary blade.

Because of this, AFM classified such traffic twice (only on a cluster), producing incorrect AFM ACL/IPI counts.

Conditions:
SelfIP traffic is disaggregated to non-primary blade on a cluster and AFM is enabled

Impact:
Incorrect AFM ACL/IPI rule counters due to internal forwarding of SelfIP traffic on a cluster from non-primary to primary blade causing AFM to match/classify these packets twice.

Workaround:
None

Fix:
With the fix, self IP traffic on a cluster is counted correctly for AFM ACL/IPI matches.


509782-2 : TSO packets can be dropped with low MTU

Component: TMOS

Symptoms:
If an interface is configured with a low MTU, it is possible for the system to drop TSO packets. This can be observed looking at the tx_drop_tso_bigpkt stat in the tmm/hsb_internal_fsc table.

Conditions:
The interface is configured with a low MTU, usually 750 or lower. If TMM then attempts to use TSO for a packet, there is a chance this packet will be dropped.

Impact:
Large TSO packets are dropped.

Workaround:
Increase the MTU or disable TSO.

Fix:
Three related fixes are needed to fully address the issue:

-- ID 466260, covered in SOL15953: TMM may produce a core file with the 'Assertion we always have room in tx ring! failed' error message.
-- ID 502238, covered in SOL16736: The BIG-IP system may lose connectivity and fail to process all traffic through TMM if the HSB is overloaded.
-- ID 509782, covered in SOL16780: The BIG-IP system may drop TSO packets.

The Solutions are available here:

-- https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15953.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16736.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16780.html


509758-3 : EdgeClient shows incorrect warning message about session expiration

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client shows an incorrect warning message once a network access connection is established.

Conditions:
Access Policy has disabled Maximum Session timeout (set to 0) and
Network Access webtop is used.

Impact:
The warning displays all zeroes instead of a timeout value. This is a cosmetic issue and does not indicate incorrect system functionality.

Workaround:
None.

Fix:
The BIG-IP Edge Client no longer shows the incorrect warning message.


509663 : asm restart periodically with errors in asm_config_server.log: ASM Config server died unexpectedly

Component: Application Security Manager

Symptoms:
ASM restarts periodically with the following error in the asm_config_server.log: ASM Config server died unexpectedly.

Conditions:
ASM provisioned

Impact:
ASM restarts periodically with the following error in the asm_config_server.log: ASM Config server died unexpectedly.

Workaround:
None

Fix:
We fixed a syntax error that caused the system to periodically restart.


509646-6 : Occasional connections reset when using persistence

Component: Local Traffic Manager

Symptoms:
Occasional connections will be reset when using persistence. If tracking reset causes, the reset cause will be "Persist add entry not found."

Conditions:
This occurs only within the first 32 seconds of a tmm receiving traffic after startup. The client request further has to arrive on the exactly correct tmm on a chassis. This does not reproduce on non-chassis devices.

Impact:
Occasional reset connections. After 32 seconds of receiving traffic, the issue abates.

Fix:
Spurious resets of new persistent connections no longer occur.


509600-5 : Global rule association to policy is lost after loading config.

Component: TMOS

Symptoms:
The association of a global rule to a policy appears to be lost after any operation that loads the configuration (an explicit load, a save, an upgrade, or a config sync). As a result, you may encounter the following symptom:

After re-enabling a global policy and waiting for an unspecified period of time, you observe that the policy is disabled again.

Conditions:
This occurs when you associate a global rule with a policy, and then initiate an operation that causes config load.

Impact:
Policies are removed from enforcement in the global context.

Workaround:
To work around this issue, you can add back the rules manually, or, if you have not configured a route domain, you can apply route domain rules to Route Domain 0, which is effectively the same as the global rule context when no other route domains are configured.

Impact of workaround: If you have other route domains configured, Route Domain 0 is no longer usable as a global context.

Fix:
The association of a global rule to a policy is now retained after any operation that loads the configuration (an explicit load, a save, an upgrade, or a config sync).


509504-4 : Excessive time to save/list a firewall rule-list configuration

Component: TMOS

Symptoms:
A configuration containing a large number of firewall rule-list::rules might take an excessively long time to save. Similarly, excessive times are seen for listing the firewall configuration.

Conditions:
Large number of AFM rules.

Impact:
A long time to save or list the configuration. While this issue was noticed for a firewall rule-list::rules configuration, the same issue might occur for deeply nested configurations.

Fix:
The save and list times for numerous firewall rules and deeply nested configurations (for example, firewall rule-list::rules) are significantly reduced.


509503-3 : tmsh load sys config merge file 'filename' takes significant time for firewall rule-list configuration

Component: TMOS

Symptoms:
Certain configurations with deeply nested structures (for example, some firewall rule-list configurations) require excessive time for the tmsh load sys config merge operation.

Conditions:
Configurations containing deeply nested structures.

Impact:
The time for the merge is significantly more than the time needed for load operation.

Workaround:
If you are affected by long load times when merging a configuration file into the existing configuration, you can instead append the configuration file to the respective bigip_base.conf or bigip.conf file manually.

Fix:
The performance of the tmsh load sys config merge operation has been optimized; the merge now takes only slightly longer than a load.


509490-1 : [IE10]: attachEvent does not work

Component: Access Policy Manager

Symptoms:
Websites are broken in Internet Explorer if they use postMessage to send objects. There could be errors in the JavaScript console.

Conditions:
A web application running in Internet Explorer 8, 9 or 10 through Portal Access that uses window.postMessage() and receives the message with a handler added through window.attachEvent().

Impact:
Web-Application cannot use Window.postMessage() to send data with Portal Access in Internet Explorer.

Workaround:
None.

Fix:
The 'onmessage' handler added with window.attachEvent() now correctly receives data sent through window.postMessage().


509416-4 : Suspended 'after' commands may result in unexpected behaviors

Component: Local Traffic Manager

Symptoms:
Unexpected iRule behavior, crashes or aborts.

Conditions:
Can occur when a virtual server has a OneConnect profile and an iRule using the 'after' command.

Impact:
tmm crash.

Fix:
Connections are ineligible for re-use while there is still a pending, suspended or in-progress 'after' iRule. This is correct behavior.


509310-1 : Bad outer IPv4 UDP checksum observed on egressing VxLAN traffic on VIPRION chassis and 5000 series appliances

Component: Local Traffic Manager

Symptoms:
The egress VxLAN traffic on VIPRION chassis and 5000 series appliances has bad UDP checksum in its outer UDP header. The BIG-IP hardware does not support UDP checksum offload for VxLAN traffic if the outer UDP header is IPv4. The BIG-IP hardware uses UDP destination port 4789 to identify VxLAN traffic.

Conditions:
The outer UDP header of egress VxLAN traffic on VIPRION chassis and 5000 series appliances is IPv4 and has destination port equal to 4789.

Impact:
The egress VxLAN traffic is dropped due to bad UDP checksum.

Workaround:
Set the db variable iptunnel.vxlan.udpport to 0 so that the BIG-IP system hardware no longer classifies traffic with UDP destination port 4789 as VxLAN traffic.

Fix:
VIPRION chassis and 5000 series appliances no longer generate bad outer IPv4 UDP checksums on egressing VxLAN traffic.


509276-3 : VXLAN tunnels with floating local addresses generate incorrect gratuitous ARPs on standby device

Component: TMOS

Symptoms:
VXLAN tunnels with floating local addresses generate incorrect gratuitous ARPs on the standby device.

Conditions:
A VXLAN tunnel with a floating local address on the standby device.

Impact:
Incorrect gratuitous ARPs are generated on the standby device.

Fix:
VXLAN tunnels with floating local addresses no longer generate incorrect gratuitous ARPs on the standby device.


509273-3 : hostagentd consumes memory over time

Component: Device Management

Symptoms:
The hostagentd process on a vCMP host might consume more memory over time.

Conditions:
BIG-IP appliance or VIPRION blade/cluster with vCMP guests.

Impact:
Rarely, the vCMP host might run out of memory.

Workaround:
To work around this issue, you can disable guest health statistic collection on the vCMP host. To do so, perform one of the following procedures:

Option 1: Disable statistic collection for the tmsh show vcmp health command.
Impact of workaround: This procedure affects the values returned by the tmsh show vcmp health stats command.
1. Log in to the command line of the vCMP host appliance or the primary blade of the cluster.
2. To disable statistic collection, type the following command:
   tmsh modify vcmp guest all capabilities add { stats-isolated-mode }
3. To restart the hostagentd process, type the following command:
   a. On a BIG-IP appliance:
      bigstart restart hostagentd
   b. On a blade in a VIPRION cluster:
      clsh bigstart restart hostagentd

Option 2: Disable the hostagentd process.
Impact of workaround: This procedure affects health statistic collection, as well as the ability for guests to install from a host-provided ISO.
1. Log in to the command line of the vCMP host appliance or the primary blade of the cluster.
2. To stop the hostagentd process, type the following command:
   a. On a BIG-IP appliance:
      bigstart stop hostagentd
   b. On a blade in a VIPRION cluster:
      clsh bigstart stop hostagentd
3. To prevent the hostagentd process from starting after a reboot, type the following command:
   a. On a BIG-IP appliance:
      bigstart disable hostagentd
   b. On a blade in a VIPRION cluster:
      clsh bigstart disable hostagentd

Fix:
Fixed a rare vCMP host memory growth issue.


509120-1 : BIG-IQ is unable to discover older BIG-IP versions due to over-zealous grooming

Component: Device Management

Symptoms:
When BIG-IQ discovers a BIG-IP device, it attempts to upgrade the REST framework on that BIG-IP as part of the discovery process.

On BIG-IP versions without this fix, the '/tmp' directory is groomed (its contents removed), which causes the framework upgrade to fail, which in turn causes the entire discovery process to fail.

Conditions:
BIG-IQ must be version X or higher.
BIG-IP must be version 11.5.x.

Impact:
BIG-IQ discovery of 11.5.x BIG-IP devices fails, so those devices cannot be managed from BIG-IQ.

Fix:
The BIG-IP system no longer grooms the '/tmp' directory while BIG-IQ performs the REST framework upgrade during discovery, so the upgrade and discovery complete successfully and the BIG-IP device can be managed using BIG-IQ.


509063-1 : Creating or loading guest on cluster with empty slot 1 can result in error

Component: TMOS

Symptoms:
Creating or loading guest on a cluster on which slot 1 is empty can result in error.

Conditions:
This only occurs on clustered BIG-IP systems when slot 1 is empty (unpopulated) with no 'cores-per-slot' attribute explicitly set.

Impact:
The guest create command fails or the config fails to load, and the system posts the error: Unable to find default core count for guest on this hardware.

Workaround:
Explicitly set the 'cores-per-slot' attribute in the guest create command or in the guest config.

Fix:
Creating or loading a guest config on a clustered BIG-IP with an empty slot 1 no longer results in an error, and the default cores-per-slot value is correctly used for the guests.


508908-2 : Enforcer crash

Component: Application Security Manager

Symptoms:
A bd crash. Connections reset until the system restarts or a failover completes.

Conditions:
A multipart request with specific syntax error.

Impact:
A bd process crash, failover. Will reset connection until the system restarts/ failover finishes.

Workaround:
No workaround

Fix:
An Enforcer crash was fixed.


508719-7 : APM logon page missing title

Component: Access Policy Manager

Symptoms:
The title might be missing from a logon page.

Conditions:
Logon page uses field filled with dynamically assigned session variable.

Impact:
No title displays on the logon page.

Workaround:
Modify the page logon.inc using the customization panel, as follows.

* Add this function:
function getSoftTokenPrompt()
{
    if ( softTokenFieldId != "" && edgeClientSoftTokenSupport()) {
        var div = document.getElementById("formHeaderSoftToken");
        if (div) {
            return div.innerHTML;
        }
    }
    return null;
}

* Replace the beginning of OnLoad():
function OnLoad()
{
    var header = document.getElementById("credentials_table_header");
    var softTokenHeaderStr = getSoftTokenPrompt();
    if ( softTokenHeaderStr ) {
        header.innerHTML = softTokenHeaderStr;
    }

with:
function OnLoad()
{
    var header = document.getElementById("credentials_table_header");
    var softTokenHeaderStr = "<? echo $formHeaderSoftToken; ?>";
    if ( softTokenFieldId != "" && softTokenHeaderStr != "" && edgeClientSoftTokenSupport()) {
        header.innerHTML = softTokenHeaderStr;
    } else {
        header.innerHTML = "<? echo $formHeader; ?>";
    }

(The remainder of OnLoad() is unchanged.)

* Replace:
<td colspan=2 id="credentials_table_header" ></td>
with:
<td colspan=2 id="credentials_table_header" ><? echo $formHeader; ?></td>

* Add this before the </body> tag:
<div id="formHeaderSoftToken" style="overflow: hidden; visibility: hidden; height: 0; width: 0;"><? echo $formHeaderSoftToken; ?></div>

Fix:
The title displays on the logon page now.


508716-3 : DNS cache resolver drops chunked TCP responses

Component: Local Traffic Manager

Symptoms:
DNS cache resolver drops chunked TCP responses

Conditions:
The cache resolver uses TCP to resolve a query, and the nameserver does not include the complete reply in the first TCP segment.

Impact:
The response will be discarded, the connection dropped, and the query retried

Fix:
DNS cache resolver no longer drops chunked TCP responses
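The failure mode above is worth seeing on the wire. DNS over TCP prefixes every message with a two-byte length, and a nameserver is free to deliver that message across several TCP segments. The following added example (not part of the original release note and not F5's code) contrasts a resolver that assumes the whole reply is in the first segment with one that buffers until the length prefix is satisfied. The sample response for example.com, its split point, and the 192.0.2.1 address are constructed for illustration, not captured traffic.

```python
import struct

# Constructed sample data (not captured traffic): a DNS response carrying
# "example.com. 300 IN A 192.0.2.1", built from RFC 1035 wire-format fields.
def build_sample_response(txid=0x1234):
    # QR=1, RD=1, RA=1; 1 question, 1 answer, 0 authority, 0 additional
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    qname = b"\x07example\x03com\x00"
    question = qname + struct.pack("!HH", 1, 1)        # QTYPE=A, QCLASS=IN
    # Answer name is a compression pointer (0xC00C) back to the question name.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer

def frame_tcp(msg):
    """DNS over TCP (RFC 1035 section 4.2.2): a 2-byte big-endian length precedes each message."""
    return struct.pack("!H", len(msg)) + msg

def first_segment_only(segments):
    """Reproduces the pre-fix behaviour: the reply must fit in the first TCP
    segment; otherwise it is discarded (connection dropped, query retried)."""
    first = segments[0]
    if len(first) < 2:
        return None
    (length,) = struct.unpack("!H", first[:2])
    if len(first) < 2 + length:
        return None
    return first[2:2 + length]

def reassemble_tcp_dns(segments):
    """Fixed behaviour: buffer across segment boundaries and emit a message only
    once its full length-prefixed payload has arrived. Returns the complete
    messages and any trailing partial data still waiting for more bytes."""
    buf = b""
    messages = []
    for seg in segments:
        buf += seg
        while len(buf) >= 2:
            (length,) = struct.unpack("!H", buf[:2])
            if len(buf) < 2 + length:
                break                      # incomplete: keep waiting, do not discard
            messages.append(buf[2:2 + length])
            buf = buf[2 + length:]
    return messages, buf

def _skip_name(msg, off):
    # Advance past a (possibly compressed) domain name in wire format.
    while True:
        label_len = msg[off]
        if label_len & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        if label_len == 0:                 # root label ends the name
            return off + 1
        off += 1 + label_len

def answer_addresses(msg):
    """Extract IPv4 addresses from the A records in a response's answer section."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4     # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs

if __name__ == "__main__":
    framed = frame_tcp(build_sample_response())
    segments = [framed[:20], framed[20:]]  # reply split across two TCP segments
    print("first-segment-only:", first_segment_only(segments))
    msgs, _ = reassemble_tcp_dns(segments)
    print("reassembled:", [answer_addresses(m) for m in msgs])
```

The pre-fix logic returns nothing for the split reply, which is exactly the discard-and-retry loop the note describes; the reassembling version also copes with a length prefix that itself straddles a segment boundary and with several replies arriving back to back on one connection.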


508630-3 : The APM client does not clean up DNS search suffixes correctly in some cases

Component: Access Policy Manager

Symptoms:
The APM client does not clean up DNS search suffixes correctly when the DNS suffixes configured on a client contain names configured in an APM Network Access resource.

Conditions:
The problem occurs when a suffix name that is configured in a Network Access resource matches the suffix configured locally on the user's machine.

Impact:
As a result, DNS suffixes are not restored correctly.

Fix:
An additional fix was made to restore DNS suffixes correctly.


508519-1 : Performance of Policy List screen

Component: Application Security Manager

Symptoms:
There is a performance issue with the Policy List/Import Policy/PCI report configuration utility screens.

Conditions:
20+ active security policies in the system

Impact:
With 160 active security policies, it took about 10 seconds to load the Policy List/Import Policy/PCI report configuration utility screens.

Workaround:
There is no workaround at this time.

Fix:
We fixed a performance issue with the Policy List/Import Policy/PCI report configuration utility screen.


508486-1 : TCP connections might stall if initialization fails

Component: Local Traffic Manager

Symptoms:
TCP connections might stall if initialization fails

Conditions:
TCP connections fail to initialize if the tmm hud message queue is full. If these connections are flagged to not expire, they linger forever.

Impact:
TCP connections that never expire; increased memory usage; tmm logs containing 'hud queue full' errors.

Fix:
The status of queued TCP initialization messages is now returned, allowing cleanup when initialization fails.


508338-2 : Under rare conditions cookies are enforced as base64 instead of clear text

Component: Application Security Manager

Symptoms:
False positive "modified domain cookie" violation or false positive "illegal base64 value" violation created.

Conditions:
No specific condition, rare.

Impact:
The violation "illegal base64 value" on a cookie appears on transactions, even for cookies that are not marked as base64 value cookies.

Workaround:
No workaround

Fix:
We fixed an issue that rarely caused a false positive illegal base64 value, or false positive modified domain cookie violation.


508337-5 : In Chrome, parent.document.write() from frame may cause errors on pages accessed through Portal Access

Component: Access Policy Manager

Symptoms:
document.write() operation on parent window called from script in frame may cause errors on pages accessed through Portal Access. This issue is specific to Google Chrome browser and derivatives.

Impact:
Web application does not work through Portal Access with Google Chrome browser.

Fix:
Fixed a JavaScript error occurring on call of document.write() on opened document. The issue was happening when accessing pages through Portal Access with Google Chrome browser.


508076-1 : Cannot successfully create a key/cert via tmsh or the GUI of the form name.key1, where extension is in the name.

Component: TMOS

Symptoms:
Unable to create an SSL certificate or key if the name's extension starts with one of the reserved certificate/key extensions.

Conditions:
When creating a certificate or key, if the certificate/key name has an extension that starts with one of (".key", ".crt", ".csr", ".crl", ".der", ".exp", ".pem"), the creation fails.

For example, it is an error to create a key named "test.key1". In this case, the key extension ".key1" starts with ".key".

Impact:
Key creation or Certificate creation will fail.
The following example command will fail with error.
tmsh create sys crypto key test.key1
tmsh create sys crypto cert test.key1 key test.key1.key common-name test
Error: Key management library returned bad status: 02, Not Found

Workaround:
Do not create a key or certificate whose name extension starts with one of .key, .crt, .csr, .crl, .der, .exp or .pem.

Fix:
With this fix, certificate and key names whose extension starts with one of these reserved extensions can be created.


508057-2 : MySQL Vulnerability CVE-2015-0411

Vulnerability Solution Article: K44611310


507919-2 : Updating ASM through iControl REST does not affect CMI sync state

Component: Application Security Manager

Symptoms:
Updates through REST in a manual sync CMI device group do not change the sync status to PENDING.

Conditions:
ASM is configured in a manual sync group and REST API is utilized.

Impact:
Updates made through REST do not mark the device group as PENDING, so the administrator is not prompted to sync the change to the other devices in the group.

Workaround:
There is no workaround at this time.

Fix:
Sync status is now changed after updates through REST in a manual sync CMI device group.


507905-1 : Saving Policy History during UCS load causes DB deadlock/timeout

Component: Application Security Manager

Symptoms:
Loading a UCS from an older version for upgrade can cause DB timeouts. /var/log/ltm has this error signature: DBD::mysql::db do failed: Lock wait timeout exceeded; try restarting transaction at /usr/lib/perl5/site_perl/F5/DbUtils.pm

Conditions:
This is a rare issue that occurs when two devices running different versions are in the same CMI device group; it appears to be triggered when a sync is initiated from the device running the older version. It occurs while a device group is in the middle of an upgrade, where the newer version is earlier than 11.6.0 HF5 or 11.5.2 HF1.

Impact:
UCS load fails and multiple error messages are logged.

Workaround:
Do not have BIG-IP devices with different versions in the same DSC device group

Fix:
We corrected an intermittent issue where an error state was received during the upgrade of a DSC device group.


507853-10 : MCP may crash while performing a very large chunked query and CPU is highly loaded

Component: TMOS

Symptoms:
MCP crashes while performing a chunked query that returns a large result (such as 'tmsh show sys connection') if the connection to a TMM is severed (due to a zero-window timeout).

Conditions:
CPU is highly loaded.

Impact:
Failover (in a device cluster) or temporary outage (in a standalone system). A core file is generated that has a stack trace that includes a message similar to the following: error reading variable: Cannot access memory at address 0x1.

Workaround:
None.

Fix:
Ensured that MCP no longer crashes when performing a large chunked query and a connection to a TMM is severed.


507842-4 : Patch for BIND Vulnerability CVE-2015-1349

Vulnerability Solution Article: K16356


507782-6 : TMM crashes for Citrix connection when Address field in the ICA file has non-patched/invalid data

Component: Access Policy Manager

Symptoms:
TMM crashes on an attempt to open Citrix connection

Conditions:
Unpatched/malformed ICA file received by the client

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed validation for the input data sent in the ICA connection so that for the invalid/non-patched Address it will reject the connection instead of crashing.


507681-9 : Window.postMessage() does not send objects in IE11

Component: Access Policy Manager

Symptoms:
Websites that use postMessage to send objects are broken in Internet Explorer 11. Depending on the web application, there might or might not be an error in the JavaScript console.

Conditions:
Web-Application that uses Window.postMessage() with Portal Access working in Internet Explorer 11.

Impact:
Web applications cannot use Window.postMessage() to send non-string data through Portal Access in Internet Explorer 11.

Workaround:
None.

Fix:
Window.postMessage() now works in Internet Explorer 11.


507611-1 : On BIG-IP 2000- and 4000-series platforms BGP sessions with TCP MD5 enabled might fail to establish connection to neighbors.

Component: Local Traffic Manager

Symptoms:
BGP sessions with TCP MD5 enabled might fail to establish connection to neighbors.

Conditions:
BGP, TCP-MD5 on BIG-IP 2000- and 4000-series platforms.

Impact:
BGP session is not established.

Workaround:
Disable TCP-MD5 for neighbor.

Fix:
BGP sessions with TCP MD5 enabled now establish connection to neighbors as expected on BIG-IP 2000- and 4000-series platforms.


507602-4 : Data packet over IPsec tunnel might be looping between cores after rekey if IPsec lifebyte is enabled

Component: TMOS

Symptoms:
IPsec lifebyte might cause inconsistent Security Association state among different cores. This might cause a memory leak and in some case data packets going through the IPsec tunnel can be looping between cores.

Conditions:
IPsec lifebyte is enabled in IPsec Policy configuration object on BIG-IP system or 3rd party IPsec device.

Impact:
Possible data packets looping and memory leak.

Workaround:
Disable lifebyte on the IPsec devices at both ends of the IPsec tunnel.

Fix:
IPsec lifebyte functions properly and leaves no inconsistent state on the BIG-IP device after rekey.


507575-3 : An incorrectly formatted NAPTR creation via iControl can cause an error.

Component: TMOS

Symptoms:
NAPTR records are somewhat complicated, and if an incorrect set of string arguments is passed to iControl, the string parsing can fail and generate unhelpful error messages.

Conditions:
It is valid for some of the fields of a NAPTR record to be empty strings; however, these empty strings must be quoted as empty strings.

An example of a valid empty string parameter:
foo.example.com. 19799 IN NAPTR 100 7 "u" "good" "" bar.example.com.

Not quoting the empty parameter (after "good") confuses the parser into thinking that not enough parameters were passed. This causes a segfault and the unhelpful error.

Impact:
Potential failure of iControl parsing.

Workaround:
Use quotes around empty strings such as:
foo.example.com. 19799 IN NAPTR 100 7 "u" "good" "" bar.example.com.

Fix:
The string parser is now tolerant of missing parameters for these records and reports an error instead of crashing.
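As an added example of the parsing this fix describes (not iControl's own code, and not part of the original release note), the following parser tokenizes NAPTR presentation-format RDATA so that a quoted empty string "" is a field of its own, and reports a clear error when the field count is wrong instead of faulting on the shifted arguments. The record line is the one from the note; the SIP example, the class name and the error messages are assumptions for illustration.

```python
from dataclasses import dataclass

class NaptrParseError(ValueError):
    """Raised for malformed NAPTR presentation data instead of letting the parser fault."""

@dataclass
class NaptrRdata:
    order: int
    preference: int
    flags: str
    service: str
    regexp: str
    replacement: str

@dataclass
class NaptrRecord:
    owner: str
    ttl: int
    rclass: str
    rdata: NaptrRdata

def tokenize_rdata(text):
    """Split presentation-format RDATA into fields. A double-quoted string is one
    field, so "" yields an empty field, and a backslash-escaped quote inside the
    quotes is a literal quote character."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c == '"':
            i += 1
            buf = []
            while True:
                if i >= n:
                    raise NaptrParseError("unterminated quoted string")
                c = text[i]
                if c == "\\" and i + 1 < n:      # backslash escape inside quotes
                    buf.append(text[i + 1])
                    i += 2
                elif c == '"':
                    i += 1
                    break
                else:
                    buf.append(c)
                    i += 1
            tokens.append("".join(buf))
        else:
            j = i
            while j < n and not text[j].isspace():
                j += 1
            tokens.append(text[i:j])
            i = j
    return tokens

# RFC 3403 field order: order preference flags service regexp replacement
NAPTR_FIELDS = ("order", "preference", "flags", "service", "regexp", "replacement")

def parse_naptr_rdata(text):
    fields = tokenize_rdata(text)
    if len(fields) != len(NAPTR_FIELDS):
        # This is the case the note describes: an unquoted empty field shifts
        # everything left and the count comes up short. Report it, don't fault.
        raise NaptrParseError(
            f"NAPTR RDATA needs {len(NAPTR_FIELDS)} fields {NAPTR_FIELDS}, "
            f"got {len(fields)}: {fields!r}; empty flags/service/regexp must be written as \"\"")
    try:
        order, preference = int(fields[0]), int(fields[1])
    except ValueError:
        raise NaptrParseError("order and preference must be integers") from None
    if not (0 <= order <= 0xFFFF and 0 <= preference <= 0xFFFF):
        raise NaptrParseError("order and preference must fit in 16 bits")
    return NaptrRdata(order, preference, fields[2], fields[3], fields[4], fields[5])

def parse_naptr_record(line):
    """Parse a full zone-file style line: <owner> <ttl> <class> NAPTR <rdata>."""
    parts = line.split(None, 4)
    if len(parts) != 5 or parts[3].upper() != "NAPTR":
        raise NaptrParseError("expected: <owner> <ttl> <class> NAPTR <rdata>")
    try:
        ttl = int(parts[1])
    except ValueError:
        raise NaptrParseError("TTL must be an integer") from None
    return NaptrRecord(parts[0], ttl, parts[2].upper(), parse_naptr_rdata(parts[4]))

if __name__ == "__main__":
    print(parse_naptr_record('foo.example.com. 19799 IN NAPTR 100 7 "u" "good" "" bar.example.com.'))
    try:
        parse_naptr_rdata('100 7 "u" "good" bar.example.com.')   # empty regexp left unquoted
    except NaptrParseError as err:
        print("rejected:", err)
```

The tokenizer never indexes a field that might not exist; the field-count check runs before any positional access, which is the difference between a useful error and the segfault the note describes.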


507529 : Active crash with assert: tmm failed assertion, non-zero ha_unit required for mirrored flow

Component: Local Traffic Manager

Symptoms:
A blade on the active system crashes in a configuration containing a performance layer 4 virtual server with connection mirroring enabled.

Conditions:
The chassis is configured for network mirroring within cluster.

There is more than one blade installed in the system or vcmp guest.

A virtual server has connection mirroring enabled and is associated with a virtual address that is not assigned a traffic-group (traffic-group is none).

Impact:
When the crash occurs, the blade posts the following assert: 'tmm failed assertion, non-zero ha_unit required for mirrored flow' and crashes.

Workaround:
Ensure that mirrored virtual servers are utilizing virtual addresses that are associated with a traffic group.


507499-2 : TMM can watchdog under extreme memory pressure.

Component: TMOS

Symptoms:
The TMM can become unresponsive and then be killed by SOD under extreme memory pressure.

Conditions:
Under extremely high memory pressure, Linux pages out any memory that is not locked, including the shared memory that holds the system-wide logging configuration. When that page has been swapped out and something in the TMM attempts to log, the TMM is de-scheduled while the Linux kernel swaps something else out and swaps the configuration page back in. Under such conditions, several seconds can pass before the page is back in memory. SOD detects that the TMM is unresponsive and restarts it.

Impact:
The TMM is restarted; flows that cannot fail over to a backup node are disrupted. If the killed TMM was not the source of the memory pressure, there might not be enough memory for a new TMM instance to come up.

Workaround:
None; the fix requires a release that locks the logging configuration into RAM to correct the poor response to being out of memory.

Note: this change improves system handling in out-of-memory conditions -- it does NOT address any of the potential sources of the out-of-memory condition.

Fix:
The logging configuration is now locked into RAM.


507487-3 : ZebOS Route not withdrawn when VAddr/VIP down and no default pool

Component: TMOS

Symptoms:
The BIG-IP system continues announcing RHI routes when Virtual Servers and Virtual Addresses are down.

Conditions:
The issue occurs in the following case:
-- Have a VIP with pool selection via iRule.
-- Configure RHI on the VAddr corresponding to the VIP.
-- Down the pools (for example, by toggling between an HTTP monitor (up) and a UDP monitor (down)).
-- VIP, VAddr, and pools are red.
-- Run the imish command.

Impact:
The kernel route is still announced, which might confuse other network devices about the network status, so the impact varies.

Workaround:
Configure the virtual server with a default pool instead of an iRule.

Fix:
Added validation for virtual server iRule pools.


507461-2 : Net cos config may not persist on HA unit following staggered restart of both units of an HA pair.

Component: TMOS

Symptoms:
The net cos global-settings may be cleared on an HA unit as a result of an HA pair configuration sync.

Conditions:
With a fully synced pair of HA chassis, restart the active chassis blade and then restart the standby chassis blade.

Impact:
A portion of the net cos configuration on the active chassis blade is missing, resulting in inconsistent cos behavior between active and standby.

Workaround:
None.

Fix:
The system no longer resets active net cos settings during device/group HA configuration sync operations.


507331-6 : Using saved configuration with 11.5.2 on AWS may cause SSLv3 to be enabled.

Component: TMOS

Symptoms:
If a saved configuration from an earlier version is used when launching an instance of BIG-IP v11.5.2 on AWS, then SSLv3 may be enabled on the management interface.

Conditions:
Using a configuration saved with version 11.5.2 (or earlier) on AWS.

Impact:
There are known security issues with SSLv3, and BIG-IP v11.5.2 on AWS disables it by default. SSLv3 enabled on the management interface might expose the instance to attack, so after upgrading, verify that SSLv3 is disabled before deploying any configuration in which it was enabled.

Workaround:
Disable SSLv3 as documented at https://devcentral.f5.com/articles/cve-2014-3566-removing-sslv3-from-big-ip and in SOL15702: https://support.f5.com/kb/en-us/solutions/public/15000/700/sol15702.html.

Fix:
SSLv3 is no longer enabled after loading a configuration saved with BIG-IP v11.5.2 or earlier, even if SSLv3 was enabled in the original configuration.
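To verify the management interface after loading an old configuration, an added example follows; it is not F5 code. It sends a bare SSLv3 ClientHello (RFC 6101 record and handshake framing, with an assumed set of SSLv3-era cipher suites) and classifies the first record the server returns: a ServerHello with version 3.0 means SSLv3 is still enabled, an alert or a closed connection means it is refused. The probe function opens a TCP connection; the classifier works on bytes alone, and the placeholder address 192.0.2.10 is an assumption, not a device named on this page.

```python
import os
import socket
import struct
import sys

SSL3_VERSION = b"\x03\x00"
# Cipher suites an SSLv3-capable server would recognize (RFC 6101 values):
# RSA_RC4_128_MD5, RSA_RC4_128_SHA, RSA_3DES_EDE_CBC_SHA, RSA_AES_128_CBC_SHA,
# RSA_AES_256_CBC_SHA. The selection is an assumption for this probe.
SSL3_SUITES = (0x0004, 0x0005, 0x000A, 0x002F, 0x0035)

CONTENT_ALERT = 0x15
CONTENT_HANDSHAKE = 0x16
HS_SERVER_HELLO = 0x02


def build_sslv3_client_hello() -> bytes:
    """Build a minimal SSLv3 ClientHello record (no extensions, no session)."""
    suites = b"".join(struct.pack("!H", s) for s in SSL3_SUITES)
    body = (
        SSL3_VERSION                                   # client_version = 3.0
        + os.urandom(32)                               # random
        + b"\x00"                                      # session_id length 0
        + struct.pack("!H", len(suites)) + suites      # cipher_suites
        + b"\x01\x00"                                  # one compression method: null
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type + 24-bit length
    return (bytes([CONTENT_HANDSHAKE]) + SSL3_VERSION
            + struct.pack("!H", len(handshake)) + handshake)


def classify_server_response(data: bytes) -> str:
    """Classify the first record a server returns for an SSLv3 ClientHello.

    'sslv3-accepted'    ServerHello with server_version 3.0: SSLv3 is enabled.
    'server-hello:X.Y'  ServerHello carrying another version (unexpected for a 3.0 hello).
    'alert:N'           Alert with description N (70 = protocol_version,
                        40 = handshake_failure): SSLv3 is refused.
    'no-tls-response'   Connection closed or too little data to be a TLS record.
    'unrecognized'      Something else (for example an HTTP error on a plaintext port).
    """
    if len(data) < 5:
        return "no-tls-response"
    content_type = data[0]
    if content_type == CONTENT_ALERT:
        if len(data) < 7:
            return "alert:truncated"
        return "alert:%d" % data[6]
    if content_type == CONTENT_HANDSHAKE and len(data) >= 11 and data[5] == HS_SERVER_HELLO:
        version = data[9:11]
        if version == SSL3_VERSION:
            return "sslv3-accepted"
        return "server-hello:%d.%d" % (version[0], version[1])
    return "unrecognized"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the SSLv3 ClientHello to host:port and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_server_response(data)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder, assumed
    print(target, probe(target))
```

Run it as python3 sslv3_probe.py <management-address>; only "sslv3-accepted" indicates a problem. A server that refuses the hello may answer with alert 70 or 40, or simply close the connection, so "no-tls-response" is also a pass for this check.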


507327-2 : Programs that read stats can leak memory on errors reading files

Component: TMOS

Symptoms:
Daemons that read statistics might leak memory over time so the amount of memory they use continues to grow.

Conditions:
There is an error reading a statistics file. For example, permissions on the file or directory prohibit access.

Impact:
Eventually the daemon or system might run out of memory.

Workaround:
Remove whatever is causing the error reading the stats file, for example by deleting unneeded files or fixing permissions.

Fix:
A memory leak reading stats has been fixed.


507321-2 : JavaScript error if user-defined object contains NULL values in 'origin' and/or 'data' fields

Component: Access Policy Manager

Symptoms:
If a JavaScript application uses a user-defined object that contains 'origin', 'source', and 'data' fields with NULL values, any attempt to get these values fires an error.

Conditions:
A user-defined JavaScript object with 'origin', 'source', and 'data' fields, with a NULL value in any of these fields, for example:

var a = { origin: null , data:null , source:null };

Any attempt to read these values leads to JavaScript error in Portal Access scripts.

Impact:
Web application does not work correctly.

Fix:
User-defined JavaScript objects with 'origin', 'source', and 'data' fields may now contain any values in these fields.


507318-2 : JS error when sending message from DWA new message form using Chrome

Component: Access Policy Manager

Symptoms:
When using Chrome to send a new message on DWA, a JavaScript 'toString' error occurs.

Conditions:
If the user clicks the Send button on the new message form, JavaScript errors appear:
-- cache-fm.js:5 Uncaught TypeError: Cannot read property 'toString' of undefined
-- OpenDocument&Form=l_ScriptFrame&l=en&CR&MX&TS=20140915T180028,72Z&charset=UTF-8&charset=UTF-8&KIC&…:37 Uncaught TypeError: Cannot read property 'EgI' of undefined

Impact:
The message is sent, but the tab is not closed.

Workaround:
None.

Fix:
The JavaScript error no longer occurs when sending a new message on DWA using Chrome, and the tab closes after the message is sent.


507289-1 : User interface performance of Web Application Security Editor users

Component: Application Security Manager

Symptoms:
Slow GUI performance for Web Application Security Editor users

Conditions:
At least 100 active security policies in the system

Impact:
Most ASM pages take more than 5 seconds to load for Web Application Security Editor users.

Workaround:
There is no workaround at this time.

Fix:
ASM Configuration utility pages load faster than they did previously for Web Application Security Editor users.


507143-2 : Diameter filter may process HUDCTL_ABORT message before processing previously queued events leading to tmm assertion

Component: Service Provider

Symptoms:
tmm cores due to a 'valid pcb' assertion.

Conditions:
This can happen when the Diameter filter:
 - Receives and queues HUDCTL_SHUTDOWN event.
 - Receives a HUDCTL_ABORT event before HUDCTL_SHUTDOWN has been unqueued.

Impact:
tmm abort and restart.

Fix:
Diameter filter will now queue HUDCTL_ABORT events to prevent leapfrogging previously queued events.


507127-1 : DNS cache resolver is inserted to a wrong list on creation.

Component: Local Traffic Manager

Symptoms:
When a DNS cache resolver is created, it should be added to the cache resolver linked list. Instead, it is added to an incorrect list.

Conditions:
When creating a new DNS cache resolver.

Impact:
The DNS cache resolver cannot be found when searching the resolver linked list.

Workaround:
None.

Fix:
The DNS cache resolver is added to the correct linked list on creation and removed from the correct linked list on deletion.


507116-3 : Web-application issues and/or unexpected exceptions.

Component: Access Policy Manager

Symptoms:
Web-application issues and/or unexpected exceptions.

Conditions:
Undisclosed conditions related to web-applications.

Impact:
Unexpected web-application functionality.

Workaround:
None.

Fix:
Web-application issues have been fixed.


507109-6 : inherit-certkeychain attribute of child Client SSL profile can unexpectedly change during upgrade

Component: Local Traffic Manager

Symptoms:
The inherit-certkeychain attribute of a child Client SSL profile can unexpectedly change after upgrade.

Conditions:
This issue occurs when all of the following conditions are met:

-- You create a Client SSL profile that does not inherit the certificate, key, and chain certificate settings from the parent profile.
-- You upgrade to BIG-IP 11.5.1 (HF6 or later), 11.5.2, 11.5.3, or 11.6.0.

Impact:
An incorrect cert key chain is used in the profile.

Workaround:
Manually edit bigip.conf to contain the correct value. To do so, add the following line into child client ssl profile:
inherit-certkeychain false
 
Run the command:
tmsh load sys config

Fix:
The certificate, key, and chain certificate settings in a Client SSL profile no longer change after an upgrade.


506702-2 : TSO can cause rare TMM crash.

Component: Local Traffic Manager

Symptoms:
TSO can cause rare TMM crash.

Conditions:
When TSO is used.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TSO no longer causes rare TMM crash.


506557-5 : IBR tags might occasionally be all zeroes.

Component: WebAccelerator

Symptoms:
IBR tags might occasionally be all zeroes.

Conditions:
This might occur when a request to the OWS to update cached, expired content receives updated content that has no Content-Length header and is uncacheable (that is, served with X-WA-Info code S10206).

Impact:
The content hash for that URL can be incorrectly set to all zeroes, causing an incorrect IBR for that item until it is recached.

Workaround:
Avoid the specific preconditions, or disable IBR-TO for the specific content meeting the preconditions.

Fix:
Uncacheable updates from OWS will no longer set IBR tags to zero.


506470 : Reduce pccd OOM probability with port expansion change

Component: Advanced Firewall Manager

Symptoms:
The PCCD blob size grows when large rule sets are applied.

Conditions:
The rule sets contain the same IP address but different ports.

Impact:
AFM PCCD memory usage grows, increasing the probability of an out-of-memory (OOM) condition.

Workaround:
None.

Fix:
PCCD rule sets now use port ranges, which reduces the blob size.


506452-1 : Issues with firewall rules configured with a source or destination IPv6 address whose most significant bit is 1

Component: Advanced Firewall Manager

Symptoms:
Sometimes the firewall rule matching result is wrong if there are firewall rules configured with a source or destination IPv6 address whose most significant bit is 1. Examples of such IPv6 addresses: dfdf::/128, bbbb::/64.

Conditions:
Firewall rules are configured with a source or destination IPv6 address whose most significant bit is 1.

Impact:
The firewall rule with those IPv6 addresses may accept or deny packets that do not match the rule.

Fix:
Fixed the firewall rule compilation module to properly handle the processing of those IPv6 addresses whose most significant bit is 1.
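The entry does not say what the compilation module got wrong. The added example below is not F5 code: it compiles prefix rules into inclusive unsigned 128-bit ranges and looks addresses up, and regression_check() exercises every rule's own network address, which is the check to run after an upgrade on any rule set with MSB=1 prefixes. The signed_endpoints switch reproduces one common way such a defect arises (an assumption for illustration, not the cause stated on this page): range endpoints stored as two's-complement signed integers while lookups compare unsigned addresses. RULES is a constructed rule set built from the two prefixes above plus a documentation prefix whose top bit is 0.

```python
import ipaddress
from typing import List, Tuple

# Constructed rule set for this example: the two prefixes from the entry above
# (most significant bit set) plus a documentation prefix whose MSB is 0.
RULES: List[Tuple[str, str]] = [
    ("deny", "dfdf::/128"),
    ("deny", "bbbb::/64"),
    ("allow", "2001:db8::/32"),
]

Compiled = List[Tuple[int, int, str]]  # (low, high, action)


def prefix_range(prefix: str) -> Tuple[int, int]:
    """Compile a prefix into an inclusive [low, high] range of unsigned 128-bit ints."""
    net = ipaddress.IPv6Network(prefix)
    return int(net.network_address), int(net.broadcast_address)


def to_signed128(u: int) -> int:
    """Reinterpret an unsigned 128-bit value as two's-complement signed."""
    return u - (1 << 128) if u >> 127 else u


def compile_rules(rules, signed_endpoints: bool = False) -> Compiled:
    """Turn prefix rules into ranges. signed_endpoints=True reproduces the
    hypothetical pitfall: endpoints stored signed while lookups stay unsigned."""
    compiled = []
    for action, prefix in rules:
        low, high = prefix_range(prefix)
        if signed_endpoints:
            low, high = to_signed128(low), to_signed128(high)
        compiled.append((low, high, action))
    return compiled


def lookup(compiled: Compiled, addr: str, default: str = "allow") -> str:
    """First-match lookup of an address against compiled ranges."""
    a = int(ipaddress.IPv6Address(addr))  # unsigned, 0 .. 2**128-1
    for low, high, action in compiled:
        if low <= a <= high:
            return action
    return default


def msb_set(addr: str) -> bool:
    """True when the address's most significant bit is 1 (the class the fix targets)."""
    return int(ipaddress.IPv6Address(addr)) >> 127 == 1


def regression_check(rules) -> List[str]:
    """Evaluate each rule's own network address with correct and with
    signed-endpoint compilation; return the prefixes whose verdicts differ."""
    good = compile_rules(rules)
    bad = compile_rules(rules, signed_endpoints=True)
    mismatches = []
    for _, prefix in rules:
        addr = str(ipaddress.IPv6Network(prefix).network_address)
        if lookup(good, addr) != lookup(bad, addr):
            mismatches.append(prefix)
    return mismatches


if __name__ == "__main__":
    compiled = compile_rules(RULES)
    for addr in ("dfdf::", "dfdf::1", "bbbb::1234", "2001:db8::1", "::1"):
        print(f"{addr:14} msb={int(msb_set(addr))} -> {lookup(compiled, addr)}")
    print("prefixes mis-evaluated with signed endpoints:", regression_check(RULES))
```

With signed endpoints, every MSB=1 range turns negative, an unsigned address can never fall inside it, and both deny rules silently stop matching while the 2001:db8::/32 rule is unaffected, which is exactly the "only addresses with the top bit set" symptom described above.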


506407-1 : Certain upgrade paths to 11.6.x lose the redirect URL configuration for Alternate Response Pages

Component: Application Security Manager

Symptoms:
Redirect Response pages become 'invalid' and lose their redirect URL configuration after upgrade.

Conditions:
1) In 11.2.x, a policy existed with a redirect response page whose Response Header contained a 'Location' directive.

2) The policy or device is upgraded to 11.4.x or 11.5.x (before 11.5.3 HF2).

3) The policy or device is upgraded to 11.6.0 (before 11.6.0 HF5).

Impact:
The Alternate Response Page is no longer valid and no longer redirects users to the desired URL.

Workaround:
Before upgrade, ensure the redirect URL is correctly configured.

Fix:
Upgrade to 11.6.x now correctly retains redirect URLs for Alternate Response Pages.


506386-1 : Automatic ASM sync group remains stuck in init state when configured from tmsh

Component: Application Security Manager

Symptoms:
When a failover device group (without ASM enabled) is in a fully synchronized state, and then ASM and auto-sync are enabled on the device group through tmsh, the units sit waiting for an "initial sync" event which never comes. All subsequent sync events are Incremental and never Full.

Conditions:
A failover device group (without ASM enabled) is in a fully synchronized state, and then ASM and auto-sync are enabled on the device group through tmsh.

Impact:
Infrequently an initial sync event fails after ASM and auto-sync are enabled on a failover device group that did not have ASM enabled.

Workaround:
Configure the ASM device sync flag before the initial sync, or configure it from the GUI.

Fix:
We fixed an issue that occurred rarely when an initial sync event did not occur after ASM and auto-sync were enabled on a failover device group that did not have ASM enabled.


506355-2 : Importing an XML file without defined entity sections

Component: Application Security Manager

Symptoms:
Importing an XML file without entity sections defined does not create default wildcard entities in the security policy.

Conditions:
Importing a partially defined XML security policy file.

Impact:
Policy was not created with default entities as expected.

Workaround:
Add the missing entities after importing the incomplete XML file.

Fix:
Previously, importing an XML file without defining the entity sections resulted in an empty URL wildcard list. Now, this process creates default wildcard entities in the security policy, as expected.


506349-5 : BIG-IP Edge Client for Mac identified as browser by APM in some cases

Component: Access Policy Manager

Symptoms:
APM sometimes determines that BIG-IP Edge Client for Mac is a browser. This can happen if the user connects again using the link on the logout page that says "Click here to open new session".

Conditions:
APM with BIG-IP Edge Client for Mac.

Impact:
Impact depends upon access policy but user might not be able to connect.

Workaround:
Click the Disconnect/Connect buttons on BIG-IP Edge Client instead of clicking the links on the logout page.

Fix:
APM now correctly identifies BIG-IP Edge Client for Mac as an Edge Client even if the user opens a new session by clicking the link on the logout page that says "Click here to open new session".


506315-10 : WAM/AAM is honoring OWS age header when not honoring OWS maxage.

Component: WebAccelerator

Symptoms:
WAM/AAM policy is configured to ignore OWS maxage header values, but the policy does not ignore the OWS Age header.

Conditions:
BIG-IP system with AAM provisioned, content matching a policy node that does not honor the OWS max-age and/or s-maxage headers, and a large 'Age' value.

Impact:
This results in WAM/AAM improperly reducing the lifetime of OWS responses by the amount of the Age header, and more frequent WAM/AAM revalidation of the affected content (possibly on every request if the Age header is larger than the policy-specified cache lifetime).

Workaround:
You can use any one of the following as a workaround:
-- Honor OWS lifetime headers (s-maxage and max-age).
-- Use an iRule to delete OWS Age header.
-- Increase the AAM/WAM cache lifetime for that content to compensate.

Fix:
When WAM/AAM policy is configured not to honor OWS maxage, it also does not honor OWS Age headers, which is correct behavior.


506304-3 : UDP connections may stall if initialization fails

Component: Local Traffic Manager

Symptoms:
UDP connections never expire. tmm logs contain 'hud queue full' errors.

Conditions:
UDP connections fail to initialize if the tmm's hud message queue is full. If these connections are flagged to not expire, they linger forever.

Impact:
Stalled connections. Increased memory usage.

Fix:
UDP connections no longer stall if initialization fails.


506290-3 : MPI redirected traffic should be sent to HSB ring1

Component: Local Traffic Manager

Symptoms:
The MPI redirected traffic is the traffic between two TMMs. It is currently sent to HSB ring0. HSB ring0 has small packet buffers and is used to handle the traffic of highest priority. Large amount of MPI redirect traffic can cause packet drops on HSB ring0.

Conditions:
Large amount of MPI redirect traffic.

Impact:
Potential packet drops on HSB ring0.

Workaround:
None.

Fix:
MPI redirected traffic is now sent to HSB ring1, which is correct behavior.


506282-5 : GTM DNSSEC key generation is not synchronized upon key creation

Component: Local Traffic Manager

Symptoms:
DNSSEC key generation is not synchronized upon key creation.

Conditions:
This occurs when creating LTM DNSSEC keys on one unit of a sync group.

Impact:
The keys are synced, but the key generation information is not.

Workaround:
Modify another parameter on the GTM system after DNSSEC key generation to trigger the sync operation.

Fix:
DNSSEC key generation is now synchronized upon key creation.


506235-4 : SIGSEGV caused by access_redirect_client_to_original_uri

Component: Access Policy Manager

Symptoms:
TMM might core, possibly more than once in quick succession (within a few minutes).

Conditions:
BIG-IP v11.5.1 HF6 or later with APM provisioned.

Impact:
TMM core:
-- Failover to standby (if applicable).
-- Possible additional TMM cores on Active and Standby units. If the BIG-IP system is configured in an HA pair, TMM might core on the Standby unit shortly after the Active unit. The TMM log entries reporting the TMM core might not include any stack trace details.

Fix:
This release fixes a TMM core that occurred with APM provisioned.


506223-1 : A URI in request to cab-archive in iNotes is rewritten incorrectly

Component: Access Policy Manager

Symptoms:
There are direct (not rewritten) requests in web application traffic (iNotes 8.5, 9).

Conditions:
Web application runs through Portal Access.

Impact:
Installation of iNotes plug-ins is impossible.
Some resources may be not loaded.

Fix:
Portal Access rewrites URIs correctly.


506199-8 : VCMP guests on VDAG platforms can experience excessive tmm redirects after multiple guest provisioning cycles

Component: TMOS

Symptoms:
When multiple vCMP guests are configured on a VDAG platform, it is possible, through cycles of provisioning and deprovisioning the guests, to cause the switch rules that play a role in disaggregation to be programmed in an order that sends packets to the wrong TMM in a guest, lowering dataplane performance.

Conditions:
On a configuration with at least two vCMP guests that share at least one blade on a VDAG-based platform, change the vCMP state to provisioned, then to configured, then to provisioned, and so on.

Impact:
The potential for decreased dataplane performance. In addition to potentially lower performance, the guest's tmm flow redirect statistics increment quickly in conjunction with traffic. To determine these stats, run a command similar to the following:

config # tmctl -d blade tmm/flow_redir_stats

This presents results similar to the following:

pg  pu  redirect_pg  redirect_pu  packets
--  --  -----------  -----------  -------
 0   0            0            1   636991

Also, VDAG statistics on the host might show an imbalance in destination port hits for those assigned to a single guest. To determine these stats, run a command similar to the following:

config # tmctl -d blade switch/vdag_dest_hits -w 200

This presents results similar to the following:

slot  dst_mod  dst_port  dst_trunk    hits  red_hits
----  -------  --------  ---------  ------  --------
   1        1         0          0       0         0
   1        7         0          0       0         0
   1       13         0          0       0         0
   1       19         0          0       0         0
   1        0         0          0       0         0
   1        1         5          0  509100         0
   1        1         6          0       0         0

Workaround:
During a window in which a brief traffic interruption is acceptable, restart bcm56xxd on each affected blade in the host. On the host, run a command similar to the following: clsh bigstart restart bcm56xxd

Fix:
The system now ensures that VDAG entries are ordered correctly, avoiding cases where vCMP guests on VDAG platforms might experience excessive TMM redirects after multiple guest provisioning cycles.


506041-5 : Folders belonging to a device group can show up on devices not in the group

Component: TMOS

Symptoms:
All folders and partitions always get synced, regardless of whether they are in the device group. If a user wants to use the same folder/partition scheme across multiple devices, this can lead to conflicts. In particular, it can clobber the default route domain on a partition or rewrite the device group of a folder.

Conditions:
This only occurs during a full sync.

This can occur if two different device groups use the same folder or partition names. For example, if there are two separate failover-sync groups in the same trust and they both sync a different set of objects in /MyHAFolder.

This can also occur if a device has a local folder or partition with the same name as one in a device group.

Impact:
If a conflicted partition uses different default route domains, they will be overridden and may result in a sync error.

Conflicted folders will inherit the configuration of the source of the config sync. This can override the device group, traffic group, and iApp reference of the folder.

Workaround:
Use unique partition and folder names across all devices in the trust group.

Fix:
Only folders and partitions in the device group will get synced. However, since multiple device groups can still share the same partition, there is still a chance that the route domain on the partition could get overridden if the two device groups use different route domains.


506034-5 : NTP vulnerabilities (CVE-2014-9297,CVE-2014-9298)

Vulnerability Solution Article: K16393


505964-3 : Invalid http cookie handling can lead to TMM core

Component: Local Traffic Manager

Symptoms:
If an HTTP cookie is invalid, subsequent modifications to HTTP cookie entries can result in a TMM core.

Conditions:
This issue can occur with an HTTP virtual server that performs cookie processing (either via an iRule, profile configuration, or as a result of persistence) and also performs header manipulation.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
A crash in the HTTP profile implementation of cookie handling has been fixed.


505755-4 : Some scripts on a dynamically loaded HTML page might not execute.

Component: Access Policy Manager

Symptoms:
Some scripts on dynamically loaded HTML page might not execute.

Conditions:
Dynamically loaded HTML page.

Impact:
Web application accessed via Portal Access does not work as expected.

Workaround:
None.

Fix:
Fixed an issue in Portal Access that could affect script execution in documents.


505705-6 : Expired mirrored persistence entries not always freed using intra-chassis mirroring

Component: Local Traffic Manager

Symptoms:
When using persistence mirroring, it is possible for the mirror owner of a persistence record to also be the proxying tmm for the connection. In this case, depending on timing of the connection and timeouts configured, it is possible for a persistence record to not be released when the connection is terminated and persistence timeout expires.

Conditions:
* VIPRION chassis with 2 or more blades installed.
* Mirroring is set to "intra-chassis".
* Mirroring is enabled on one or more persistence profiles.
* The records appear in tmsh show sys persistence persist-records all-properties, with an age always set to zero but no connection and no other persistence records for the same persistence key.

Impact:
Possible memory growth. This is not a leak: the memory can be recovered when subsequent requests reach different tmms that need the same persistence record.

Workaround:
None.

Fix:
Both the local and mirrored owner persistence record are properly removed.


505624-2 : Remote logger will continue to get DoS L7 messages after it was removed from the virtual server configuration

Component: Advanced Firewall Manager

Symptoms:
A remote logger will continue to get DoS layer 7 messages after it was removed from the virtual server configuration.

Conditions:
A remote logger was connected to a virtual server and the user removed it from the virtual server configuration.

Impact:
That remote logger will continue to get DoS layer 7 messages.

Workaround:
bigstart restart dosl7d

Fix:
An issue where the DoS profile continued to write to a removed logging profile was fixed.


505452-1 : New db variable to control packet priority for TMM generated packets

Component: Local Traffic Manager

Symptoms:
For TMM-generated packets (such as ICMP requests), TMM previously used a hard-coded value of 3 for the packet priority.

Conditions:
Packets are generated internally by TMM.

Impact:
There is no way to control the priority of those packets.

Fix:
A new db variable, tm.egress.pktpriority, sets the packet priority of TMM-generated egress packets. The default is 3; the range is 0-7.


505222-3 : DTLS drops egress packets when traffic is large

Component: Local Traffic Manager

Symptoms:
DTLS drops egress packets when traffic is large

Conditions:
The DTLS egress queue has a maximum of 127 elements (the default).
When traffic is large enough, the queue reaches this limit and some packets are dropped.

Impact:
DTLS drops egress packets.

Workaround:
Increase the maximum number of queue elements from 127 to a larger value by setting the corresponding DB variable.

Fix:
Previously, DTLS sent CN requests one at a time: it sent one request, waited for the response, and then sent the next.

DTLS now sends multiple requests to the CN concurrently.


505101-4 : tmm may panic due to accessing uninitialized memory

Component: Access Policy Manager

Symptoms:
tmm panics with the message 'memory owned by current process'.

Conditions:
The SAML plugin encounters an internal error and attempts to free an uninitialized memory region.

Impact:
tmm restarts.

Workaround:
None.

Fix:
The SAML memory region is now initialized, which prevents the tmm panic.


505089-3 : Spurious ACKs result in SYN cookie rejected stat increment.

Component: Local Traffic Manager

Symptoms:
Sending an unsolicited ACK to a virtual server increments the 'Total Software Rejected' counter shown by tmsh show ltm virtual 'name_of_virtual_server', even when SYN cookie protection is not active.

Conditions:
This has been observed under the following conditions:
1. The client sends a SYN, the LTM sends a SYN/ACK, and then the client sends a bad ACK.
2. A client sends an ACK for a connection that does not exist in the connection table (either it never existed or it has been closed).

Impact:
Potentially inaccurate statistics in tmsh show ltm virtual.

Workaround:
None.

Fix:
In this release, the system increments the SYN cookie reject stat only if a bad ACK could correspond to a SYN cookie the system issued.


505071-2 : Delete and create of the same object can cause secondary blades' mcpd processes to restart.

Component: TMOS

Symptoms:
A single transaction containing both a delete and a create of the same object can, for certain types of objects, cause the secondary blades' mcpd processes to restart because of validation failure. The validation error appears similar to the following: 01020036:3: The requested object type (object name) was not found.

Conditions:
This has been seen to occur when an APM policy agent logon page is modified, and the error reports that its customization group cannot be found.

In BIG-IP v11.6.0 HF6 and BIG-IP v11.5.4 and BIG-IP v11.5.4 HF1, this can also occur when an iApp creates a virtual server.

Impact:
mcpd restarts on every secondary blade, causing most other system services to restart as well. This might result in a temporary loss of traffic on all secondary blades. After mcpd restarts, the new configuration is accepted and the system returns to normal operation.

Workaround:
None.

Fix:
For certain types of objects, an incorrect message was sent to the secondary blades' mcpd processes if an object of that type was deleted and then recreated within a single transaction. This caused mcpd to restart on every secondary blade. The correct message is now sent, even for this type of object.


505056-3 : BIG-IP system might send an egress packet with a priority different from that of ingress packet on the same flow.

Component: Local Traffic Manager

Symptoms:
When the hardware COS queue feature is enabled, in some cases the BIG-IP system sends an egress packet with a priority different from that of ingress packet on the same flow.

Conditions:
Hardware COS queue feature is enabled.

Impact:
Egress packets are sent with an incorrect packet priority and delivered on the incorrect switch COS queues, resulting in lower performance.

Workaround:
None.

Fix:
Packet priority passthrough mode is now sending correct packet priority and delivering on the correct switch COS queue.


504973-2 : Configuring a route domain with 32 bit subnet mask, 128 bit mask saved instead

Component: Application Security Manager

Symptoms:
When creating a policy using a route domain and a full 32 bit subnet mask, the ASM saves it as a 128 bit mask.

Conditions:
Provisioned ASM

Impact:
Wrong 128 bit subnet mask is saved instead of the configured 32 bit mask.

Fix:
When creating a security policy using a route domain and a full 32 bit subnet mask, ASM no longer saves it as a 128 bit mask.


504899-1 : Duplicated snat-translation addresses are possible (a named and an anonymous (created by snatpool) one)

Component: Local Traffic Manager

Symptoms:
It is possible to have duplicated snat-translation addresses if one is explicitly created (named one) and the other is implicitly created when adding anonymous addresses to a snatpool.

Conditions:
No special conditions required other than to perform the configuration changes.

Impact:
Because duplicated snat-translation addresses may exist, a change to an address entry that is assigned to a snatpool may not affect the right entry. That is, with the following snat addresses:
we have the following snat-addresses:

snat_address_01 address 1.2.3.1
1.2.3.1(anonymous) address 1.2.3.1

And the following snatpool:

snat_pool { 1.2.3.1 1.2.3.2 }

If snat_address_01 (whose address, 1.2.3.1, is part of snat_pool) is changed, the actual snat_pool member (anonymous 1.2.3.1) is not updated with the new setting, so the change has no effect.


504827-3 : Use of DHCP relay virtual server might result in tmm crash 'top filter'.

Component: Local Traffic Manager

Symptoms:
tmm crash with panic string 'top filter' appearing in tmm log.

Conditions:
A DHCP relay virtual server is configured that conflicts with another virtual server's address/port.

Impact:
A rarely encountered tmm crash, which might result in network outage. The system posts a message similar to the following: notice panic: ../modules/hudfilter/hudnode.c:310: Assertion 'top filter' failed.

Workaround:
Avoid configuring virtual servers that share address:port with DHCP relay virtual server.

In releases prior to version 11.6.0, use regular IP forwarding virtual servers if the virtual server is not for Relay but just for 'forwarding'. When the virtual server destination is not 255.255.255.255, it is typically for forwarding, not for Relay.

Fix:
The system now verifies that existing serverside flows are actual relay flows before reusing them.


504803-4 : GUI Local Traffic Pool list does not show certain Pools with name containing 'mam'.

Component: TMOS

Symptoms:
Local Traffic Pool list does not show Pools with names that contain the characters 'mam' starting at the 5th position of the name.

Conditions:
This occurs using the GUI.

Impact:
Cannot see these pools in the GUI.

Workaround:
Use tmsh to list pools with mam in the name.

Fix:
Pools whose names contain 'mam' now appear in the Pools list in the GUI.


504633-7 : DTLS should not update 'expected next sequence number' when the record is bad.

Component: Local Traffic Manager

Symptoms:
DTLS updates the 'expected next sequence number' even if the record is bad. This might cause good records with a smaller (now unexpected) sequence number to be dropped.

Conditions:
DTLS receives a bad record with a very large sequence number.

Impact:
DTLS might drop good records whose sequence numbers are smaller than the bad record's.

Workaround:
None.

Fix:
The system now updates the 'expected next sequence number' only when the record is good.
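An added example of the rule this fix applies, written as a sliding anti-replay window in the style of RFC 6347 section 4.1.2.6; it is not F5 code and the page does not describe how BIG-IP tracks the expected sequence number. The record MAC is stood in for by HMAC-SHA256 over a 64-bit sequence number and the payload (real DTLS authenticates epoch, sequence, type, version and length too), and the key and records are constructed for the example. advance_on_bad=True reproduces the pre-fix behaviour: a single unauthenticated record with a very large sequence number moves the window, and the sender's real records are then dropped as too old.

```python
import hashlib
import hmac
import struct

WINDOW_BITS = 64  # RFC 6347 recommends a replay window of at least 64 records


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Stand-in record MAC: HMAC-SHA256 over the 64-bit sequence number and payload."""
    return hmac.new(key, struct.pack("!Q", seq) + payload, hashlib.sha256).digest()


class DtlsReplayWindow:
    """Sliding anti-replay window.

    right is the highest sequence number accepted so far (the 'expected next'
    position is right + 1); bitmap bit i records whether right - i was seen.
    advance_on_bad=True models the defect in the entry above: the window moves
    for records whose MAC fails.
    """

    def __init__(self, key: bytes, advance_on_bad: bool = False, window: int = WINDOW_BITS):
        self.key = key
        self.advance_on_bad = advance_on_bad
        self.window = window
        self.right = -1   # no record accepted yet
        self.bitmap = 0

    def _slide(self, seq: int) -> None:
        if seq > self.right:
            shift = seq - self.right
            if shift >= self.window:
                self.bitmap = 0
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << self.window) - 1)
            self.bitmap |= 1
            self.right = seq
        else:
            self.bitmap |= 1 << (self.right - seq)

    def receive(self, seq: int, payload: bytes, tag: bytes) -> str:
        # 1. Cheap window checks first, so replays never cost a MAC verification.
        if self.right >= 0:
            if seq <= self.right - self.window:
                return "drop:too-old"
            if seq <= self.right and (self.bitmap >> (self.right - seq)) & 1:
                return "drop:replay"
        # 2. Authenticate the record.
        if not hmac.compare_digest(seal(self.key, seq, payload), tag):
            if self.advance_on_bad:   # pre-fix behaviour: trust an unverified sequence number
                self._slide(seq)
            return "drop:bad-mac"
        # 3. Only an authenticated record may move the window.
        self._slide(seq)
        return "accept"


if __name__ == "__main__":
    key = b"constructed-test-key"
    for advance in (True, False):
        w = DtlsReplayWindow(key, advance_on_bad=advance)
        print("advance_on_bad =", advance)
        print("  seq 0, good  ->", w.receive(0, b"a", seal(key, 0, b"a")))
        print("  seq 10**6, forged ->", w.receive(10**6, b"x", bytes(32)))
        print("  seq 1, good  ->", w.receive(1, b"b", seal(key, 1, b"b")))
```

Because the forged record's sequence number is unauthenticated, anyone on the path can send it; that is why the window (or the expected-next counter) must only ever advance in step 3, after the MAC has verified.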


504606-6 : Session check interval now has minimum value

Component: Access Policy Manager

Symptoms:
Session check interval can be changed or turned off completely for debug purposes.

Conditions:
Using the session check interval.

Impact:
Session check interval may be set to an excessively short value.

Workaround:
None.

Fix:
Session check interval now has a minimum (5000 msec), which prevents the value from being too small.


504572-3 : PVA accelerated 3WHS packets are sent in wrong hardware COS queue

Component: TMOS

Symptoms:
Under full ePVA acceleration, 3WHS (3-way handshake) packets from VIP to node will always egress on hardware COS queue 3, regardless of COS queue mapping configured on the system.

Conditions:
The packets need to be fully accelerated by ePVA.

Impact:
Potential performance downgrade.

Workaround:
None.

Fix:
PVA accelerated 3WHS packets are now egressed on the correct hardware COS queue.


504508-4 : IPsec tunnel connection from BIG-IP to some Cisco ASA does not stay up when DPD (Dead Peer Detection) is enabled

Component: TMOS

Symptoms:
When establishing an IPsec tunnel from the BIG-IP system to some Cisco devices that run an older Dead Peer Detection (DPD) implementation, the IPsec tunnel does not stay up because of a mismatched Cookie field in the DPD message.

Conditions:
An IPsec tunnel connection from a BIG-IP system to certain Cisco ASA configurations does not stay up when DPD is enabled.

Impact:
IPsec tunnel goes down, traffic stops.

Workaround:
Disable Dead Peer Detection for the Ike Peer configuration to the Cisco devices exhibiting this issue.

Fix:
IPsec tunnels between the BIG-IP system and Cisco devices with an older Dead Peer Detection (DPD) implementation are no longer brought down because of a mismatched Cookie field in the DPD messages.


504496-4 : AAA Local User Database may sync across failover groups

Component: TMOS

Symptoms:
APM units that are not in the same BIG-IP Sync-Failover group are sharing local user entries. The system may possibly also experience higher management CPU load as a result of frequently syncing the local user database.

Conditions:
There is at least one sync-failover group in the Device Management :: Device Groups list, and there are devices listed in Device Management :: Devices list that are not members of that sync-failover group (either standalone or members of another device group), and those devices are provisioned with APM.

Impact:
Unwanted sharing of local user database between sync-failover groups and/or standalone devices. The system may also experience higher management CPU load as a result of frequently syncing the local user database. Under severe conditions where the database is synced multiple times per minute continually for hours or days, the rapid syncing of the database may result in unexpected failover.

Fix:
AAA Local User Database now syncs correctly.


504494-4 : Upgrading to 11.5.0 and later might associate a disabled HA group to traffic groups.

Component: TMOS

Symptoms:
If the BIG-IP system has a disabled HA Group and is upgraded to 11.5.x or later, the disabled group might be associated with traffic groups on upgrade.

Conditions:
Before the upgrade, an HA Group exists that is disabled.
Upgrade to 11.5.x or later from 10.2.x or 11.x (pre-11.5.0) to a version earlier than 12.0.0, 11.5.4, or 11.6.1.

Impact:
If the BIG-IP system is rebooted after the upgrade, it's possible that the switch will fail over because the HA group score is used even though the HA group is disabled.

Workaround:
After the upgrade, check all traffic groups and ensure that none of them are configured to use a disabled HA Group.

Fix:
Upgrading to 11.5.0 and later no longer associates a disabled HA group to traffic groups. This is correct behavior.


504461-3 : Logon Page agent gets empty user input in clientless mode 3 when a Variable Assign agent resides in front of it.

Component: Access Policy Manager

Symptoms:
APM is unable to complete the access policy when there is a Variable Assign agent in front of a Logon Page agent.

Conditions:
Access policy has a Variable Assign agent in front of a Logon Page agent.

Impact:
APM is unable to complete the access policy.

Fix:
Now APM can successfully run access policies where a Variable Assign agent resides in front of a Logon Page agent.


504396-3 : When a virtual's ARP or ICMP is disabled, the wrong mac address is used

Component: Local Traffic Manager

Symptoms:
When we use tmsh to modify icmp_enabled or arp_enabled property of a virtual address object from true to false, tmm does not reset internal state properly. This results in a tmm using the VLAN's true mac as the source mac instead of the traffic group's mac masquerade address.

Conditions:
Using mac masquerading in a HA traffic group.

Impact:
Packets may be dropped by switches or routing tables improperly updated.

Workaround:
None.

Fix:
When a virtual server's ARP or ICMP is disabled, the correct mac address is now used.


504384-3 : ICMP attack thresholds

Component: Advanced Firewall Manager

Symptoms:
ICMP flood protection triggers at an earlier than expected threshold if all of the ICMP attack traffic contains the same ID. This is because all traffic is sent to the same tmm when it contains the same ID but the threshold takes into account the number of tmms.

Conditions:
When ICMP traffic is sent with the same ICMP id, and the DoS threshold was configured assuming the ICMP traffic would be spread across all tmms.

Impact:
The forwarded ICMP traffic has higher priority than regular traffic, causing normal traffic to potentially be dropped sooner than the forwarded traffic.

Workaround:
None.

Fix:
ICMP attack traffic with same ID being forwarded to a single TMM for processing is now tagged with the correct priority.


504306-7 : https monitors might fail to re-use SSL sessions.

Component: Local Traffic Manager

Symptoms:
SSL handshakes for https monitors might fail to correctly re-use SSL session IDs.

Conditions:
A configuration that utilizes https monitors to servers that implement an SSL session cache. More servers utilizing the same https monitor make the problem more likely to occur.

For the monitor flapping or false negative symptom in 11.5.0 or higher, a monitor must be configured for a combination of TLS 1.0 and TLS 1.2 servers.

Impact:
The bigd process might consume more CPU than necessary because it might always be performing complete SSL handshakes with monitored servers.

BIG-IP version 11.5.0 or higher in environments with both TLS 1.0 and TLS 1.2 servers that perform SSL session caching may experience monitor flapping or servers that are marked down unexpectedly.

Workaround:
None.

Fix:
https monitors now properly perform SSL session re-use.


504225-1 : Virtual creation with the multicast IPv6 address returns error message

Component: Local Traffic Manager

Symptoms:
When LTM has a DHCPv6 profile in relay mode attached to a virtual server configured with a multicast IPv6 address, it returns the error message '01020064:3: IPv6 Address ff02::1:2 is invalid, Multicast address not allowed.'

Conditions:
Create an IPv6 virtual with multicast IPv6 address with DHCPv6 profile (relay mode) attached.

Impact:
Cannot create an IPv6 virtual server with a multicast IPv6 address and a DHCPv6 relay mode profile attached.

Workaround:
None.

Fix:
Can now create an IPv6 virtual with multicast IPv6 address with DHCPv6 profile (relay mode) attached.


504182-2 : Enforcer cores after upgrade upon the first request

Component: Application Security Manager

Symptoms:
If an ASM security policy contains entities with invalid configuration from a previous version, UCS load will fail and leave the device in an inconsistent state, leading to BD crash.

Conditions:
An ASM security policy contains entities with invalid configuration from a previous version. This can occur on an upgrade from 11.5.x to 11.6.0 prior to HF5.

Impact:
UCS load will fail and leave the device in an inconsistent state, leading to BD crash.

Workaround:
Correct ASM entity configuration before upgrade.

Fix:
We fixed an upgrade issue where the Enforcer crashed after the upgrade upon the first request (this was due to a missing data protection configuration).


504105-3 : RRDAG enabled UDP ports may be used as source ports for locally originated traffic

Component: Local Traffic Manager

Symptoms:
RRDAG enabled UDP ports may be used as the source port on locally originated connections.

Conditions:
RRDAG is enabled.

Impact:
Connections may be forwarded between tmms, resulting in a performance impact.

Fix:
RRDAG enabled ports can no longer be selected as a source port for locally originated connections.


503979-3 : High CPU usage when DNS cache resolver sends a large number of DNS queries to the backend name server.

Component: Local Traffic Manager

Symptoms:
When the DNS cache resolver is resolving a DNS query, it might send queries to the backend name server iteratively. If the name server is responding slowly and the cache resolver is sending queries to name servers at a high rate, the CPU usage of the BIG-IP system might be very high.

Conditions:
(1) Configure the cache resolver to have a large value (for example, 40 KB) for both max-concurrent-queries and max-concurrent-udp.
(2) The cache resolver sends queries to the name servers at a high rate.
(3) The backend name server is responding slowly to the cache resolver.

Impact:
The CPU usage might be extremely high. Site might be unstable.

Workaround:
Configure the cache resolver to have a default value for both max-concurrent-queries and max-concurrent-udp.

Fix:
The CPU usage does not increase unexpectedly when the cache resolver sends a large number of DNS queries to slow backend name servers.


503841-4 : Slow performance with delete_string_class_member in iControl-SOAP

Component: TMOS

Symptoms:
Starting with 11.5.1 HF6, deleting ~9000 strings takes about 60 seconds to complete.

Conditions:
Delete a large number of strings with the delete_string_class_member API in iControl-SOAP.

Impact:
Poor performance; the operation can time out.

Fix:
With the fix in place, deleting ~9000 strings takes about 5 seconds.


503741-14 : DTLS session should not be closed when it receives a bad record.

Component: Local Traffic Manager

Symptoms:
According to RFC 6347, section 4.1.2.7, Handling Invalid Records:
'Unlike TLS, DTLS is resilient in the face of invalid records (e.g., invalid formatting, length, MAC, etc.). In general, invalid records SHOULD be silently discarded, thus preserving the association; however, an error MAY be logged for diagnostic purposes. Implementations which choose to generate an alert instead, MUST generate fatal level alerts to avoid attacks where the attacker repeatedly probes the implementation to see how it responds to various types of error. Note that if DTLS is run over UDP, then any implementation which does this will be extremely susceptible to denial-of-service (DoS) attacks because UDP forgery is so easy. Thus, this practice is NOT RECOMMENDED for such transports.'

In the BIG-IP implementation, DTLS chooses to disconnect the session when it receives an invalid record.

Conditions:
DTLS receives a bad record packet.

Impact:
DTLS disconnects the session.

Workaround:
None.

Fix:
The system now silently discards all of the invalid records and preserves the association. This is correct behavior.
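The two DTLS fixes above (504633-7, advance the 'expected next sequence number' only on good records; 503741-14, silently discard invalid records instead of closing the association) come down to the order of operations in the receive path. The following is an added example, not F5's code: a minimal DTLS 1.2-style record receiver with a sliding anti-replay window whose two flags reproduce the pre-fix behaviours. The record header layout follows RFC 6347; the MAC is a truncated HMAC-SHA256 under a constructed demo key, standing in for the negotiated record protection of a real stack.

```python
"""DTLS-style record receiver: discard bad records, move the window only on good ones.

Added example, not F5's code.  Record layout per DTLS 1.2 (RFC 6347):
type(1) version(2) epoch(2) sequence(6) length(2) body.  The MAC here is a
truncated HMAC-SHA256 under a constructed key, not a negotiated cipher suite.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

DEMO_KEY = b"constructed-demo-key"   # constructed; stands in for negotiated keys
DTLS12 = 0xFEFD                      # DTLS 1.2 version field
TAG_LEN = 16
HEADER = struct.Struct(">BHH6sH")    # type, version, epoch, 48-bit seq, length


def record_mac(epoch: int, seq: int, payload: bytes) -> bytes:
    """Truncated HMAC binding the payload to its epoch and sequence number."""
    msg = struct.pack(">HQ", epoch, seq) + payload
    return hmac.new(DEMO_KEY, msg, hashlib.sha256).digest()[:TAG_LEN]


def make_record(epoch: int, seq: int, payload: bytes, corrupt_mac: bool = False) -> bytes:
    """Build an application_data record; corrupt_mac simulates a forged or damaged record."""
    tag = record_mac(epoch, seq, payload)
    if corrupt_mac:
        tag = bytes(b ^ 0xFF for b in tag)
    header = HEADER.pack(23, DTLS12, epoch, seq.to_bytes(6, "big"), len(payload) + TAG_LEN)
    return header + payload + tag


@dataclass
class DtlsReceiver:
    """Receive side of one DTLS association with a sliding anti-replay window.

    advance_on_bad reproduces the pre-fix behaviour of ID 504633-7 (the window's
    right edge moves even for bad records); close_on_bad reproduces ID 503741-14
    (association torn down on a bad record).  Both False is the fixed behaviour.
    """
    advance_on_bad: bool = False
    close_on_bad: bool = False
    window: int = 64
    epoch: int = 0
    right_edge: int = -1                 # highest sequence number accepted so far
    seen: set = field(default_factory=set)
    alive: bool = True
    accepted: list = field(default_factory=list)
    dropped_invalid: int = 0
    dropped_old: int = 0

    def _verify(self, record: bytes):
        """Return (seq, payload, ok); ok is False for any malformed or bad-MAC record."""
        if len(record) < HEADER.size + TAG_LEN:
            return 0, b"", False
        _ctype, version, epoch, seq_bytes, length = HEADER.unpack_from(record)
        seq = int.from_bytes(seq_bytes, "big")
        body = record[HEADER.size:]
        if version != DTLS12 or epoch != self.epoch or length != len(body):
            return seq, b"", False
        payload, tag = body[:-TAG_LEN], body[-TAG_LEN:]
        return seq, payload, hmac.compare_digest(tag, record_mac(epoch, seq, payload))

    def receive(self, record: bytes) -> str:
        if not self.alive:
            return "closed"
        seq, payload, ok = self._verify(record)
        if self.advance_on_bad:
            self.right_edge = max(self.right_edge, seq)   # pre-fix: trusts an unverified seq
        if not ok:
            self.dropped_invalid += 1
            if self.close_on_bad:
                self.alive = False                         # pre-fix: fatal; trivially forged over UDP
            return "invalid"                               # fixed: silently discarded, association kept
        if seq + self.window <= self.right_edge:
            self.dropped_old += 1                          # left of the window: dropped as too old
            return "too-old"
        if seq in self.seen:
            return "replay"
        self.seen.add(seq)
        self.right_edge = max(self.right_edge, seq)       # fixed: only verified records move it
        self.accepted.append(payload)
        return "accepted"


def run_scenario(advance_on_bad: bool = False, close_on_bad: bool = False):
    """Two good records, a bad record with a huge sequence number, then another good one."""
    rx = DtlsReceiver(advance_on_bad=advance_on_bad, close_on_bad=close_on_bad)
    stream = [                                             # constructed sample traffic
        make_record(0, 0, b"hello"),
        make_record(0, 1, b"world"),
        make_record(0, 1_000_000, b"garbage", corrupt_mac=True),
        make_record(0, 2, b"again"),
    ]
    return [rx.receive(r) for r in stream], rx.alive


if __name__ == "__main__":
    print("fixed        ", run_scenario())
    print("504633-7 bug ", run_scenario(advance_on_bad=True))
    print("503741-14 bug", run_scenario(close_on_bad=True))
```

With both flags off the bad record is counted and ignored and the later good record is accepted; with advance_on_bad the good record is dropped as too old, and with close_on_bad it is never processed because the association is gone.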


503676-5 : SIP REFER, INFO, and UPDATE request do not trigger SIP_REQUEST or SIP_REQUEST_SEND iRule events

Component: Service Provider

Symptoms:
SIP REFER, INFO, and UPDATE requests do not trigger iRule events.

Conditions:
This occurs when the following conditions are met:
 -- Virtual server has a SIP profile.
 -- Virtual server has iRule(s) containing SIP_REQUEST or SIP_REQUEST_SEND events.
 -- SIP REFER, INFO, or UPDATE request is received on the virtual server.

Impact:
iRule event is not executed.

Workaround:
None.

Fix:
SIP REFER, INFO, and UPDATE requests now trigger the SIP_REQUEST and SIP_REQUEST_SEND iRule events. This is the correct behavior.


503652-1 : Some SIP UDP connections are lost immediately after enabling a blade on the Active HA unit.

Component: Service Provider

Symptoms:
When a blade is enabled on a cluster while it is actively processing SIP UDP traffic, some packets might be lost.

Conditions:
This occurs in an Active HA cluster containing VIPRION B2100 blades with the udp.hash value set to 'ipport' and client-side round robin TMM disaggregation enabled.

Impact:
Some SIP UDP traffic packets might be lost.

Workaround:
Do not enable a blade in a cluster while the blade is processing SIP UDP traffic.

Fix:
Some SIP UDP connections are now retained after enabling a blade on the Active HA unit.


503620-2 : ECDHE_ECDSA and DHE_DSS ciphers do not work with OpenSSL 1.0.1k and later

Component: Local Traffic Manager

Symptoms:
BIG-IP SSL when using ciphers ECDHE_ECDSA and DHE_DSS does not work consistently with OpenSSL clients using OpenSSL versions 1.0.1k or later.

Conditions:
When the ciphers used are ECDHE_ECDSA or DHE_DSS, and the OpenSSL clients have versions later than OpenSSL 1.0.1k.

Impact:
The SSL handshake fails. The OpenSSL clients might encounter a decryption error while reading the server key exchange.

Workaround:
Use OpenSSL versions earlier than OpenSSL 1.0.1k.

Fix:
BIG-IP SSL now works well with ciphers ECDHE_ECDSA or DHE_DSS with OpenSSL client version OpenSSL 1.0.1k and later.


503604-2 : Tmm core when switching from interface tunnel to policy based tunnel

Component: TMOS

Symptoms:
When the configuration is changed from an interface tunnel to a policy-based tunnel, tmm crashes.
This is most likely a timing issue: the pnh is not updated when the policy is updated, so the policy_type (policy_interface vs policy_ipsec) is mismatched.

Conditions:
Traffic is passing in the background while the configuration is changed from an interface tunnel to a policy-based tunnel.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm no longer cores when switching from an interface tunnel to a policy-based tunnel.


503600-3 : TMM core logging from TMM while attempting to connect to remote logging server

Component: TMOS

Symptoms:
TMM crash and coredump while logging to remote logging server.

Conditions:
The problem might occur when a log message is created as the result of errors that can occur during log-connection establishment. The crash specifically occurs when an error occurs while attempting to connect to the remote logging server.

Impact:
TMM runs out of stack and dumps core. Stack trace shows recursion in errdefs. The system cannot function under these conditions. This is an issue that might occur anytime logs are generated when managing resources that are also used by the logging system itself.

Workaround:
Two possible workarounds are available:
1) Create a log filter specifically for message-id :1010235: that either discards or directs such messages to local syslogs.
2) If the problem occurs on TMM startup, disable and then re-enable the corresponding log source once the TMM starts up.

Fix:
TMM no longer crashes and coredumps while logging to remote logging server.


503560-5 : Statistics profiles cannot be configured along with HTTP transparent profile on the same virtual server.

Component: Local Traffic Manager

Symptoms:
Statistics profiles cannot be configured along with HTTP transparent profile on the same virtual server.

Conditions:
HTTP transparent profile is attached to a virtual server. Statistics profile now cannot be attached to the same virtual server.

Impact:
Only a Statistics profile or an HTTP transparent profile may be assigned to a single virtual server.

Workaround:
None.

Fix:
The validation logic has been changed to allow a Statistics profile and an HTTP transparent profile to be attached to the same virtual server simultaneously.


503541-3 : Use 64 bit instead of 10 bit for Rate Tracker library hashing.

Component: Advanced Firewall Manager

Symptoms:
Rate Tracker 10 bit hashing may cause inaccurate rate-limits by the Sweep & Flood DoS vectors.

Conditions:
When Sweep and Flood vector is enabled in AFM module.

Impact:
Impact to Sweep and Flood detection rate accuracy.

Workaround:
None.

Fix:
The system now uses 64 bit instead of 10 bit for Rate Tracker hashing, which results in more accuracy in attack detection and mitigation.


503471-2 : Memory leak can occur when there is a compressed response, and abnormal termination of the connection

Component: Application Visibility and Reporting

Symptoms:
Memory utilization grows over time.

Conditions:
This issue occurs when the BIG-IP system sends a compressed response, and an abnormal termination of the connection occurs.

Impact:
Memory leak in TMM that grows over time.

Workaround:
Avoid configuration of Application DoS with Client-side mitigation.

Fix:
A memory leak has been fixed that occurred when there was a compressed response and an abnormal termination of the connection.


503343-9 : TMM crashes when cloned packet incorrectly marked for TSO

Component: Local Traffic Manager

Symptoms:
TMM cores.

Conditions:
1. Clone pool configured

2. Clone MTU > Client or Server MTU

3. tm.tcpsegmentationoffload db var in "disable" state

4. TSO enabled in client or server side interface

5. TSO disabled in clone interface

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove the configured clone pool

Fix:
Prevent TMM crash due to cloned packet incorrectly marked for TSO.


503319-5 : After network access is established browser sometimes receives truncated proxy.pac file

Component: Access Policy Manager

Symptoms:
On the Mac OS X platform, after network access is established, the proxy.pac received by the browser is truncated.

Conditions:
This occurs if proxy.pac file is larger than 65535 bytes (~65 KB).

Impact:
Large proxy.pac file might not be downloaded or might be truncated.

Workaround:
Reduce the proxy.pac file size so that the merged file is less than ~65 KB.

Fix:
Merged (by F5 tunnel server) proxy.pac is now NOT truncated when sent to the browser even if its size is greater than ~65 KB.


503257-13 : Persistence, connection limits and HTTP::respond or HTTP::redirect may result in RST

Component: Local Traffic Manager

Symptoms:
Client connections to a virtual server with persistence, connection limits, and an iRule that issues an HTTP response may receive a RST with a cause of "pmbr enqueue failed" even though connection queuing is not enabled.

Conditions:
This can happen if the connection makes an HTTP request and an iRule directly responds to the first request on the connection. A future request on that TCP connection would be reset if it is persisted to a pool member that is at its connection limit. The iRule would use HTTP::respond (without "connection close") or HTTP::redirect.

Impact:
Clients may receive a RST and fail to connect to an available pool member under some traffic patterns.

Workaround:
If using HTTP::respond or HTTP::redirect in an iRule, change to HTTP::respond with the "Connection close" option in order to force the connection to terminate and the client to start a new connection after the redirect is sent.

Fix:
Persistence, connection limits and HTTP::respond or HTTP::redirect no longer result in RST.


503214-11 : Under heavy load, hardware crypto queues may become unavailable.

Component: Local Traffic Manager

Symptoms:
When the BIG-IP system is under heavy load, it may erroneously determine that the hardware crypto queues are unavailable and trigger an HA failover event.

Conditions:
BIG-IP system under heavy load and using hardware crypto.

Impact:
HA failover. You might see messages similar to the following:
 -- crit tmm2[22560]: 01010025:2: Device error: crypto codec cn-crypto-2 queue is stuck.
 -- warning sod[6892]: 01140029:4: HA crypto_failsafe_t cn-crypto-2 fails action is failover.
 -- notice sod[6892]: 010c0052:5: Standby for traffic group /Common/traffic-group-1.

Workaround:
None.

Fix:
BIG-IP system now performs an extra check to determine whether the crypto hardware queues are available.


503118-1 : clientside and serverside command crashes TMM

Component: Local Traffic Manager

Symptoms:
When parking command is used inside clientside or serverside, tmm crashes.

Conditions:
Parking command, e.g., the table command, is used inside clientside or serverside command.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Move the parking command outside clientside or serverside command.

Fix:
Parking command can run inside clientside and serverside.

The client side connection must exist when clientside command runs; the server side connection must exist when serverside command runs; otherwise the clientside and serverside commands fail.


503085-2 : Make the RateTracker threshold a constant

Component: Advanced Firewall Manager

Symptoms:
Dynamic detection threshold may impact Sweep and Flood detection rate accuracy under high traffic conditions.

Conditions:
When Sweep and Flood is enabled in AFM module.

Impact:
Some Sweep and Flood functionality might not provide sufficient detection rate accuracy.

Fix:
The RateTracker threshold is now a constant, which improves detection rate accuracy.


502959-3 : Unable to get a response from virtual server after node flapping

Component: Local Traffic Manager

Symptoms:
If persistence is used, and a node is marked down and then up in quick succession (less than about 7 seconds), then persistence may act inconsistently.

Conditions:
Persistence, rapid node flapping, new connection (via a TMM with an existing connection) after node has been re-marked as up.

Impact:
Persistence may act inconsistently (meaning, not all connections expected to persist to a server will do so). In certain circumstances, requests may hang (the client is connected, waiting for a response).

Workaround:
None.

Fix:
The system now deletes a persist entry from all peer TMMs when it is deleted in any TMM, so no conflicts occur.


502852-4 : Deleting an in-use custom policy template

Component: Application Security Manager

Symptoms:
If a user tries to delete a custom policy template while there are still security policies in the system that were created from that template, the delete will fail. This also leaves the custom template in an unusable state that can neither be used to create further Policies nor can it ever be deleted.

Conditions:
A security policy exists on the system that was created from a custom template. The user then tries to delete the template before removing the policy from the system.

Impact:
The custom template becomes unusable for creating new policies, and cannot be deleted even after there are no longer any policies created from it left on the system.

Workaround:
Contact support for a script that will disassociate all user defined policy templates from existing policies.
This will allow any user defined template to be successfully deleted.

Fix:
If you fail to delete a custom policy template because an existing security policy refers to it, it no longer leaves the custom policy template in an unusable state.


502770-3 : clientside and serverside command crashes TMM

Component: Local Traffic Manager

Symptoms:
When the parking command is used inside clientside or serverside, tmm crashes.

Conditions:
Parking command, e.g. table command, is used inside clientside or serverside command.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Move the parking command outside clientside or serverside command.

Fix:
Parking command can run inside clientside and serverside.

The client side connection must exist when clientside command runs; the server side connection must exist when serverside command runs; otherwise the clientside and serverside commands fail.

Behavior Change:
clientside and serverside command error out if client side or server side connection does not exist at the time the command runs. Here is an example of where this might occur: clientside { SSL::disable }. This script fails if the client side connection does not exist. To work correctly, change the script to: SSL::disable clientside.


502747-13 : Incoming SYN generates unexpected ACK when connection cannot be recycled

Component: Local Traffic Manager

Symptoms:
Incoming SYN causes the BIG-IP system to generate ACK instead of SYN-ACK.

Conditions:
This can occur when the following conditions are met:
 - IP addresses and ports of SYN match an existing connection;
 - Sequence number of the SYN is 2^31 or more greater than that of the previously sent FIN;
 - Existing connection is in TIME_WAIT state;
 - Virtual server has time_wait_recycle enabled.

Impact:
Client will generate RST and connection must be re-tried.

Workaround:
Set time-wait-timeout to 1 millisecond per SOL12673.

Fix:
The BIG-IP system will no longer generate an ACK to incoming SYNs which match an existing connection that cannot be recycled.


502714-6 : Deleting files and file object references in a single transaction might cause validation errors

Component: TMOS

Symptoms:
Deleting files and file object references in a single transaction can lead to a validation error.

This might occur during device group configuration sync, an iApp, a tmsh cli transaction, or an iControl transaction.

Conditions:
A file object is deleted in the same transaction that its references are also deleted.

Impact:
This can cause an invalid validation error, including during a config sync.

Workaround:
In the case of iControl and tmsh, file object references must first be deleted/removed in a separate transaction. In the case of config sync, perform a full sync.

Fix:
File objects properly resolve references within the transaction, so there are no validation errors when deleting files and file object references in a single transaction.


502683-6 : Traffic intermittently dropped in syncookie mode, especially when hardware syncookie is on

Component: Local Traffic Manager

Symptoms:
In certain corner cases, BIG-IP software rejects valid SYN-Cookie responses due to incorrect hardware algorithm masking on the software side.

Conditions:
This issue appears only on hardware-SYN-Cookie-capable platforms when running the hardware SYN-Cookie algorithm.

Impact:
Intermittent connection failures.

Workaround:
Run software SYN-Cookie algorithm. Use the DB variable.
This makes sure software is running correct generation and validation algorithm.

Fix:
Traffic is now handled correctly in certain corner cases involving hardware syncookies.


502443-9 : After enabling a blade/HA member, pool members are marked down because monitoring starts too soon.

Component: Local Traffic Manager

Symptoms:
The external monitoring daemon (bigd) sends monitoring traffic before tmm is ready to receive those responses. The response traffic is routed to a tmm on another blade/HA member. This tmm responds to the server with an ICMP "Unreachable" message. Meanwhile, the originating tmm on the new blade/HA member marks the pool member "down" because it never received the server's response.

Conditions:
Start with at least 1 blade enabled in a chassis or one HA member configured, and pass traffic constantly through a virtual server with a monitor-enabled pool attached. Then, enable a new blade in the cluster or a new HA member.

Impact:
Some packets are lost for several seconds. It can be longer depending on the total number of pool members.

Workaround:
Before adding a new blade to a chassis or a member to the HA configuration that is actively processing traffic, temporarily remove the monitor(s) from the pool. Once the new blade/HA member is up, manually add the monitor(s) back to the pool.

Fix:
When a VIPRION blade or BIG-IP HA member comes on-line, the bigd process on the blade/HA member no longer starts health monitors prematurely, which could have caused some monitored objects to be marked down incorrectly.

Behavior Change:
The external monitoring daemon (bigd) no longer sends monitoring traffic while the blade (cluster member) is offline or disabled, or while the HA member (chassis or appliance) is offline (including forced offline).


502441-7 : Network Access connection might reset for large proxy.pac files.

Component: Access Policy Manager

Symptoms:
Network Access connection might reset when large proxy.pac files are configured in the access policy.

Conditions:
Mac Edge client, browsers, Network Access, large proxy.pac file.

Impact:
Network Access connection might reset.

Workaround:
Reduce the proxy.pac file size to be less than 10 KB.

Fix:
Network Access connection does not reset if a large proxy.pac file is configured.


502414-3 : Make the RateTracker tier3 initialization number less variant.

Component: Advanced Firewall Manager

Symptoms:
Sweep and Flood vectors may exceed configured rate limit values by 10%-30%.

Conditions:
When Sweep and Flood vector is enabled in AFM module.

Impact:
Sweep and Flood attack detection at higher than configured levels.

Workaround:
None.

Fix:
An optimization was made to Rate Tracker that makes attack detection more accurate.


502269-2 : Large post requests may fail using form based SSO.

Component: Access Policy Manager

Symptoms:
SSOV2 modifies the payload of large POST requests; the server does not understand the modified payload, so all such transactions fail.

Conditions:
Large post requests using form based SSO.

Impact:
SSOV2 is a very common use case for APM. Many applications are configured with SSOV2. Any large post in such case will fail.

Workaround:
This issue has no workaround at this time.

Fix:
The payload is no longer modified, so the applications are unaffected.


502238-2 : Connectivity and traffic interruption issues caused by a stuck HSB transmit ring

Component: TMOS

Symptoms:
BIG-IP can experience sudden and permanent traffic interruption, impacting all traffic through TMM.

Conditions:
With TCP Segmentation Offload (TSO) enabled, it is possible to fill up the High-Speed Bridge (HSB) transmit ring, resulting in a stuck transmit ring.

The exact conditions under which this occurs are unknown, but it requires the sudden transmission of a number of large packets that require TSO in order to fill the transmit ring.

Impact:
The HSB's transmit ring becomes stuck. This requires a TMM restart in order to clear.

Workaround:
Disable TSO. This can be done using the following steps:
1. tmsh modify sys db tm.tcpsegmentationoffload value disable
2. bigstart restart tmm.

If TSO is not disabled, three related fixes are needed to fully address the issue:

-- ID 466260, covered in SOL15953: TMM may produce a core file with the 'Assertion we always have room in tx ring! failed' error message.
-- ID 502238, covered in SOL16736: The BIG-IP system may lose connectivity and fail to process all traffic through TMM if the HSB is overloaded.
-- ID 509782, covered in SOL16780: The BIG-IP system may drop TSO packets. The Solutions are available here:

-- https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15953.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16736.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16780.html

Fix:
Three related fixes are needed to fully address the issue:

-- ID 466260, covered in SOL15953: TMM may produce a core file with the 'Assertion we always have room in tx ring! failed' error message.
-- ID 502238, covered in SOL16736: The BIG-IP system may lose connectivity and fail to process all traffic through TMM if the HSB is overloaded.
-- ID 509782, covered in SOL16780: The BIG-IP system may drop TSO packets. The Solutions are available here:

-- https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15953.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16736.html
-- https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16780.html


502174-6 : DTLS fragments do not work for ClientHello message.

Component: Local Traffic Manager

Symptoms:
DTLS fragments do not work for ClientHello message.

Conditions:
DTLS ClientHello splits into multiple fragments.

Impact:
Both first handshake and renegotiation are affected.

Fix:
DTLS ClientHello fragments are now handled.


502149-2 : Archiving EC cert/key fails with error 'EC keys are incompatible for Webserver/EM/iQuery.'

Component: Local Traffic Manager

Symptoms:
When archiving a cert/key via the GUI, the following error message is displayed: 'EC keys are incompatible for Webserver/EM/iQuery.'

Conditions:
When archiving cert/key via GUI.

Impact:
Intermittently, an error is received when trying to archive key or certificates via GUI.

Workaround:
None.

Fix:
iControl now stores the mode information and sets a default value for it, so no error is reported.


502049-3 : Qkview may store information in the wrong format

Component: TMOS

Symptoms:
When creating a new monitor, some information may be stored in the wrong format.

Conditions:
Create a new monitor. Run qkview.

Impact:
Occasionally, some information stored for the new monitor will be in the incorrect format.

Workaround:
None.

Fix:
Monitor information is now stored in the correct format.


502048-3 : Qkview may store information in the wrong format

Component: TMOS

Symptoms:
When creating a new monitor, some information may be stored in the wrong format.

Conditions:
Create a new monitor. Run qkview.

Impact:
Occasionally, some information stored for the new monitor will be in the incorrect format.

Workaround:
None.

Fix:
Monitor information is now stored in the correct format.


501986-2 : Add a sys db tunable to make Sweep and Flood vectors be rate-limited per TMM process

Component: Advanced Firewall Manager

Symptoms:
Sweep and Flood vectors need to be accurate to within +-5%. To achieve this, a mode is added in which the Sweep and Flood vectors are rate-limited per TMM process. In this mode, traffic must be well distributed across the TMM processes for the limits to be effective.

A new sys db variable, dos.globalsflimits, controls this; it is true by default. When it is set to false, the Sweep and Flood vectors work per TMM process: the limits configured by the user are divided equally among the TMM processes, and when traffic is well distributed among them the enforced limit is close to the configured value.

Conditions:
When Sweep and Flood vector is enabled in AFM module.

Impact:
If the db variable is changed to false, the incoming traffic must be well distributed across TMMs. A TMM that receives more than its share of the traffic reaches its portion of the limit before the aggregate rate reaches the configured value.

Workaround:
None.

Fix:
Add a sys db tunable to make Sweep and Flood vectors be rate-limited per TMM process.
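The per-TMM split described in this entry, as an added example (not F5 code): a small Python model of how dividing the configured limit equally across TMM processes makes the enforced aggregate limit depend on how evenly traffic is spread. The 4-TMM unit, the 1000 pps limit, the traffic shares and the rounding rule for an uneven division are constructed assumptions; the note itself only says the limits are divided equally.

```python
"""Per-TMM Sweep/Flood rate limiting, modelled.

Added example, not F5 code. It models only what the release note states:
with dos.globalsflimits set to false the configured limit is divided equally
among the TMM processes, so the accuracy of the aggregate limit depends on
how evenly traffic is spread across TMMs. TMM counts, traffic shares and the
rounding of an uneven division are constructed assumptions.
"""
from __future__ import annotations


def per_tmm_limits(global_limit: int, tmm_count: int) -> list[int]:
    """Split a global packets-per-second limit equally across tmm_count TMMs.

    Assumption: the remainder of an uneven division goes to the first TMMs.
    """
    if tmm_count < 1 or global_limit < 0:
        raise ValueError("need at least one TMM and a non-negative limit")
    base, rem = divmod(global_limit, tmm_count)
    return [base + (1 if i < rem else 0) for i in range(tmm_count)]


def effective_limit(global_limit: int, shares: list[float]) -> tuple[float, float]:
    """Aggregate rate at which the first TMM starts dropping, and its error.

    shares[i] is the fraction of all traffic that TMM i receives (sums to 1).
    TMM i sees rate R * shares[i] and drops once that exceeds its slice of the
    limit, so the aggregate limit actually enforced is min(limit_i / shares[i]).
    Returns (enforced_pps, error_percent_relative_to_configured).
    """
    limits = per_tmm_limits(global_limit, len(shares))
    enforced = min(lim / s for lim, s in zip(limits, shares) if s > 0)
    error_pct = (enforced - global_limit) / global_limit * 100.0
    return enforced, error_pct


def within_tolerance(global_limit: int, shares: list[float], tol_pct: float = 5.0) -> bool:
    """True if the per-TMM mode meets the +-tol_pct accuracy the note aims for."""
    return abs(effective_limit(global_limit, shares)[1]) <= tol_pct


def dropped(global_limit: int, per_tmm_pps: list[int], global_mode: bool = True) -> int:
    """Packets per second dropped for one observed distribution of attack traffic.

    global_mode=True is dos.globalsflimits=true (one shared limit); False is the
    per-TMM mode, where each TMM enforces only its own slice.
    """
    if global_mode:
        return max(0, sum(per_tmm_pps) - global_limit)
    limits = per_tmm_limits(global_limit, len(per_tmm_pps))
    return sum(max(0, seen - lim) for seen, lim in zip(per_tmm_pps, limits))


if __name__ == "__main__":
    # Constructed scenario: a 1000 pps flood limit on a 4-TMM unit.
    even = [0.25, 0.25, 0.25, 0.25]
    skewed = [0.5, 0.2, 0.2, 0.1]
    print("per-TMM slices:", per_tmm_limits(1000, 4))
    print("even traffic  :", effective_limit(1000, even), within_tolerance(1000, even))
    print("skewed traffic:", effective_limit(1000, skewed), within_tolerance(1000, skewed))
    print("drops, global vs per-TMM at 1000 pps skewed:",
          dropped(1000, [500, 200, 200, 100], True),
          dropped(1000, [500, 200, 200, 100], False))
```

The skewed case is the caveat in the Impact field: a TMM that receives half the traffic on a four-TMM unit reaches its 250 pps slice when the aggregate is only 500 pps, so the vector fires at half the configured limit. With an even distribution the per-TMM and global modes drop the same number of packets.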


501953-1 : HA failsafe triggering on standby device does not clear next active for that device.

Component: TMOS

Symptoms:
An HA failsafe triggering on a standby device that is marked as next active for a traffic group does not clear the next active setting for that device. This leaves the system in a state in which the device designated as next active cannot take over for the active device in the case of a failure.

Conditions:
HA setup with two or more devices in a device trust and device group. HA failsafes are configured on one or more devices in the device group. The HA failsafes are triggered on a device that is currently in the standby state and designated next active for a traffic group.

Impact:
A device marked as next active for a traffic group with a triggered HA failsafe does not take over a traffic group in the case of a failure on the active switch.

Workaround:
Workaround is to force the device in question offline, so that another device is marked as next active.

Fix:
The fix correctly removes the next active setting for a device when it is in standby mode and an HA failsafe triggers. This causes a new device to be picked as next active if one is in standby mode and capable of running the traffic group.


501714-4 : The check that prevents low-quality JPEGs from being optimized to a higher quality (becoming larger) does not work when AAM image optimization is enabled and the JPEG quality in the policy is higher than that of the JPEGs on the OWS.

Component: WebAccelerator

Symptoms:
The check that prevents low-quality JPEGs on the OWS from being 'optimized' to a higher quality (when the quality setting in the WAM policy is higher than that of the file on the OWS) is not working.

Conditions:
AAM image optimization enabled and the JPEG quality in AAM policy is higher than the JPEGs on OWS.

Impact:
Image optimization can make the file significantly bigger.

Workaround:
Add the line below to /service/wamd/settings (create the file if it does not exist):

export WAMD_OPT_IMAGES_NO_BIGGER=all

Note that this returns the original file if the 'optimized' one comes out larger, which is subtly different from applying any other requested changes while leaving the quality the same as the file on the OWS.

Fix:
The test to prevent low quality JPEGs from optimizing to higher quality (becoming larger) is fixed.


501690-7 : TMM crash in RESOLV::lookup for multi-RR TXT record

Component: Local Traffic Manager

Symptoms:
TMM crashes with a specific ASSERT-based backtrace.

Conditions:
Requires an LTM listener with an iRule that has a RESOLV::lookup command querying for a TXT record and receiving multiple RRs.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes when an iRule's RESOLV::lookup command parses a TXT response that contains multiple RRs.


501612-5 : Spurious Configuration Synchronizations

Component: Application Security Manager

Symptoms:
Some items (for example, Incidents) were considered to be config elements that require synchronization when their status changes (such as being read), but are not actually synchronized in a device group.

Conditions:
Event Correlation Incidents occur and are read by the user while in a manual sync device group for ASM.

Impact:
The synchronization state of a device group erroneously changes to "Pending".

Workaround:
None.

Fix:
Items that are not synchronized across a device group no longer cause changes to the synchronization state.


501517-5 : Very large configuration can cause transaction timeouts on secondary blades

Component: TMOS

Symptoms:
Messages with 'end_transaction message timeout on connection 0x5ea9a9c8 (user mcpd-primary)' in them in the ltm log after a secondary blade is inserted or restarted.

Conditions:
A multi-bladed system with a very large configuration that takes more than a minute to transfer to secondary blades.

Impact:
mcpd's transaction does not complete and the configuration is not loaded properly.

Workaround:
None.

Fix:
Increased the transaction timeout to accommodate very large configuration transfers.


501516-4 : If a very large number of monitors is configured, bigd can run out of file descriptors when it is restarted.

Component: Local Traffic Manager

Symptoms:
When using a very large number of monitors, bigd may run out of file descriptors when it is restarted.

Conditions:
A system with a large number of monitors configured.

Impact:
bigd cores and gets into a restart loop; monitors no longer work properly. The ltm log might contain error messages similar to the following: socket error: Too many open files.

Workaround:
Reduce the number of monitors on the system.

Fix:
bigd no longer runs out of file descriptors during restart when using a very large number of monitors.


501498-4 : APM CTU doesn't pick up logs for Machine Certificate Service

Component: Access Policy Manager

Symptoms:
CTU report does not contain logs from Machine Certificate Service.

Conditions:
The CTU report is run on a client that uses the Machine Certificate Service; the report does not contain that service's logs.

Impact:
Logs are not available to technical staff

Workaround:
You can pick up logs manually from C:\Windows\Temp\logterminal.txt.

Fix:
CTU now correctly picks up logs for the Machine Certificate Service.


501480-2 : AFM DoS Single Endpoint Sweep and Flood Vectors crash TMM under heavy traffic.

Component: Advanced Firewall Manager

Symptoms:
With AFM DoS Single Endpoint Sweep and Flood Vectors configured, TMM might crash while processing a huge amount of the configured attack traffic.

Conditions:
AFM DoS Single Endpoint Sweep and Flood attack vector is enabled in the AFM module.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not configure the AFM DoS Single Endpoint Sweep and Flood Vector.

Fix:
AFM DoS Single Endpoint Sweep and Flood Vectors now correctly handle traffic so that TMM does not crash.


501437-6 : rsync daemon does not stop listening after configsync-ip set to none

Component: TMOS

Symptoms:
If a device is not in a CMI configuration, but has configsync-ip set on its self device object, and this configsync-ip is set to none, an rsync daemon continues to listen on the old configsync-ip.

Conditions:
This occurs when the following conditions are met: -- Device is not in a CMI configuration. -- Self device has a configsync-ip set.

Impact:
The rsync server may continue to listen even after it is expected that it will not listen.

Workaround:
None.

Fix:
The rsync daemon is now shut down properly when the configsync-ip is set to none, and no longer listens on configsync-ip.


501371-2 : mcpd sometimes exits while doing a file sync operation

Component: TMOS

Symptoms:
mcpd exits randomly. If mcpd debug logging is enabled, the system might post an operation similar to the following: Received request message from connection 0x5fe47008 (user %cmi-mcpd-peer-/Common/LNJDCZ-VPN1.example):
query_all {
   sync_file {
      sync_file_file_to_sync "/var/apm/localdb/mysql_bkup.sql"
      sync_file_target_dg "/Common/HA_Rhodes_APM"
      sync_file_postprocess_action "/usr/libexec/localdb_mysql_restore.sh"
      sync_file_originator "/Common/LNJDCZ-VPN1.example"
   }
}

Conditions:
mcpd is performing a file sync.

Impact:
Randomly, mcpd exits, triggering a failover.

Workaround:
None.

Fix:
Ensured mcpd no longer exits while performing a file sync.


501343-2 : In FIPS HA setup, peer may use the FIPS public-handle instead of the FIPS private-handle

Component: TMOS

Symptoms:
In a FIPS HA setup, when the FIPS private handle of x.key on Device A equals the FIPS public handle of x.key on Device B, Device B (the HA peer) receives the configuration from Device A and treats the handle as correct because the modulus matches, even though on Device B it is the public handle, not the private handle.

Conditions:
FIPS HA setup and FIPS private handle of x.key on Device A is a FIPS public handle of x.key on Device B.

Impact:
With this configuration, when the device fails over, it can lead to traffic failure. This occurs because TMM tries to use the public-handle when it should be using the private-handle.

Fix:
FIPS HA peer verifies the FIPS handle type to confirm that it uses only the private FIPS handles.


500938-4 : Network Access can be interrupted if second NIC is disconnected

Component: Access Policy Manager

Symptoms:
The Network Access connection breaks if the second NIC disconnects.
This happens for a specific Network Access configuration when both NICs are connected to the same network.

Conditions:
Network Access configuration:
* Full tunnel with "Prohibit routing table changes during Network Access connection" set to true.
* Split tunneling with "Prohibit routing table changes during Network Access connection" set to true, Address space is 0.0.0.0/0.
Client with 2 NICs both connected to the same network.

Impact:
NA is interrupted.


500925-2 : Introduce a new sys db variable to control number of merges per second of Rate Tracker library.

Component: Advanced Firewall Manager

Symptoms:
The accuracy of the rate limit for the Sweep and Flood vectors is affected by the number of merges per second in Rate Tracker library.

Conditions:
When sweep and flood vector is enabled in AFM module.

Impact:
There is no way to control the number of merges per second in the Rate Tracker library, which affects its accuracy.

Workaround:
None.

Fix:
Introduce a new sys db variable to control number of merges per second of Rate Tracker library.


500786-4 : Heavy memory usage while using fastL4/BIGTCP virtual with HTTP profile

Component: Local Traffic Manager

Symptoms:
When a FastL4/BIGTCP virtual server with an HTTP profile is used, certain kinds of traffic may cause large memory growth and lead to an out-of-memory condition.

Conditions:
If the FastL4 virtual server with an HTTP profile handles HTTP cloaking traffic (traffic that starts as HTTP and then switches to non-HTTP data), memory growth can be unbounded because there is no flow control. This may eventually lead to out-of-memory conditions.

Impact:
Out of memory conditions affecting the availability/stability of the BIG-IP system.

Workaround:
1. Avoid using a FastL4 virtual server with an HTTP profile unless it is needed.
2. If it cannot be avoided, use FastL4 with the HTTP-Transparent profile instead, and set the http-transparent profile attribute enforcement.pipeline to "pass-through". This allows the HTTP filter to run in pass-through mode and avoids the excessive memory consumption.

Fix:
If the FastL4 virtual server with an HTTP profile handles HTTP cloaking traffic that starts as HTTP and then switches to non-HTTP data, memory growth is no longer unbounded; flow control is now applied.
This prevents the out-of-memory conditions.


500640-2 : TMM core could be seen if FLOW_INIT iRule attached to Virtual server

Component: Advanced Firewall Manager

Symptoms:
A TMM core occurs when a FLOW_INIT iRule is applied to a virtual server for a global rule.

Conditions:
When logging is enabled, a FLOW_INIT rule is applied, and packets arrive for which the virtual server cannot be found, TMM could crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Added check for NULL context in connflow to avoid rare crash bug.


500452-3 : PB4300 blade doesn't disaggregate ESP traffic based on IP addresses in hardware

Component: TMOS

Symptoms:
The PB4300 blade tries to disaggregate ESP traffic in hardware based on the IPsec ESP Security Parameter Index (SPI) value, but the blade does not have that capability, so all ESP traffic is sent to one HSB and throughput degrades.

Conditions:
When PB4300 receives ESP traffic.

Impact:
Throughput degradation.

Workaround:
None.

Fix:
The PB4300 blade now uses IP addresses to disaggregate ESP traffic in hardware, so throughput is no longer impacted.


500450-2 : ASM and APM on same virtual server caused Set-Cookie header modification done by ASM not honored by APM websso.

Component: Access Policy Manager

Symptoms:
With APM and ASM configured on the same virtual server, cookie validation on ASM could modify the Set-Cookie header sent by the application server or inject another Set-Cookie header. APM websso module does not honor the Set-Cookie modification, nor the injection. ASM subsequently causes the connection to reset.

Conditions:
With APM and ASM configured on the same virtual server, if cookie validation on ASM modifies the Set-Cookie header sent by the application server or injects another Set-Cookie header, then APM websso module does not honor this.

Impact:
Connection reset on the above condition.

Workaround:
Use layered virtual servers with an iRule virtual command to send traffic from the ASM virtual server to an APM virtual server with ARP disabled instead of having everything on one virtual server.

Fix:
The APM websso module now handles this ASM use case: it re-parses the HTTP 401 response header from the server on the client side, in addition to the existing server-side parsing.
With this fix, any Set-Cookie header modified or added by ASM is included in the response to the 401.


500424-5 : dnatutil exits when reverse mapping one of the snippets results in a "No tmms on the blade" error

Component: Carrier-Grade NAT

Symptoms:
DNATutil exits with the error "dnatutil: No tmms on the blade."

Conditions:
A DNAT state log entry that is interpreted as invalid

Impact:
DNATUtil will not be able to parse the whole log file for reverse mappings

Workaround:
Remove the DNAT state chunk that produces the error.

Fix:
DNATUtil will continue on even if it encounters an error. It will report the error but not exit.


500365-5 : TMM Core as SIP hudnode leaks

Component: Service Provider

Symptoms:
There is a memory leak when using SIP in TCP/ClientSSL configurations.

Conditions:
The leak occurs when the clientside flow is torn down in response to the SSL handshake not completing.

Impact:
Because the SSL handshake is not complete, the SIP handler cannot complete the operation as expected, which results in an error and a memory leak of the SIP handler. The tmm memory increases, which eventually requires restarting tmm as a workaround.

Workaround:
Although there is no workaround to prevent the issue, you can recover from the memory-leak condition by restarting tmm.

Fix:
This release fixes a memory leak that occurred when using SIP in TCP/ClientSSL configurations, when the clientside flow was torn down in response to the SSL handshake not completing. The system now frees the SIP handler upon receiving the notification of a failed SSL handshake, so that the connection is rejected, the system performs the proper cleanup of the SIP handler, and no memory leak occurs.


500303-11 : Virtual Address status may not be reliably communicated with route daemon

Component: Local Traffic Manager

Symptoms:
Occasionally, when the Virtual Server status changes, the Virtual Address status may not be communicated to the routing services (that is, the tmrouted service).

This can result in incorrect routes.

Conditions:
Exact conditions unknown, but it can occur when the Virtual Server status changes.

Impact:
Virtual Addresses may have advertised routes when they are down, or vice versa.

Workaround:
None.

Fix:
The Virtual Address state change code was improved in multiple areas:
1. GTM is checked for provisioning.
2. Each individual Virtual Address is checked for GTM association before assuming it needs to be broadcast.
3. Virtual Address changes caused by the Virtual Server, Pool, or Virtual Address changes are processed at a higher priority.
4. Virtual Address changes caused by a GTM state change are processed after the Virtual Server changes in #3.
5. All Virtual Address changes are processed on a queue that limits the number per mcpd event loop, preventing Virtual Address status changes from blocking normal mcpd operations.

Behavior Change:
The Virtual Address state change code was improved in multiple areas:
1. GTM is checked for provisioning.
2. Each individual Virtual Address is checked for GTM association before assuming it needs to be broadcast.
3. Virtual Address changes caused by the Virtual Server, Pool, or Virtual Address changes are processed at a higher priority.
4. Virtual Address changes caused by a GTM state change are processed after the Virtual Server changes in #3.
5. All Virtual Address changes are processed on a queue that limits the number per mcpd event loop, preventing Virtual Address status changes from blocking normal mcpd operations.


500234-3 : TMM may core during failover due to invalid memory access in IPsec components

Component: TMOS

Symptoms:
TMM cores when transitioning from standby to active.

Conditions:
This might occur when the following conditions are met: -- An IPsec tunnel is enabled. -- The BIG-IP system is a member of an HA pair. -- The BIG-IP system transitions from standby to active.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a race condition that might have caused IPsec components to access previously freed memory.


500091-3 : CVE-2015-0204 : OpenSSL Vulnerability

Vulnerability Solution Article: K16139


500088-10 : OpenSSL Vulnerability (January 2015) - OpenSSL 1.0.1l update

Vulnerability Solution Article: K16123


500034-2 : [SMTP Configuration] Encrypted password not shown in GUI

Component: Application Visibility and Reporting

Symptoms:
Under SMTP configuration, when authentication is enabled (the "use authentication" check box is checked) and a user name and password are configured, the password field is empty in the configuration utility when accessing the newly created SMTP object. TMSH shows the password in hash format.

Conditions:
1. authentication is enabled.
2. username and password are configured.

Impact:
SMTP authentication fails.

Workaround:
After saving the SMTP configuration for the first time using the configuration utility, use only TMSH, REST API, or iControl to edit it or re-enter the password.

Note: This will not fix sending AVR e-mails. The only way to send e-mail before this fix is using a non-authenticated SMTP server.

Fix:
Under SMTP configuration, when authentication is enabled (the "use authentication" check box is checked) and a user name and password are configured, the password is correctly decrypted using standard BIG-IP tools.


500003-3 : Incoming NTP packets from configured NTP server to non-local IP breaks outgoing NTP

Component: Local Traffic Manager

Symptoms:
When incoming NTP packets from the configured NTP server arrive for a non-local IP address on a BIG-IP system that is a Virtual Edition (VE) guest, an appliance, or a vCMP guest on an appliance host, an iptables rule is triggered that rewrites the destination IP address of subsequent outgoing packets to the NTP server to 127.3.0.0. That address is not routable, so NTP time syncs stop.

Conditions:
An NTP server is configured on a BIG-IP system that is either a VE, an appliance, or a vCMP guest on an appliance host, and packets arrive from the configured NTP server destined for an IP address belonging to another machine on the network. This can happen for several reasons:

1) The customer has a device on the same management network doing very low-to-zero volume of traffic over its management port. NTP syncs time less often than the L2 FDB expiration time.

2) The customer is using a L2 topology that uses redundant switches with NIC teaming / bonding, and one of the hosts cuts over to the other switch. This also causes transmits of packets that have no valid L2 FDB entry.

3) An STP topology change occurs in a given network, causing switches to drop L2 FDB entries for relevant hosts and flood unknown unicast destination traffic to all ports of a given VLAN.

4) Any unicast misdirection of NTP traffic to the management port not covered above.

Impact:
NTP time syncing stops on affected BIG-IP systems.

Workaround:
To remove the iptables rule that is causing the problem:

# iptables -t nat -D bpnet-in -p udp --dport 123 -j DNAT --to-destination 127.3.0.0

Comment out the following line in the function setup_virtual_backplane() in the file /etc/init.d/cluster to prevent the rule from coming back upon reboot:

iptables -t nat -A bpnet-in -p udp --dport 123 -j DNAT --to-destination $int_mgmtip

Fix:
Incoming NTP packets from the configured NTP server to a non-local IP address no longer break outgoing NTP.


499950-6 : In case of intra_cluster ha, node flapping may still lead to inconsistent persistence entries across TMMs

Component: Local Traffic Manager

Symptoms:
Inconsistent persistence entries across TMMs.

Conditions:
This occurs when the following conditions are met: -- intra_cluster HA configuration. -- node flapping.

Impact:
Inconsistent persistence behaviors.

Workaround:
Add an iRule command to the PERSIST_DOWN event that deletes the persistence entry for this connection. One example might be:

when PERSIST_DOWN {
    persist delete source_addr [IP::client_addr]
}

For more information, see SOL14918: Node flapping may cause inconsistent persistence records, available here: http://support.f5.com/kb/en-us/solutions/public/14000/900/sol14918.html.

Fix:
An issue involving inconsistent behavior of persistence across TMMs is fixed.


499947-3 : Improved performance loading thousands of Virtual Servers

Component: TMOS

Symptoms:
In v11.5.1 and newer, when loading thousands of Virtual Servers, mcpd might become overloaded, causing loads to take a long time, or fail entirely when mcpd times out and is restarted.

This might be more severe if GTM was enabled.

Conditions:
Thousands of Virtual Servers, GTM enabled. The problem is caused when tracking the state of Virtual Address changes and broadcasting those state changes under certain circumstances.

Impact:
Might cause long load times or configuration load failure because of mcpd timeout and restart.

Workaround:
Disable GTM. Reduce the number of Virtual Addresses.

Fix:
The Virtual Address state change code was improved in multiple areas:
1. GTM is checked for provisioning.
2. Each individual Virtual Address is checked for GTM association before assuming it needs to be broadcast.
3. Virtual Address changes caused by the Virtual Server, Pool, or Virtual Address changes are processed at a higher priority.
4. Virtual Address changes caused by a GTM state change are processed after the Virtual Server changes in #3.
5. All Virtual Address changes are processed on a queue that limits the number per mcpd event loop, preventing Virtual Address status changes from blocking normal mcpd operations.

Behavior Change:
The Virtual Address state change code was improved in multiple areas:
1. GTM is checked for provisioning.
2. Each individual Virtual Address is checked for GTM association before assuming it needs to be broadcast.
3. Virtual Address changes caused by the Virtual Server, Pool, or Virtual Address changes are processed at a higher priority.
4. Virtual Address changes caused by a GTM state change are processed after the Virtual Server changes in #3.
5. All Virtual Address changes are processed on a queue that limits the number per mcpd event loop, preventing Virtual Address status changes from blocking normal mcpd operations.


499946-2 : Nitrox might report bad records on highly fragmented SSL records

Component: Local Traffic Manager

Symptoms:
When using an AES-GCM cipher on highly fragmented SSL records, platforms with Cavium Nitrox cards might report Bad records.

Conditions:
The negotiated cipher is one of the AES-GCM ciphers, and the MTU is such that the SSL records are highly fragmented.

Impact:
The BIG-IP system disconnects Client SSL connections prematurely. The SSL profile shows a number of Bad records.

Workaround:
None.

Fix:
The processing buffers now reserve the proper number of subsequent parameters.


499795-3 : "persist add" in server-side iRule event can result in "Client Addr" being pool member address

Component: Local Traffic Manager

Symptoms:
When using Universal Persistence, depending on how an iRule is implemented, the Client Addr field in persist records may be the selected pool member's address, instead of the client address.

Conditions:
Universal Persistence

Impact:
The "Client Address" field in persistence records may be wrong. Note that this field is not used for anything in the data path, so this issue is purely cosmetic.

Fix:
Persist record now has correct "Client Addr" even when the owner for the persist record is in different TMM.


499701-6 : SIP Filter drops UDP flow when ingressq len limit is reached.

Component: Service Provider

Symptoms:
UDP stats show an increase in the number of flows, and valid SIP messages are dropped.

Conditions:
This occurs when an iRule processing delay occurs (session db operations) combined with increase in the SIP incoming flow.

Impact:
SIP UDP flows are dropped.

Workaround:
None.

Fix:
The SIP UDP flow now remains when the ingress len limit is reached.


499620-8 : BIG-IP Edge Client for Mac shows wrong SSL protocol version; does not display the protocol version that was negotiated.

Component: Access Policy Manager

Symptoms:
The BIG-IP Edge Client for Mac shows the wrong SSL protocol version in Details; it does not display the protocol version that was negotiated.

Conditions:
BIG-IP Edge Client for Mac.

Impact:
The BIG-IP Edge Client for Mac displays an incorrect SSL protocol version in Details.

Workaround:
None.

Fix:
The BIG-IP Edge Client for Mac displays the correct SSL protocol version now in Details.


499537-2 : Qkview may store information in the wrong format

Component: TMOS

Symptoms:
When creating a new monitor, some information may be stored in the wrong format.

Conditions:
Create a new monitor. Run qkview.

Impact:
Occasionally, some information stored for the new monitor will be in the incorrect format.

Workaround:
None.

Fix:
Monitor information is now stored in the correct format.


499478-3 : Bug 464651 introduced change-in-behavior for SSL server cert chains by not including the root certificate

Component: Local Traffic Manager

Symptoms:
Bug 464651 fixed a loop issue that occurred when building a certificate chain caused by an invalid configuration in certificates.

That fix unintentionally excluded the root certificate in the chain. While it is still a valid certificate chain, it does result in a change-in-behavior issue that is unacceptable in certain cases.

Conditions:
This occurs in versions containing the fix for Bug 464651 (11.4.1, 11.5.4).

Impact:
In some instances, the root certificate must be included in the certificate chain; when it is not, certificate validation fails.

Workaround:
None.

Fix:
This fix restores the previous behavior by including the root certificate in the chain.
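The two behaviours this entry describes (the loop that Bug 464651 guarded against, and the root certificate that its fix dropped and this fix restores), as an added Python example that is not F5 code. Certificates are reduced to (file name, subject, issuer) records matched on subject name only, a simplification of real chain building that omits signature and Authority Key Identifier checks; the certificate store, names and the cyclic configuration are constructed.

```python
"""Server certificate chain building with loop protection and optional root.

Added example, not F5 code. Bug 464651 fixed a loop when building a chain
from an invalid certificate configuration; its fix dropped the root, and this
fix (499478) puts the root back. The functions below show both behaviours on
a constructed store. Certificates are reduced to (file name, subject, issuer)
and matched on subject name only, a simplification of real chain building
(no signature or Authority Key Identifier checks).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    filename: str   # name in the certificate store (constructed)
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


class ChainLoopError(ValueError):
    """Raised instead of looping forever on a cyclic issuer configuration."""


def build_chain(leaf: Cert, store: dict[str, Cert], include_root: bool = True) -> list[Cert]:
    """Walk issuer links upwards from leaf, returning the leaf first.

    Stops at a self-signed certificate (the root) or when the issuer is not in
    the store. A subject seen twice means the configuration is cyclic, which
    is reported rather than followed. include_root=False reproduces the
    post-464651 behaviour of omitting the root; True reproduces this fix.
    """
    chain = [leaf]
    seen = {leaf.subject}
    current = leaf
    while not current.self_signed:
        parent = store.get(current.issuer)
        if parent is None:
            break  # best effort: send what we have
        if parent.subject in seen:
            raise ChainLoopError(f"issuer loop through {parent.subject!r}")
        seen.add(parent.subject)
        chain.append(parent)
        current = parent
    if not include_root and len(chain) > 1 and chain[-1].self_signed:
        chain.pop()
    return chain


def chain_filenames(leaf: Cert, store: dict[str, Cert], include_root: bool = True) -> list[str]:
    """File names of the chain, in the order they would be sent."""
    return [c.filename for c in build_chain(leaf, store, include_root)]


# Constructed store: a well-formed three-level hierarchy ...
ROOT = Cert("example-root-ca.crt", "CN=Example Root CA", "CN=Example Root CA")
INTER = Cert("example-issuing-ca.crt", "CN=Example Issuing CA", "CN=Example Root CA")
LEAF = Cert("www.example.com.crt", "CN=www.example.com", "CN=Example Issuing CA")
GOOD_STORE = {c.subject: c for c in (ROOT, INTER, LEAF)}

# ... and an invalid one in which two CA certificates name each other as issuer.
LOOP_A = Cert("loop-a.crt", "CN=Loop A", "CN=Loop B")
LOOP_B = Cert("loop-b.crt", "CN=Loop B", "CN=Loop A")
LOOP_LEAF = Cert("loop-leaf.crt", "CN=loop.example.com", "CN=Loop A")
BAD_STORE = {c.subject: c for c in (LOOP_A, LOOP_B, LOOP_LEAF)}


if __name__ == "__main__":
    print("with root   :", chain_filenames(LEAF, GOOD_STORE))
    print("without root:", chain_filenames(LEAF, GOOD_STORE, include_root=False))
    try:
        build_chain(LOOP_LEAF, BAD_STORE)
    except ChainLoopError as err:
        print("bad store   :", err)
```

The shorter chain is still valid, which is why the regression was a change in behaviour rather than an outright failure; the cycle check is what keeps an invalid configuration from becoming a hang instead of an error.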


499430-6 : Standby unit might bridge network ingress packets when bridge_in_standby is disabled

Component: Local Traffic Manager

Symptoms:
On a standby unit with a vlangroup configured with multiple VLAN members and the bridge_in_standby attribute set to false, the unit might still bridge network ingress packets across the vlangroup if those packets happen to match the host monitor traffic flows.

Conditions:
This occurs when the following conditions are met: Configure a vlangroup with multiple VLAN members in HA configuration and set vlangroup's bridge_in_standby attribute to false. Configure monitors to use non-default monitor rules (ICMP, etc.).

Impact:
This results in a traffic bridging loop between the active and standby units. Excessive traffic load might take down monitors on the BIG-IP system.

Workaround:
None.

Fix:
Standby unit no longer bridges network ingress packets when bridge_in_standby is disabled. This is correct behavior.


499427-4 : Windows File Check does not work if the filename starts with an ampersand

Component: Access Policy Manager

Symptoms:
Windows File Check does not work if the filename starts with an ampersand.

Conditions:
Run Windows file check and add a file name that starts with an ampersand.

Impact:
Depends on the access policy, but in the worst case a user whose machine should fail the file check might be allowed to log in.

Fix:
Access policy Windows File check now works with a file name that starts with an ampersand (&).


499422-2 : An optimistic ACK sent by a server in response to a BIG-IP FIN/ACK packet results in a FIN/ACK storm.

Component: Local Traffic Manager

Symptoms:
An optimistic ACK sent by a server in response to a BIG-IP FIN/ACK packet results in a FIN/ACK storm.

Conditions:
When an ACK with an "invalid" sequence number is received, the resulting calculations involving the incoming seqno and rcv_nxt causes an outgoing ACK to be generated which will repeat if the server behavior repeats.

Impact:
Many connections are delayed and CPU usage is very high, peaking around 90%. Traffic suffers severe deterioration.

Fix:
This problem is now corrected by ensuring that when outgoing ACK is being generated that the FIN is stripped if it is not a retransmission of the FIN.


499347 : JSON UTF16 content could be blocked by ASM as Malformed JSON

Component: Application Security Manager

Symptoms:
When JSON UTF16 content is handled by ASM and the content includes one of the characters below, the request could be blocked by ASM policy.

XML_CHAR_BACKSLASH
XML_CHAR_LEFT_CURLY_BRACKET
XML_CHAR_RIGHT_CURLY_BRACKET

Conditions:
ASM policy assigned to a virtual server and the policy configured to enforce JSON content.

Impact:
False positive request blocking.

Workaround:
None.

Fix:
JSON unicode_charmap table has been fixed, thus UTF16 characters are interpreted correctly.
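The class of bug this entry describes, as an added Python example that is not F5 or ASM code. The note only says the unicode_charmap table was fixed; the example is my illustration of how a character-class lookup goes wrong on UTF-16 content if it is applied to bytes rather than decoded code points: U+017B is 7B 01 in UTF-16LE, so a byte-wise scan sees an extra '{' and counts the braces as unbalanced, while decoding with the charset from Content-Type first gives the right answer. The request bodies are constructed.

```python
"""Decoding UTF-16 JSON before character classification.

Added example, not F5 code. The release note says ASM's JSON unicode_charmap
was wrong for UTF-16 content containing backslash, '{' or '}'. This is an
illustration of that class of bug: classifying code units byte by byte finds
a bogus '{' inside U+017B (7B 01 in UTF-16LE), while decoding with the charset
from Content-Type and classifying code points does not. Bodies are constructed.
"""
from __future__ import annotations

import json
from collections import Counter

# The three characters the note lists, keyed by code point.
SPECIAL = {"\\": "XML_CHAR_BACKSLASH",
           "{": "XML_CHAR_LEFT_CURLY_BRACKET",
           "}": "XML_CHAR_RIGHT_CURLY_BRACKET"}


def charset_from_content_type(content_type: str, default: str = "utf-8") -> str:
    """Pull the charset parameter out of a Content-Type header value."""
    for param in content_type.split(";")[1:]:
        key, _, value = param.strip().partition("=")
        if key.strip().lower() == "charset" and value:
            return value.strip().strip('"').lower()
    return default


def classify_bytes_naively(body: bytes) -> Counter:
    """Buggy approach: treat every byte as a character (wrong for UTF-16)."""
    return Counter(SPECIAL[chr(b)] for b in body if chr(b) in SPECIAL)


def classify_codepoints(body: bytes, charset: str) -> Counter:
    """Correct approach: decode first, then classify Unicode code points."""
    return Counter(SPECIAL[ch] for ch in body.decode(charset) if ch in SPECIAL)


def check_json(body: bytes, content_type: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a JSON body, decoding per its charset."""
    charset = charset_from_content_type(content_type)
    try:
        text = body.decode(charset)
    except (UnicodeDecodeError, LookupError) as err:
        return False, f"undecodable body ({charset}): {err}"
    try:
        json.loads(text)
    except json.JSONDecodeError as err:
        return False, f"malformed JSON: {err.msg}"
    return True, "ok"


def naive_check(body: bytes) -> bool:
    """Buggy approach: parse the raw bytes as if they were single-byte text."""
    try:
        json.loads(body.decode("latin-1"))
        return True
    except json.JSONDecodeError:
        return False


# Constructed request bodies. U+017B is LATIN CAPITAL LETTER Z WITH DOT ABOVE.
TEXT = '{"name": "\u017buk", "path": "C:\\\\tmp"}'
BODY_UTF8 = TEXT.encode("utf-8")
BODY_UTF16LE = TEXT.encode("utf-16-le")   # no BOM; the charset must say utf-16le
BODY_UTF16_BOM = TEXT.encode("utf-16")    # BOM present; "utf-16" consumes it


if __name__ == "__main__":
    print("naive bytes  :", classify_bytes_naively(BODY_UTF16LE))
    print("code points  :", classify_codepoints(BODY_UTF16LE, "utf-16-le"))
    print("naive parse  :", naive_check(BODY_UTF16LE))
    print("charset parse:", check_json(BODY_UTF16LE, "application/json; charset=utf-16le"))
```

The byte-wise count reports two left braces for one, which is exactly the kind of result that gets a well-formed request blocked as malformed; the same body decoded per its declared charset parses cleanly. A UTF-16 body sent with a charset of utf-8 still fails, as it should, because the NUL code units are not valid inside JSON.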


499260-2 : Deleting trust-domain fails when standby IP is in ha-order

Component: TMOS

Symptoms:
Deleting trust-domain fails when the ha-order traffic group contains a standby unit's IP address.

Conditions:
This occurs when there is a non-local device that is used by the HA order in one of the traffic groups.

Impact:
Unable to delete trust domain. The tmsh command 'delete cm trust-domain all' intermittently hangs. Pressing Ctrl + C shows: 'Unexpected Error: Could not reset trust-domain (error from devmgmtd): Error reading from server...'. In /var/log/ltm, the system posts the message: 'err devmgmtd[7887]: 015a0000:3: -unknown- failed on -unknown-.devicegroup: 01071761:3: Cannot delete device (bigipsystem.example.com) from device group (/Common/sync-failover-1) because it is used by HA order on traffic group (/Common/traffic-group-2)'.

Workaround:
Retrying sometimes succeeds. Removing the ha-order traffic group also allows the operation to succeed.

Fix:
Deletion of a device trust domain now completes successfully when the BIG-IP system is a member of a device trust domain configured with a traffic group high-availability order that references a device other than the local system.


499150-2 : OneConnect does not reuse existing connections in VIP targeting VIP configuration

Component: Local Traffic Manager

Symptoms:
Significant increase in Active Connections and Connections per Second for virtual servers that receive connections from another virtual server with the Policy action 'virtual' or iRule command 'virtual' and the client virtual server has a OneConnect profile. The connections per second will match the rate of HTTP requests sent to the server virtual server.

A packet capture would reveal that OneConnect is not reusing previously opened connections, and previously opened connections remain idle until timeout.

Conditions:
This occurs when either of the following conditions is met:

-- Virtual-to-virtual configuration with OneConnect profile.
-- iRule contains the following command: node <ip> <port>.

Impact:
An increase in CPU and memory resources occurs due to the increase in connections established and connections that remain in memory.

Workaround:
If not required, remove the OneConnect profile from the client virtual server.

Fix:
Connections are correctly reused even with VIP on VIP configuration.


498992-9 : Troubleshooting enhancement: improve logging details for AWS failover failure.

Component: TMOS

Symptoms:
Logging information on BIG-IP VE for Failover on AWS was inadequate and did not provide the reason for failures in Failover.

Conditions:
Traffic-group failover sometimes failed without providing specific reason for the failure.

Impact:
The lack of logging messages that could pinpoint the misconfiguration or connectivity issues on AWS makes it difficult to determine what is causing the failover to fail.

Workaround:
None

Fix:
Added more logging details for AWS failover failure to assist in detecting problems in failover.

Behavior Change:
Previously, the following AWS permissions were required when running failover: ec2:AssignPrivateIpAddresses and ec2:DescribeNetworkInterfaces. Failover could fail because of region or key issues, and so an additional AWS permission, ec2:DescribeInstanceStatus, is now also required for running failover.


498782-5 : Config snapshots are deleted when failover happens

Component: Access Policy Manager

Symptoms:
When failover occurs, the config snapshots on the new active node might be deleted during the HA state transition. As a result, a user might encounter one of the errors below:
1. Login failure/denied.
2. Some webtop resources are missing after successful login.

Conditions:
When the standby node switches to active.

Impact:
User cannot log in or access some resources after login.

Workaround:
Restart APD by running the command: bigstart restart apd.

Fix:
Now APD uses a short time interval for periodic checking of config snapshots right after failover happens. If config snapshots are found to be missing, APD recreates them. After a few such cycles, APD reverts to using a long time interval for the check.


498704-1 : Module provisioning doesn't properly account for disk space

Component: TMOS

Symptoms:
You are able to provision modules, but module daemons fail to start.

Conditions:
Low free disk space on HD1, as reported by 'tmsh list sys disk logical-disk'.

Impact:
The module(s) provisioned may not function.

Workaround:
None


498597-8 : SSL profile fails to initialize and might cause SSL operation issues

Component: Local Traffic Manager

Symptoms:
When the SSL profile fails to initialize, it causes SSL to enter pass-through mode instead of rejecting traffic.

Conditions:
SSL profile fails to initialize, for example, due to failure to load cert/key files.

Impact:
SSL enters pass-through mode instead of rejecting traffic. As a side effect, ConfigSync might fail, as the communication channel does not establish because of a hung SSL connection.

Workaround:
Make sure the cert/key files are available and have the proper file access mode.

Fix:
When the SSL profile fails to initialize, SSL now correctly rejects traffic.


498469-8 : Mac Edge Client fails intermittently with machine certificate inspection

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Mac fails intermittently with machine certificate inspection when "Match CN with FQDN" setting is configured.

Conditions:
The problem occurs with BIG-IP Edge Client for Mac and machine certificate agent when in the access policy "Match CN with FQDN" is set.

Impact:
Edge Client fails to pass machine certificate inspection.

Fix:
BIG-IP Edge Client for Mac does not fail intermittently with machine certificate inspection agent.


498361 : Manage ASM security policies from BIG-IQ

Component: Application Security Manager

Symptoms:
Certain aspects of ASM Security Policies on BIG-IP 11.5.2 cannot be managed by BIG-IQ Security.

Conditions:
Using BIG-IQ Security to manage ASM on BIG-IP 11.5.2.

Impact:
BIG-IQ Security cannot effectively manage ASM on BIG-IP 11.5.2.

Workaround:
None.

Fix:
New ASM security policies can now be created by BIG-IQ version 4.5. Currently, discovery of 11.5.2 HF1 by a 4.5 BIG-IQ is disabled by default on the BIG-IP system, and can be turned on by changing the rest_api_extensions option to '1' on the Advanced Configuration/System Variables screen in the ASM user interface (navigate to Security: Options: Application Security: Advanced Configuration: System Variables) on the BIG-IP system. After saving the change, the user is instructed to do a 'tmsh restart sys service asm'. Additionally, the user should restart the httpd service via: 'bigstart restart httpd'.


498334-6 : DNS express doesn't send zone notify response

Component: Local Traffic Manager

Symptoms:
When a virtual server on the BIG-IP system receives a zone notify message, it does not send a response message back. Instead, it sends the original notify message back to the remote name server.

Conditions:
A zone notify message is sent to a virtual server with a DNS profile. The zone is configured to allow notify from the sender and the notify action is set to be consumed.

Impact:
The remote name server sends the notify message to the BIG-IP system several times since the remote name server does not receive a response message.

Workaround:
None.

Fix:
TMM will correctly send a response message back when processing a zone notify message from a remote name server.


498227 : Incorrect AFM firewall rule counter update after pktclass-daemon restarts.

Component: Advanced Firewall Manager

Symptoms:
Incorrect firewall rule counters are updated upon classifying traffic when rules are re-ordered AND pktclass-daemon is also restarted.

Conditions:
pktclass-daemon restarts and there are active firewall rules present (at any context).

Impact:
While there is no incorrect behavior in matching/classifying traffic, updating the wrong rule counter may give the impression that traffic is being classified incorrectly.

Workaround:
None

Fix:
The issue regarding update of incorrect rule counter (after pktclass-daemon restarts) has been fixed.


498189-6 : ASM Request log does not show log messages.

Component: Application Security Manager

Symptoms:
The request log does not show log messages related to ASM.

Conditions:
This occurs when first assigning the application logging profile, and then assigning the DOS logging profile on the same virtual server.

Impact:
There will not be log messages related to ASM.

Workaround:
Remove the ASM logging profile, apply and re-add the application logging profile.

Fix:
ASM request log now shows log messages related to ASM, even if the application logging profile was assigned to the virtual server before the DOS logging profile was assigned to it.


498005-1 : The HTTP::payload command could cause the TMM to crash if invoked in a non-HTTP event

Component: Local Traffic Manager

Symptoms:
The HTTP::payload command could cause the TMM to crash if invoked when HTTP had already started egressing data to other filters.

This could only happen if HTTP::payload was used in a non-HTTP event.

Conditions:
HTTP::payload is used in a non-HTTP iRule.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use, for example, ASM::payload if you want the payload within an ASM event.

Fix:
HTTP::payload will no longer cause a TMM crash if invoked in a non-HTTP event. Instead, an error will be returned to the iRule.


497769-2 : Policy Export: BIG-IP does not export redirect URL for "Login Response Page"

Component: Application Security Manager

Symptoms:
ASM does not export redirect URLs in "Login Response Page" for XML policies.

Conditions:
Redirect URL in "Login Response Page" is used in ASM security policy.

Impact:
The redirect URL for the "Login Response Page" is missing from the exported XML security policy.

Workaround:
Use binary policy export for exporting redirection response pages for the login URL.

Fix:
We fixed an issue with XML policy export where the redirect response page was missing from the security policy.


497742-5 : Some TCP re-transmits on translucent vlangroup skip bit-flip on source MAC address

Component: Local Traffic Manager

Symptoms:
Some packets re-transmitted as part of a full-proxy, non-SNAT'd TCP virtual server on a translucent-mode vlangroup do not correctly have the translucent-mode bit-flip applied.

Conditions:
This occurs with a translucent vlangroup and full virtual server with no SNAT.

Impact:
Egressing traffic with the source-MAC of another host can potentially lead to traffic loops.

Workaround:
Enable SNAT on the virtual server.

Fix:
All TCP re-transmits have the proper source MAC address.


497732 : Enabling specific logging may trigger other unrelated events to be logged.

Component: Advanced Firewall Manager

Symptoms:
When logging is enabled for TCP events some internal traffic like UDP could be logged.

Conditions:
When logging is enabled in AFM for TCP events.

Impact:
Some unwanted log messages will show up.

Workaround:
There is no workaround.

Fix:
Fixed a bug where undesired traffic was logged when TCP events logs were enabled.


497719-12 : NTP vulnerability CVE-2014-9293, NTP vulnerability CVE-2014-9294, NTP vulnerability CVE-2014-9295, and NTP vulnerability CVE-2014-9296

Vulnerability Solution Article: K15934


497681-3 : Tuning of Application DoS URL qualification criteria

Component: Application Visibility and Reporting

Symptoms:
Application DoS cannot be tuned to determine which transactions qualify for client-side mitigation.

Conditions:
1. Create a new L7-DoS profile and enable CS injection prevention.
2. Send more than 10 requests to a qualified URL. Make sure that the URL is detected as qualified (I used the avrstat tool).
3. Send 1 request with the HEAD or TRACE method. The URL will be detected as non-qualified.

Impact:
AVR didn't qualify URLs according to the system's qualification criteria.

Workaround:
N/A

Fix:
We tuned the Application DoS URL qualification criteria.


497671 : iApp GUI: Unable to add FW Policy/Rule to context via iApp

Component: Advanced Firewall Manager

Symptoms:
Unable to add FW Policy/Rule to context via iApp. Error message appears: "General database error retrieving information."

Impact:
Unable to create FW rules via iApp.

Workaround:
The issue is fixed; alternatively, the FW Policy/Rule can be configured via tmsh.

Fix:
Fixed


497667 : Configuring of ICMPv4/ICMPv6 ip-protocol in mgmt port ACL Rules generated error

Component: Advanced Firewall Manager

Symptoms:
PCCD reports a 'resources exhausted' error, which makes it impossible to activate new mgmt port rules.

Conditions:
The mgmt port is configured as an IPv4 interface and an ICMPv6 protocol rule is applied with the action set to reject, or vice versa.

Impact:
Error 'resources exhausted'; inability to activate new mgmt port rules.

Fix:
Validation added to block invalid application of management firewall rule specifying ICMPv6 when management interface is configured with only IPv4 address. Validation also detects the reverse condition (IPv6 management address, ICMPv4 firewall rule). A descriptive error message is added.


497662-4 : BIG-IP DoS via buffer overflow in rrdstats

Component: Access Policy Manager

Symptoms:
BIG-IP DoS via buffer overflow in rrdstats

Conditions:
rrdstats is given malformed input.

Impact:
Crash in rrdstats; some services are unavailable while rrdstats is down.

Workaround:
No workaround. rrdstats will be restarted by the BIG-IP system.

Fix:
Improved request parsing to make it more robust against invalid formats.


497627-2 : Tmm cores while using APM network access and no leasepool is created on the BIG-IP system.

Component: Access Policy Manager

Symptoms:
TMM cores in Network Access scenario when no leasepool is created on the BIG-IP system and IP address assignment is done through the Variable Assign agent (mcget {session.ldap.last.attr.vpnClientIp}).

Conditions:
APM network access and no leasepool is created on the BIG-IP system.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
To work around the problem, create a leasepool on the BIG-IP system; it does not need to be attached to an access policy.

Fix:
TMM does not core now when using APM network access and no leasepool is created on the BIG-IP system.


497619-7 : TMM performance may be impacted when server node is flapping and persist is used

Component: Performance

Symptoms:
TMM consumes a higher percentage of the CPU resources when handling traffic.

Conditions:
This intermittent issue occurs when a pool member goes up and down while source_addr persistence is in use.

Impact:
System performance is impacted.

Workaround:
This issue has no workaround at this time.

Fix:
The intermittent performance impact no longer occurs when a pool member goes up and down while source_addr persistence is in use.


497584-5 : The RA bit on DNS response may not be set

Component: Local Traffic Manager

Symptoms:
Under some circumstances, the recursion available (RA) bit may be unset in responses from DNS cache.

Conditions:
If the system caches a message from the authoritative server without the RD bit, and subsequent queries with RD set find that message, the cached message is not used because its RD bit is not set. In this case, the operation falls back to the rrset cache and composes a message, but leaves the RA bit unset. This is appropriate for the transparent cache, but not for the non-transparent cache.

Impact:
The impact of this issue is that recursion available is not signaled to clients so they may not treat the DNS cache as an available resolver.

Workaround:
To work around this issue, write an iRule that sets the RA bit when the cache is a resolver. The iRule must also check that the origin is CACHE.

Fix:
The RA bit is set for the response when the cache resolver answers the query from the fast path.


497564-5 : Improve High Speed Bridge diagnostic logging on transmit/receive failures

Component: TMOS

Symptoms:
When an HSB transmit or receive failure occurs, no information is provided on the state of the HSB transmit/receive rings prior to the failure.

Conditions:
The HSB experiences a transmit or receive failure.

Impact:
The unit is rebooted.

Workaround:
None.

Fix:
Improved High Speed Bridge diagnostic logging on transmit/receive failures.


497436-3 : Mac Edge Client behaves erratically while establishing network access connection

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Mac does not establish a network access connection, or if it can establish a connection, it then drops the connection. A user might see a repeated connect/reconnect cycle.

Conditions:
OS X Yosemite, network access, BIG-IP Edge Client for Mac.

Impact:
User cannot establish network access connection.

Workaround:
None.

Fix:
BIG-IP Edge Client for Mac can now establish a connection correctly. An issue with the routing-table patching code deleting an essential route has been resolved.


497389-2 : Extraneous dedup_admin core

Component: Wan Optimization Manager

Symptoms:
There have been some extraneous dedup_admin cores generated during system shutdown.

Conditions:
Race condition during shutdown of vCMP with 2 blades.

Impact:
Extraneous dedup_admin core generated.

Workaround:
None

Fix:
Missing virtual destructor was added.


497342-2 : TMM crash while executing FLOW_INIT event (with multiple commands that abort the connection) in an iRule attached to an AFM firewall rule.

Component: Advanced Firewall Manager

Symptoms:
Critical system failure due to TMM process restarting.

Conditions:
The following conditions will trigger the TMM crash:

i) AFM rule match triggers an iRule execution.
ii) The iRule has one (or more) FLOW_INIT event with 2 (or more) commands that result in aborting the connection (e.g. 'drop' followed by 'reject').

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
The aforementioned TMM crash has been fixed.


497325-5 : New users cannot log in to Windows-based systems after installing BIG-IP EDGE client in certain deployment

Component: Access Policy Manager

Symptoms:
New users cannot log in to Windows-based systems after installing BIG-IP Edge client in certain deployments.

Conditions:
This is a rare, environment-based issue.

Impact:
New users cannot log in to Windows-based systems

Workaround:
Remove the \F5 Networks\VPN\client.f5c file.

Fix:
A rare, environment-based issue that prevented new users from logging in to Windows-based systems has been fixed.


497311-1 : Can't add an ICMPv6 type and code to a FW rule.

Component: Advanced Firewall Manager

Symptoms:
Can't add an ICMPv6 type and code to a FW rule.

Conditions:
Choose ICMPv6 as the protocol and try to add a type and code.

Impact:
The ICMPv6 type and code cannot be added on the Firewall Rule Creation page in the GUI.

Workaround:
Use tmsh to add ICMPv6 type and code to a FW rule.

Fix:
GUI now accepts firewall rules specifying ICMPv6 with type and code.


497304-10 : Unable to delete reconfigured HTTP iApp when auto-sync is enabled

Component: TMOS

Symptoms:
When deleting an HTTP iApp, the system posts errors similar to this in the LTM log, along with similar sync errors in the GUI:

-- err mcpd[6629]: 01070265:3: The HTTP Profile (/Common/http-test-farm1.app/http-test-farm1_http) cannot be deleted because it is in use by a sflow http data source (16).
-- err mcpd[6629]: 01071488:3: Remote transaction for device group /Common/HA_Group to commit id 895 6070871290648001573 /Common/cr-ltm-bb2.ns.uwaterloo.ca 0 failed with error 01070265:3: The HTTP Profile (/Common/http-test-farm1.app/http-test-farm1_http) cannot be deleted because it is in use by a sflow http data source (16).

Conditions:
Auto-sync must be enabled. HTTP iApp must have been reconfigured prior to deleting the iApp.

Impact:
Sync failure. Cannot delete the iApp manually after the error occurs.

Workaround:
Do not use auto-sync. If the sync failure has already occurred, refer to SOL13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/kb/en-us/solutions/public/13000/000/sol13030.html) for information on how to restore configuration sync.

Fix:
Ensure the sFlow data source is removed from an HTTP profile when it is deleted.


497299-7 : Thales install fails if the BIG-IP system is also configured as the RFS

Component: Local Traffic Manager

Symptoms:
Thales install fails.

Conditions:
This occurs when the BIG-IP system is also configured as the RFS.

Impact:
Cannot use Thales HSM with the BIG-IP system.

Workaround:
When running nethsm-thales-rfs-install.sh, the script returns the IP address used by the RFS server. Use that IP address when running the 'rfs-setup' command. When prompted with "Did you successfully run the above 'rfs-setup' command on the RFS server? (Yes/No)", perform the following steps:
1. Open a new SSH connection to the BIG-IP system.
2. Run the following command: /opt/nfast/bin/rfs-setup --force -g --write-noauth x.x.x.x
3. Return to the nethsm-thales-install.sh SSH screen and answer 'Yes'. The script should now exit with a success message.

Fix:
Thales install script now runs successfully when the BIG-IP system is also configured as the RFS.


497263-2 : Global whitelist count exhausted prematurely

Component: Advanced Firewall Manager

Symptoms:
You receive an error message with this signature: error 0107181d:3: Cannot create white list entry, maximum limit 8 entries reached.

Conditions:
This can occur when configuring entries on both BIG-IP systems in a sync group and syncing them. The whitelist count may be less than 8, but the error is still generated.

Impact:
You may receive an error message while creating a whitelist entry stating that you have exceeded the global whitelist count limit.

Workaround:
None

Fix:
An internal inconsistency with the system that oversees the whitelist count has been fixed.


497118-6 : Tmm may restart when SAML SLO is triggered

Component: Access Policy Manager

Symptoms:
Tmm restarts when SLO is executed.

Conditions:
BIG-IP is used as SAML SP or IdP, single logout is configured on appropriate objects.

Impact:
TMM may restart.

Workaround:
Disable SAML SLO

Fix:
TMM will no longer restart when SAML SLO is triggered.


496998-2 : Update offenders more aggressively. Increase batch size for Dwbld processing.

Component: Performance

Symptoms:
Offenders are not blacklisted fast enough.

Conditions:
DoS configured with auto-blacklisting

Impact:
When DoS doesn't track offenders aggressively, it doesn't report them. Once reported, Dwbld processes the offenders in smaller batches. This impacts how soon an offender is blacklisted.

Workaround:
None

Fix:
DoS code reports offenders more aggressively. Dwbld processes offenders in larger batches.


496849-2 : F5 website update retrievals vulnerability

Vulnerability Solution Article: K16090


496845-2 : NTP vulnerability CVE-2014-9296

Vulnerability Solution Article: K15933


496817-7 : BIG-IP Edge Client for Windows fails to connect to FirePass server if tunnel is established through a proxy

Component: Access Policy Manager

Symptoms:
In a reconnect scenario, BIG-IP Edge Client cannot connect to a FirePass server if the tunnel was established through a proxy server.

Conditions:
Proxy is used to create VPN tunnel.
The server is FirePass.

Impact:
The client fails to restore the VPN connection to the FirePass server.

Workaround:
Restart client.

Fix:
Added backward compatibility changes to BIG-IP Edge Client for Windows to work properly with FirePass.


496775-6 : [GTM] [big3d] Unable to mark LTM virtual server up if there is another VS with same ltm_name for the bigip monitor

Component: Global Traffic Manager

Symptoms:
[GTM] [big3d] Unable to mark LTM virtual server up if there is another virtual server with same ltm_name for the bigip monitor.

Conditions:
LTM (running BIG-IP software older than v11.2.0) with a virtual server: /Common/http_vip with destination /Common/192.168.10.34:80.

GTM (running BIG-IP software newer than v11.5.0) with this LTM as a BIG-IP Server. Two virtual servers on LTM: one with the original LTM virtual server address, and the other with the translated address:
1. name ltm_http_vip :: destination 192.168.10.34:80 :: monitor /Common/bigip
2. name ltm_http_trans_vip :: destination 10.10.10.34:80 :: translation-address 192.168.10.34:80 :: monitor /Common/bigip

Impact:
Both virtual servers are marked up for a brief interval. After a few minutes, one of them is marked down.

Workaround:
You can use either of the following workarounds:
-- Use a monitor other than bigip.
-- Replace /shared/bin/big3d on the LTM system with a copy of a version v11.2.1 or later big3d.

Fix:
The BIG-IP health monitor no longer incorrectly marks down virtual servers with a duplicate ltm-name when there are BIG-IP GTM systems with differing software versions monitoring BIG-IP LTM virtual servers using the bigip monitor.


496758-4 : Monitor Parameters saved to config in a certain order may not construct parameters correctly

Component: Local Traffic Manager

Symptoms:
When configuring both a monitor and a child monitor, if the two monitors are saved in reverse order, the default monitor parameters will not be created.

For example:

ltm monitor tcp /Common/child {
    defaults-from /Common/parent
    destination *:990
    interval 5
    ip-dscp 0
    time-until-up 0
    timeout 16
}
ltm monitor tcp /Common/parent {
    defaults-from /Common/tcp
    destination *:*
    interval 5
    ip-dscp 0
    time-until-up 0
    timeout 16
}

Some of the default parameters for the above configuration will not be created upon loading config.

Conditions:
This occurs when there are at least two monitors, and the child custom monitor appears before the parent monitor. Must have a parent that derives from a root monitor, and a child that derives from the parent monitor.

Impact:
Possible undefined behavior in bigd, and failing iControl calls. On performing a 'tmsh load sys config verify' the system posts an error message similar to the following: 01070740:3: Performance monitor /Common/http-a may not have the manual resume feature. Unexpected Error: Validating configuration process failed.

Workaround:
A possible workaround involves switching the order of the monitors in the config file. This can either be accomplished manually, or by naming things in alphabetical order, such that the parent precedes the child:

ltm monitor tcp /Common/aaa_parent {
    defaults-from /Common/tcp
    destination *:*
    interval 5
    ip-dscp 0
    time-until-up 0
    timeout 16
}
ltm monitor tcp /Common/bbb_child {
    defaults-from /Common/aaa_parent
    destination *:990
    interval 5
    ip-dscp 0
    time-until-up 0
    timeout 16
}

Fix:
The system now handles a configuration in which a child custom monitor precedes the parent's, so that monitor parameters are constructed properly.


496679-3 : Configuration loads may fail because the 'default-device' on a traffic-group object does not contain a valid value.

Component: TMOS

Symptoms:
After renaming a CM device object, or performing an upgrade from a version prior to 11.4.0, configuration loads may fail because the 'default-device' on a traffic-group object does not contain a valid value.

Conditions:
This issue occurs when one of the following conditions is met:

-- You load the BIG-IP configuration.
-- You upgrade the BIG-IP system software.
-- You perform a configuration synchronization (ConfigSync) operation for the device group.

The 'default-device' attribute has been deprecated beginning in 11.4.0 in favor of new functionality. Prior to 11.4.0, default-device was used to specify the device-group member that failback tries to make active.

From 11.4.0 and later, when auto-failback is enabled, the system uses the first member of the 'Failover Order' ('ha-order' in tmsh).

In 11.4.0 and later, this field is not used, but will fail validation if it contains a value that does not reference the name of an existing device-group member, or the value 'none'.

Impact:
Although the configuration can be saved, it fails when being loaded (for example, in response to a ConfigSync operation, during software upgrade, or when running the command: 'tmsh load sys config').

Workaround:
Modify any traffic-group default-device attributes that refer to the now-deprecated default-device name.

Note: The system does not use this value, regardless of how you set it.

To work around this issue, you can modify the traffic-group default-device attribute to refer to default-device none. To do so, perform the following procedure:

1. Log in to the Traffic Management Shell (tmsh) by typing the following command:
tmsh

2. To list the configured default device for a traffic group, use the following command syntax:
list /cm traffic-group <traffic group name>

For example, to list the configured default device for traffic-group-1, type the following command:

list /cm traffic-group traffic-group-1

3. Use none as the default device for your traffic group using the following command syntax:
modify cm traffic-group <traffic group name> default-device <default device name>

For example, to modify your default device to none for traffic-group-1, type the following command:

modify cm traffic-group traffic-group-1 default-device none

4. Save the configuration changes by typing the following command:
save /sys config

Fix:
Renaming a device also renames the associated traffic-group's default device, so configuration load now completes successfully.
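
The following script is an added example (not F5 code) that applies the two configuration workarounds above offline: it reorders the monitor stanzas from ID 496758-4 so each parent precedes its children, and emits the tmsh commands from ID 496679-3 for every traffic-group whose default-device no longer names an existing cm device. The sample configuration, all device and monitor names, and the minimal stanza parser are assumptions constructed for the illustration.

```python
"""Offline checks for two bigip.conf issues on this page: monitor ordering
(ID 496758-4) and stale traffic-group default-device values (ID 496679-3).
Added example, not F5 code; it understands flat 'key value' lines and skips
nested blocks such as 'ha-order { ... }'."""
import re
from dataclasses import dataclass, field

# Constructed sample in bigip.conf style; all names are made up.
SAMPLE_CONF = """\
ltm monitor tcp /Common/child {
    defaults-from /Common/parent
    destination *:990
}
ltm monitor tcp /Common/parent {
    defaults-from /Common/tcp
    destination *:*
}
cm device /Common/bigip1.example.com {
}
cm traffic-group /Common/traffic-group-1 {
    default-device /Common/bigip1-oldname.example.com
    ha-order { /Common/bigip1.example.com }
}
cm traffic-group /Common/traffic-group-2 {
    default-device none
}
"""

# Stanza header: lowercase type words, a /partition/name, then '{'.
HEADER_RE = re.compile(r"^(?P<kind>[a-z][\w-]*(?: [a-z][\w-]*)*) (?P<name>/\S+) \{$")


@dataclass
class Stanza:
    kind: str                                   # e.g. "ltm monitor tcp"
    name: str                                   # e.g. "/Common/child"
    attrs: dict = field(default_factory=dict)   # flat "key value" lines only
    lines: list = field(default_factory=list)   # verbatim text for re-emitting


def parse_stanzas(text):
    """Split bigip.conf-style text into top-level Stanza objects."""
    stanzas, current, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if depth == 0:
            m = HEADER_RE.match(line)
            if not m:
                raise ValueError(f"unexpected top-level line: {line!r}")
            current, depth = Stanza(m["kind"], m["name"], lines=[raw]), 1
            continue
        current.lines.append(raw)
        opens, closes = line.count("{"), line.count("}")
        if depth == 1 and opens == 0 and closes == 0:   # flat attribute
            key, _, value = line.partition(" ")
            current.attrs[key] = value
        depth += opens - closes                 # track nested blocks
        if depth == 0:
            stanzas.append(current)
    if depth != 0:
        raise ValueError("unbalanced braces at end of input")
    return stanzas


def order_monitors(stanzas):
    """Return the monitor stanzas with every parent ahead of its children
    (the ID 496758-4 workaround). Built-in roots such as /Common/tcp are not
    in bigip.conf and count as already defined; a defaults-from cycle raises."""
    monitors = [s for s in stanzas if s.kind.startswith("ltm monitor ")]
    by_name = {s.name: s for s in monitors}
    ordered, done, active = [], set(), set()

    def visit(s):
        if s.name in done:
            return
        if s.name in active:
            raise ValueError(f"defaults-from cycle at {s.name}")
        active.add(s.name)
        parent = by_name.get(s.attrs.get("defaults-from"))
        if parent is not None:
            visit(parent)                       # parent is emitted first
        active.discard(s.name)
        done.add(s.name)
        ordered.append(s)

    for s in monitors:
        visit(s)
    return ordered


def default_device_fixes(stanzas):
    """Return the tmsh commands from the ID 496679-3 workaround for each
    traffic-group whose default-device names no existing cm device."""
    devices = {s.name for s in stanzas if s.kind == "cm device"}
    cmds = []
    for s in stanzas:
        if s.kind != "cm traffic-group":
            continue
        value = s.attrs.get("default-device", "none")
        if value != "none" and value not in devices:
            cmds.append(f"modify cm traffic-group {s.name} default-device none")
    return cmds
```

Joining the `.lines` of `order_monitors(parse_stanzas(text))` yields the monitor section rewritten in parent-first order, ready to paste back into the config file.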


496588-2 : HTTP header that is larger than 64K can be analyzed incorrectly, leading to TMM crash

Component: Local Traffic Manager

Symptoms:
TMM may restart.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround.

Fix:
Fixed a problem that occurred when extracting request headers. This problem could sometimes cause TMM to crash.


496565-2 : Secondary Blades Request a Sync

Component: Application Security Manager

Symptoms:
Secondary blades request an ASM sync, producing "ASM is now entering sync recovery state. Requesting complete configuration from" noise in the logs, and needless sync work is done.
This issue does not affect enforcement or the actual sync state of the devices; it only requests extra synchronizations when they may not be needed.

Conditions:
Secondary blade restarts in unsynchronized mode.

Impact:
Unnecessary sync events are created

Workaround:
Restarting the asm_config_server process on the secondary blade should alleviate the issue, but it may recur.

Fix:
To optimize the system, DSC synchronization is no longer requested from secondary blades. This issue did not affect enforcement or the actual synchronization state of the devices.


496278 : Disabling/enabling Rule within Rule List causes disabling/enabling of other Rule with the same name

Component: Advanced Firewall Manager

Symptoms:
Disabling/enabling Rule within Rule List causes disabling/enabling of a different but same-named Rule in a single Policy on the Active Rule Page in the GUI.

Conditions:
Only happens if the Rule names are the same within a single policy.

Impact:
Potentially, the incorrect Rule is disabled.

Workaround:
Make sure Rules have different names.

Fix:
The system now enables/disables only the selected Rule, regardless of the existence of other, same-name Rules in the policy.


496011-2 : Resets when session awareness enabled

Component: Application Security Manager

Symptoms:
A connection reset may occur when a transaction takes a long time (more than 10 seconds in total from the start of the request to the end of the response).

Conditions:
The session tracking feature is turned on and a long transaction occurs.

Impact:
A connection reset.

Workaround:
Turn off session tracking.

Fix:
Connection resets no longer occur when session awareness is enabled and the server response takes a long time.


495928-4 : APM RDP connection gets dropped on AFM firewall policy change

Component: Advanced Firewall Manager

Symptoms:
An active RDP connection over an APM VPN tunnel is dropped when an administrator makes a change to the AFM firewall policy.

Conditions:
APM tunnel and its application connections are subject to AFM firewall policy.

Impact:
RDP session disconnects and automatically reconnects.

Workaround:
Add an Allow rule to the firewall policy for destination TCP port 3389.

Fix:
RDP connections no longer get dropped during AFM firewall policy changes.


495913-3 : TMM core with CCA-I policy received with uninstall

Component: Policy Enforcement Manager

Symptoms:
If a CCA-I is received with a Charging-Rule-Remove AVP for the session, TMM cores.

Conditions:
A CCA-I message is received with a Charging-Rule-Remove AVP.

Impact:
Traffic disrupted while tmm restarts.

Fix:
TMM no longer crashes when a CCA-I with policy uninstall is received.


495901-4 : Tunnel Server crash if probed on loopback listener.

Component: Access Policy Manager

Symptoms:
VPN client might disconnect and reconnect.

Conditions:
An unexpected request is sent to the tunnel server loopback listener.

Impact:
Tunnel server crashes resulting in VPN disconnection and reconnection.

Workaround:
None.

Fix:
An additional check is now performed in the tunnel server before it accepts an incoming connection.


495865-4 : iApps/tmsh cannot reconfigure pools that have monitors associated with them.

Component: TMOS

Symptoms:
iApps are unable to reconfigure pools that have monitors associated with them.

Conditions:
Using tmsh or iApps in the GUI to re-configure the pool monitor (for example, changing the monitor from 'http' to 'none').

Impact:
Monitor change does not occur. GUI or tmsh might post an error similar to the following: Monitor rule not found.

Workaround:
None.

Fix:
Users can now remove a monitor from a pool / set it to 'none' through tmsh or a GUI iApp transaction.


495862-7 : Virtual status becomes yellow and gets connection limit alert when all pool members forced down

Component: TMOS

Symptoms:
Invalid display of virtual status.

Conditions:
All pool members are forced down and the pool member's connection limit has been reached.

Impact:
Virtual monitor status becomes yellow and receives the following connection limit alert: The pool member's connection limit has been reached.

Workaround:
None.

Fix:
Virtual status now stays red if all the pool members are down.


495702-3 : Mac Edge Client cannot be downloaded sometimes from management UI

Component: Access Policy Manager

Symptoms:
Sometimes BIG-IP Edge Client for Mac cannot be downloaded from the management GUI.

Conditions:
Mac Edge Client, BIG-IP management UI.

Impact:
Mac Edge Client cannot be downloaded.

Workaround:
None.

Fix:
BIG-IP Edge Client for Mac can now be downloaded from the connectivity profile screen of the APM GUI.


495698 : iRule can be deleted even though it exists in a rule-list

Component: Advanced Firewall Manager

Symptoms:
The rule-list references a nonexistent iRule.

Conditions:
Have a rule-list that contains an iRule, and then delete that iRule.

Impact:
The iRule no longer has an effect, even though it still appears to be contained in the rule-list.

Workaround:
Do not delete an iRule if it is referenced by a rule-list.

Fix:
Introduced validation to ensure that a referenced iRule cannot be deleted.


495588-4 : Configuration fails with Syntax Error after upgrading from pre-11.5.0 releases

Component: Local Traffic Manager

Symptoms:
Configuration fails with Syntax Error after upgrading to 11.5.0 from pre-11.5.0 releases.

Conditions:
When upgrading from a pre-11.5.0 release to version 11.5.0, the key/cert names have an extra period (for example, mykey..key and mycert..crt). Beginning with version 11.5.0, multiple key/cert pairs are associated with one clientssl profile, so each key/cert pair has a name. During upgrade, the system provides a name for each key/cert, which can cause problems if the existing key/cert name contains a period character.

Impact:
Configuration load fails, and the system posts the alert: Syntax Error:(/config/bigip.conf at line: 12) one or more configuration identifiers must be provided.

Workaround:
Manually edit the bigip.conf to add a title for the cert-key-chain, and then run the command: tmsh load sys config.

Fix:
Before v11.5.0, the clientssl profile supported only one key/cert pair, with no name associated with it. In v11.5.0, multiple key/cert pairs are associated with one clientssl profile, so each key/cert pair has a name.


495574-6 : DB monitor functionality might cause memory issues

Component: Local Traffic Manager

Symptoms:
TMM restarts continuously.

Conditions:
DB monitors are configured.

Impact:
System stops responding. System posts message: notice panic: FATAL: mmap of: /dev/mprov/tmm/tmm.4 length 1480589312 offset 4441767936 failed 12 (Cannot allocate memory).

Workaround:
Either kill the DB monitor java process or issue a bigstart restart.

Fix:
DB monitor functionality might cause memory issues.


495526-2 : IPsec tunnel interface causes TMM core at times

Component: TMOS

Symptoms:
If users modify the tunnel interface attributes, such as the MTU value, TMM cores. This can occur regardless of whether traffic has flowed through the tunnel.

Conditions:
The configuration of an IPsec tunnel interface is modified.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid modifying the IPsec tunnel interface. Configure the IPsec tunnel interface in one shot, using either create or delete.

Fix:
TMM no longer cores if users choose to modify the tunnel interface attributes, such as MTU value.


495443-3 : ECDH negotiation failures logged as critical errors.

Component: Local Traffic Manager

Symptoms:
When a failure occurs in an SSL negotiation involving Elliptic Curve Diffie-Hellman (ECDH) key agreement, a critical error may be logged. However, an SSL negotiation failure is not a critical issue.

Conditions:
An SSL negotiation failure involving ECDH key agreement.

Impact:
Spurious critical error logs.

Workaround:
Treat SSL ECDH negotiation failures as non-critical errors.

Fix:
These ECDH failures are now logged as non-critical errors.


495432-1 : Add new log messages for AFM rule blob load/activation in datapath.

Component: Advanced Firewall Manager

Symptoms:
Prior to the fix, when the AFM rule blob is compiled/serialized by pktclass-daemon and TMM is notified to activate it in the datapath, there is no visibility into whether the activation succeeded or failed.

Conditions:
An AFM rule serialization message is processed by TMM.

Impact:
The end user has no visibility into whether the serialized AFM rule blob is actually in use in the data path.

Workaround:
None.

Fix:
The system now logs a message (in /var/log/ltm) when the serialized AFM rule blob is activated in the data path.


495390-2 : An error occurs on Active Rules page after attempting to reorder Rules in a Policy

Component: Advanced Firewall Manager

Symptoms:
An error occurs on Active Rules page after attempting to reorder Rules in a Policy: "An error has occurred while trying to process your request."

Conditions:
Attempting to reorder rules when they span more than one page.

Impact:
You cannot reorder the rules, and an error message is displayed, "An error has occurred while trying to process your request."

Fix:
Reordering rules now works.


495336-5 : Logon page is not displayed correctly when 'force password change' is on for local users.

Component: Access Policy Manager

Symptoms:
Logon page is not displayed correctly when 'force password change' is on for local users.

Conditions:
When more than one logon page is configured in the Access policy, and the administrator sets 'Force Password Change' in the local user account database.

Impact:
Although it is correct behavior to require an initial password change and a logon after the password is changed, the expected first page is a one-time password-change request, rather than the same change-password page displayed twice.

Workaround:
The current workaround is to add a 'Variable Assign' agent in the LocalDB Auth Successful branch with a custom variable, for example: session.logon.page.challenge = expr { 0 }.

Fix:
The system now shows the correct logon page after the successful password change.


495335-4 : BWC related tmm core

Component: TMOS

Symptoms:
tmm coredumps while BWC is processing packets.

Conditions:
BWC is being enabled on a virtual server that does not have any BWC iRules enabled. Reasons for this are being investigated.

Impact:
Traffic disrupted while tmm restarts.

Fix:
The system now avoids a divide-by-zero when computing the average packet size.


495319-9 : Connecting to FP with APM edge client is causing corporate network to be inaccessible

Component: Access Policy Manager

Symptoms:
Connecting to FirePass with a BIG-IP Edge Client for Mac that was downloaded from APM might not provide complete network access.

Conditions:
APM Edge Client, Firepass server, network access connection.

Impact:
Incomplete network access.

Workaround:
None.

Fix:
All configured networks are now reachable when connecting to FirePass using a BIG-IP Edge Client for Mac downloaded from APM.


495265-6 : SAML IdP and SP configured in same access profile not supported

Component: Access Policy Manager

Symptoms:
SLO might not work properly under certain conditions.
When a user attempts to start SLO, the connection gets reset. The system logs messages such as the following: RST sent from x.x.x.x:433 to x.x.x.x:xxxx, [0xxxxxx:xxx] Internal error ((APM::SSO) Error in reading sp info from session db failed)

Conditions:
All conditions must be met:

1. Both BIG-IP as SP and BIG-IP as IdP are configured on the same access profile.
2. SLO is configured for both BIG-IP as IdP and BIG-IP as SP.
3. SLO is executed in multiple TCP sessions between the user's browser and the BIG-IP system.

Impact:
SLO is not properly executed; the user's session might not be terminated.

Workaround:
None.

Fix:
A problem with SAML single-logout has been fixed.


495253-5 : TMM may core in low memory situations during SSL egress handling

Component: Local Traffic Manager

Symptoms:
TMM may core in low memory situations during SSL egress handling.

Conditions:
This occurs when the following conditions are met:
-- Low memory.
-- SSL connections.

Impact:
Traffic disrupted while tmm restarts.

Fix:
TMM no longer cores in low-memory situations during SSL egress handling.


495030-3 : Segfault originating from flow_lookup_nexthop.

Component: Local Traffic Manager

Symptoms:
Segfault originating from flow_lookup_nexthop when neighbor_resolve is not able to determine the next hop.

Conditions:
Memory pressure or error condition.

Impact:
tmm cores and the tmms restart.

Fix:
The segfault originating from flow_lookup_nexthop has been corrected.


494743-8 : Port exhaustion errors on VIPRION 4800 when using CGNAT

Component: Carrier-Grade NAT

Symptoms:
You may see the following on a VIPRION 4800 platform configured to use LSN deterministic NAT:

crit tmm3[12240]: 01010201:2: Inet port exhaustion on ...

Conditions:
VIPRION 4800 platform with multiple blades and LSN deterministic NAT.

Impact:
DNAT port exhaustion alert.

Workaround:
Change LSN Pool members for LSN deterministic NAT pools, which will trigger a deterministic NAT data rebuild.

Fix:
TMM translations after blade failure or startup can be properly reverse-mapped by dnatutil, which fixes the port exhaustion alerts.


494637-6 : localdbmgr process in constant restart/core loop

Component: Access Policy Manager

Symptoms:
The localdbmgr process keeps crashing repeatedly.

Conditions:
The issue is caused by corruption of the contents stored in the memcache. The conditions under which the memory corruption occurs are not reproducible, and the issue occurs rarely.

Impact:
The localdbmgr process crashes repeatedly.

Workaround:
None.

Fix:
The localdbmgr process has been updated in order to gracefully handle corruption in the memcache contents.


494565-3 : CSS patcher crashes when a quoted value consists of spaces only

Component: Access Policy Manager

Symptoms:
CSS content that contains a quoted value consisting only of spaces causes the rewrite engine to crash.

Example:
...
background: url(' ') /* some spaces between quotes */
...

Conditions:
CSS content contains a quoted value that consists of spaces only.

Impact:
The rewrite engine crashes, which can cause the web application to malfunction.

Workaround:
Create an iRule that removes the spaces between the quotes.


494367-4 : HSB lockup after HiGig MAC reset

Component: TMOS

Symptoms:
HSB lockups can occur after a HiGig MAC reset on BIG-IP 5000/7000-series and 10250 platforms.

Conditions:
-- HiGig MAC reset.
-- BIG-IP 5000/7000-series and 10250 platforms.

Impact:
An HSB lockup results in a NIC failsafe and reboot of the unit.
The system posts messages similar to the following in the LTM log:
-- bcm56xxd[8161]: 012c0015:6: Link: 4.1 is DOWN.
-- bcm56xxd[8161]: 012c0012:6: Reset HSBe2 (bus 1) HGM0 MAC completed on higig2 link 4.1 down event.
-- bcm56xxd[8161]: 012c0015:6: Link: 4.1 is UP. ...
-- tmm2[13842]: 01230111:2: Interface 0.3: HSB DMA lockup on transmitter failure.

Workaround:
None.

Fix:
HSB lockups no longer occur after a HiGig MAC reset on BIG-IP 5000/7000-series and 10250 platforms.


494322-5 : The HTTP_REQUEST iRule event may cause the TMM to crash if the explicit proxy is used

Component: Local Traffic Manager

Symptoms:
If the flow inside an HTTP_REQUEST event raised by the explicit proxy has expired, TMM may crash.

Conditions:
The explicit proxy is configured for HTTP, and the HTTP_REQUEST iRule event is used.

Impact:
If state-changing commands are used within the HTTP_REQUEST event raised by the explicit proxy, they may not work correctly, and TMM might crash.

Workaround:
Avoid the HTTP_REQUEST event if possible.

Fix:
TMM no longer crashes under load when the HTTP_REQUEST iRule handler is used with the explicit proxy. HTTP state-changing commands used within HTTP_REQUEST on the explicit proxy now work correctly.


494305-6 : [GUI] [GTM] Cannot remove the first listed dependent virtual server from dependency list.

Component: Global Traffic Manager (DNS)

Symptoms:
Cannot use the GUI to remove the alphabetically first virtual server from the dependency list of a virtual server when there are multiple virtual servers in the list.

Conditions:
A virtual server with several dependent virtual servers configured.

Impact:
Cannot manage virtual server dependency list using GUI as expected.

Workaround:
Use the corresponding tmsh commands to manage the virtual server dependency list.

Fix:
You can now use the GUI to remove the alphabetically first virtual server from the dependent list of virtual servers.


494284-10 : Mac Edge Client with primary language of German shows unneeded text under disconnected status.

Component: Access Policy Manager

Symptoms:
With BIG-IP Edge Client for Mac, when the primary language is set to German on the Mac, the text shown under the disconnected status contains extra, unneeded text.

Conditions:
Edge Client for Mac, when primary language is set to German on the Mac.

Impact:
Shows the following message: 'Um eine Verbindung herzustellen, wählen Sie aus dem Menü oben einen Server aus, und klicken Sie dann auf die Schaltfläche 'Auto-Verbindung' oder 'Verbinden' sichern und Werner der Seite standen aufs Auge drücken als Schadenersatz einer Woche kein Telefonat erneute.'

Workaround:
None.

Fix:
For BIG-IP Edge Client for Mac with primary language of German, the content that displays under disconnected status is now correct, without any unneeded text.


494189-3 : Poor performance in clipboard channel when copying

Component: Access Policy Manager

Symptoms:
The JavaRDP client hangs when the user tries to copy a very large text fragment to the clipboard.

Conditions:
The user tries to copy a very large text fragment.

Impact:
The JavaRDP client lags or hangs on copying. In the worst case, the user must close and reconnect the JavaRDP client.

Workaround:
None.

Fix:
The clipboard channel now performs significantly better.


494176-1 : Network access to FP does not work on Yosemite using APM Mac Edge Client.

Component: Access Policy Manager

Symptoms:
If APM BIG-IP Edge Client for Mac on OS X Yosemite attempts to connect to FirePass, network access cannot be established.

Conditions:
APM Edge Client for Mac on OS X Yosemite connecting to FirePass.

Impact:
Network access cannot be established with FirePass.

Workaround:
None.

Fix:
Network access can now be established with FirePass using APM BIG-IP Edge Client for Mac on OS X Yosemite.


494122-6 : Deterministic NAT state information from HSL is not usable on VIPRION B4300 blades

Component: Carrier-Grade NAT

Symptoms:
Deterministic NAT HSL state information is not usable by dnatutil, resulting in an "Unparseable line" error.

Conditions:
Deterministic NAT and HSL logging for LSN pool on a VIPRION B4300 blade.

Impact:
Cannot use the HSL logged state information for dnatutil.

Workaround:
Use LTM logged deterministic NAT state information.

Fix:
Deterministic NAT state information from HSL is now usable on VIPRION B4300 blades.


494098-9 : PAC file download mechanism race condition

Component: Access Policy Manager

Symptoms:
The PAC file download mechanism might encounter a race condition if /etc/hosts is patched with a static entry for the host that contains the PAC file.

Conditions:
/etc/hosts is patched with a static entry for the host that contains the PAC file.

Impact:
Proxy PAC file fails to download.

Workaround:
Add delay in proxy PAC file download to avoid race condition.

Fix:
The PAC file download mechanism now avoids the race condition when /etc/hosts is patched with a static entry for the host that contains the PAC file.


494088-5 : APD or APMD should not assert when it can do more by logging error message before exiting.

Component: Access Policy Manager

Symptoms:
APD or APMD asserts and exits without logging error messages to aid in debugging the error.

Conditions:
In some rare situations (for example, access 'profile not found', or a failure in 'loading policy object'), APD or APMD asserts. This results in a core dump.

Impact:
APD or APMD restarts and a core file is produced.

Workaround:
None.

Fix:
Now, in some rare situations where previously APD or APMD would assert, the system logs proper error messages before exiting. This results in restarting APD or APMD.


494070-4 : BIG-IP DNS cannot use a loopback address with fallback IP load balancing

Component: Global Traffic Manager

Symptoms:
BIG-IP DNS cannot use a loopback address with fallback IP load balancing.

Conditions:
BIG-IP DNS pool using fallback IP load balancing.

Impact:
Cannot configure a loopback address using fallback IP load balancing.

Workaround:
None.

Fix:
Now, a BIG-IP DNS Pool fallback IP address can be localhost.


494008-4 : tmm crash while initializing the URL filter context for SWG.

Component: Access Policy Manager

Symptoms:
tmm crash while initializing the URL filter context for SWG.

Conditions:
It is not known what triggers this crash. It may be connected to BIG-IP being unable to update the SWG database.

Impact:
Traffic disrupted while tmm restarts.

Fix:
tmm no longer crashes while initializing the URL filter context for SWG.


493807-4 : TMM might crash when using PPTP with profile logging enabled

Component: Carrier-Grade NAT

Symptoms:
TMM might crash when using PPTP with profile logging enabled.

Conditions:
This occurs when the following conditions are met:
-- PPTP-ALG with log profile enabled.
-- CGNAT configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable logging from the PPTP profile.

Fix:
Using PPTP with profile logging now works correctly and no longer causes TMM to crash.


493673-5 : DNS record data may have domain names compressed when using iRules

Component: Local Traffic Manager

Symptoms:
Some DNS record types forbid DNS name compression in their record data (for example, the NAPTR Replacement field). For certain parts of the DNS feature set (for example, DNS iRules, DNSSEC, and GTM), some of this record data may contain compressed names.

Conditions:
Using iRules.

Impact:
Some clients may expect uncompressed names and may not be able to follow compression pointers. This may cause the client to fail to use the RR.

Workaround:
None.

Fix:
Fields that forbid compression, such as the NAPTR Replacement field, are no longer compressed.


493558-3 : TMM core due to SACK hole value mismatch

Component: Local Traffic Manager

Symptoms:
TMM cores with 'sack scoreboard population counts valid' assert. The TMM core occurs due to lost-packet retransmitted packet value mismatch.

Conditions:
This occurs when processing retransmitted packets configured for selective acknowledgement (SACK), when multipath TCP (MPTCP) and selective negative acknowledgement (SNACK) are enabled with a SNACK-supporting client.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There are two possible workarounds:
-- Disable MPTCP.
-- Disable the SNACK option in the TCP profile.

Fix:
TMM handles the case, and no longer cores due to lost-packet retransmitted packet value mismatch.


493487-5 : Function::call() and Function::apply() wrapping does not work as expected

Component: Access Policy Manager

Symptoms:
Function::call() and Function::apply() wrapping does not work as expected.

Conditions:
This occurs when using an indirect method call.

Impact:
Possible Adobe Flash web application malfunction, but the symptoms can vary.

Fix:
Indirect method calls using Function::call() or Function::apply() now work properly.


493401-3 : Concurrent REST calls on a single endpoint may fail

Component: Application Security Manager

Symptoms:
Concurrent REST PATCH calls on a particular endpoint, or configuration by BIG-IQ, may fail due to database deadlocks.

Conditions:
Concurrent REST PATCH calls are made on a particular endpoint, or the device is configured by BIG-IQ.

Impact:
Configuration changes fail due to database deadlock.

Workaround:
Check the return values from REST calls before proceeding to the next call.

Fix:
Fixed a MySQL deadlock that occurred when using REST API to send several patch requests to parameters of a security policy.


493385-9 : BIG-IP Edge Client uses generic icon set even if F5 icon set is configured

Component: Access Policy Manager

Symptoms:
BIG-IP Edge client uses generic icon set even if F5 icon set is configured.

Conditions:
BIG-IP Mac Edge Client customized for a specific language.

Impact:
The UI might show the generic icon set for the Mac Edge Client in the system menu.

Workaround:
Remove customization for that language.

Fix:
Now BIG-IP Edge Client uses the set of icons that the configuration specifies. Also, F5 icons no longer display for a split second during application launch when the configuration specifies the generic set of icons.


493360-4 : Fixed possible issue causing Edge Client to crash during reconnect

Component: Access Policy Manager

Symptoms:
Edge Client may rarely crash during reconnect.

Conditions:
Session reconnection using Edge Client. When the APM session closes on the BIG-IP system (by a timeout, or by other options, for example, 'Restrict to Single Client IP'), the Edge Client starts a new session. Occasionally, when reestablishing the connection to the BIG-IP system, the Edge Client crashes.

Impact:
Rarely encountered crash.

Workaround:
None.

Fix:
Fixed possible issue that could cause BIG-IP Edge Client for Windows to crash during reconnect.


493246-1 : SNMP error: Unknown Object Identifier (Index out of range:0 ) for sysCpuSensorSlot

Component: TMOS

Symptoms:
An SNMP query for sysCpuSensorSlot 0 returns 'Unknown Object Identifier (Index out of range:0 ) for sysCpuSensorSlot'.

Conditions:
SNMP query for sysCpuSensorSlot 0.

Impact:
SNMP MIB variable sysCpuSensorSlot 0 is not available.

Workaround:
Use the command 'tmctl cpu_info_stat' on the BIG-IP system to retrieve the sysCpuSensorSlot value.

Fix:
The software that generates the F5 BIG-IP MIBs has been updated to allow a slot 0 return value.


493223-2 : syscalld core dumps now keep more debugging information

Component: TMOS

Symptoms:
syscalld has a fixed-size queue of jobs. If this fills up, then it will intentionally dump core, but this core dump has little visibility into what commands were being run at the time.

Conditions:
syscalld is mostly invoked by the GUI or CMI sync to trigger the configuration being saved.

Impact:
syscalld core dumps will occur and generate customer cases, but it is difficult for a developer to obtain any useful information.

Workaround:
None.

Fix:
syscalld has a fixed-size queue of jobs. If this fills up, then it will intentionally dump core, but this core dump used to have little visibility into what commands were being run at the time. It now maintains a list of the most recently run commands that will be written into the core file.


493164-4 : flash.net.NetConnection::connect() has an erroneous security check

Component: Access Policy Manager

Symptoms:
Accessing some content in a different domain does not work as expected because of an erroneous security check.

Conditions:
This occurs when getting a URI property immediately after calling the connect() method.

Impact:
Possible Flash web application malfunction, but symptoms vary.

Fix:
The erroneous security check has been fixed, so accessing some content in a different domain now works as expected.


493140-6 : Incorrect persistence entries are created when invoking cookie hash persistence within an iRule using offset and length parameters.

Component: Local Traffic Manager

Symptoms:
When using a cookie hash persistence profile and an iRule to provide finer granularity using offset and length parameters to calculate the hash, the system creates incorrect persistence entries.

Conditions:
A cookie hash persistence profile, plus an iRule that specifies the offset and length of the cookie to be used for hashing.

Impact:
Incorrect persistence entries are created.

Fix:
Using cookie hash persistence and invoking cookie hash persistence from within an iRule now works as expected.


493117-12 : Changing the netmask on an advertised virtual address causes it to stop being advertised until tmrouted is restarted

Component: Local Traffic Manager

Symptoms:
After changing the netmask of an advertised virtual address, the address is no longer advertised.

Conditions:
An advertised virtual address whose netmask is changed.

Impact:
tmrouted must be restarted whenever the netmask of an advertised virtual address is changed.

Workaround:
Restart tmrouted whenever the netmask of an advertised virtual address is changed.

Fix:
Now, an advertised route remains advertised after its netmask is changed.


493006 : Export of huge policies might end up with 'too many pipes opened' error

Component: Access Policy Manager

Symptoms:
Exporting huge policies might end up with a 'too many pipes opened' error. The policy must have more than 321 elements.

Conditions:
A huge policy (300+ elements, i.e., ~100 items).

Impact:
It is not possible to export the access policy.

Workaround:
N/A

Fix:
Extra-huge policies are now exportable.


492780-3 : Elliptic Curves Extension in ServerHello might cause failed SSL connection.

Component: Local Traffic Manager

Symptoms:
The Supported Elliptic Curves extension is present in the ServerHello, but some clients cannot process it, so it has been removed.

Conditions:
The issue occurs when Supported Elliptic Curves Extension is present in ServerHello when presented to a client that cannot process it.

Impact:
Failed SSL connection.

Workaround:
None.

Fix:
Elliptic Curves Extension has been removed to support more types of clients.


492701-2 : Resolved LSOs are overwritten by source device in new Policy Sync with new LSO

Component: Access Policy Manager

Symptoms:
Previously resolved Location-Specific Objects (LSOs) on target devices are overwritten by values from the source device during a new Policy Sync operation that has a new LSO to resolve.

Conditions:
1. Perform a Policy Sync on a profile with an LSO, and change the LSO value during resolution.
2. Perform another Policy Sync on the same profile with a new LSO that requires resolution.

Impact:
Previously customized values for LSO on target device are lost.

Workaround:
Configure the value again on the target device after the new sync.

Fix:
Customized LSO values on target device from previous Policy Sync will be retained after a new Policy Sync with new LSO.


492422-3 : HTTP request logging reports incorrect response code

Component: TMOS

Symptoms:
HTTP request logging reports 200/OK response code before any response has been received.

Conditions:
HTTP request logging enabled.

Impact:
Misleading messages in the logs. These messages are benign and can safely be ignored.

Fix:
The response code is now reported only in HTTP response logs.


492368-10 : Unbound vulnerability CVE-2014-8602

Vulnerability Solution Article: K15931


492305-2 : Recurring file checker doesn't interrupt session if client machine has missing file

Component: Access Policy Manager

Symptoms:
If a file required by the recurring file checker agent is deleted on the client machine after the session is already established, the session is not interrupted.

Conditions:
File checker agent is used.
Recurring check is enabled for it.

Impact:
Session is not interrupted when it should be.

Fix:
The session is now interrupted when a file required by the recurring file check is missing.


492238-9 : When logging out of Office 365 TMM may restart

Component: Access Policy Manager

Symptoms:
TMM may restart when a user initiates single logout (SLO) from Microsoft Office 365 configured as a SAML Service Provider (SP).

Conditions:
The problem occurs under these conditions:
1. The BIG-IP system is configured as a SAML Identity Provider (IdP) with Office 365 configured as a SAML Service Provider (SP).
2. Single logout (SLO) is configured on the BIG-IP system.
3. As a part of a SLO request, the SP sends unsupported query parameters.

Impact:
Under certain conditions TMM may restart.

Workaround:
To work around the problem, disable SLO on the BIG-IP system.

Fix:
TMM no longer restarts when a user initiates single logout (SLO) from Microsoft Office 365 configured as a SAML Service Provider (SP).


492163-6 : Applying a monitor to pool and pool member may cause an issue.

Component: TMOS

Symptoms:
Typically, applying a monitor to a pool and a monitor to a pool member causes no issues. When the pool monitor is incompatible with the pool member, however, a validation issue can occur.

Conditions:
The pool monitor is incompatible with the pool member, for example, a pool with an http monitor and a wildcard pool member (even if the pool member has its own monitor).

Impact:
Failed transaction or configuration load.

Workaround:
Remove the pool monitor, load, then add pool monitor back.

Fix:
Instances in which the pool monitor is incompatible with the pool member are now validated correctly.


492153-7 : Edge Client shuts down the DTLS channel if the state of the IP address on the adapter that was used to build the tunnel changes to deprecated.

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client shuts down the DTLS channel if the state of the IP address on the adapter that was used to build the tunnel changes to deprecated.

Conditions:
BIG-IP Edge Client monitors the state of the IP address for the DTLS tunnel, so the system can react quickly to any network connectivity issues. The monitor correctly disconnects the tunnel if the adapter loses the IP address. However, an issue causes the tunnel to shut down when the state of the IP address changes to deprecated.

Impact:
Tunnel processing halts.

Fix:
BIG-IP Edge Client now keeps the DTLS connection until the IP address becomes invalid, as expected.


492149-2 : Inline JavaScript with HTML entities may be handled incorrectly

Component: Access Policy Manager

Symptoms:
If JavaScript code included in an HTML page contains HTML entities, Portal Access may process it incorrectly.

Conditions:
An HTML page that contains inline JavaScript code with HTML entities inside.

Impact:
Web application does not work as expected.

Workaround:
Use an iRule for each individual case to correct this behavior.

Fix:
Now JavaScript code with HTML entities inside is processed correctly.


492122-4 : Now Windows Logon Integration does not recreate temporary user for logon execution each time

Component: Access Policy Manager

Symptoms:
The temporary user 'f5 Pre-Logon User' is created and deleted each time it is used. Because the user's SID changes every time, domain operations such as adding that user to a specific domain group or setting its properties are not possible.

Conditions:
This happens when both of these conditions exist:
1. Windows Logon Integration is used.
2. Enforce access policy execution option is selected.

Impact:
As a result, it is impossible to manage the temporary user 'f5 Pre-Logon User'.

Fix:
Now the 'f5 Pre-Logon User' is created only once, so its SID does not change and a Domain or System Administrator can manage it. When the user is no longer required (that is, when the logon process is complete), 'f5 Pre-Logon User' is disabled and remains disabled until the next use.


491791-2 : GET on non-existent pool members does not show error

Component: TMOS

Symptoms:
Performing a GET on nonexistent pool members does not show an error.

Conditions:
This occurs when using iControl REST with nonexistent pool members.

Impact:
The returned response typically indicates an almost-empty resource instead of a not-found error.

Workaround:
Perform a GET on the pool's members collection and iterate through the returned items to determine whether the pool member exists.

Fix:
Performing a GET on nonexistent pool members now shows an error when using iControl REST with nonexistent pool members.
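The workaround above can be scripted. The following Python is an added example, not code from F5 or from this release note. It parses a constructed members-collection response (the kind/items/name/partition layout is assumed from iControl REST) to decide whether a member exists, and separately flags the almost-empty single-member document that affected versions return instead of a not-found error; the phantom response below is constructed for illustration.

```python
"""Detect pool-member existence via the iControl REST members collection.

Added example, not from the F5 release note. On affected versions a GET on
an individual member URI can return 200 with an almost-empty object rather
than a 404, so this fetches the whole collection and searches it instead.
Sample responses are constructed; field names follow the assumed iControl
REST kind/items/name/partition layout.
"""
import json

# Constructed: GET /mgmt/tm/ltm/pool/~Common~web_pool/members
SAMPLE_MEMBERS_RESPONSE = json.dumps({
    "kind": "tm:ltm:pool:members:memberscollectionstate",
    "items": [
        {"kind": "tm:ltm:pool:members:membersstate", "name": "10.0.0.11:80",
         "partition": "Common", "address": "10.0.0.11", "state": "up",
         "selfLink": "https://localhost/mgmt/tm/ltm/pool/~Common~web_pool/members/~Common~10.0.0.11:80"},
        {"kind": "tm:ltm:pool:members:membersstate", "name": "10.0.0.12:80",
         "partition": "Common", "address": "10.0.0.12", "state": "down",
         "selfLink": "https://localhost/mgmt/tm/ltm/pool/~Common~web_pool/members/~Common~10.0.0.12:80"},
    ],
})

# Constructed: what an affected version might return for a member that does
# not exist (200 OK, but no address or selfLink).
PHANTOM_MEMBER_RESPONSE = json.dumps({
    "kind": "tm:ltm:pool:members:membersstate",
    "name": "10.0.0.99:80",
})


def parse_members(body):
    """Return {'/partition/name': item} for a members collection body.

    An empty collection may omit 'items' entirely, so default to [].
    """
    data = json.loads(body)
    members = {}
    for item in data.get("items", []):
        full_name = "/%s/%s" % (item.get("partition", "Common"), item["name"])
        members[full_name] = item
    return members


def find_member(body, name, partition="Common"):
    """Look up one member by name and partition; return the item or None."""
    return parse_members(body).get("/%s/%s" % (partition, name))


def member_exists(body, name, partition="Common"):
    """True only if the member appears in the collection listing."""
    return find_member(body, name, partition) is not None


def looks_like_phantom_member(body):
    """Heuristic for the symptom in the note: a single-member GET response
    lacking both 'address' and 'selfLink' should be treated as not found
    rather than as a real member."""
    data = json.loads(body)
    return not (data.get("address") and data.get("selfLink"))


if __name__ == "__main__":
    for candidate in ("10.0.0.11:80", "10.0.0.99:80"):
        state = "exists" if member_exists(SAMPLE_MEMBERS_RESPONSE, candidate) else "not found"
        print(candidate, state)
    print("phantom response detected:", looks_like_phantom_member(PHANTOM_MEMBER_RESPONSE))
```

Checking the collection rather than trusting the HTTP status of an individual member GET is the safer pattern in automation that later deletes or modifies members, because a silently wrong "exists" answer can mask a typo in the member name.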


491771-1 : Parking command called from inside catch statement

Component: Policy Enforcement Manager

Symptoms:
If, inside a proc or control statement (if, for, while), a parking command (such as table, session, open, send, or RESOLVE::lookup) is called from within a catch statement and is followed by a command that results in a (caught) TCL error, TMM cores with a SIGFPE panic and this message:

    panic: TclExecuteByteCode execution failure: end stack top < start stack top

Example (THIS CODE MAY CAUSE TMM TO CRASH if this procedure is called):
    proc id491771 {} {
        # WILL CAUSE TMM TO CRASH: the brackets evaluate the lookup result as a command,
        # which raises an error immediately after the parking command
        catch { [table lookup "key"] }
    }

The correct usage of "catch" is without the brackets:
    proc id491771 {} {
        catch { table lookup "key" }
    }

Conditions:
1) A parking command like "table"
2) The very next operation generates an error
3) Both commands are inside a "catch" block
4) And this catch block exists within a proc or control statement (e.g., if, for, while)

Impact:
TMM cores with a SIGFPE and this panic string:

    panic: TclExecuteByteCode execution failure: end stack top < start stack top

Workaround:
Any command that completes without parking, placed after the parking command but before the error, prevents the issue. For instance:

    set A "a"

Another solution is to move the "catch" statement out of the proc or control statement and into the body of the script.

Alternatively, remove the square brackets, which cause the result of the command to be evaluated as a command in this specific case. The use of brackets in this way is likely a coding mistake in the iRule.


491716-3 : SNMP attribute type incorrect for certain OIDs

Component: TMOS

Symptoms:
The following OIDs have an incorrect setting of Gauge when they should be Integer:

sysIntfMediaIndex
sysIfIndex
sysPacketFilterAddrIndex
sysPacketFilterVlanIndex
sysPacketFilterMacIndex
sysStpBridgeTreeStatIndex
sysStpInterfaceTreeStatIndex
sysHostCpuIndex
sysIntfMediaSfpIndex

Conditions:
SNMP queries to some F5 enterprise OIDs.

Impact:
The attribute type mismatch may cause some MIB browsers to report errors because of a failure to strictly adhere to the SNMP standard.

Fix:
All F5 enterprise MIB attributes that have a limited value range have been changed to type Integer.


491556-10 : tmsh show sys connection output is corrected

Component: TMOS

Symptoms:
tmsh show sys connection output is corrupted for certain user roles.

Conditions:
This occurs for users with user roles that do not have access to all partitions.

Impact:
The output from tmsh show sys connection is corrupted. After issuing this command, the output of subsequent tmsh commands might not be correct or complete.

Workaround:
Quit out of tmsh. Restart the shell. Do not use the show sys connection command for users that do not have access to all partitions. Use the GUI instead to get this information.

Fix:
tmsh show sys connection output is correct for users that do not have access to all partitions.


491554-5 : [big3d] Possible memory leakage for auto-discovery error events.

Component: Global Traffic Manager

Symptoms:
The big3d process may leak memory.

As a result of this issue, you may encounter one or more of the following symptoms:

You notice a progressive increase in the amount of memory that the big3d process uses.
The big3d process produces a core file in the /shared/core directory.
The BIG-IP system unexpectedly fails over to another system in the device group.
The monitoring system marks the monitored device as unavailable.

Conditions:
This issue occurs when all of the following conditions are met:

Your system is actively monitored by a BIG-IP GTM or Enterprise Manager system.
The monitoring system is configured with discovery enabled.
The big3d process returns error messages to monitor requests.

Impact:
Memory usage for the big3d process increases, and may eventually affect other services and overall system performance.

Workaround:
None.

Fix:
big3d no longer leaks memory during auto-discovery failure events.


491518-5 : SSL persistence can prematurely terminate TCP connection

Component: Local Traffic Manager

Symptoms:
SSL [session id] persistence might prematurely close (FIN) a TCP connection before forwarding all data.

Conditions:
SSL persistence must be in use. A slow client side (WAN) exacerbates the issue.

Impact:
Premature close of TCP connection and potential data loss.

Workaround:
Disable SSL persistence.

Fix:
SSL [session id] persistence no longer prematurely terminates the TCP connection.


491454-8 : SSL negotiation may fail when SPDY profile is enabled

Component: Local Traffic Manager

Symptoms:
SSL handshake fails when SPDY profile is attached.

Conditions:
This occurs when the following conditions are met:
-- The client (for example, Chrome for Android) attempts to use the SPDY protocol via Next Protocol Negotiation (NPN) during the SSL handshake.
-- The BIG-IP system has a Cavium Nitrox card.

Impact:
SSL handshake or other connection failure.

Workaround:
Remove SPDY profile.

Fix:
SSL handshake now completes successfully when a SPDY profile is attached when Next Protocol Negotiation (NPN) is detected on a BIG-IP system with a Cavium Nitrox accelerator.


491406-2 : TMM SIGSEGV in sctp_output due to NULL snd_dst

Component: TMOS

Symptoms:
Crash in tmm sctp_output routine.

Conditions:
SCTP incorrectly processes a duplicate or unexpected COOKIE_ECHO following association shutdown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes in sctp_output when a duplicate or unexpected COOKIE_ECHO arrives after association shutdown.


491371-4 : CMI: Manual sync does not allow overwrite of 'newer' ASM config

Component: Application Security Manager

Symptoms:
ASM Sync was designed to only request the ASM portion of the configuration if it recognizes that a peer has a newer configuration.
This precludes the ability to 'roll back' changes on a device by pushing from the peer that still has the older configuration.

Conditions:
Devices are set up in a Manual Sync ASM-enabled group.

Impact:
User is unable to 'roll back' changes on a device by pushing from the peer that has an older configuration.

Workaround:
Make a spurious change on the device that has an older config and then push the changes to the peer.

Fix:
An older ASM configuration can now be manually pushed to a peer in a device group.


491352-4 : Added ASM internal parameter to add more XML memory

Component: Application Security Manager

Symptoms:
It is not possible to add more than 1.2 GB of memory to the XML parser.

Conditions:
More than 1.2 GB of XML memory is needed.

Impact:
XML out of memory messages, traffic dropped.

Fix:
We added the internal parameter additional_xml_memory_in_mb that enables an additional amount of XML memory (in MB).


491233-9 : Rare deadlock in CustomDialer component

Component: Access Policy Manager

Symptoms:
Windows 7 systems hang at a black screen after a reboot. This requires a hard boot to resolve.

Conditions:
CustomDialer component.

Impact:
Cannot log in. Requires hard boot to resolve.

Fix:
The CustomDialer component has been updated to prevent a rarely occurring deadlock.


491185-3 : URL Latencies page: pagination limited to 180 pages

Component: Application Visibility and Reporting

Symptoms:
When the URL Latencies page has enough data to paginate beyond 180 pages, no data is displayed when switching to any page above 180.

Conditions:
The URL count exceeds 1800.

Impact:
Not all URLs are visible.

Workaround:
Use filtering to limit the number of results to fewer than 1800.

Fix:
Number of reported URLs is now limited to 1000 (100 pages), consistent with other reporting pages.


491080-2 : Memory leak in access framework

Component: Access Policy Manager

Symptoms:
When multiple concurrent attempts are made to access a resource protected by APM, one of these attempts proceeds to policy execution and the rest get a message stating that session evaluation is in progress. The page that delivers this message has a unique identifier in the URL that causes the caching of this page to be ineffective. Multiple cache entries are created and these entries present themselves as a leak.

Conditions:
Use of APM.
Multiple concurrent accesses to a resource protected by a virtual server with an APM profile attached.
Note that this happens only when no established session already exists for that client.

Impact:
A memory leak occurs.

Workaround:
None.

Fix:
The APM page caching now omits the unique identifier in the key. As a result, a single page, or a small fixed number of pages, can serve a multitude of clients without an increase in memory usage.


490936-1 : SSLv2/TLSv1 based handshake causing handshake failures

Component: Local Traffic Manager

Symptoms:
You are experiencing SSL handshake failures. /var/log/ltm contains error messages similar to the following: tmm[16895]: 01260009:7: Connection error:9044: invalid pre-master secret (40)

Conditions:
This occurs when a clientssl profile is enabled and a client sends a CLIENTHELLO that carries an SSLv2 or TLSv1 version in the handshake message.

Impact:
SSL connection unable to establish; error generated. Note this only occurs for clients that send SSLv2 or TLSv1 in the hello.


490893-9 : Deterministic NAT state information incomplete for HSL log format

Component: Carrier-Grade NAT

Symptoms:
Deterministic NAT state information is incomplete in the HSL log format. As a result, dnatutil may produce an incorrect reverse or forward map when used with HSL-logged state information.

Conditions:
Found to affect VIPRION B2250 blades with HTSPLIT enabled, when using dnatutil with HSL-logged deterministic NAT state for a reverse map.

Impact:
The reverse and forward map can be incorrect when used with HSL-logged deterministic NAT state information.

Workaround:
Use LTM-logged deterministic NAT state information for the reverse or forward map.

Fix:
HSL-logged deterministic NAT state information can now be used to correctly forward and reverse map.


490844-2 : Some controls on a web page might stop working.

Component: Access Policy Manager

Symptoms:
Some controls on a web page might stop working.

Conditions:
Web applications that register handlers for some events using EventTarget.addEventListener().

Impact:
Unexpected web application malfunctions.

Workaround:
Create an iRule specific to each case.

Fix:
Problems with EventTarget.addEventListener() new feature support were fixed.


490830-3 : Protected Workspace is not supported on Windows 10

Component: Access Policy Manager

Symptoms:
APM does not support Protected Workspace on Windows 10

Conditions:
Protected Workspace action configured on BIG-IP APM server.
Users connecting to BIG-IP APM using Windows 10 client.

Impact:
Users cannot use Protected Workspace feature on Windows 10.

Workaround:
None.

Fix:
Protected Workspace disabled on Windows 10 client.


490801-3 : mod_ssl: missing support for TLSv1.1 and TLSv1.2

Component: TMOS

Symptoms:
This is due to using older versions of httpd (which includes mod_ssl). Newer versions of httpd, as of 2.2.15-39, include the necessary support for TLSv1.1 and TLSv1.2.

Conditions:
Any older version of httpd that is not upgraded to 2.2.15-39, or selectively patched for the mod_ssl component, cannot provide support for TLSv1.1 and TLSv1.2.

Note that in older releases there is a dependency on OpenSSL 1.0.1 for a backport of the mod_ssl changes to actually support TLSv1.1 and TLSv1.2.

Impact:
No support is provided for TLSv1.1 and TLSv1.2.

Workaround:
Upgrade to one of the following:

12.0.0-hf1 - includes changes to mod_ssl
12.1.0 - includes update to httpd 2.2.15-39

Fix:
Upgrading to httpd 2.2.15-39 (from el6.6) provides the needed changes to mod_ssl to support TLSv1.1 and TLSv1.2.


490740-9 : TMM may assert if HTTP is disabled by another filter while it is parked

Component: Local Traffic Manager

Symptoms:
If the HTTP filter is parked in an iRule on the client side and another filter disables it, TMM asserts with the message:
TCL passthrough switch state only valid server-side.

Conditions:
An HTTP iRule on the client side parks. Another filter tells HTTP to disable itself.

Impact:
The impact of this issue is that the TMM will crash.

Workaround:
Avoid using HTTP::disable in iRules that can run simultaneously with iRules triggered by the HTTP filter.

Instead, disable

Fix:
TMM no longer crashes if HTTP is disabled while it is parked on the client side.


490713-5 : FTP port might occasionally be reused faster than expected

Component: Local Traffic Manager

Symptoms:
FTP port is randomly selected and occasionally might be reused quickly.

Conditions:
FTP active mode. Source Port is set to change.

Impact:
FTP port might occasionally be reused faster than expected.

Fix:
FTP port selection uses a round robin method to avoid quick-reuse as much as possible.


490681-5 : Memcache entry for dynamic user leaks

Component: Access Policy Manager

Symptoms:
A race condition causes a memcache entry to remain in memcache forever.

Conditions:
Due to a race condition between identifying dynamic users in MySQL and removing them from memcache (based on timestamp), some memcache entries remain. Although the entry is removed from MySQL, it remains in memcache.

Impact:
The user state information for the user remains unchanged. If the user is locked out in memcache, the user state remains locked out.

Workaround:
The only way to recover is to remove the user using telnet to access memcache (which is not a typical operation and is difficult to perform).

Fix:
Now a self expiry is set for each memcache object (which is configurable). With this change, each user remains in the cache only for the configured duration.


490675-5 : User name with leading or trailing spaces creates problems.

Component: Access Policy Manager

Symptoms:
A dynamic user is created with leading and trailing spaces in the name, for example " user1 ". When the user entry is created in MySQL, " user1 " is treated as "user1" because the spaces at the beginning and end are eliminated. The memcache entry does not do the same.

Conditions:
Create a dynamic user with a regular name. Then retry the same username with leading and trailing spaces. There will be multiple entries for the same user (one regular and another with spaces). When the dynamic user gets deleted, the regular user name is deleted from memcache and from MySQL; the other user entry remains in memcache.

Impact:
Unnecessary memcache entries.

Workaround:
This issue has no workaround at this time.

Fix:
In this fix, we trim leading and trailing spaces from the user name before using it. So the user name is uniform everywhere.


490537-4 : Persistence Records display in GUI might cause system crash with large number of records

Component: TMOS

Symptoms:
Using the GUI to view Persistence Records statistics in GUI when there are a large number of records might crash the system. (Persistence Records are available for LTM and GTM by navigating to Statistics :: Module Statistics, clicking on Local Traffic, DNS Delivery, or DNS GSLB and then selecting 'Persistence Records' for Statistics Type.)

Conditions:
This occurs when viewing statistics in the GUI for a large number of Persistence Records (approximately 100,000 but the number might depend on system configuration and capacity)

Impact:
The system runs out of memory and fails over.

Workaround:
Use TMSH to see Persistence Records and associated statistics.
For LTM and GTM Delivery: tmsh show ltm persistence persist-records.
For GTM GSLB: tmsh show gtm persist destination | level | target-name | key | max-results | target-type.

Fix:
In this release, you can manage visibility of Persistence Records in the GUI using the db variable ui.statistics.modulestatistics.<localtraffic | dnsdelivery | dnsgslb>.persistencerecords. Setting the variable to "false" hides the records and prevents the potential system crash with a large number of persistence records; setting it to "true" shows them.

To enable GUI display, set the db variable:
-- for LTM Persistence Records, run the command: modify sys db ui.statistics.modulestatistics.localtraffic.persistencerecords value true
-- for DNS Delivery Persistence Records, run the command: modify sys db ui.statistics.modulestatistics.dnsdelivery.persistencerecords value true
-- for DNS GSLB Persistence Records, run the command: modify sys db ui.statistics.modulestatistics.dnsgslb.persistencerecords value true

Important: When you enable the db variable, the GUI-specific out-of-memory condition might occur if you have a large number of records. In that case, you should use TMSH to see Persistence Records and associated statistics.

For LTM and GTM Delivery: tmsh show ltm persistence persist-records.
For GTM GSLB: tmsh show gtm persist destination | level | target-name | key | max-results | target-type.

Behavior Change:
Beginning in version 12.0.0, the db variable ui.statistics.modulestatistics.<localtraffic | dnsdelivery | dnsgslb>.persistencerecords defaults to "false". In previous versions, the default was "true." That means that Persistence Records are no longer visible by default in the GUI. This prevents potential system crashes with a large number of persistence records. You can manage visibility of Persistence Records using the db variable.

Important: When you enable the db variable, the GUI-specific out-of-memory condition might occur if you have a large number of records. In that case, you should use TMSH to see Persistence Records and associated statistics. For example, for LTM, you can use the following command: tmsh show ltm persistence persist-records.

To set the db variable:
-- for LTM Persistence Records, run the command: modify sys db ui.statistics.modulestatistics.localtraffic.persistencerecords value true.
-- for DNS Delivery Persistence Records, run the command: modify sys db ui.statistics.modulestatistics.dnsdelivery.persistencerecords value true.
-- for DNSGSLB, run the command: modify sys db ui.statistics.modulestatistics.dnsgslb.persistencerecords value true.


490429-4 : The dynamic routes for the default route might be flushed during operations on non-default route domains.

Component: Local Traffic Manager

Symptoms:
The dynamic routes for the default route might be flushed during operations on non-default route domains. For example, when a non-default route domain is deleted, TMM also removes routes in the default route domain.

Conditions:
This happens on configuration changes and failover.

Impact:
Routing in default route domain might be impacted until tmrouted is restarted.

Workaround:
Avoid deleting non-default route domains. Issuing a bigstart restart tmrouted returns the system to a consistent state.

Fix:
The dynamic routes for the default route are no longer flushed during operations on non-default route domains.


490284-6 : ASM user interface extremely slow to respond (e.g. >2 minutes to render policy list)

Component: Application Security Manager

Symptoms:
ASM screens take a long time to load, MySQL spikes in usage.

Conditions:
Occurs after several thousand policy configuration changes have been made to the system.

Impact:
Slow ASM user interface pages.

Workaround:
There is no workaround at this time.

Fix:
We reduced the time it takes for ASM screens to load.


490174-3 : Improved TLS protocol negotiation with clients supporting TLS1.3

Component: Local Traffic Manager

Symptoms:
When a TLS client connects to a BIG-IP TLS server requesting TLS1.3, the handshake will fail. A message will be logged in the Local Traffic Manager (LTM) log about a handshake failure.

The estimated deployment of clients supporting TLS1.3 is 2016.

Conditions:
A TLS client handshake with the protocol version set to TLS1.3 in the ClientHello.

Impact:
Lower performance is the most likely outcome: the handshake requesting TLS1.3 fails, after which the client reconnects with a TLS 1.2 handshake and succeeds.

The worst-case scenario is an inability to establish a connection for clients that implement only the standard TLS version negotiation mechanism (that is, clients that do not fall back to a lower version on their own).

Workaround:
This issue has no workaround at this time.

Fix:
The TLS server code now handles a ClientHello.client_version higher than TLS1.2 as the TLS1.2 specification requires: it negotiates the highest version it supports rather than failing the handshake.
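Both version-handling problems in this section, 490936-1 (a ClientHello carrying a lower version, with a spurious "invalid pre-master secret" error) and 490174-3 (a ClientHello carrying a version above TLS1.2), come down to the server-side rules in RFC 5246 Appendix E.1 and section 7.4.7.1. The Python below is an added example, not BIG-IP code: it parses the version fields from a constructed ClientHello record, selects the version a server supporting TLS 1.0 through 1.2 (an assumed policy) must negotiate, and checks the version bytes in an RSA premaster secret against the ClientHello's client_version rather than the negotiated version. The SSLv2-compatible ClientHello record format is not handled.

```python
"""Server-side TLS version negotiation and premaster version check.

Added example, not F5 code. Rules modelled:
- RFC 5246 Appendix E.1: if client_version is higher than the server
  supports, negotiate the server's highest version; if it is lower than
  the server's minimum, abort with a protocol_version alert.
- RFC 5246 section 7.4.7.1: the two version bytes at the start of the RSA
  premaster secret are the ClientHello's client_version, so a server that
  compares them against the *negotiated* version rejects legitimate
  clients whenever the two differ.
The ClientHello bytes and the server's supported range are constructed.
"""
import struct

TLS10, TLS11, TLS12 = (3, 1), (3, 2), (3, 3)
SERVER_VERSIONS = (TLS10, TLS11, TLS12)  # constructed server policy


def parse_client_hello(record):
    """Return (record_version, client_version) from a TLS handshake record
    that carries a ClientHello. Raises ValueError for anything else."""
    if len(record) < 11:
        raise ValueError("record too short")
    content_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 6:
        raise ValueError("truncated handshake message")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != 0x01 or hs_len != len(body) - 4:
        raise ValueError("not a ClientHello")
    client_version = (body[4], body[5])
    return (rec_major, rec_minor), client_version


def negotiate_version(client_version, server_versions=SERVER_VERSIONS):
    """RFC 5246 E.1: highest supported version not above client_version,
    or None when the server must send a protocol_version alert."""
    candidates = [v for v in server_versions if v <= tuple(client_version)]
    return max(candidates) if candidates else None


def premaster_version_ok(premaster, client_version):
    """RFC 5246 7.4.7.1: compare the premaster's leading version bytes with
    the ClientHello client_version, never with the negotiated version."""
    return len(premaster) == 48 and (premaster[0], premaster[1]) == tuple(client_version)


def build_client_hello(client_version, record_version=TLS10):
    """Construct a minimal ClientHello record for the example: version,
    zeroed random, empty session id (cipher suites/extensions omitted)."""
    body = bytes(client_version) + bytes(32) + b"\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(record_version) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for offered in (TLS10, TLS12, (3, 4)):
        _, client_version = parse_client_hello(build_client_hello(offered))
        chosen = negotiate_version(client_version)
        print("client offered %r -> server negotiates %r" % (client_version, chosen))
    # The 490936-1 symptom: a TLS1.0 client whose premaster is checked against
    # the negotiated version instead of client_version would be rejected.
    premaster = bytes(TLS10) + bytes(46)
    print("premaster vs client_version:", premaster_version_ok(premaster, TLS10))
    print("premaster vs negotiated (wrong comparison):", premaster_version_ok(premaster, TLS12))
```

A server that follows these two rules accepts a TLS 1.0 client without a premaster-secret mismatch and downgrades a TLS 1.3-offering client to TLS 1.2 in a single handshake, which is the behaviour the fix restores.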


489957-8 : RADIUS::avp command fails when an AVP contains multiple vendor-specific attributes (VSA).

Component: Service Provider

Symptoms:
The RADIUS::avp command fails when a single AVP contains multiple vendor-specific attributes (VSA).

Conditions:
One AVP contains multiple attributes (VSA).

Impact:
RADIUS::avp command fails.

Workaround:
None.

Fix:
The RADIUS::avp command now completes successfully when an AVP contains multiple vendor-specific attributes (VSA).
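RFC 2865 section 5.26 allows one Vendor-Specific AVP (type 26) to carry a 4-byte Vendor-Id followed by several (Vendor-Type, Vendor-Length, value) sub-attributes; a parser that assumes one sub-attribute per AVP misreads the second and later ones, which is the shape of the failure above. The following Python is an added example, not BIG-IP or RADIUS::avp code: it parses a constructed Access-Request and walks every sub-attribute inside the VSA. The vendor id 9 and sub-attribute types are illustrative.

```python
"""Parse RADIUS AVPs, including Vendor-Specific AVPs holding several
vendor sub-attributes.

Added example, not F5 code. Layouts follow RFC 2865: each AVP is
Type(1) Length(1) Value; a type 26 value is Vendor-Id(4) followed by one
or more Vendor-Type(1) Vendor-Length(1) data triples. Packet bytes below
are constructed for the example.
"""
import struct

RADIUS_HEADER_LEN = 20
VENDOR_SPECIFIC = 26


def parse_attributes(payload):
    """Yield (type, value_bytes) for each top-level AVP, with length checks."""
    offset = 0
    while offset < len(payload):
        if len(payload) - offset < 2:
            raise ValueError("truncated attribute header")
        avp_type, avp_len = payload[offset], payload[offset + 1]
        if avp_len < 2 or offset + avp_len > len(payload):
            raise ValueError("bad attribute length %d at offset %d" % (avp_len, offset))
        yield avp_type, payload[offset + 2:offset + avp_len]
        offset += avp_len


def parse_vsa(value):
    """Split a Vendor-Specific value into (vendor_id, [(vendor_type, data), ...]).
    Walks every sub-attribute instead of stopping after the first."""
    if len(value) < 4:
        raise ValueError("VSA shorter than Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs = []
    offset = 4
    while offset < len(value):
        if len(value) - offset < 2:
            raise ValueError("truncated vendor sub-attribute")
        vtype, vlen = value[offset], value[offset + 1]
        if vlen < 2 or offset + vlen > len(value):
            raise ValueError("bad vendor sub-attribute length")
        subs.append((vtype, value[offset + 2:offset + vlen]))
        offset += vlen
    return vendor_id, subs


def vendor_attributes(packet):
    """Return {vendor_id: [(vendor_type, data), ...]} for a whole RADIUS packet."""
    if len(packet) < RADIUS_HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    result = {}
    for avp_type, value in parse_attributes(packet[RADIUS_HEADER_LEN:]):
        if avp_type == VENDOR_SPECIFIC:
            vendor_id, subs = parse_vsa(value)
            result.setdefault(vendor_id, []).extend(subs)
    return result


def _avp(avp_type, value):
    return bytes([avp_type, len(value) + 2]) + value


def _vendor_sub(vtype, data):
    return bytes([vtype, len(data) + 2]) + data


def build_sample_packet():
    """Constructed Access-Request: User-Name plus ONE Vendor-Specific AVP that
    carries two sub-attributes (vendor types 1 and 2) for vendor id 9."""
    vsa_value = (struct.pack("!I", 9)
                 + _vendor_sub(1, b"shell:priv-lvl=15")
                 + _vendor_sub(2, b"cmd=show"))
    attrs = _avp(1, b"alice") + _avp(VENDOR_SPECIFIC, vsa_value)
    header = struct.pack("!BBH", 1, 7, RADIUS_HEADER_LEN + len(attrs)) + bytes(16)
    return header + attrs


if __name__ == "__main__":
    for vendor_id, subs in vendor_attributes(build_sample_packet()).items():
        for vtype, data in subs:
            print("vendor %d type %d: %r" % (vendor_id, vtype, data))
```

The strict length checks matter as much as the multi-attribute walk: a Vendor-Length that overruns the enclosing AVP, or an AVP Length below 2, is malformed input and should be rejected rather than silently truncated.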


489845-1 : Sometimes auto-blacklisting will not function after the provisioning of AFM and APM modules

Component: Advanced Firewall Manager

Symptoms:
Occasionally dwbl crashes after the AFM and APM modules are provisioned.

Conditions:
Provisioning of the AFM and APM modules on the BIG-IP system at the same time.

Impact:
Auto-blacklisting sometimes does not function because of the crash.

Workaround:
None.

Fix:
Fixed a rare crash that could occur when provisioning the AFM and APM modules at the same time.


489750-2 : Deletion of FIPS keys by-handle may delete key in FIPS-card even if key exists in BIG-IP config

Component: TMOS

Symptoms:
From 11.4.0 onward, deletion of a FIPS key by handle is expected to return an error if the BIG-IP configuration contains that key object. However, if the key name differs from the FIPS label of the key, deletion by handle deletes the key from the FIPS card without checking the BIG-IP configuration, and does not delete the key from the BIG-IP configuration.

Conditions:
Deleting a FIPS key by handle using tmsh when the key name differs from the FIPS label of the key.

Impact:
FIPS key deletion by handle may not return the expected error when the FIPS handle corresponds to a key in the BIG-IP configuration; it deletes the key from the FIPS card while leaving the key object in the BIG-IP configuration.

Workaround:
First, use FIPS key deletion by handle only for FIPS key handles that have no corresponding key object in the BIG-IP configuration.

If deletion of the FIPS key was intended and deletion by handle has already been performed without removing the key from the BIG-IP configuration, follow this workaround:

After executing:
'tmsh delete sys crypto fips by-handle <handle-number>'

check if the corresponding key still exists in BIG-IP config by executing:
'tmsh list sys crypto key'

If the concerned key did not get deleted, execute:
'tmsh delete sys crypto key <keyname>'

Fix:
The system now correctly handles deletion of a FIPS key by handle using tmsh when the key name differs from the FIPS label of the key, checking the BIG-IP configuration before deleting the key from the FIPS card.


489705-3 : Running out of memory while parsing large XML SOAP requests

Component: Application Security Manager

Symptoms:
Running out of memory while parsing large XML SOAP requests.

Conditions:
System parses as XML a large multipart file upload.

Impact:
Unnecessary memory allocations which could cause the Enforcer to run out of memory. The system posts an error similar to the following: 'ASM out of memory error: event code X239 Exceeded maximum memory assigned for XML/JSON processing'.

Fix:
The system no longer parses a large multipart file upload as XML. Previously, doing so caused unnecessary memory allocations that could cause the Enforcer to run out of memory, with the error message "ASM out of memory error: event code X239 Exceeded maximum memory assigned for XML/JSON processing".


489682-4 : Configuration upgrade failure due to change in an ASM predefined report name

Component: Application Visibility and Reporting

Symptoms:
A configuration load failure occurs after creating an ASM predefined report in a previous version and upgrading.

Conditions:
Define scheduled report on top of "Top alerted URLs" on 11.3.0 and upgrade the version.

Impact:
Version upgrade fails (the BIG-IP becomes unusable).

Workaround:
Change the "/Common/Top Alerted URLs" reference in the bigip.conf file of the UCS to "/Common/Top Alarmed URLs", and then load the modified UCS.

Fix:
If an ASM predefined report was created in a previous version and the system was updated, it could have caused the configuration upgrade to fail. This failure no longer occurs.


489451-2 : TMM might panic due to OpenSSL failure during handshake generation

Component: Local Traffic Manager

Symptoms:
TMM might panic due to OpenSSL failure during handshake generation.

Conditions:
Low memory. Software-based SSL handshake generation.

Impact:
TMM outage.

Fix:
The system now checks for OpenSSL failures during SSL handshake generation, so TMM no longer panics.


489382-8 : Machine Cert allows mismatched SubjectCN and FQDN for browsers in case of valid cert

Component: Access Policy Manager

Symptoms:
Browser clients allow the Machine Cert Auth agent to pass even if the "match SubjectCN and FQDN" criterion is not satisfied.
This happens only if the selected certificate is recognized by the BIG-IP system but does not fit the Machine Cert Auth selection criteria.

Conditions:
The problem occurs with a Mac and the browser client, with the Machine Cert Auth agent in the access policy, and a valid certificate.

Impact:
The browser allows network access to be established even though it should not.

Workaround:
To work around the problem, add more search criteria in the Machine Cert Auth agent.

Fix:
The browser client now selects the appropriate certificate when the "match SubjectCN and FQDN" criterion is specified in the Machine Cert Auth agent.


489364-6 : Now web VPN client correctly minimizes IE window to tray

Component: Access Policy Manager

Symptoms:
An Internet Explorer window remains on taskbar on Network Access connect even if 'minimize to tray' option is enabled.

Conditions:
Internet Explorer is used and 'minimize to tray' option is enabled

Impact:
IE window stays on desktop

Fix:
Now an Internet Explorer window is correctly minimized to tray.


489328-8 : Accessing a BIG-IP virtual server from multiple tabs with long initial URLs before session creation can cause TMM to crash.

Component: Access Policy Manager

Symptoms:
If a BIG-IP virtual server is accessed from multiple tabs with long initial URLs before session creation, this might cause TMM to crash.

Conditions:
Rare condition: a user opens the browser with multiple tabs pointing to a BIG-IP APM virtual server, causing the access policy to run from both tabs. If the length of the encoded URL falls on a 4K boundary, TMM might crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Proper checks were added before processing the URL so that, if there is a long initial URL, the BIG-IP system does not process it, and a user might see a reset. After establishing the session in other tabs, the user can access the long URL again.


489323-6 : Out-of-bounds memory access when 'remotedesktop' profile is assigned to a virtual server.

Vulnerability Solution Article: K43552605


489259-2 : [AFM] packets from good ip's are being dropped by DoS Sweep & Flood logic

Component: Performance

Symptoms:
Rate tracker library is not accurate.

Conditions:
When traffic is at very low rate.

Impact:
Traffic from good IP addresses could end up being dropped.

Workaround:
None

Fix:
AFM no longer drops packets from good IP addresses during sweep and flood.


489113-7 : PVA status, statistics not shown correctly in UI

Component: TMOS

Symptoms:
When affected versions of BIG-IP are running on VIPRION B2250 blades, the PVA status and statistics are not displayed correctly (missing entirely) from the user interface.

Conditions:
VIPRION B2250 blades running affected versions of BIG-IP.

Impact:
PVA appears to be disabled/unavailable.
PVA statistics are not available.
PVA functionality is actually enabled and operating in the data plane.

Workaround:
Example of incorrect display:
# guishell -c 'select name,has_pva,pva_version from platform'
--------------------------------
| NAME | HAS_PVA | PVA_VERSION |
--------------------------------
| A112 | false | | <<< incorrect
--------------------------------

# tmsh show ltm virtual
------------------------------------------------------------------
Ltm::Virtual Server: vs1
------------------------------------------------------------------
Status
  Availability : unknown
  State : enabled
  Reason : The children pool member(s) either don't have service checking enabled, or service check results are not available yet
  CMP : enabled
  CMP Mode : all-cpus
  Destination : 30.30.30.1:80
              <<< missing 'PVA Acceleration' item

Fix:
PVA status and statistics are displayed correctly for VIPRION B2250 blades.


488989-4 : AVRD does not print out an error message when the external logging fails

Component: Application Visibility and Reporting

Symptoms:
External logging of AVR statistics is done through the HSL framework. If a message fails to be sent to the syslog server, AVR does not log the error.

Conditions:
If the network is under stress, some externally logged messages might not be transmitted.

Impact:
The logging application will not receive all log entries.

Fix:
AVR now logs an error when an HSL send fails.
Note that this still does not guarantee delivery of the message to its destination: syslog has no application-level acknowledgement, so a send that succeeds locally can still be lost in transit.


488986-13 : Access policy cannot enter Windows Protected Workspace on Internet Explorer versions 10 and 11, and edge client.

Component: Access Policy Manager

Symptoms:
An access policy cannot enter Windows Protected Workspace on Internet Explorer versions 10 and 11, and Windows Edge client.

Conditions:
Internet Explorer versions 10 and 11.

Impact:
Access policy cannot enter Windows Protected Workspace.

Workaround:
Use a browser other than Internet Explorer versions 10 and 11.

Fix:
An access policy can now enter Windows Protected Workspace on Internet Explorer versions 10 and 11.


488917-1 : Potentially confusing wamd shutdown error messages

Component: WebAccelerator

Symptoms:
When shutting down, wamd might log debug messages that appear serious.

Conditions:
wamd shutdown.

Impact:
Unnecessary log messages generated, similar to the following:
-- WA Debug (17637): * WARNING: The server encountered an unexpected condition.
-- WA Debug (17637): * Contact F5 support if you are experiencing problems and include
-- WA Debug (17637): * the following diagnostic information.
These messages are cosmetic and do not indicate a problem with the system.

Workaround:
None.

Fix:
The wamd process no longer generates potentially alarming debug log messages when shutting down.


488892-4 : JavaRDP client disconnects

Component: Access Policy Manager

Symptoms:
JavaRDP client disconnects user's session when user interacts before the handshake is complete.

Conditions:
This might occur when the network connection is slow but the user is fast enough to click the mouse within the client area or press a key on the keyboard. In this case the RDP client attempts to send this input event to the server.

Impact:
Because the RDP handshake is not completed at this point, the server aborts the connection.

Workaround:
Do not interact within the client area before the window fills with an image from the server. When that occurs, the connection is clearly established and all handshakes are completed.

Fix:
JavaRDP client session starts correctly now, and the system does not process extraneous input that occurs before the handshake completes.


488811-4 : F5 pre-logon user profile folders are not fully cleaned up

Component: Access Policy Manager

Symptoms:
When a user logs on using Network Logon in Windows, it triggers access policy execution, and the policy creates a temporary user, f5 Pre-Logon User. This causes the operating system to create a profile folder on the computer. After several executions, these folders start to accumulate because they are not removed properly after policy execution is complete.

Each time the access policy runs, it creates a user folder of the form f5 Pre-Logon User.<HOSTNAME>.xyz in the C:\Users folder.

Conditions:
A user logs on to the computer using Network Logon in Windows. (Windows Logon Integration)

Impact:
The disk runs out of space and the user is confused.

Workaround:
To work around the problem, delete folders manually.


488736-6 : Fixed problem with iNotes 9 Instant Messaging

Component: Access Policy Manager

Symptoms:
iNotes 9 IM (Sametime) is not working. There are errors in JS Console.

Conditions:
User is connected to iNotes 9 through Portal Access.

Impact:
Sametime in iNotes 9 is not accessible.

Workaround:
None.

Fix:
iNotes 9 Sametime (instant messaging) is working now.


488686-4 : Large file transfer hangs when HTTP is in passthrough mode

Component: Local Traffic Manager

Symptoms:
Large file transfer hangs when HTTP is in passthrough mode. The HTTP profile may switch into passthrough mode for a number of reasons, including enforcement (the http-transparent profile options), the CONNECT HTTP method, iRule, unknown method detection, or switching protocols.

Conditions:
-- Virtual server with HTTP profile configured.
-- HTTP profile goes into passthrough mode.
-- Large file transfer occurs.

Impact:
File transfer hangs.

Workaround:
None.

Fix:
Flow control implemented in HTTP profile when in passthrough mode.


488600-1 : iRule compilation fails on upgrade

Component: Local Traffic Manager

Symptoms:
While upgrading, the configuration load fails and you see an error similar to the following:

localhost emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all" - failed. -- Syntax Error:(/config/bigip.conf at line: 40) "{" unknown property

Conditions:
Upgrading to 11.6.x versions may cause iRule compilation failures if the iRule contains whitespace instead of an opening brace after the event name.

For example:
when CLIENT_ACCEPTED
{

Impact:
Configuration will fail to load on upgrade.

Workaround:
You can edit bigip.conf and manually correct the line in the iRule by putting the opening brace on the same line as the event, then reload the configuration with 'tmsh load sys config'.

Example:
when CLIENT_ACCEPTED {

Fix:
Fixed Tcl parsing when there is whitespace before the newline that follows the event name.


488374-3 : Mismatched IPsec policy configuration causes racoon to core after failed IPsec tunnel negotiation

Component: TMOS

Symptoms:
Mismatched IPsec policy configuration causes racoon to core intermittently after failed IPsec tunnel negotiation.

Conditions:
During IPsec Tunnel negotiation, IKE Phase 1 negotiation succeeds and ISAKMP security association is created, but phase 2 (Quick mode) for IPsec security associations fails due to mismatched IPsec policy configuration. This intermittent error occurs because of a memory issue that causes heap corruption.

Impact:
Intermittently, the racoon daemon cores and crashes when there are earlier failed phase 2 negotiations.

Workaround:
Make sure IPsec policies such as encryption/authentication algorithms for the data going through IPsec tunnel on the remote device match the IPsec policy configured on the BIG-IP system for the same IPsec Tunnel.

Fix:
The racoon daemon no longer crashes due to mismatched IPsec policy configuration.


488105-2 : TMM may generate core during certain config change.

Component: Access Policy Manager

Symptoms:
While the sandbox file is being used by the data plane, if the admin changes the configuration to delete this sandbox file, TMM may generate a core due to accessing freed memory.

Conditions:
The data plane is handling requests for the sandbox file while the admin deletes it from the control plane.

Impact:
TMM may core, which may cause APM service to become unavailable for some time.

Fix:
Access whitelist entries are refcount-ed to prevent freeing of the memory while it is still being used.


487859-2 : Importing local db users from a CSV file that has no UID set, displays incorrect information in the GUI.

Component: Access Policy Manager

Symptoms:
Importing local db users from a CSV file that has no UID set, displays incorrect information in the GUI.

Conditions:
When importing the local DB user from the CSV file, with no UID value provided.

Impact:
All users imported without UIDs will be mapped to one user's detail entry (that is, fname, lname, email, and so on). So all such users show the same first name, last name, email, and other user details.

Workaround:
There is no workaround.

Fix:
Importing local db users with no UID set now generates a Unique ID and stores each user's details in the database.


487660-1 : LSN translation failures when persistence is enabled, cmp-hash is set to src-ip on ingress VLAN and to dst-ip on egress VLAN and using a small port range

Component: Carrier-Grade NAT

Symptoms:
LSN Translation failures in persistence mode when cmp-hash is set to src-ip on ingress VLAN and to dst-ip on egress VLAN.

Conditions:
Persistence is enabled on the LSN pool, and cmp-hash is set to src-ip on ingress VLAN and to dst-ip on egress VLAN, when the lsn-pool port range is relatively small (under 1000), or a blade is added or removed. Translation mode is NAPT or PBA.

Impact:
Translation failures. The system posts an error similar to the following: debug tmm9[25268]: 01670012:7: [0.9] Translation failed client 200.200.200.101,10096.

Workaround:
Adequately provision the LSN pool.

Fix:
This release resolves CGNAT translation failures in persistence mode when cmp-hash is set to src-ip on ingress VLAN and to dst-ip on egress VLAN.


487625-4 : Qkview might hang

Component: TMOS

Symptoms:
A corrupted filestore causes qkview to hang.

Conditions:
This occurs due to filestore mapping issues. This might also occur when files listed in the filestore are missing.

Impact:
Qkview hangs and sync attempts silently fail due to filestore mapping issue. The system might post error messages similar to the following: err mcpd[4596]: 0107134e:3: Failed while making snapshot: (Failed to link files existing(/config/ssl/ssl.crt/ca-bundle.crt) new(/config/.snapshots_d/certificate_d/1389867940_:Common:ca-bundle.crt_1) errno(2)(No such file or directory).) errno(2) errstr(No such file or directory).

Workaround:
None.

Fix:
A corrupted filestore no longer causes qkview to hang.


487567-3 : Addition of a DoS Profile Along with a Required Profile May Fail

Component: TMOS

Symptoms:
Certain DoS profiles require a preliminary profile to be attached as well. For example, a DNS-enabled DoS profile may require a DNS profile to be attached first. However, when both profiles are attached at the same time, an error may be thrown telling the user that the required profile is not attached.

Conditions:
A DoS profile needs to be attached at the same time as its required profile. For example, an Application DoS profile requires an HTTP profile to be attached as well.

Impact:
If you have such DoS profiles in use and attach them together with their required profile in a single transaction (GUI operations or the iControl REST API), you may be affected.

Workaround:
None

Fix:
It is now possible to attach a DoS Profile and a required supporting profile in a single transaction.


487420-3 : BD crash upon stress on session tracking

Component: Application Security Manager

Symptoms:
An ASM bd process crash occurs in a specific scenario that involves system stress and session tracking, or the crash can be reached rarely from slow responses/servers with session tracking.

Conditions:
ASM under heavy load, session tracking is running.

Impact:
A bd process crash, failover, and/or traffic resets.

Workaround:
None.

Fix:
This release fixes a system crash scenario that occurred with session tracking.


487399-3 : VDI plugin crashes when View client disconnects prematurely

Component: Access Policy Manager

Symptoms:
VDI plugin crashes when View client disconnects prematurely

Conditions:
View client disconnects prematurely

Impact:
VDI plugin crash

Fix:
VDI plugin does not crash when View client disconnects prematurely


487144-1 : tmm intermittently reports that it cannot find FIPS key

Component: Global Traffic Manager

Symptoms:
You may see the following critical error message in /var/log/ltm: "FIPS acceleration device failure: cannot locate key"

Conditions:
A FIPS card is installed in the BIG-IP system and a key is retrieved from it. The exact conditions that cause this are not known, but it seems to be related to GTM being enabled.

Impact:
SSL cannot locate the key on the FIPS card, and SSL will not function properly.

Workaround:
None known, but restarting tmm or rebooting might correct the condition.

Fix:
SSL can now correctly locate the key from the FIPS card, and SSL will function properly.


486791-3 : Resolution of multiple wireshark vulnerabilities

Vulnerability Solution Article: K16939


486762-2 : lsn-pool connection limits may be invalid when mirroring is enabled

Component: Carrier-Grade NAT

Symptoms:
A client may not be able to create as many connections as allowed because mirroring may cause a connection to be counted more than once against the connection limit.

Conditions:
An lsn-pool with connection limits enabled, assigned to a virtual server.

Impact:
Clients may not be able to open as many connections as they should be able to open. The connections will fail.

Workaround:
This issue has no workaround at this time.

Fix:
With the fix in place, clients may open the full number of allowable connections.


486758-6 : Management port unreachable after install

Component: TMOS

Symptoms:
Management port IP address does not respond to pings after upgrade/reboot.

Conditions:
Install upgrade to 11.2.1-hf-tmos build 1454 (a pre-release build of 11.2.1 HF14).

Impact:
Problems in build 1454 prevent the correct initialization of the management interface. This build should not be installed.

Workaround:
Install 11.2.1 HF14 or later.

Fix:
Resolved installation error in a pre-release build of 11.2.1 HF14 that caused the system to fail to initialize the management port. The officially released 11.2.1 HF14 does not have this problem.


486725-1 : GUI creating key files with .key extensions in the name causing errors

Component: TMOS

Symptoms:
When using the GUI, if a user adds a '.key' extension to the key name, the file is created with an extra '.key' extension.

Conditions:
When a key file name such as 'test.key' is entered in the GUI, the file is created as 'test.key.key'.

Impact:
The extra '.key' extension causes problems with deletion, archiving, and so on. The GUI posts the following error: Not Found.

Workaround:
Delete the key and recreate without the .key in the name.

Fix:
The GUI will prevent names with reserved extensions such as '.key'.


486597-7 : Fixed Network Access renegotiation procedure

Component: Access Policy Manager

Symptoms:
Network Access reconnects on every SSL renegotiation attempt on Windows 7 for TLS1.2 and TLS1.1 if client cert is requested.

Conditions:
This occurs when the following conditions are met:
-- Windows 7.
-- TLS 1.1/TLS 1.2.
-- Client cert set to 'required' in the virtual server's Client Cert profile.

Impact:
Reconnect on every SSL renegotiation attempt.

Workaround:
None.

Fix:
Fixed Network Access renegotiation procedure on TLS1.1 and TLS1.2 for Microsoft Windows 7.


486512-8 : audit_forwarder sending invalid NAS IP Address attributes

Component: TMOS

Symptoms:
Forwarded auditing messages contain the incorrect nas-ip-address attribute. It should be the local IP of the box. Instead nas-ip-address is another, random IP address.

Conditions:
This seems to work fine when the BIG-IP is a virtual machine. The issue reproduces only on actual hardware.

Impact:
Cannot pass certification because config auditing is not working as expected (invalid NAS IP Address).

Workaround:
None.

Fix:
Forwarded auditing messages now contain the correct nas-ip-address attribute, so config auditing is now working as expected.


486485-2 : TCP MSS is incorrect after ICMP PMTU message.

Component: Local Traffic Manager

Symptoms:
After ICMP PMTU message, new TCP packets are well below the maximum size.

Conditions:
The system has received ICMP PMTU messages, which leads to the use of undersized TCP packets.

Impact:
Reduced throughput of TCP connections.

Workaround:
Configure TCP MSS to the true value.


486450-5 : iApp re-deployment causes mcpd on secondaries to restart

Component: Local Traffic Manager

Symptoms:
iApp redeployment causes mcpd on secondaries to restart.

Conditions:
This occurs when redeploying iApps with the locally cached files in place.

Impact:
mcpd restarts on secondaries.

Fix:
iApp redeployment now works correctly, and no longer causes mcpd on secondaries to restart.


486346-2 : Prevent wamd shutdown cores

Component: WebAccelerator

Symptoms:
Under some circumstances, wamd cores while trying to exit.

Conditions:
wamd during shutdown.

Impact:
Unnecessary core files generated consuming some resources.

Workaround:
None.

Fix:
wamd no longer cores and now exits gracefully when shutting down.


486344-4 : French translation does not properly fit buttons in BIG-IP Edge client on Windows

Component: Access Policy Manager

Symptoms:
French translation does not properly fit buttons in BIG-IP Edge Client on Windows-based systems.

Conditions:
French translation in BIG-IP Edge Client on Windows.

Impact:
Text does not fit buttons.

Fix:
Translated French text has been corrected to properly fit buttons in BIG-IP Edge Client on Windows-based systems.


486268-7 : APM logon page missing title

Component: Access Policy Manager

Symptoms:
On the BIG-IP APM logon page, a title may not appear.

Conditions:
The RSA error message contains newline characters (for example, RSA 8.1 uses such messages).

Impact:
May cause usability issues.

Fix:
Now the title displays correctly on the logon page; RSA error messages are now sanitized.


485939-8 : OSPF redistributing connected subnets that are configured in the network element with infinity metric in a HA pair.

Component: TMOS

Symptoms:
In an HA pair setup, the active node sends an AS_External Link-State Advertisement (LSA) with an infinity metric value for the redistributed connected subnets that are configured in the network element of OSPF.

Conditions:
HA pair with redistributed connected subnets and subnets configured in the network element in the OSPF.

Impact:
The active node in the HA pair sends an LSA with infinity metric that gets exchanged in the other networks affecting the routing process.

Workaround:
Running 'clear ip ospf process' fixes the issue. However, it is not an effective solution in a production environment.

Fix:
OSPF sessions in an HA pair no longer send an AS_External LSA for the subnets that are configured as a network element and redistributed as connected subnets.


485917-5 : BIG-IP is vulnerable to Path MTU discovery attack (CVE-2004-1060)

Vulnerability Solution Article: K15792


485880-3 : Unable to apply ASM policy with forwarding CPM policy via GUI, generic error

Component: Advanced Firewall Manager

Symptoms:
When attempting to apply an ASM policy to a virtual server that is using LTM forwarding, the user interface returns an error: "an error has occurred while trying to process your request."

Conditions:
Happens only in rare situations.

Impact:
In Local Traffic :: Virtual Servers : Virtual Server List <http_vip> >> Security >> Policies, you receive the error:

"An error has occurred while trying to process your request"

Workaround:
This issue has no workaround at this time.


485771-2 : TMM crashes while executing multiple FLOW_INIT events and one of the event triggers an abort.

Component: Advanced Firewall Manager

Symptoms:
Critical system failure due to TMM process restarting.

Conditions:
The following conditions may suffice to trigger the TMM crash:

An AFM rule match triggers an iRule execution with multiple FLOW_INIT events, and one of the events causes the connection to be aborted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
A crash bug when executing multiple FLOW_INIT events has been fixed.


485764-4 : WhiteHat vulnerability assessment tool is configured but integration does not work correctly

Component: Application Security Manager

Symptoms:
When the WhiteHat vulnerability assessment tool is configured on an already existing policy, the response headers needed for full integration are not added to traffic.

Conditions:
The WhiteHat vulnerability assessment tool is configured on an already existing policy.

Impact:
Proper response headers are not added to traffic to integrate fully.

Workaround:
This issue has no workaround at this time.

Fix:
The system now adds correct response headers to traffic after the WhiteHat vulnerability assessment tool is configured.


485702-7 : Default SNMP community 'public' is re-added after the upgrade

Component: TMOS

Symptoms:
If the SNMP default community (public) has been removed from the configuration, and a new version of the software is installed, the default community will be added to the new configuration.

Impact:
The impact of this issue is that the SNMP default community will be added to the new configuration.

Workaround:
After upgrading to versions after 11.4.0, delete the default 'public' community again.

Fix:
The default community string 'public' is no longer added to the SNMP configuration on upgrade if it had been deleted in the previous software configuration.


485472-4 : iRule virtual command allows for protocol mismatch, resulting in crash

Component: Local Traffic Manager

Symptoms:
iRule 'virtual' command allows for protocol mismatch.

Conditions:
A virtual server with an iRule which leverages the 'virtual' command targeting a virtual server that differs in protocol. For example, a UDP virtual server targeting a TCP virtual server.

Impact:
tmm might crash with assert: 'Must be syncookie'. Traffic is interrupted.

Workaround:
This is the result of a misconfiguration. Modify iRules to ensure L4 protocols match between virtual servers.

Fix:
Resolved issue where TMM might crash with assert: 'Must be syncookie' when the iRule 'virtual' command leads to a protocol mismatch.


485355-4 : Click-to-Run version of Office 2013 does not work inside PWS (Protected WorkSpace)

Component: Access Policy Manager

Symptoms:
Click-to-Run Office 2013 applications fail to start inside Microsoft Windows Protected Workspace without any error message.

Conditions:
Click-to-Run version of Office 2013 is used under PWS

Impact:
Click-to-Run version of Office 2013 does not work inside PWS

Workaround:
To work around the problem, use the full installation of Office 2013.

Fix:
Click-to-Run Office 2013 applications can start inside Microsoft Windows Protected Workspace (PWS) now.


485182-4 : wom_verify_config does not recognize iSession profile in /Common sub-partition

Component: Wan Optimization Manager

Symptoms:
The wom_verify_config does not recognize iSession profile in /Common sub-partition.

Conditions:
iApps create some objects (virtuals, profiles) under /Common/DMZPrimary.vysbank.com.app/. These objects are invisible to wom_verify_config.

Impact:
wom_verify_config cannot verify the system configuration.

Fix:
The wom_verify_config now recognizes objects in sub-partitions.


485176-5 : RADIUS::avp replace command cores TMM when only two arguments are passed to it

Component: Local Traffic Manager

Symptoms:
The RADIUS::avp replace iRule command will core when only two arguments are passed to it.

Conditions:
Must be running an iRule that executes a RADIUS::avp replace command with only two arguments.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer cores when only two arguments are passed to the RADIUS::avp replace command.


484861-10 : A standby-standby state can be created when auto failback acts in a CRC disagreement scenario

Component: TMOS

Symptoms:
A standby-standby state can occur after a failback if there is a CRC disagreement between peers.

Conditions:
HA pair using auto failback. There must be a CRC disagreement between peers. The failback preferred system must have a lower traffic group score than its peers. NOTE: CRC disagreements may lead to other issues and the customer is strongly advised to sync the devices to remove the disagreement.

Impact:
This is a site-down situation, as all the objects in the traffic group become unreachable.

Workaround:
Sync devices to remove the CRC disagreement.

Fix:
Ensure that the preferred system goes active after auto failback, even if its traffic group score is lower than that of its peers.


484847-13 : DTLS cannot be disabled on Edge Client for troubleshooting purposes

Component: Access Policy Manager

Symptoms:
There is no client side option to disable DTLS. This option can be very useful in troubleshooting client connectivity issues.

Conditions:
It is required to debug DTLS versus TLS connections.

Impact:
Troubleshooting connectivity issues becomes difficult.

Workaround:
Disable DTLS on server side.

Fix:
Now you can add new registry keys and use them to disable DTLS on both BIG-IP Edge Client and browsers. Using these keys, you can disable DTLS on a particular client without changing the BIG-IP system configuration.

To disable DTLS on a client machine:
Create a registry DWORD value (both keys are valid for x64 and x86 systems):
HKEY_LOCAL_MACHINE\Software\F5 Networks\RemoteAccess\EnableDTLSTransport
or
HKEY_CURRENT_USER\Software\F5 Networks\RemoteAccess\EnableDTLSTransport
and set it to 0.


484733-5 : aws-failover-tgactive.sh doesn't skip network forwarding virtuals

Component: TMOS

Symptoms:
When there are forwarding virtual servers with SNATs defined in the configuration, the reassignment of IP addresses for virtual servers does not happen correctly in Amazon Web Services (AWS).

Conditions:
Forwarding virtual servers with SNATs defined.

Impact:
HA failover is impacted.

Fix:
The reassignment of IP addresses for forwarding virtual servers with SNATs defined in the configuration now occurs as expected in Amazon Web Services (AWS).


484706-7 : Incremental sync of iApp changes may fail

Component: TMOS

Symptoms:
Incremental sync of the deletion of an iApp instance may fail, with the error message indicating that certain objects owned by the application are still in use. Alternatively, child objects that should have been deleted when reconfiguring an iApp instance may remain on peer devices after incremental sync has completed.

Conditions:
Incremental sync of the deletion of an iApp instance. Incremental sync of deleting a child object, if the iApp implementation script creates the parent object without child objects, and then separately adds the replacement child objects.

Impact:
An attempt to delete an iApp may cause a sync failure. An attempt to reconfigure an iApp without a previously existing child object (pool member, etc.) may cause the object to continue to exist on peer devices.

Workaround:
Perform a full load sync (either the 'Overwrite Configuration' option on the Device Management Overview page, or temporarily setting the device group to full load only); the sync operation then completes successfully.

Fix:
Incremental sync of the deletion of an iApp instance now completes successfully. Incremental sync of iApp changes, where the iApp template creates a parent object separately from child objects now syncs correctly.


484582-3 : APM Portal Access is inaccessible.

Component: Access Policy Manager

Symptoms:
APM Portal Access is inaccessible.

Conditions:
One of the sessions reaches 64 KB of Portal Access application cookie storage.

Impact:
The rewrite plugin crashes and APM Portal Access becomes inaccessible. Shortly before the crash, the plugin reports a '*** glibc detected ***' memory corruption message. The rewrite daemon log contains the following lines:
- notice rewrite - cookie.cpp:543 : updateCookieSessionStore : expiring cookie ...

Workaround:
None.

Fix:
Rewrite plugin no longer crashes when Portal Access application cookies require more than 32 KB of storage.


484534-5 : interface STP state stays in blocked when added to STP as disabled

Component: TMOS

Symptoms:
When two interfaces are disabled and added to Spanning Tree Protocol (STP) in the VLAN configuration, the second interface stays in 'blocked' STP state.

Conditions:
At least two interfaces exist in disabled state, added to STP.

Impact:
The blocked port does not send out data.

Workaround:
If the STP flag is disabled and re-enabled on the blocked interface, after the port is enabled, the port STP status is re-evaluated to the correct state.

Fix:
Spanning Tree Protocol (STP) now checks for the disabled state of the port before adding it as an STP member.


484454-7 : Users not able to log on after failover

Component: Access Policy Manager

Symptoms:
Users fail the access policy check after failover happens. The command 'configdump -allkeys' does not display any entry for the access profile.

Conditions:
The issue will show up after the following events:
1. The TMM on the active node restarts or crashes, and the node becomes standby.
2. TMM and APD restart. APD re-creates config snapshots in the SessionDB.
3. The snapshots just created get deleted.
4. Failover happens again and the node becomes active.
5. Users fail to log on.

Impact:
Users cannot log on.

Workaround:
Run 'bigstart restart apd' to re-create config snapshots.

Fix:
APM checks config snapshots periodically and recreates them if any are missing.


484305-5 : Clientside or serverside command with parking command crashes TMM

Component: Local Traffic Manager

Symptoms:
Any parking iRule command used inside clientside or serverside crashes TMM.

Conditions:
Parking command used inside clientside or serverside.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Check whether you really need to run the parking command inside clientside/serverside; if not, move the command outside.

Fix:
TMM no longer crashes when an iRule executes a parking command inside a 'clientside' or 'serverside' context-switching command.


484278-3 : BIG-IP crash when processing packet and running iRule at the same time

Component: Policy Enforcement Manager

Symptoms:
The BIG-IP system sometimes crashes if it is processing packets and iRules at the same time.

Conditions:
iRule scripts are configured, and the system processes incoming traffic while also processing iRule tasks.

Impact:
The impact of this issue is that the BIG-IP system crashes intermittently.

Workaround:
This issue has no workaround at this time.

Fix:
Fixed the iRule processing problem that was causing the BIG-IP system to crash while processing incoming packets.


484214-3 : Nitrox gets stuck when processing certain SSL records

Component: Local Traffic Manager

Symptoms:
During decryption, the Nitrox queue gets stuck when processing certain SSL records.

Conditions:
Nitrox device is used to decrypt SSL records.

Impact:
The Nitrox device queue gets stuck.

Fix:
The system now ensures that an SSL record is not malformed before sending it to Nitrox for decryption.


484079-5 : Change to signature list of manual Signature Sets does not take effect.

Component: Application Security Manager

Symptoms:
When the signature list of a manual Attack Signature Set is modified, the change does not affect enforcement or remote logging.

Conditions:
The signature list of a manual Attack Signature Set is modified (with no other change to the Signature Set).

Impact:
The change does not take effect in signature enforcement or remote logging.

Workaround:
Make any spurious change to the signature set (such as unchecking/checking 'Assign to Policy by Default'), or unassign and reassign the signature set to the affected policy.

Fix:
When the signature list of a manual Attack Signature Set is modified, enforcement and remote logging are now updated correctly.


483792-6 : when iSession control channel is disabled, don't assign app tunnel, MSRDP, opt tunnel resources

Component: Access Policy Manager

Symptoms:
Customers run into iSession-related issues.

Conditions:
This happens when APM has been running.

Impact:
Some of the Network Access resources may not run properly when iSession control channel is disabled.

Workaround:
None

Fix:
When the iSession control channel is disabled through a db variable, some of the Network Access resources, including App tunnel, Microsoft RDP, and optimized tunnel resources, are no longer assigned to the session.


483719-4 : vlan-groups configured with a single member VLAN result in memory leak

Component: Local Traffic Manager

Symptoms:
If a vlan-group contains only a single member VLAN, tmm begins to leak memory as observed in 'tmctl memory_usage_stat'.

Conditions:
Configure a vlan-group with a single member VLAN.

Impact:
Continuous memory leaks might eventually result in traffic disruptions.

Workaround:
Remove vlan-groups containing a single member VLAN, or configure at least two member VLANs per vlan-group.

Fix:
Single-member vlan-groups no longer leak memory.


483699-5 : No Access error when trying to access iFile object in Local Traffic :: iRules : iFile list

Component: TMOS

Symptoms:
After uploading a file to the system and creating the iFile object, the user is unable to access the object.

Conditions:
Uploading a file to the system and creating the iFile object.

Impact:
The system posts a No Access error, and the user is unable to access the iFile object.

Workaround:
This issue has no workaround at this time.

Fix:
Accessing iFile object in Local Traffic :: iRules : iFile list now works correctly and no longer produces No Access error.


483683-7 : MCP continues running after "Unexpected exception caught in MCPProcessor::rm_DBLowHighWide" error

Component: TMOS

Symptoms:
"Unexpected exception caught in MCPProcessor::rm_DBLowHighWide" error on secondary blades when starting up. When this happens, MCP is left in a bad state and several issues (not obviously related to this error) can occur.

Conditions:
Only occurs on a chassis system, and only on secondary blades.

Impact:
This error is the precursor to bad behavior on the system. The exact issues seen are hard to quantify, as they vary depending on what state MCP's database is in when the exception is thrown.

Fix:
Added code to catch exceptions in rm_DBLowHighWide. We now delete the binary MCP database when an exception is caught, and restart MCP. This restart without a binary database bypasses rm_DBLowHighWide and allows the secondary MCP to receive its configuration from the primary MCP.


483665-3 : Restrict the permissions for private keys

Component: Local Traffic Manager

Symptoms:
Private key permissions on the BIG-IP system did not follow security best practices.

Impact:
Keys are now protected according to industry best practices.

Fix:
The permissions for SSL keys are more restricted.


483601-4 : APM sends a logout Bookmarked Access whitelist URL when session is expired.

Component: Access Policy Manager

Symptoms:
You will see a logout page for bookmarked APM whitelist URL after session is expired.

Conditions:
This condition occurs if the user has bookmarked an APM whitelist entry and tries to access the bookmarked URL after the Access session has expired.

Impact:
User sees a logout page instead of a logon to revalidate themselves.

Workaround:
This issue has no workaround at this time.

Fix:
If a session is expired and a query is made with an Access whitelist and query parameters, APM code did not handle the case properly and sent a logout page. APM now enables the user to revalidate by starting the Access policy again.


483539-6 : With fastL4, incorrect MSS value might be used if SYN has options without MSS specified

Component: Local Traffic Manager

Symptoms:
Because of the incorrect MSS value, the outgoing packet attempts to use TSO (TCP segmentation offload) when it should not, and TMM might core. This can result in a crash.

Conditions:
A virtual using fastL4 where a SYN packet with options is received, but the SYN packet does not contain an MSS option.

Impact:
If this issue occurs, then TMM will core resulting in a failover/reboot of the system.

Workaround:
None.

Fix:
The correct MSS value is now used when SYN has options without MSS specified, so TMM no longer cores.
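As an added illustration of the condition above (example code, not part of the F5 release notes or of BIG-IP itself), the following Python parses the options field of a TCP SYN and falls back to the RFC 1122 default MSS of 536 bytes when the MSS option is absent, then clamps the result to what the local interface can carry so that segmentation offload is never handed an oversized segment. The option byte strings are constructed for the example, not captured traffic, and the interface MTU is an assumed parameter.

```python
"""Pick the MSS for a flow from the options carried in its SYN.

Added example, not F5 code.  A SYN may carry options (window scale,
SACK-permitted, ...) and still omit the MSS option; RFC 1122 says the
receiver must then assume 536 bytes rather than reuse a stale value.
"""
import struct

TCP_OPT_EOL = 0
TCP_OPT_NOP = 1
TCP_OPT_MSS = 2
DEFAULT_MSS_IPV4 = 536  # RFC 1122 default when no MSS option is present
IPV4_TCP_HEADERS = 40   # minimal IPv4 + TCP header bytes to subtract from the MTU


def parse_tcp_options(options: bytes) -> dict:
    """Return {kind: value_bytes} for every well-formed option in the field.

    A bogus or truncated length stops parsing instead of reading past the
    buffer; whatever was parsed before the damage is still returned.
    """
    opts = {}
    i, n = 0, len(options)
    while i < n:
        kind = options[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= n:
            break  # kind byte without a length byte
        length = options[i + 1]
        if length < 2 or i + length > n:
            break  # length is impossible or overruns the buffer
        opts[kind] = options[i + 2 : i + length]
        i += length
    return opts


def effective_mss(options: bytes, interface_mtu: int = 1500) -> int:
    """MSS to use on a flow whose SYN carried `options` (interface_mtu assumed).

    Missing or malformed MSS option -> DEFAULT_MSS_IPV4.  The advertised value
    is then capped by the local interface so that offload never builds a
    segment larger than the wire can carry.
    """
    local_max = interface_mtu - IPV4_TCP_HEADERS
    mss_raw = parse_tcp_options(options).get(TCP_OPT_MSS)
    if mss_raw is None or len(mss_raw) != 2:
        advertised = DEFAULT_MSS_IPV4
    else:
        advertised = struct.unpack("!H", mss_raw)[0] or DEFAULT_MSS_IPV4
    return min(advertised, local_max)


# Constructed SYN option fields (not captured traffic):
SYN_OPTS_WITH_MSS = bytes([2, 4, 0x05, 0xB4,   # MSS 1460
                           1, 3, 3, 7,          # NOP, window scale 7
                           1, 1, 4, 2])         # NOP, NOP, SACK-permitted
SYN_OPTS_NO_MSS = bytes([1, 3, 3, 7, 1, 1, 4, 2])  # options present, no MSS
SYN_OPTS_TRUNCATED = bytes([2, 4, 0x05])           # MSS option cut short

if __name__ == "__main__":
    for name, field in [("with MSS", SYN_OPTS_WITH_MSS),
                        ("no MSS", SYN_OPTS_NO_MSS),
                        ("truncated", SYN_OPTS_TRUNCATED)]:
        print(f"{name:10s} -> MSS {effective_mss(field)}")
```

The point of the fallback is that an absent option is not the same as a zero or garbage value: the parser returns a defined default, and the clamp against the interface MTU keeps a peer's oversized advertisement from reaching the offload path.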


483373-1 : Incorrect bash prompt for created admin role users

Component: TMOS

Symptoms:
Users created with admin or resource-admin roles with access to bash shell might show an incorrect prompt on the bash command line.

Conditions:
Created user with:
  - admin or resource-admin roles
  - Bash command line access.

Impact:
Users might see the command line prompt referring to 'root' instead of the created user.

Workaround:
None.

Fix:
The BIG-IP system now shows the correct bash prompt for admin and resource admin roles for created users on the bash command line.


483286-2 : APM MySQL database full as log_session_details table keeps growing

Component: Access Policy Manager

Symptoms:
APM stores session reporting data in "apm" MySQL database, under log_session_details table, but never does any cleanup. This causes the table to continuously grow. Eventually this consumes all disk, potentially corrupting the SQL data, and stopping services on the BIG-IP system that rely on MySQL.

Conditions:
Conditions leading to this issue include: APM is provisioned; and 350M APM sessions are created over any period of time (each row in log_session_details consumes ~20 bytes).

Impact:
The MySQL volume (12G) fills with data, potentially stopping or degrading services on the box that rely on MySQL, including ASM, AVR, APM Reporting, the Web UI, and QkView.

Workaround:
Manually clean up the log_session_details table in the MySQL database.

First, retrieve the randomly generated MySQL password per box, using the following shell command as the root user. For example,

# perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw
PjL7mq+fFJ

where PjL7mq+fFJ is the random password at MySQL installation in this example. Use this password in the following command for clean-up.

# /usr/bin/mysql -uroot -pPjL7mq+fFJ --database=apm -e "delete from log_session_details where active = 'N';"

This deletes all rows that belong to inactive sessions.


483257-2 : Cannot delete keys without extension .key (and certificates without .crt) using iControl SOAP

Component: Local Traffic Manager

Symptoms:
Cannot delete keys without extension .key (and certificates without extension .crt) using iControl SOAP.

Conditions:
You attempt to delete SSL certificates or keys without the .crt or .key extensions. Such objects may have been previously created using the tmsh utility.

Impact:
Cannot delete keys without extension .key (and certificates without extension .crt) using iControl SOAP.

Workaround:
Delete affected certificates or keys using the tmsh utility, with commands similar to the following example:

tmsh delete sys crypto cert example
tmsh delete sys crypto key example

Fix:
It is now possible to delete keys without extension .key (and certificates without extension .crt) using iControl SOAP.


483228-8 : The icrd_child process generates core when terminating

Component: TMOS

Symptoms:
A race condition in the terminate handler of the icrd_child process causes it to crash and generate a core.

Conditions:
This is an intermittent issue that is caused by a race condition.

Impact:
This does not impact functionality, but the system posts messages to icrd log similar to the following: notice icrd: 5823,14414, RestServer, INFO, Connection idle too long fd:11.

Workaround:
None.

Fix:
This release fixes an intermittent race condition in the terminate handler of the icrd_child process, so the process no longer crashes and generates a core.


483104-6 : vCMP guests report platform type as 'unknown'

Component: TMOS

Symptoms:
vCMP guests report 'unknown' as platform type.

Conditions:
This occurs on vCMP guests.

Impact:
You will be unable to remotely determine exactly which platform is being monitored.

Workaround:
None.

Fix:
vCMP guests now report bigipVcmpGuest as platform type, which is correct behavior.


482915-7 : Learning suggestion for the maximum headers check violation appears only for blocked requests

Component: Application Security Manager

Symptoms:
There are no learning suggestions for the Maximum headers sub-violation if the HTTP protocol compliance violation is in Alarm only (not in Blocking).

Conditions:
The HTTP protocol compliance violation is in Alarm only (not in Blocking), the Maximum number of headers sub-violation is enabled, a request violates the maximum number of headers (which is not blocking), and no other violation in the request is blocking.

Impact:
There will not be a learning suggestion for this violation and no automated learning will happen for the number of headers.

Workaround:
This issue has no workaround at this time.

Fix:
Previously, manual learning of the sub-violation Maximum number of headers happened only for blocked requests. The system now produces learning suggestions for the Maximum number of headers sub-violation even if the HTTP protocol compliance violation is in Alarm only (not in Blocking).


482699-2 : VPE displaying "Uncaught TypeError"

Component: Access Policy Manager

Symptoms:
VPE displaying "Uncaught TypeError"

Conditions:
While editing in Google Chrome version 37 or later.

Impact:
It is very hard to edit the VPE in Chrome.

Workaround:
Use a different browser.

Fix:
Visual policy editor works correctly on Google Chrome.


482436-9 : BIG-IP processing of invalid SIP request may result in high CPU utilization

Component: Service Provider

Symptoms:
See SOL16973: BIG-IP processing of invalid SIP request may result in high CPU utilization, available here: https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16973.html.

Conditions:
See SOL16973: BIG-IP processing of invalid SIP request may result in high CPU utilization, available here: https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16973.html.

Impact:
See SOL16973: BIG-IP processing of invalid SIP request may result in high CPU utilization, available here: https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16973.html.

Fix:
See SOL16973: BIG-IP processing of invalid SIP request may result in high CPU utilization, available here: https://support.f5.com/kb/en-us/solutions/public/16000/900/sol16973.html.


482373-5 : Can not delete and re-create a new virtual server that uses the same virtual address in the same transaction

Component: TMOS

Symptoms:
A create followed by a delete of a virtual server in a transaction fails.

Conditions:
A virtual server must be deleted in the same transaction as another virtual server being created where both share the same destination address. This applies to operations performed via iControl REST and tmsh.

Impact:
The transaction may fail.

Workaround:
Use create and delete in separate transactions.

Fix:
Transactions where virtual servers are deleted and re-created with the same virtual IP address will now complete successfully.


482269-2 : APM support for Windows 10 out-of-the-box detection

Component: Access Policy Manager

Symptoms:
APM does not support out-of-the-box detection for Windows 10 in visual policy editor configuration.

Conditions:
Windows 10, APM

Impact:
Windows 10 cannot be detected in visual policy editor rules.

Fix:
APM now supports out-of-the-box detection of Microsoft Windows 10 in visual policy editor action items, such as, Client OS and Client Type.


482266-1 : Windows 10 support for Network Access / BIG-IP Edge Client

Component: Access Policy Manager

Symptoms:
Connection fails with "Network Access Connection Device was not found." message.

Conditions:
1. Clean installation of Windows 10 (not upgrade)
OR
2. Windows has been upgraded from previous version of Windows OS and it did not have NA driver installed.

Impact:
Users running Windows 10 cannot establish a VPN connection.

Fix:
Users running on Windows 10 running the BIG-IP Edge Client will no longer see a "Network Access Connection Device was not found." error message.


482251-2 : Portal Access. Location.href(url) support.

Component: Access Policy Manager

Symptoms:
Some pages cannot be loaded in specific web applications.

Conditions:
This happens in Microsoft Internet Explorer browser-specific code that contains: Location.href(some_url).

Impact:
Web application cannot load some web pages.

Workaround:
None.

Fix:
The Microsoft Internet Explorer browser-specific code Location.href(some_url) now works correctly, so web applications can load previously unloadable web pages.


482241-5 : Windows 10 cannot be properly detected

Component: Access Policy Manager

Symptoms:
Windows 10 cannot be properly detected by BIG-IP

Conditions:
Windows 10 desktop operating system and BIG-IP APM access policy with client OS and Windows info agents.

Impact:
Windows 10 will not be detected out-of-the-box by BIG-IP client OS and Windows info agents.

Workaround:
The User-Agent header can be parsed in the access policy for Windows 10 tokens.

Fix:
Windows 10 can now be detected out-of-the-box by Client OS and Windows Info agents.


482202-2 : Very long FTP command may be ignored.

Component: Carrier-Grade NAT

Symptoms:
FTP commands are delimited with carriage returns. If the BIG-IP receives a large buffer with no carriage return, it passes the data through without inspecting for or acting on commands. Because the commands the BIG-IP acts on should be delimited within a reasonable size, this does not affect FTP behavior, and it protects the BIG-IP when large amounts of non-command data are passed across the FTP control channel.

Conditions:
If the FTP profile encounters command buffers that contain many carriage returns without valid command data, the buffers are passed on without inspection.

Impact:
Under normal conditions there is no impact. If there is invalid data followed by valid data then the valid data may be ignored.

Workaround:
Do not use the FTP profile for traffic other than FTP.

Fix:
The FTP profile no longer processes invalid command data.
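The failure mode in this entry (valid commands following a run of non-command data being ignored) comes down to how a control-channel scanner buffers and delimits lines. The following Python is an added example, not F5 code, of a scanner that acts only on complete CRLF-terminated lines that look like FTP commands (RFC 959 terminates commands with CRLF), passes other lines through untouched, and flushes an unterminated remainder once it exceeds a size cap while continuing to scan the data that follows. The 512-byte cap, the event tuple shapes and the sample byte strings are assumptions constructed for the example.

```python
"""Line-delimited FTP control-channel scanner (added example, not F5 code)."""
import re

MAX_CMD_LINE = 512  # assumed cap: no legitimate command line is this long

# An FTP command is a 3-4 letter verb, optionally followed by one space and an argument.
FTP_VERB = re.compile(rb"^([A-Za-z]{3,4})(?: (.*))?$")


class FtpCommandScanner:
    """Feed control-channel bytes in any chunking; get back what to act on."""

    def __init__(self, max_line: int = MAX_CMD_LINE):
        self.buf = b""
        self.max_line = max_line

    def feed(self, data: bytes) -> list:
        """Return events for the data received so far.

        ("cmd", VERB, arg)        -- a well-formed command line, safe to act on
        ("passthrough", bytes)    -- a non-command line, or oversized unterminated data
        """
        self.buf += data
        events = []
        while True:
            idx = self.buf.find(b"\r\n")
            if idx < 0:
                break
            line, self.buf = self.buf[:idx], self.buf[idx + 2:]
            m = FTP_VERB.match(line)
            if m and len(line) <= self.max_line:
                verb = m.group(1).upper().decode("ascii")
                arg = (m.group(2) or b"").decode("latin-1")
                events.append(("cmd", verb, arg))
            else:
                events.append(("passthrough", line + b"\r\n"))
        # An unterminated remainder longer than any legal command line is not a
        # command: pass it through now instead of buffering it forever, but keep
        # the scanner alive so valid lines arriving afterwards are still seen.
        if len(self.buf) > self.max_line:
            events.append(("passthrough", self.buf))
            self.buf = b""
        return events


def scan_chunks(chunks) -> list:
    """Run one scanner over a sequence of chunks and concatenate the events."""
    scanner = FtpCommandScanner()
    events = []
    for chunk in chunks:
        events.extend(scanner.feed(chunk))
    return events


# Constructed sample traffic (not a capture): garbage, then real commands.
SAMPLE_CHUNKS = [b"x" * 600, b"USER bob\r\n", b"PA", b"SS s3cret\r\nQUIT\r\n"]

if __name__ == "__main__":
    for ev in scan_chunks(SAMPLE_CHUNKS):
        print(ev[0], ev[1] if ev[0] == "cmd" else f"{len(ev[1])} bytes")
```

Flushing only the oversized remainder, rather than the whole buffer, is what keeps "USER bob" visible after the 600 bytes of junk; a scanner that discards everything it has seen up to the next delimiter would reproduce the ignored-command behavior described above.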


482177-2 : Accessing Sharepoint web application portal interferes with IdP initiated SAML SSO

Component: Access Policy Manager

Symptoms:
Accessing the SharePoint web application portal first, with SSO configured for path /* (as part of the portal access resource item), breaks IdP-initiated Security Assertion Markup Language (SAML) single sign-on (SSO).

Conditions:
A SharePoint Portal Access resource and a SAML resource are both on the full webtop. Accessing the SharePoint application by clicking the SharePoint icon on the full webtop first, and then the SAML resource, causes SAML SSO to break.

Impact:
End user will see 404 NotFound page.

Workaround:
Disable SSO to Portal Access application SharePoint.

Fix:
Accessing a SAML resource on the webtop after a SharePoint resource no longer causes SSO to break.


482145-4 : Text in buttons not centered correctly for higher DPI settings

Component: Access Policy Manager

Symptoms:
When high DPI settings are used in Windows, text in buttons is not centered correctly and may run outside the boundaries of the buttons.

Conditions:
User interface is displayed and user has set a higher DPI setting for Windows.

Impact:
Button text does not look correct.

Workaround:
Set DPI settings back to default.

Fix:
Buttons are now correctly scaled for Windows DPI setting.


482134-6 : APD and APMD cores during shutdown.

Component: Access Policy Manager

Symptoms:
When apd and apmd shutdown while they are still processing, the system cores while accessing policy configuration data.

Conditions:
This occurs with a second apd or apmd process while an apd or apmd process is already running. The second apd or apmd process goes down (because one process is already up).

Impact:
During this shutdown process, the system cores.

Workaround:
None.

Fix:
APD and APMD no longer core during shutdown of a second occurrence of APD or APMD.


481844-4 : tmm can crash and/or use the wrong CRL in certain conditions

Component: Local Traffic Manager

Symptoms:
tmm can crash and/or use the wrong certificate revocation list (CRL) in certain conditions.

Conditions:
Several client-ssl profiles are configured with different CRLs. Then, either the CRLs are configured or the client-ssl profiles are deleted.

Impact:
tmm might crash and/or use the wrong CRL. Traffic disrupted while tmm restarts.

Fix:
When adding and deleting multiple client-ssl profiles configured with differing certificate revocation lists (CRLs), tmm no longer crashes and/or uses the wrong CRL.


481806-4 : Java Runtime Environment vulnerability CVE-2013-4002

Vulnerability Solution Article: K16872


481696-5 : Failover error message 'sod out of shmem' in /var/log/ltm

Component: TMOS

Symptoms:
You might see a failover error message 'sod out of shmem' in /var/log/ltm.

Conditions:
The conditions under which this occurs vary based on the configured shared memory usage.

Impact:
Failover might not function fully. System posts the message 'err sod[6300]: 01140003:3: Out of shmem, increment amount' in /etc/ha_table/ha_table.conf.

Workaround:
Manually modify /etc/ha_table/ha_table.conf as follows: Change this line: 'ha segment path: /sod table pages: 2' to this: 'ha segment path: /sod table pages: 4'. Save the file and reboot the system.

Fix:
Amount of shmem for sod has been increased.


481677-5 : A possible TMM crash in some circumstances.

Component: Local Traffic Manager

Symptoms:
If TCP::close is called during the SSL handshake, TMM might crash.

Conditions:
TCP::close is called during an SSL handshake.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
When closing the connection before or during an SSL/TLS handshake, use the "drop" or "reject" command instead of the TCP::close command.

Fix:
TMM no longer produces a core file when the TCP::close iRule command is executed during an SSL handshake.


481476-10 : MySQL performance

Component: Application Security Manager

Symptoms:
MySQL usage would spike to 100% for extended periods of time.

Conditions:
Occurs after several thousand policy configuration changes have been made to the system.

Impact:
Slow ASM GUI pages.

Workaround:
There is no workaround at this time.

Fix:
A MySQL performance issue was fixed.


481216-5 : Fallback may be attempted incorrectly in an abort after an Early Server Response

Component: Local Traffic Manager

Symptoms:
After an Early Server Response, the BIG-IP system might attempt to generate a fallback response if an error occurs. However, the response has already partially egressed, so this does not work correctly.

Conditions:
Fallback configured or enabled by an iRule. An early server response triggers an error that leads to an Abort being raised. The Abort triggers a fallback response inappropriately.

Impact:
The server-side might read HTTP data structures after they have already been freed. A fallback can be generated on the server-side, leading to a use-after-free if the client side has already aborted.

Fix:
A fallback response is no longer inappropriately generated after an error after an Early Server Response.


481162-6 : vs-index is set differently on each blade in a chassis

Component: Local Traffic Manager

Symptoms:
The vs-index field on virtual servers differs on each blade in a chassis.

Conditions:
This occurs on chassis systems when creating a virtual server on a multi-blade VIPRION and on multi-blade vCMP guests.

Impact:
The recently created virtual server holds different vs_index across blades (typically, the virtual servers differ by one, when compared with the active blade). From that point on, every newly created virtual server carries that inconsistency, so that vs-index is set differently on each blade in a chassis.

Workaround:
Follow the procedure in SOL13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/kb/en-us/solutions/public/13000/000/sol13030.html) to clear the configuration cache and reload configuration after reboot.

Fix:
The vs-index is now the same on each blade in a chassis on a multi-blade VIPRION and on multi-blade vCMP guests.


481089-6 : Request group incorrectly deleted prior to being processed

Component: TMOS

Symptoms:
After performing a full sync, sometimes the BIG-IP systems remain out of sync.

Conditions:
A full sync must be performed. There must be more than one active connection to mcpd, and one of them must get disconnected before the sync completes.

Impact:
The BIG-IP systems remain out of sync even after a sync operation.

Workaround:
There are two possible workarounds:
1. Reset device trust and then re-associate peer devices.
2. Set the sync leader using the following tmsh command. (You might need to run the command more than once, until the cid.id of the lagging device is equal to or greater than that of the peer unit.)

tmsh modify cm device-group fail_over_group_name devices modify { name_of_standby_device { set-sync-leader } }

Note: You can run the following command from the active device to view any cid.id mismatch and to see whether further set-sync-leader commands are necessary: 'tmsh run cm watch-devicegroup-device'.

Fix:
After performing a full sync, BIG-IP systems remain in sync as expected, even when active mcpd connections are deleted before the sync completes.


481003-1 : 'General database error' trying to view Local Traffic :: Pools :: Pool List.

Component: TMOS

Symptoms:
'General database error' trying to view Local Traffic :: Pools :: Pool List.

Conditions:
Be in the Nodes List section with columns ordered by Address, and then navigate to Local Traffic :: Pools :: Pool List.

Impact:
Cannot view pool list. System posts 'General database error'.

Workaround:
Order the Nodes List by a column other than Address.

Fix:
'General database error' no longer occurs when trying to view Local Traffic :: Pools :: Pool List from Nodes List when the nodes are sorted by address.


480817-4 : Added options to troubleshoot client by disabling specific features

Component: Access Policy Manager

Symptoms:
It is impossible to turn off specific features on specific clients for troubleshooting purposes.

Conditions:
Always, when using the Edge Client.

Impact:
Lack of these options made client troubleshooting difficult as the options could only be set on the server.

Fix:
Added the following features:

DWORD key                          Default value   HKLM only
------------------------------------------------------------------
UseLocalProxy                      false           yes
EnableEdgeClientUpdate             true            yes
EnableWebComponentsUpdate          true            yes
EnableDTLSTransport (Bug484847)    true            no
EnableNACompression                true            no
EnableOptimizedTunnelCompression   true            no
SessionChecksInterval              10000           no
------------------------------------------------------------------
("false" == 0, "true" == any value except 0)

Key: HKLM (or HKCU)\Software\F5 Networks\RemoteAccess

A zero value for SessionChecksInterval disables this feature completely.
"HKLM only" means that the feature can only be enabled/disabled by a value located under the HKLM sub-tree; features marked "no" can be disabled using either HKLM (Local Machine) or HKCU (Current User).

CLIENT control channel is not yet implemented


480761-2 : Fixed issue causing TunnelServer to crash during reconnect

Component: Access Policy Manager

Symptoms:
TunnelServer may crash in rare conditions during reconnect.

Conditions:
The crash may happen when the PC wakes up after hibernation.

Impact:
User sees confusing message about crashed TunnelServer.

Workaround:
This issue has no workaround at this time.

Fix:
Fixed issue that caused TunnelServer to crash during reconnect.


480370-7 : Connections to virtual servers with port-preserve property will cause connections to leak in TMM

Component: Local Traffic Manager

Symptoms:
Connections leak, exhausting the memory over time and causing TMM to re-start.

Conditions:
Virtual server with port-preserve setting. Tunneled APM connections in a CMP environment (many TMM processes).

Impact:
TMM process re-starts causing traffic disruption. Low performance is also seen due to the high number of leaked connections.

Workaround:
None.

Fix:
The internal listeners that are created to forward the connections between TMM processes are now deleted when no longer needed, so new connections are not created, which prevents a memory leak.


480311-4 : ADAPT should be able to work with OneConnect

Component: Service Provider

Symptoms:
The request-adapt and response-adapt profiles are unable to work with the OneConnect profile, and so those combinations are not allowed in the same virtual server.

Conditions:
Attempt to combine request-adapt or response-adapt profile with OneConnect profile on the same virtual server.

Impact:
When adaptation is being used, the connection cannot be kept open and reused for multiple HTTP transactions.

Fix:
The OneConnect profile can be combined with either or both of request-adapt and response-adapt profiles on a virtual server. Both client and server HTTP connections are reused.


480272-8 : During OAM SDK initialization, ObConfig initialization returns wrong accessgate ID

Component: Access Policy Manager

Symptoms:
OAM ObConfig initialization returns the wrong accessgate ID, which results in EAM setting the wrong domain for the ObSSOCookie.

Conditions:
After a network connection failure with the backend OAM server, ObConfig initialization returns the previous AccessGate ID.

Impact:
The impact of this issue is that ObConfig initialization returns the wrong accessgate ID.

Workaround:
This issue has no workaround at this time.

Fix:
AccessGate init should now fail initialization and retry in case of an AccessGate ID mismatch. If all retries fail, then the AccessGate remains uninitialized. The administrator should clear the config cache for all the AccessGates and restart the EAM process.


480242-7 : APD, APMD, MCPD communication error failure now reported with error code

Component: Access Policy Manager

Symptoms:
When an unexpected error is received during communication between apd, apmd, and mcpd, it throws an exception.

Conditions:
Rarely reproducible, failed communication between apd, apmd, and mcpd.

Impact:
The system cores without an error code indicating the reason. This hampers finding the actual cause for the error.

Workaround:
None.

Fix:
Now, when an error occurs, the system prints an error code in HEX, which facilitates finding the reason for the error.


480119-5 : Vague error - Error ERR_BOUNDS connflow ... processing pullup of control message.

Component: Carrier-Grade NAT

Symptoms:
PPTP filter emits a vague error message in the ltm log, for example: 'Error ERR_BOUNDS connflow 74.14.223.32:1723 -- 121.54.54.11:34976 processing pullup of control message,' or
'Error ERR_BOUNDS connflow 65.93.152.110:1723 -- 121.54.54.11:2004 processing egress message.'

Conditions:
PPTP ALG is configured. CGNAT is configured. Non-PPTP traffic is being directed to port 1723.

Impact:
These messages are cosmetic only, and can be ignored safely, but may indicate that another protocol is using port 1723.

Workaround:
None.

Fix:
Error ERR_BOUNDS loglevel has changed from ERR to DEBUG, which is correct behavior.


479682-5 : TMM generates hundreds of ICMP packets in response to a single packet

Component: Local Traffic Manager

Symptoms:
TMM generates hundreds of ICMP packets in response to a single packet.

Conditions:
This occurs on a VIP2VIP configuration when the server on the second virtual server becomes unreachable.

Impact:
tmm sends hundreds of ICMP packets to the client upon receiving single packet from client.

Fix:
TMM no longer generates hundreds of ICMP packets when the server on the second virtual server in a VIP2VIP configuration becomes unreachable.


479553-6 : Sync may fail after deleting a persistence profile

Component: TMOS

Symptoms:
After syncing configuration, the following error occurs:
'One or more persistence attributes are incompatible with the persistence mode for profile'.

Conditions:
This happens if automatic sync is disabled on a device group and a user both creates and deletes a persistence profile before manually syncing the configuration.

Impact:
Peer boxes fail to load the configuration.

Workaround:
There are two possible workarounds:
1. Perform a full sync instead of an incremental sync.
2. Create the profile, then perform a sync, then delete the profile and perform a separate sync.

Fix:
This was an invalid error case being handled internally and was removed.


479543-8 : Transaction will fail when deleting pool member and related node

Component: TMOS

Symptoms:
Removing a pool and the related nodes in the same transaction will fail. It will output an error message similar to the following:

01070110:3: Node address '/Common/12.33.22.2' is referenced by a member of pool '/Common/mypool'.

Conditions:
Create a pool, add a single pool member (which creates the associated node). If you then delete the pool and node in the same transaction, the transaction will fail.

Impact:
A pool and related nodes cannot be deleted within the same transaction.

Workaround:
If you delete the pool and nodes in 2 separate transactions, the process will succeed.

Fix:
The pool-member reference check for the node was moved to a later stage of validation, allowing the pool and pool members to be updated/deleted. This ensures that when the delete code for the node checks for references from a pool, there will be none.
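The fix above is a validation-ordering change: the node's reference check runs after the rest of the transaction has been staged, so the pool delete has already taken effect when the node is checked. The following Python is an added example, not F5 or MCP code, that models the two orderings on a toy configuration: checking node references against the pre-transaction state rejects "delete pool; delete node", while staging every operation first and checking references against the staged state accepts it and still rejects a transaction that would leave a pool member pointing at a deleted node. The `Config` class, the operation tuples and the starting configuration are constructed for the example; the pool and node names are taken from the log line above.

```python
"""Deferred reference validation for a delete-pool + delete-node transaction.

Added example, not F5 code.  Models the ordering described in ID 479543-8.
"""
import copy


class DanglingReference(Exception):
    """Transaction would leave a pool member pointing at a missing node."""


class Config:
    """Toy configuration: a set of node addresses and pools of member addresses."""

    def __init__(self, nodes=(), pools=None):
        self.nodes = set(nodes)
        self.pools = {name: set(members) for name, members in (pools or {}).items()}

    def pools_referencing(self, addr):
        return sorted(name for name, members in self.pools.items() if addr in members)

    def summary(self):
        return (sorted(self.nodes), sorted(self.pools))


def _stage(cfg, ops):
    """Apply every operation to a copy of cfg, with no reference checks at all."""
    staged = copy.deepcopy(cfg)
    for op, arg in ops:
        if op == "delete_pool":
            staged.pools.pop(arg, None)
        elif op == "delete_node":
            staged.nodes.discard(arg)
        else:
            raise ValueError(f"unknown op {op!r}")
    return staged


def _check_references(state, deleted_nodes):
    """Reject if any deleted node is still a pool member in `state`."""
    for addr in deleted_nodes:
        refs = state.pools_referencing(addr)
        if refs:
            raise DanglingReference(
                f"01070110:3: Node address '{addr}' is referenced by a member of pool '{refs[0]}'.")


def commit_prevalidated(cfg, ops):
    """Old ordering: node deletes are checked against the pre-transaction state,
    where the pool still exists, so the combined delete is rejected."""
    deleted = [arg for op, arg in ops if op == "delete_node"]
    _check_references(cfg, deleted)
    return _stage(cfg, ops).summary()


def commit_deferred(cfg, ops):
    """Fixed ordering: stage everything, then check references against the
    staged state, where the pool delete has already taken effect."""
    staged = _stage(cfg, ops)
    deleted = [arg for op, arg in ops if op == "delete_node"]
    _check_references(staged, deleted)
    return staged.summary()


def rejects(commit_fn, cfg, ops) -> bool:
    """True if commit_fn refuses the transaction with DanglingReference."""
    try:
        commit_fn(cfg, ops)
    except DanglingReference:
        return True
    return False


# Constructed starting configuration; names from the error message in this entry.
BASE = Config(nodes={"/Common/12.33.22.2"},
              pools={"/Common/mypool": {"/Common/12.33.22.2"}})
TXN = [("delete_pool", "/Common/mypool"), ("delete_node", "/Common/12.33.22.2")]

if __name__ == "__main__":
    print("pre-validated rejects:", rejects(commit_prevalidated, BASE, TXN))
    print("deferred result:", commit_deferred(BASE, TXN))
```

Deferring the check does not weaken it: the staged state is still inspected before anything is committed, so a transaction that deletes only the node is refused by both orderings.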


479460-4 : SessionDb may be trapped in wrong HA state during initialization

Component: TMOS

Symptoms:
An error case may happen on the BIG-IP system if the following conditions are met:

1. There are two BIG-IP systems configured as inter-cluster HA.
2. These two BIG-IP systems are multi-blade chassis systems.
3. A master record with independent subkeys is added to SessionDB.

The observed symptom is that you can explicitly delete such a master record, but the auto-expiration mechanisms (timeout and lifetime) do not work on it, and the record lives forever until it is explicitly deleted.

Conditions:
Inter-chassis mirroring
Chassis w/ multiple blades

Impact:
An inconsistent state between systems can cause persistence entries to never time out.

This will impact CGNAT records stored in SessionDB such as persistence records and PBA blocks.


479451-2 : Different Outlook users with same password and client IP are tied to a single APM session when using Basic auth

Component: Access Policy Manager

Symptoms:
Different Outlook users are tied to a single APM session.

Conditions:
Users have identical passwords and come from the same client IP address.

Impact:
The impact of this issue is APM does not validate Outlook credentials.

Workaround:
This issue has no workaround at this time.

Fix:
APM correctly validates Outlook credentials and creates new APM session for users that come from the same IP and have identical passwords.


479334-4 : monpd/ltm log errors after Hotfix is applied

Component: Application Visibility and Reporting

Symptoms:
When you apply a hotfix on an already configured and working volume, many errors are logged in the monpd/ltm logs.

Conditions:
Applying a hotfix to a configured and working volume.

Impact:
None; the errors are cosmetic and benign.

Workaround:
Run the following commands:
1. mysql -p`perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw` AVR < /var/avr/avr_srv_code.sql
2. bigstart restart monpd


479147-5 : Cannot create VXLAN tunnels with the same local-address and different multicast addresses.

Component: TMOS

Symptoms:
MCP throws a validation error when attempting to create VXLAN tunnels with the same local-address and different multicast addresses.

Conditions:
Create VXLAN tunnels with the same local-address and different multicast addresses.

Impact:
Cannot create VXLAN tunnels with the same local-address and different multicast addresses.

Workaround:
Use a different local-address for each multicast group when creating multicast VXLAN tunnels.

Fix:
Can create VXLAN tunnels with the same local-address and different multicast addresses.

Behavior Change:
You can now create multicast VXLAN tunnels with the same local-address and different multicast addresses.


479142-8 : Deleting a virtual server does not delete the resource record (RR) in ZoneRunner Daemon (ZRD)

Component: Global Traffic Manager

Symptoms:
The resource record (RR) in ZoneRunner Daemon (ZRD) is not deleted when the associated Virtual Server is deleted from the Global Traffic Manager (GTM) server object.

Conditions:
Conditions that lead to this issue include a GTM server object with a Virtual Server; a pool with the above virtual server; a wideip using the above pool as resources; and deleting the virtual server from the GTM server object.

Impact:
BIND will contain and return RRs that were intended to be deleted.
The RR is orphaned and could only be deleted manually from ZRD.

Workaround:
To work around this issue, you can delete the GTM server associated with the virtual server to be deleted, but this also deletes the other associated virtual servers. Alternatively, you can manually delete the RR in ZRD.

Fix:
Deleting a virtual server now correctly deletes the resource record (RR) in ZoneRunner Daemon (ZRD).


479084-3 : ZoneRunner can fail to respond to commands after a VE resume.

Component: Global Traffic Manager

Symptoms:
The ZoneRunner GUI can become unresponsive after a VE resume.

Conditions:
This is due to the "lo:" interface not being recreated during the resume processing.
ZoneRunner relies on this interface to communicate with the on box BIND server.

Impact:
ZoneRunner cannot create, modify, delete, or query records from the on-box BIND server.

Workaround:
Restart ZoneRunner after a VE resume with the following command:

bigstart restart zonerunner

Fix:
ZoneRunner now uses the tmm0 interface to communicate with BIND.


478812-4 : DNSX Zone Transfer functionality preserved after power loss

Component: Local Traffic Manager

Symptoms:
Zone transfer daemon, zxfrd, will restart endlessly until it is stopped. On the console there will be emergency system alerts every few seconds saying that zxfrd is restarting. Because of the frequency of these alerts, it will be impossible to use the console for anything.

In addition, zone transfers initiated by the BIG-IP will not succeed.

Conditions:
If BIG-IP loses power in the middle of a DNS zone transfer, zone data may be corrupted upon booting up. This results in a nonfunctional zxfrd.

Impact:
The BIG-IP will not be able to transfer zone data from other servers and the TMOS console will be unusable until zxfrd is stopped.

Workaround:
Run the following commands in the console of your affected BIG-IP:

bigstart stop zxfrd
cd /var/db && rm -f tmmdns.bin zxfrd.bin
bigstart start zxfrd

Fix:
With this fix, zone data is no longer susceptible to corruption from power loss.


478734-4 : Incorrect 'FIPS import for failed for key' failure when operation actually succeeds

Component: Local Traffic Manager

Symptoms:
Incorrect debug failure log.

Conditions:
Found internally by test, conditions for this issue are unknown.

Impact:
False failure logged.

Workaround:
None.

Fix:
Fix debug failure log found by internal F5 testing.


478674-10 : ASM internal parameters for high availability timeout were not handled correctly

Component: Application Security Manager

Symptoms:
The internal parameters bd_hb_interval and bd_hb_interval_low_platforms are not handled correctly and a different value is registered against the high availability (HA) system. This causes the system to have faster than expected failovers. Also, when bypass asm is turned on and a bigstart restart asm was applied, a failover happens.

Conditions:
Two possible conditions:
1. An internal parameter is configured for the timeout to the HA system, and ASM does not send a lifesign to the HA system for 10 seconds (instead of the configured time).
2. The bypass asm internal parameter is applied and a bigstart restart asm happens.

Impact:
A failover happens.

Workaround:
This issue has no workaround at this time.

Fix:
We fixed internal parameter processing for the high availability lifesign timeout.


478617-7 : Don't include maximum TCP options length in calculating MSS on ICMP PMTU.

Component: Local Traffic Manager

Symptoms:
TCP segment size is 40 bytes less.

Conditions:
ICMP implementation using Path MTU (PMTU)

Impact:
The impact of this issue is less data per TCP segment.

Workaround:
Disable Path MTU Discovery by running the following command:

tmsh modify sys db tm.enforcepathmtu value disable

Fix:
BIG-IP no longer includes maximum TCP options length in calculating MSS on ICMP PMTU.


478592-5 : When using the SSL forward proxy feature, clients might be presented with expired certificates.

Component: Local Traffic Manager

Symptoms:
When SSL forward proxy feature is enabled, the certificates cached might not expire at the right time resulting in expired certificates being presented to the clients.

Conditions:
When using the SSL forward proxy feature.

Impact:
Incorrect certificates are presented to the clients.

Workaround:
Manually delete the cached certs listed by the command: show ltm clientssl-proxy cached-certs.

Fix:
Cached certificates are now handled correctly.


478492-5 : Incorrect handling of HTML entities in attribute values

Component: Access Policy Manager

Symptoms:
If an HTML tag attribute contains HTML entities inside its value, this value may not be processed correctly by Portal Access.

Conditions:
For example, if a form action begins with '&#x2f;' instead of '/', it is rewritten, although an absolute action path should be left untouched. This leads to incorrect behavior of the web application.

Impact:
Web application may not work correctly.

Workaround:
This issue has no workaround at this time.

Fix:
Now HTML tag attributes with HTML entities inside their values are processed correctly.


478470 : AFM Online Help updated: DoS Detection Threshold Percentage

Component: Advanced Firewall Manager

Symptoms:
AFM Online Help was not updated after 11.4.0 to reflect a change in behavior. Prior to 11.4.0 the DoS Detection Threshold Percentage function would drop packets if an attack was detected. This was regarded as unintuitive when there was a separate rate-limit configuration element that customers could use to drop traffic when an attack was detected.

Conditions:
Anyone referring to OLH for a DoS vector Threshold Percentage Increase.

Impact:
Inaccurate description of feature behavior.

Workaround:
Disregard erroneous information in OLH.

Fix:
AFM Online Help has been updated to reflect a change in behavior in the DoS Detection Threshold Percentage. After 11.4.0 the DoS Detection Threshold Percentage function no longer drops packets if an attack was detected. OLH now reflects this.


478439-5 : Unnecessary re-transmission of packets on higher ICMP PMTU.

Component: Local Traffic Manager

Symptoms:
LTM re-transmits TCP segments even when ICMP Path maximum transmission unit (PMTU) is higher than existing MTU.

Conditions:
ICMP PMTU is higher than existing MTU.

Impact:
Burst traffic generated.

Workaround:
Disable Path MTU Discovery by entering the command: tmsh modify sys db tm.enforcepathmtu value disable.

Fix:
Fixed unnecessary re-transmission of packets on higher ICMP Path maximum transmission unit (PMTU).


478399-6 : PEM subscriber sessions are created without a PEM license if the "radiusLB-subscriber-awre" profile is configured.

Component: Policy Enforcement Manager

Symptoms:
If LTM virtual server has the RADIUS profile 'radiusLB-subscriber-awre' configured, the PEM subscriber session will be created, even if the BIG-IP system is not licensed for PEM, which can cause 100% TMM usage due to the overhead of processing RADIUS messages.

Conditions:
The RADIUS profile 'radiusLB-subscriber-awre' is configured on the LTM virtual server for non-PEM configurations.

Impact:
100% TMM usage due to PEM subscriber session being created, even when the BIG-IP system is not licensed for the PEM module.

Workaround:
The workaround is to avoid the misconfiguration by not associating the RADIUS profile 'radiusLB-subscriber-awre' to LTM virtual servers for non-PEM configurations, such as when there is no PEM license for the BIG-IP system.

Fix:
A validation has been added to prevent the RADIUS profile 'radiusLB-subscriber-awre' from being mistakenly associated with the LTM virtual server, when the BIG-IP system is not licensed for PEM.


478351-2 : Changing management IP can lead to bd crash

Component: Application Security Manager

Symptoms:
A bd crashes after a management IP change.

Conditions:
A remote logger is configured, traffic volume is high, and the management IP configuration is changed.

Impact:
The impact of this issue is a system outage as the bd restarts.

Workaround:
This issue has no workaround at this time.

Fix:
We fixed a crash that could happen when management IP configuration was changed.


478333-4 : Edge Client shows an error about a corrupted config file when the user's profile and temp folders are located on different partitions

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Windows shows an error about a corrupted config file when the user's profile and temp folders are located on different partitions.

Conditions:
Edge Client for Windows.
User's profile and temp folders are located on different partitions.

Impact:
Configuration will not be saved.

Fix:
Now BIG-IP Edge Client for Windows correctly handles a profile located on a different partition.


478257-6 : Unnecessary re-transmission of packets on ICMP notifications even when MTU is not changed

Component: Local Traffic Manager

Symptoms:
Packets are re-transmitted on ICMP 'fragmentation needed' messages.

Conditions:
Multiple ICMP Destination Unreachable with Fragmentation needed code messages.

Impact:
Burst traffic generated.

Workaround:
Disable Path MTU Discovery by running the following command:

tmsh modify sys db tm.enforcepathmtu value disable

Fix:
BIG-IP no longer re-transmits packets if the MTU is not changed.


478215-5 : The command 'show ltm pool detail' returns duplicate members in some cases

Component: TMOS

Symptoms:
The command "show ltm pool <poolname> detail" may show duplicate pool members in some conditions.

Conditions:
The conditions required are that the same IP address must be used for multiple members and one member must have :0 port.

Impact:
Redundant pool members listed when running the command.

Workaround:
This issue has no workaround at this time.

Fix:
'show ltm pool detail' no longer returns duplicate entries for members where their IP matches that of another member whose port is 'any'.


477898-2 : Some strings on BIG-IP APM EDGE Client User Interface were not localized

Component: Access Policy Manager

Symptoms:
Some text in internationalized Edge Client was still shown in English.

Conditions:
Use of internationalized edge client

Impact:
Some strings were displayed in English instead of localized language.

Workaround:
None.

Fix:
BIG-IP APM Edge Client User Interface Translation has been updated. UI messages and labels have now been translated into several languages.


477795-4 : SSL profile passphrase may be displayed in clear text on the Dashboard

Component: Access Policy Manager

Symptoms:
Whenever there is a configuration change, it is indicated by a red dot in the dashboard. When the user clicks on it they can see the SSL passphrase, passwords, etc.

Conditions:
This happens whenever there is a config change event.

Impact:
Visible to any user who may not have the permission to see it

Workaround:
None.

Fix:
Now, passphrases, secrets, passwords, and so on, do not display in clear text and appear as "*****".


477789-2 : SSL Certificate can accommodate & (ampersand) in the Common Name, Organization Name, Division and SAN.

Component: TMOS

Symptoms:
When an & (ampersand) character is entered for Common Name, Organization Name, Division or SAN in an SSL Certificate, the ampersand is escaped and replaced with an &amp; string.

Conditions:
Create or renew an existing certificate with an ampersand in the Common Name, Organization Name, Division, or SAN.

Impact:
The system escapes the ampersand as an &amp; string, so certificates generated for names such as AT&T do not work as expected.

Fix:
The system now correctly converts the '&' (ampersand) character in the Certificate and ensures that the Peer Device process is still operating.


477281-9 : Improved XML Parsing

Component: TMOS

Symptoms:
With certain requests, XML parsing returns the wrong document.

Conditions:
A certain set of parameters are sent to pages which utilize DocumentBuilderFactory to process and return XML documents.

Impact:
The document that was requested is not returned. Another document is returned instead.

Workaround:
None.

Fix:
XML Parser configuration was changed to ensure only correct documents are returned to all requests.


477278-11 : XML Entity Injection vulnerabilities CVE-2014-6032 and CVE-2014-6033

Vulnerability Solution Article: K15605


477274-12 : Buffer Overflow in MCPQ

Vulnerability Solution Article: K16196


477218-6 : Simultaneous stats query and pool configuration change results in process exit on secondary.

Component: TMOS

Symptoms:
Simultaneous stats query and pool configuration change results in process exit on secondary.

Conditions:
Running parallel operations in tmsh/GUI or multiple tmsh operations on pool objects. For example, running 'tmsh show' command while simultaneously updating the monitor on the pool in the GUI.

Impact:
The primary restarts, and the slot goes down, resulting in potential traffic impact. The ltm logs display error messages similar to the following:
err mcpd[29041]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested pool (/Common/CYBS-P-UBC-43) was not found.
notice mcpd[8487]: 0107092a:5: Secondary slot 1 disconnected.

Workaround:
Use the absolute name of the pool in the tmsh command: /partition_name/pool_name.

Fix:
TMSH command now automatically issues the absolute path by using the context for the current connection to MCPd, so there are no MCPd restarts in this case.


477195-1 : OSPFv3 session gets stuck in loading state

Component: Local Traffic Manager

Symptoms:
When running tmsh ipv6 ospf neighbor, you see one or more neighbors stuck at Loading. Other adjacent network equipment might report the neighbor at Full.

Conditions:
This occurs when using OSPFv3

Impact:
Neighbor discovery fails to complete

Fix:
OSPFv3 sessions no longer get stuck in loading state.


477064-5 : TMM may crash in SSL

Component: Local Traffic Manager

Symptoms:
When SSL is configured in TMM, a crash might occur if events happen in a specific (unknown) order.

Conditions:
ClientSSL is configured on a virtual.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.

Fix:
The TMM exit and restart that occurred in certain circumstances when processing SSL traffic has been fixed.


476476-9 : Occasional inability to cache optimized PDFs and images

Component: WebAccelerator

Symptoms:
Restarting the datastor service can result in some optimized PDFs or optimized images becoming un-cacheable.

Conditions:
If WAM has a handle to cached content in datastor which no longer exists because datastor restarted or evicted it, and if this content is an image or PDF which WAM optimized, and if two requests for such content arrive on the same TCP connection, the second can get incorrectly cached such that it can not be served or replaced until tmm is restarted.

Impact:
Certain URLs become uncacheable, thus reducing effectiveness of WAM.

Workaround:
Disable client keep-alive in the HTTP profile (change Maximum Requests in the HTTP profile from 0 to 1)
or disable PDF linearization and image optimization.

A partial workaround is to use wa_clear_cache instead of restarting datastor to clear the cache. Content which datastor evicts might still suffer (but this is unlikely).

Fix:
Restarting datastor no longer results in the possibility of some optimized PDFs or optimized images becoming uncacheable.


476460-4 : WAM Range HTTP header limited to 8 ranges

Component: WebAccelerator

Symptoms:
When doing a request with multiple ranges, depending on the current state of the document in the cache (due to previous requests), WAM responds with 'HTTP 416 Requested range not satisfiable'.

Conditions:
Client requesting more than 8 ranges in a single HTTP Range request for a document that has an active cache record.

Impact:
The document cannot be retrieved, even with valid range values.

Workaround:
Force the document to not be cached in the Policy and to be always proxied to the OWS.

Fix:
Use the db variable Wam.Cache.Range.MaxRanges to increase the maximum number of allowed sub-ranges in an HTTP Range request. It defaults to a maximum of 8 sub-ranges, but it can be increased up to 32.


476288-5 : Tmrouted restarted after a series of creating/deleting route domains and adding/deleting protocols due to seg fault

Component: TMOS

Symptoms:
When multiple route domains and multiple routing protocols per route domain are repeatedly created and deleted, the tmrouted crashes and restarts.

Conditions:
Multiple route domains, each with multiple routing protocols, are created and deleted repeatedly at short time intervals.

Impact:
The routing information is lost and the tables need to be built again. This might cause packet loss.

Workaround:
None.

Fix:
Repeated creation and deletion of route domains and routing protocols led to a race condition between the start timer of the routing protocols and inconsistent memory state of the deleted routing protocols. This fix resolves the race condition.


476097-3 : TCP Server MSS option is ignored in verified accept mode

Component: Local Traffic Manager

Symptoms:
After enabling 'verified-accept' in the TCP profile, window scaling is not working on server side connection. More specifically, the BIG-IP system ignores window scaling from the back-end server.

Conditions:
Enabling 'verified-accept' in TCP profile.

Impact:
The BIG-IP system ignores window scaling from the back-end server.

Workaround:
Disable 'verified-accept' in the TCP profile.

Fix:
Window scaling with back-end server now works when 'verified-accept' is enabled in the TCP profile.


476038-9 : Mac Edge Client crashes on OS X 10.7 if a user adds new server using its IP address rather than DNS name

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Mac crashes on OS X 10.7 if a user adds a new server using its IP address rather than its DNS name.

Conditions:
Create an APM virtual server IP address using the Edge Client for Mac

Impact:
Edge Client crashes

Workaround:
Use DNS name rather than IP address when adding a new server.

Fix:
On BIG-IP Edge Client for Mac on OS X 10.7, a user can successfully add a new server using IP address.


476032-6 : BIG-IP Edge Client may hang for some time when disconnecting from FirePass server

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client hangs in "Disconnecting" state for some time if the backend server is FirePass.

Conditions:
FirePass server as backend

Impact:
User has to wait

Fix:
Issue fixed. Now BIG-IP Edge Client disconnects from FirePass smoothly without delays.


475819-6 : BD crash when trying to report attack signatures

Component: Application Security Manager

Symptoms:
The Enforcer rarely crashes when logging attack signatures.

Conditions:
A rare issue that happens suddenly when reporting attack signatures to the logs.

Impact:
Traffic resets, failover.

Workaround:
This issue has no workaround at this time.

Fix:
We fixed an issue that rarely caused the Enforcer to crash when logging attack signatures.


475743-2 : Improve administrative login efficiency

Vulnerability Solution Article: K92140924


475735-2 : Failed to load config after removing peer from sync-only group

Component: Access Policy Manager

Symptoms:
Load sys config fails.

Conditions:
Loading config after removing peer from sync-only device group.

Impact:
Failed to load config.

Workaround:
Remove peer device from the sync-only device group on which policy sync has been performed previously.

Fix:
A user can now load sys config even after removing the peer from the sync-only group.


475649-6 : HTTP::respond in explicit proxy scenarios may cause TMM crash due to assert

Component: Local Traffic Manager

Symptoms:
Use of HTTP::respond in HTTP_REQUEST iRule event in explicit proxy scenarios may cause TMM to assert and crash due to improper handling of HTTP::respond.

HTTP::collect does not work properly in explicit proxy scenarios.

Conditions:
This issue occurs with use of HTTP::respond or HTTP::collect in explicit proxy scenarios.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.

Fix:
HTTP::respond no longer asserts and HTTP::collect now works as expected when used from HTTP_REQUEST in explicit proxy scenarios.


475647-3 : VIPRION Host PIC firmware version 7.02 update

Component: TMOS

Symptoms:
Part numbers of current-manufacture VIPRION B4300 series blades (part numbers 400-0076-00 and 400-0077-00) are not reported correctly.

Conditions:
Affects VIPRION B4300 series blades.

Impact:
Features of current-manufacture VIPRION B4300 series blades (part numbers 400-0076-00 and 400-0077-00) may not be properly supported by the BIG-IP software.

Workaround:
None.

Fix:
VIPRION Host PIC firmware version 7.02 update now supports all expected BIG-IP software features on VIPRION B4300 blades.


475551-5 : Flaw in CSRF protection mechanism

Component: Application Security Manager

Symptoms:
Flaw in Cross-site request forgery (CSRF) protection mechanism.

Conditions:
CSRF protection is configured.

Impact:
Flaw in Cross-site request forgery (CSRF) protection mechanism.

Workaround:
None.

Fix:
Internal testing found and resolved a flaw in the CSRF mechanism.


475549-2 : Input handling error in GTM GUI

Component: Global Traffic Manager (DNS)

Symptoms:
Certain input sequences are not processed correctly in the GTM WebUI.

Conditions:
GTM provisioned

Impact:
Incorrect output from GTM UI web pages.

Fix:
Input is now processed correctly in the GTM WebUI.


475505-8 : Windows Phone 8.1 built-in browser is not properly detected by BIG-IP system.

Component: Access Policy Manager

Symptoms:
Windows Phone 8.1 built-in browser is not properly detected by the BIG-IP system.

Conditions:
Windows Phone 8.1 built-in browser.

Impact:
Built-in browser is not properly detected.

Fix:
Microsoft Windows Phone 8.1 built-in browser is now properly detected by the BIG-IP system.


475460-6 : tmm can crash if a client-ssl profile is in use without a CRL

Component: Local Traffic Manager

Symptoms:
TMM can crash if a client-ssl profile is in use without a certificate revocation list (CRL) configured.

Conditions:
A client-ssl profile is in use without a configured CRL, and the customer has an Engineering Hotfix installed that includes the fix for ID 384451.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.

Fix:
TMM no longer crashes if a client-ssl profile is in use without a certificate revocation list (CRL) configured.


475125-2 : Use of HTTP::retry may cause TMM crash

Component: Local Traffic Manager

Symptoms:
Use of HTTP::retry may cause TMM to crash in certain scenarios.

Conditions:
Use of HTTP::retry may cause TMM to crash in certain scenarios.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.

Fix:
HTTP::retry no longer causes TMM to crash.


474974-2 : Fix ssl_profile nref counter problem.

Component: Local Traffic Manager

Symptoms:
ssl_profile memory leak.

Conditions:
This occurs after several iterations of the following steps:
(1) Create ssl_profiles
(2) Use ssl_profiles to complete a number of handshake operations.
(3) Delete ssl_profiles.

Impact:
ssl_profile memory leak.

Workaround:
None.

Fix:
ssl_profile no longer leaks memory when creating and deleting a number of profiles that have completed handshake operations.


474779-2 : EAM process fails to register channel threads (MPI channel) with TMM, and subsequent system call fails.

Component: Access Policy Manager

Symptoms:
On EAM process initialization, the plugin is unable to register a thread (MPI channel) with TMM on rare occasions. A subsequent system call to end the process fails.

Conditions:
Unknown.

Impact:
EAM plugin is up but the access gates are not initialized correctly.

Workaround:
1. Establish a connection to the OAM server.
2. Run the command: bigstart stop eam
3. Clear config.cache from each access gate by deleting /config/aaa/oam/<partition_name>/<aaa_oam_obj_name>/<accessgate_name>/config.cache from the command line.
4. Run the command: bigstart restart eam

Fix:
EAM plugin initialization has been fixed; the plugin's registration with the TMM process no longer fails.


474698-5 : BIG-IP as IdP can send incorrect 'Issuer' element for some SLO requests under certain conditions.

Component: Access Policy Manager

Symptoms:
When a client initiates Single Logout (SLO) on the BIG-IP system acting as an IdP associated with multiple SP connectors, the IdP sends an SLO request message to each SP to which the user has connected within this session.

If the user has connected to multiple SPs (bound to different IdPs) within the same session, the SLO messages are sent with an 'Issuer' element referencing the name of the last IdP service the user accessed.

Conditions:
This issue occurs when:
1. BIG-IP is configured as IdP.
2. BIG-IP has more than one IdP configuration object.
3. IdP objects are assigned as resources to the same Access Policy.
4. Each IdP configuration is bound to at least one SP-connector.
5. Client initiated SLO on IdP.

Impact:
Impact is based on recipient of the message. Recipient (SP) may reject the SLO request, or process it successfully based on implementation.

Workaround:
Disable SLO on BIG-IP.


474613-2 : Upgrading from previous versions

Component: Application Visibility and Reporting

Symptoms:
Configuration upgrade from versions 11.2, 11.1, or 11.0 fails when two analytics profiles on different partitions are configured with the same remote logging server IP address.

Conditions:
Upgrading from versions 11.2, 11.1, or 11.0 when two analytics profiles on different partitions are configured with the same remote logging server IP address.

Impact:
Upgrade process fails.

Workaround:
Remove the external logging configuration on the source partition, upgrade, and then restore the configuration as needed.

Fix:
Configuration upgrade from versions 11.2, 11.1, or 11.0 now succeeds and works correctly even when two analytics profiles on different partitions are configured with the same remote logging server IP address.


474601-4 : FTP connections are being offloaded to ePVA

Component: Local Traffic Manager

Symptoms:
FTP connections are offloaded to the embedded Packet Velocity Acceleration (ePVA) hardware chip.

Conditions:
SNAT listener

Impact:
FTP data connections fail due to lack of translation in PORT commands.

Workaround:
Use FTP virtual instead of SNAT listener.

Fix:
FTP connections are no longer offloaded to ePVA hardware when traversing a SNAT listener.


474582-2 : Add timestamps to logstatd logs for Policy Sync

Component: Access Policy Manager

Symptoms:
Log messages in /var/tmp/logstatd.log used for Policy Sync do not have timestamps, which makes troubleshooting very difficult.

Conditions:
Run Policy Sync.

Impact:
Serviceability: logstatd.log used for Policy Sync does not have timestamps.

Workaround:
None.

Fix:
A timestamp is now prepended to each log message line in logstatd.log for Policy Sync.


474445-3 : TMM crash when processing unexpected HTTP response in WAM

Component: WebAccelerator

Symptoms:
TMM crash when processing unexpected HTTP response in WAM

Conditions:
Three conditions:
1. WAM enabled virtual server.
2. WAM disabled during request phase.
3. WAM enabled during response phase.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not disable WAM during request processing unless it will also be disabled during response processing. If WAM is disabled, close the connection after the response with HTTP::close to ensure it cannot be used for future requests.

Fix:
TMM no longer crashes when processing unexpected HTTP response in WAM.


474388-4 : TMM restart, SIGSEGV messages, and core

Component: Local Traffic Manager

Symptoms:
Certain conditions might produce error messages similar to the following in the core file/tmm.log:
RVAvpBigIP01 notice RIP=0x8cc872
RVAvpBigIP01 notice session_process_pending_event_callback ERROR: could not send callback to 192.168.96.27:50441 - 192.168.96.28:443 ERR_NOT_FOUND.

Conditions:
This occurs because of a race condition, for example, one between the HTTP and APM-related profiles during which an APM-profile-related action completes after the HTTP-profile closes the connection.

Impact:
Traffic disrupted while tmm restarts.

Fix:
The race condition that occurred has been fixed, so no APM-profile-related actions complete after the HTTP-profile closes the connection.


474194-4 : iControl GlobalLB::PoolMember get_all_statistics and get_monitor_association cause memory leaks

Component: TMOS

Symptoms:
iControl methods GlobalLB::PoolMember::get_all_statistics and get_monitor_association can cause memory leaks, which can quickly become problematic when querying large GTM configurations often.

Impact:
Memory leak can become very large with big configurations.

Workaround:
Restart the iControlPortal (bigstart restart httpd).

Fix:
The GlobalLB::PoolMember get_all_statistics and get_monitor_association methods no longer cause memory leaks.


474058-7 : When the BIG-IP system is configured as Service Provider, APD may restart under certain conditions

Component: Access Policy Manager

Symptoms:
When the BIG-IP system is configured as Service Provider, APD may restart under certain conditions.

Conditions:
This issue occurs when the BIG-IP system is configured as a SAML Service Provider and BIG-IP receives a signed assertion that contains empty "Reference URI" in Signature element.

Impact:
The impact of this issue is that APD restarts.

Workaround:
This issue has no workaround at this time.

Fix:
Fixed issues that caused APD to restart when the BIG-IP system is configured as a SAML Service Provider and BIG-IP receives a signed assertion that contains an empty Reference URI in the Signature element.


473685-2 : Websso truncates cookie domain value

Component: Access Policy Manager

Symptoms:
Cookies assigned during back-end authentication may not be returned to back-end servers. The failure requires that the Set-Cookie header contain a domain attribute whose value begins with a dot.

Conditions:
401 response from a back end has Set-Cookie headers containing domain assignments that begin with a dot.

Impact:
Applications protected by the above authorization may not work.

Workaround:
An iRule can be used to catch the 401 response. If it contains one or more Set-Cookie headers, check each for a domain attribute. Remove the initial dot in the domain value, if present.

Fix:
WebSSO processes domain fields in Set-Cookie headers correctly.


473589-1 : Error at attempt to add GeoIP with parentheses.

Component: Advanced Firewall Manager

Symptoms:
You get an error if you attempt to add a GeoIP region with parentheses to a rule. For example, for the GeoIP region Cocos (Keeling) Islands (CC), you see this error:

Error: 0107179c:3: The specified Geo Location Country Code(Keeling) on (TCP) is invalid

Conditions:
Attempting to add a GeoIP string that contains a parenthesis

Impact:
Unable to add the GeoIP region.

Fix:
You can now add GeoIP regions containing parentheses.


473386-13 : Improved Machine Certificate Checker matching criteria for FQDN case

Component: Access Policy Manager

Symptoms:
Machine cert check agent might fail if the certificate was issued with extended fields or to a domain machine.

Conditions:
This issue occurs when the machine is outside of domain and the certificate is issued to a domain machine.

Impact:
Machine cert check agent might fail on Mac OS X/Windows for machines currently outside of the domain.

Workaround:
This issue has no workaround at this time.

Fix:
Machine cert check agent matching criteria for FQDN has been improved.


473348-5 : SNMP hbInterval value not set to 300 sec after upgrade from 11.2.x to 11.3.0 or later

Component: TMOS

Symptoms:
The hbInterval determines the amount of time the snmpd daemon can wait for a response. Software versions 11.2.x use an hbInterval of 60 sec. Software versions 11.3.0 and later use an hbInterval of 300 sec.

Conditions:
When upgrading from version 11.2.x to version 11.3.0 or later.

Impact:
After upgrade, the hbInterval is still set to 60 sec and not set to 300 sec. An snmpd core is created.

Workaround:
Edit bigipTrafficMgmt.conf and set hbInterval value to 300 using the following procedure:
1. Run the command: bigstart stop snmpd.
2. Change the value of hbInterval in /config/snmp/bigipTrafficMgmt.conf and save the file.
3. Run the command: bigstart start snmpd.

Fix:
When upgrading from a release that did not have the hbInterval set to 300, the new release now has hbInterval set to 300.


473344-7 : Kerberos Request-Based Auth (RBA) failure when session is initially created on a different VIP.

Component: Access Policy Manager

Symptoms:
Kerberos Request-Based Auth (RBA) failure when session is initially created on a different VIP.

Conditions:
APM access policy is configured with Kerberos authentication and the attempted authentication session was initially created on a different VIP.

Impact:
Error occurs with no error message. The system should post an error message similar to the following: (Failure VIP Name): Kerberos Request-Based Auth failed because session was initially created on a different VIP (Original VIP Name). Please either disable RBA on the originating access profile, or remove the domain cookie.

Workaround:
Either disable RBA on the originating access profile, or remove the domain cookie.

Fix:
With the fix, APMD correctly handles the request for Kerberos Request-Based Auth, and posts the proper error message.


473255-2 : Javascript submit() method could be rewritten incorrectly inside of 'with' statement.

Component: Access Policy Manager

Symptoms:
Portal Access could incorrectly rewrite Javascript submit() method if it's called in scope of 'with' statement and without object.

Impact:
Form cannot be submitted from script on page.

Workaround:
Create an iRule which adds explicit object reference to submit() call.

Fix:
Fixed an issue where Portal Access could incorrectly rewrite a form submit initiated from Javascript.


473163-9 : RAID disk failure and alert.conf log message mismatch results in no trap

Component: TMOS

Symptoms:
Due to a mismatch between the definition of an alert for RAID disk failure in alert.conf, and the actual log message syntax, the appropriate SNMP traps are not issued when a disk is failing.

Conditions:
This happens when there is a RAID disk failure and the definition of the RAID disk failure alert in alert.conf is similar to the following:

alert BIGIP_RAID_DISK_FAILURE "raid[0-9]: Disk failure .*?" {
   snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.96";
   lcdwarn description="RAID disk failure." priority="3"
  }

Impact:
The actual log message syntax matches the following: 'alert kernel: md/raid1:md12: Disk failure on dm-29, disabling device.' Because the alert definition does not match this message, no SNMP trap is issued for the failing disk, and the LCD message is not displayed.

Workaround:
For information about configuring custom traps, see SOL3727: Configuring custom SNMP traps, available here: https://support.f5.com/kb/en-us/solutions/public/3000/700/sol3727.html.

Fix:
RAID disk failure and alert.conf log message now match, so appropriate SNMP traps are now issued when a disk is failing.


473129-6 : httpd_apm access_log remains empty after log rotation

Component: Access Policy Manager

Symptoms:
The /var/log/httpd/access_log file remains empty after log rotation.

Conditions:
At least one log rotation has occurred. Log rotation happens at 4:00 AM every day, in the system's local time.

Impact:
access_log entries are missing.

Workaround:
"bigstart restart httpd_apm" must be run by a daily cron job (around 4:30 AM) after log rotation.

Fix:
Logging to access_log continues after log rotation.


473037-7 : BIG-IP 2000/4000 platforms do not support RSS with L4 data on SCTP

Component: TMOS

Symptoms:
BIG-IP 2000/4000 platforms do not support RSS with L4 data on SCTP. If multiple connections are attempted, the same port is computed.

Conditions:
This occurs on BIG-IP 2000/4000 platforms with SCTP configured.

Impact:
This causes 'Inet port collision' log errors, and the connection is terminated.

Workaround:
None.

Fix:
BIG-IP 2000/4000 platforms now support RSS with L4 data on SCTP.


472969-3 : If you try to create more than 264 AVR profiles, avrd might crash.

Component: Application Visibility and Reporting

Symptoms:
The maximum number of AVR profiles in the system is 264.
If you try to create more than 264 AVR profiles, avrd might crash.

Conditions:
Creating more than 264 AVR profiles

Impact:
avrd crashes.

Fix:
The maximum number of AVR profiles in the system is 264.
If you try to create more than 264 AVR profiles, MCP now generates the following message:
"Can't generate more than 264 AVR profiles", and the system will not create the profiles.


472748-4 : SNAT pool stats are reflected in global SNAT stats

Component: Local Traffic Manager

Symptoms:
A virtual server has a SNAT pool configured, and a global default SNAT is also configured with settings similar to the SNAT pool. Traffic that hits the virtual server uses the virtual server's SNAT pool to translate the source address, but the same traffic statistics are also reflected in the default global SNAT, even though the default SNAT is not being used.

Conditions:
A virtual server has a SNAT configured. There is a global default SNAT configured similar to the configured SNAT pool.

Impact:
SNAT pool stats are reflected in global SNAT stats.

Workaround:
Configure the default SNAT in a different VLAN.

Fix:
The system now releases the default SNAT from the virtual server if there is a SNAT configuration directly associated with the virtual server.


472585-5 : tmrouted crashes after a series of configuration changes

Component: Local Traffic Manager

Symptoms:
When multiple route domains with multiple routing protocols with heartbeat enabled are repeatedly created and deleted, the tmrouted daemon may restart.

Conditions:
This occurs when the following conditions are met:
-- Heartbeat is enabled.
-- Multiple route domains and routing protocols are created and deleted in a short time interval.

Impact:
tmrouted crashes, which might lead to packet loss in forwarding.

Workaround:
None.

Fix:
The tmrouted functions normally when multiple route domains with multiple routing protocols, with heartbeat enabled, are created and deleted repeatedly.


472446-4 : Customization group template file might cause mcpd to restart

Component: Access Policy Manager

Symptoms:
A config sync or tmsh transaction might fail and make mcpd restart if the config sync or tmsh transaction includes a misconfigured object and simultaneously includes a customization group template file.

If strict updates are enabled on an iApp and Advanced Customization is performed, mcpd could crash too.

Conditions:
The config sync or tmsh transaction includes a misconfigured object and includes a customization group template file.

Impact:
The config sync or tmsh transaction fails, and mcpd exits. Note: Avoid configurations that put customization group template file objects through a config sync or tmsh transaction, when that transaction might contain an object configured with an invalid value. This results in a configuration error.
Here is one example of the types of messages that may be displayed when this occurs:

-- info mcpd[12395]: 01071528:6: Device group '/Common/f5omb' sync inconsistent, Incremental config sync may not be complete on one or more devices in this devicegroup, Sync status may not be consistent until incremental config sync is complete.
-- err mcpd[12395]: 01070734:3: Configuration error: Cannot apply template as cache path for (customization template file logon.inc customization group /Common/ap_deptSharePt_act_logon_page_ag) cannot be empty.
-- err mcpd[12395]: 01070596:3: An unexpected failure has occurred, - apm/validation/APMCustomizationFileObject.cpp, line 1825, exiting...
-- info sod[5467]: 010c0009:6: Lost connection to mcpd - reestablishing.
-- err zxfrd[12033]: 0153e0f7:3: Lost connection to mcpd.

Workaround:
None.

Fix:
This release corrects the configuration error that occurred in the config sync or tmsh transaction whose configuration included a misconfigured object and a customization group template file.


472365-5 : The vCMP worker-lite system occasionally stops due to timeouts

Component: TMOS

Symptoms:
The vCMP host side of the worker-lite system has a shorter timeout than the vCMP guest side. This can cause a worker-lite vCMP host to silently stop processing worker-lite requests for a vCMP guest.

Conditions:
This issue affects worker-lite based VCMP hosts running any version of VCMP guests that are processing SSL and compression traffic.

Impact:
SSL and compression traffic does not pass through VCMP guests running on an affected VCMP host. The system posts error messages in /var/log/ltm, similar to the following: Device error: crypto codec 'device-name' queue is stuck.

Workaround:
To resume processing of SSL and compression traffic in a VCMP guest, restart the guest tmm by issuing a 'bigstart restart tmm' from within the guest. Restarting a VCMP guest by setting its state from 'deployed' to 'provisioned' and then back to 'deployed' also resumes processing of SSL and compression traffic.

Fix:
Corrected a vCMP timeout issue that might have prevented vCMP guests from processing SSL and compression traffic.


472256-4 : tmsh and tmctl report unusually high counter values

Component: Access Policy Manager

Symptoms:
When running the command 'tmctl profile_access_stat', the values displayed for sessions_eval_cur, sessions_active_cur, and/or sessions_estab_cur might be unusually high.

Conditions:
The issue might appear if the following events happen, in sequence:
1. Some sessions have been established.
2. On a chassis system, a blade restarts. On an appliance system, tmm restarts on the active system, which triggers failover.
3. Some of the existing sessions log out after the chassis or appliance is back online.

Impact:
The profile access stat might report inaccurate readings. The system returns results similar to the following:
-- sessions_active_cur 18446744073709551615
-- sessions_eval_cur 18446744073709551615

Workaround:
None.

Fix:
tmsh and tmctl now report the expected correct counter values.


472202-2 : Potential false positive report of DMA RX lockup failure

Component: TMOS

Symptoms:
Due to mixed traffic in the same ring, the heartbeat message might not be received in time, and therefore the system reports a DMA RX lockup after a period of time.

Conditions:
Mixed traffic stresses DMA ring 0 and delays the heartbeat health messages.

Impact:
TMM restarts and reports an HSB DMA RX lockup.

Workaround:
None.

Fix:
The false positive report of an RX HSB DMA lockup has been eliminated as long as the ring is moving.


472125-3 : IP Intelligence report data is not rolled forward between installations as it should be

Component: Advanced Firewall Manager

Symptoms:
The upgrade process does not carry over the AVR-DWBL tables, so they show no data after the upgrade.

Conditions:
Upgrading from 11.5.0 / 11.5.1 / 11.5.4

Impact:
AVR statistics for DWBL will lose their data.

Fix:
DWBL statistics tables are now backed-up to be used in the new version after the upgrade.


472106-1 : TMM crash in a rare case of flow optimization

Component: Policy Enforcement Manager

Symptoms:
During a special case of optimization, the peer connflow is released. Subsequent references to the connflow result in a crash.

Conditions:
When the PEM hudfilter is optimized and the server sends a reset, the code checks a non-existent peer connection.

Impact:
Traffic disrupted while tmm restarts.

Fix:
The code path checks for NULL connflow before attempting to access the data structure.


472093-2 : APM TMUI Vulnerability CVE-2015-8022

Vulnerability Solution Article: K12401251


472092-6 : ICAP loses payload at start of request in response to long execution time of iRule

Component: Service Provider

Symptoms:
A long-running iRule in ICAP_REQUEST can cause the loss of payload while the iRule is running, resulting in the beginning of the payload being omitted in the request to the ICAP server. (Note that headers are unaffected.)

Conditions:
This issue occurs when the following conditions are met:
-- request-adapt or response-adapt is used.
-- IVS with ICAP.
-- An iRule on the ICAP_REQUEST event takes a long time to execute.

Impact:
ICAP request to ICAP server can lose the beginning of the payload.

Workaround:
When possible, keep iRule duration short by minimizing processing in ICAP_REQUEST and avoiding unnecessary processing, or move the processing elsewhere.

Fix:
The complete request payload is now sent to the ICAP server, even in the presence of a long-running iRule in ICAP_REQUEST.


472062-2 : Unmangled requests when form.submit with arguments is called in the page

Component: Access Policy Manager

Symptoms:
Expressions like form.submit(something) are not being rewritten by Portal Access.
This may cause direct URLs or unmangled paths in the request. Such requests fail and the application could stop working.

Impact:
Web Application could send unmangled requests and stop working.

Workaround:
An iRule workaround is possible, but it is unique to each web application.

Fix:
Calls of form.submit with arguments are now correctly handled by Portal Access.


471874-6 : VDI plugin crashes when trying to respond to client after client has disconnected

Component: Access Policy Manager

Symptoms:
VDI plugin crashes when trying to respond to client after client has disconnected.

Conditions:
The client has disconnected, and the VDI plugin tries to send a response to it.

Impact:
VDI plugin crash.

Fix:
The VDI plugin does not crash when trying to respond to a client after the client has disconnected.


471860-2 : Disabling interface keeps DISABLED state even after enabling

Component: TMOS

Symptoms:
When you disable an interface, the state shows DISABLED. When you enable that interface, the indication for the interface still shows DISABLED.

Conditions:
This occurs in both tmsh and the GUI.

Impact:
The state of the interface remains DISABLED. However, the interface passes traffic after enabling.

Workaround:
Rebooting corrects the indicator.

Fix:
When you disable an interface, the state shows DISABLED. When you enable that interface, the indication for the interface now shows ENABLED.


471827-2 : Firstboot early syslog-ng log: /var/run/httpd.pipe does not exist

Component: TMOS

Symptoms:
Early syslog-ng starts up with a config file that references /var/run/httpd.pipe, but it does not exist and syslog-ng logs the following:

<date> <host> notice syslog-ng: Error opening file for reading; filename='/var/run/httpd.pipe', error='No such file or directory (2)'

Conditions:
The first boot of a newly installed system uses a different syslog-ng.conf file; this applies only to that first boot.

After first boot, the real syslog-ng config file is used.

The following log appears in /var/log/boot.log (only in 11.x releases):

Sep 4 10:17:35 localhost notice syslog-ng: Error opening file for reading; filename='/var/run/httpd.pipe', error='No such file or directory (2)'

Impact:
There is no actual impact due to this behavior because:

(1) syslog-ng is restarted with the correct syslog-ng configuration later in the boot.
(2) httpd is not started until later which means there is no actual usage of /var/run/httpd.pipe.

Fix:
Prior to starting the early syslog-ng, create the missing file /var/run/httpd.pipe. This also happens later when etc/init.d/syslog-ng is run, but does nothing because the early syslog-ng startup script creates the missing file.


471819-1 : The big3d agent restarts periodically when upgrading the agent on a v11.4.0 or prior system and Common Criteria mode is enabled.

Component: Global Traffic Manager

Symptoms:
The big3d agent restarts periodically if a v11.4.0 or earlier system with Common Criteria mode enabled is updated with a newer version of the big3d agent.

Conditions:
A v11.4.0 or earlier system is updated to run a newer version of the big3d agent and Common Criteria mode is enabled.

Impact:
The impact of this issue is periodic restarting of the big3d agent.

Workaround:
Disable Common Criteria mode.

Alternatively, restore the prior version of the big3d agent.

Fix:
The big3d agent has been modified to run in a mode that eliminates inconsistencies with version 11.4.0 and earlier.


471766-3 : Number of decoding passes configuration

Component: Application Security Manager

Symptoms:
The decoding passes number selected in the "Evasion technique detected" sub-violation setting affects URI and parameter input. However, this setting does not affect the number of decoding passes that the system performs on headers, which is always two.

Conditions:
Headers may legitimately require more than two levels of percent decoding.

Impact:
A false positive violation is issued.

Fix:
The number of decoding passes for headers is now taken from the "Evasion technique detected" sub-violation setting.


471625-7 : After deleting external data-group, importing a new or editing existing external data-group does not propagate to TMM

Component: Local Traffic Manager

Symptoms:
After deleting external data-group, importing a new or existing external data-group does not propagate to TMM.

Although the import/modify individually seem to work as expected with no errors displayed in the web interface, the ltm log shows 'update queued', but does not show 'update finished' for the imported/modified datagroup.

The tmctl ext_class_stat command shows that the deleted data-groups are still in TMM, and existing data-groups stay the same and do not reflect the modifications made to them via the GUI.

Conditions:
The issue occurs when working in an administrative partition other than Common.

Impact:
iRules associated with the data-groups do not behave as expected if data-group is deleted and afterwards when data-group modifications are made.

Workaround:
There are two workaround options:
1. Use short names for the data-group files. It is the long names that are problematic. This is the recommended workaround.
2. Reboot. This causes mcpd to reload the data-groups and corrects the situation.

Fix:
After deleting external data-group, importing a new or editing existing external data-group now works as expected.


471535-6 : TMM cores via assert during EPSV command

Component: Local Traffic Manager

Symptoms:
TMM cores via assert during an EPSV command from clients when the FTP filter rewrites the commands.

Conditions:
This rarely encountered issue occurs with the use of line feed (NL) characters in rewritten commands.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use a TCP collect iRule to detect and insert the missing CR.

Fix:
FTP filter now accepts NL-only line-ending when rewriting EPSV command.


471467-1 : gtmparse segfaults when loading wideip.conf because of duplicate virtual server names

Component: Global Traffic Manager

Symptoms:
gtmparse segfaults when loading wideip.conf with duplicate virtual server names, or whose names differ only by spaces.

Conditions:
wideip.conf contains duplicate virtual server name definitions, or the virtual server names are unique only because of leading or trailing spaces.

Impact:
gtmparse segfaults during a wideip.conf load, causing GTM configuration load to fail.

Workaround:
Change virtual server definitions so that there are no duplicate named virtual servers. Note that adding only leading or trailing spaces does not result in a unique virtual server name.

Fix:
gtmparse now throws descriptive errors when encountering duplicate virtual server names in wideip.conf, for example:

./gtm/wideip.conf:61: "opt_vs_long_def: vs set name vs_1 on vs 10.221.43.28:1545 failed, duplicate name exists" at character '1545' in line:

      name "vs_1"
      address 10.221.43.28:1545


471117-3 : iframe with JavaScript in 'src' attribute not handled correctly in IE11

Component: Access Policy Manager

Symptoms:
If an HTML page contains an iframe with JavaScript code in the src attribute, some web applications might not work correctly through portal access in Internet Explorer 11.

Conditions:
Conditions leading to this issue include Internet Explorer 11 and iframe with JavaScript in the src attribute: <iframe src="javascript: some code...">

Impact:
Some Web applications may work incorrectly.

Workaround:
This issue has no workaround at this time.

Fix:
If an HTML page contains an iframe with JavaScript code in the src attribute, it is handled correctly in Internet Explorer 11 through Portal Access.


471059-7 : Malformed cookies can break persistence

Component: Local Traffic Manager

Symptoms:
Clients sending a malformed cookie (that is, a space character that precedes the persistence cookie) might prevent the parsing of a valid persistence cookie.

Conditions:
The HTTP request contains a malformed cookie value that occurs before the BIG-IP system persistence cookie. For example: Cookie:foo=bar =bar; BIGipServerhttp=60361226.20480.0001

Impact:
Persistence is ignored.

Workaround:
None.

Fix:
Cookie values containing a space character are now parsed properly.


470788-4 : Creating static ARP entry with unreachable IP address causes BIG-IP to be unreachable after reboot

Component: TMOS

Symptoms:
Saved configuration may not load if static ARP entries are configured that do not match a self IP subnet.

Conditions:
Saved config with static ARP whose IP falls outside of any self IP subnet.

Impact:
The impact of this issue is that the config fails to load.

Workaround:
To work around this issue, remove the static ARP entry from the saved config by manually editing the config file.

Fix:
Static ARP entries that fall outside of configured self IP addresses can now be loaded. However, this invalid configuration is now avoided by requiring static ARP entries in a self IP subnet to be removed before a self IP can be removed.


470779-3 : The Enforcer should exclude session awareness violations when counting illegal requests.

Component: Application Security Manager

Symptoms:
False positives: requests are blocked that should not be.

Conditions:
Session Awareness is enabled.

Impact:
A session's blocked/logged status can be renewed after it is released if illegal traffic runs at the same time, even when the only violation is 'Disallowed access...'.

Workaround:
N/A

Fix:
The Enforcer now excludes session awareness violations when counting illegal requests for session awareness actions.
Previously, these violations were counted and therefore prematurely caused the session status to be "Blocked".


470756-8 : snmpd cores or crashes with no logging when restarted by sod

Component: TMOS

Symptoms:
Prior to sod restarting snmpd following a heartbeat timeout, there are often no snmpd warning/error logs leading up to the restart condition that might indicate root-cause.

Conditions:
snmpd can be blocked waiting for mcpd responses to its database queries. This is typically experienced when CPU utilization is very high.

Impact:
sod continues restarting snmpd (and generating a core dump) as long as the blocking conditions persist for longer than the configured snmpd heartbeat interval. During this time, external MIB queries might time out or fail.

Workaround:
Address CPU utilization issues.

Fix:
The snmpd daemon now periodically logs warning messages regarding slow query responses from mcpd. snmpd also attempts to maintain heart-beat communication with sod under these conditions.


470627-4 : Incorrect and benign log message of bandwidth utilization exceeded when licensed with rate limit in VE

Component: TMOS

Symptoms:
When Virtual Edition (VE) is licensed with limited throughput, tmm checks and enforces rate limits. However, due to the nature of clustering in the data plane, each tmm process performs the check independently against its share of the limit (that is, the licensed rate divided by the number of tmms on the system). Thus, the check result is not accurate from a global rate perspective, and the system logs messages indicating that the data rate exceeds the licensed rate.

Conditions:
Multiple tmms in VE licensed with a limited data rate, when only some of the tmms are processing traffic.

Impact:
Message indicating data rate exceeds licensed rate.

Workaround:
None.

Fix:
Incorrect and benign log message of bandwidth utilization exceeded when licensed with rate limit in Virtual Edition no longer occurs.


470235-1 : The HTTP explicit proxy may leak memory in some cases

Component: Local Traffic Manager

Symptoms:
When the HTTP explicit proxy generates error pages it may leak memory in some cases.

Conditions:
The HTTP explicit proxy is used, and an error occurs that triggers an error page to be generated.

Impact:
The TMM's available memory will slowly decrease over time.

Workaround:
Using a smaller error page may make the memory leak less likely.

Fix:
The HTTP Explicit proxy feature will no longer leak memory when error pages are generated.


470205-4 : /config/.../policy_sync_d Directory Is 100% Full

Component: Access Policy Manager

Symptoms:
After a policy sync operation, the Policy Sync history file objects remain within the /config/.../policy_sync_d directory.

Conditions:
This issue is further exacerbated when customization and/or sandbox (hosted content) files are associated with the profiles being synced.

Impact:
Over time the saved number and size of the Policy Sync history files can grow to fill all available space.

Workaround:
The psync-history objects and related data files can be manually deleted by running the following commands from within tmsh context:
`cd /Common/PolicySyncHistory`
`delete apm policy psync-history all`
`save sys config partitions all`

Please note that the above steps remove all psync-history and related file objects from your local device, which means you will no longer have entries within the History tab of the Policy Sync page of the Admin GUI.

Fix:
After a policy sync operation, the Policy Sync history file objects no longer remain within the /config/.../policy_sync_d directory; they are cleaned up as expected.


470184-1 : In Configuration Utility, unable to view or edit objects in Local Traffic :: iRules :: Data Group List

Component: TMOS

Symptoms:
Navigate to Local Traffic :: iRules :: Data Group List and click any existing object. The user sees a No Access error instead of the Data Group object.

Conditions:
Data Group objects exist.

Impact:
User will be unable to view or edit Data Group objects in the Configuration Utility.

Workaround:
View and edit objects in tmsh.


469824-9 : Mac Edge client on Mac mini receives settings for iOS Edge Client

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Mac on Mac mini receives settings for iOS Edge Client. Edge Client behavior might be different than expected if Mac Edge Client settings are different from iOS Edge Client settings.

Conditions:
Mac mini, with both iOS Edge Client and Mac Edge Client settings in the connectivity profile on the BIG-IP system.

Impact:
Different than expected behavior of Edge Client for Mac.

Fix:
Edge Client for Mac on Mac mini now uses the settings for the Mac Edge Client in the connectivity profile on BIG-IP system.


469786-2 : Web Scraping Mitigation: Display of request status when configuration includes an ASM iRule

Component: Application Security Manager

Symptoms:
A wrong display of the request status (as a blocked request) for requests that were only alarmed.

Conditions:
Web scraping in alarm mode, ASM iRules in place.

Impact:
The request status is incorrectly displayed as blocked when the request was only alarmed.

Workaround:
This issue has no workaround at this time.

Fix:
When web scraping mitigation configuration mode is set to Alarm (log) and there is an ASM iRule, the iRule no longer displays requests as being blocked when they are actually logged and not blocked.


469770-3 : System outage can occur with MPTCP traffic.

Component: Local Traffic Manager

Symptoms:
System outage can occur when a pool member is unreachable for MPTCP traffic.

Conditions:
MPTCP traffic.
Serverside unreachable.

Impact:
System outage can occur.

Fix:
System correctly handles ICMP unreachable for MPTCP traffic.


469627-2 : When persistence is overridden from cookie to some other persistence method, the cookie should not be sent.

Component: Local Traffic Manager

Symptoms:
If cookie persistence is configured, then persistence cookies will be sent to the client. However, if the persistence profile is overridden by an iRule "persist" command, that cookie should not be sent.

Conditions:
1) A cookie persistence profile is used, and it is overridden to some other persistence method via an iRule.

2) Passive cookie persistence is used, the "always send" option is off, and cookie encryption is enabled.

Impact:
1) Extra persistence cookies may be included in a response even if they are not required by the current persistence method.

2) Passive cookies may not be encrypted in some situations.

Workaround:
1) The extra cookie can be removed by an iRule.

2) Turn the "always send" option on if using passive persistence cookies.

Fix:
1) Persistence cookies will not be inserted if the persistence method is changed from cookie persistence to some other persistence method.

2) Passive persistence cookies will be encrypted even if the "always send" option is off.


469297-2 : Address list summary page does not display the description for individual address list entries.

Component: Advanced Firewall Manager

Symptoms:
Description for an address list entry is not displayed in the address list summary page

Conditions:
'Description' for address list entry (created from tmsh) is not displayed in the address list summary page (in the GUI).

Impact:
The value for 'description' is not seen in the GUI

Workaround:
View the description in tmsh.

Fix:
Address list summary page displays the description for individual address list entries.


469033-15 : Large big3d memory footprint.

Component: Global Traffic Manager

Symptoms:
The big3d process might take up a large amount of memory.

Conditions:
Using GTM in various configurations.

Impact:
Large big3d memory footprint. This is a configuration- and usage-dependent issue.

Workaround:
None.

Fix:
Reduced big3d memory footprint.


468949-1 : audit_forwarder started error message

Component: TMOS

Symptoms:
During system start you see the following error message in /var/log/ltm: bigip01 err audit_forwarder: audit_forwarder started

Conditions:
This message can be displayed during either system start or system restart.

Impact:
None. This notice should be logged at the info log level, not error level.

Fix:
The audit forwarder starting message is now displayed at the info level.


468874-1 : Monpd errors appear when AVR loads data to MySQL

Component: Application Visibility and Reporting

Symptoms:
An error of the form "Too many partitions (4) defined for DB table..." will appear in both /var/log/ltm and /var/log/avr/monpd.log

Conditions:
This issue occurs when traffic is running and AVR is being used by any of the following provisioned modules: AVR, ASM, PEM, AFM, or SWG.

Impact:
No actual impact on data accuracy or performance - only errors in /var/log/ltm and /var/log/avr/monpd.log

Workaround:
This issue has no workaround at this time.

Fix:
Error messages such as "Too many partitions (4) defined for DB table..." no longer appear in the log files.


468820-2 : MPTCP Flows may hang when an MTU mismatch occurs on the network.

Component: Local Traffic Manager

Symptoms:
System did not correctly handle the ICMP message reporting an MTU mismatch for MPTCP traffic.

Conditions:
MPTCP traffic
MTU mismatch.

Impact:
Degraded operation, some flows might hang.

Fix:
System correctly handles ICMP notification for MPTCP traffic.


468791-3 : Crash when using FIX tag maps and a FIX message arrives without a SenderCompID.

Component: Local Traffic Manager

Symptoms:
Crash when using FIX tag maps and a FIX message arrives without a SenderCompID.

Conditions:
LTM virtuals using the fix-map tcp profile.

Impact:
tmm can crash

Workaround:
None

Fix:
Fixed the crash that occurred when no SenderCompID is supplied.


468688-1 : Initial sync fails for upgraded pair (11.5.x to 11.6)

Component: Advanced Firewall Manager

Symptoms:
Config sync fails immediately after upgrade from 11.5.x to 11.6.

Conditions:
Config sync fails immediately after upgrade from 11.5.x to 11.6.

Impact:
Configurations may not sync if the devices were upgraded from 11.5 to 11.6.

Workaround:
No consistent workaround.

Fix:
Fixed issue where config sync failed on 11.5.x devices after upgrading to 11.6.


468519-6 : BIG-IP DNS configuration load failure from invalid bigip_gtm.conf file.

Component: Global Traffic Manager

Symptoms:
Config reload fails when renewing the license or performing a new install based on the current config.

This appears to be the result of an invalid bigip_gtm.conf, which is used to load the config rather than the mcpdb.bin.

Conditions:
If any virtual servers are configured with a dependency list that includes other virtual servers from the same BIG-IP system, BIG-IP DNS creates an invalid bigip_gtm.conf file.

Impact:
BIG-IP DNS config will fail to load when triggered to load from config file

Workaround:
None.

Fix:
The depends-on block is now populated correctly with the virtual server info, and no error is thrown when reloading the BIG-IP DNS config.


468473-5 : Monitors with domain username do not save/load correctly

Component: TMOS

Symptoms:
Using the Traffic Management Shell (tmsh) to create or modify an object with a string parameter may fail with an error.

Conditions:
This issue occurs when the following condition is met:
• You use the tmsh utility to create or modify an object with a string that uses a backslash (\) to escape a double quotation mark (") character.

Impact:
Users may not be able to modify strings by using the tmsh utility.

Workaround:
The username field must be adjusted in the /config/bigip.conf file to specify the username field with a domain using a \\ syntax. For example: domain\user would need to be configured as: domain\\user.

Fix:
The tmsh utility now processes backslashes and embedded double quotation marks as expected.


468472-6 : Unexpected ordering of internal events can lead to TMM core.

Component: Local Traffic Manager

Symptoms:
TMM may core and failover with the following tcp4 assert: ../modules/hudfilter/tcp4/tcp4.c:937: %svalid pcb%s.

Conditions:
If the TCP profile receives a spurious event it can cause TMM to crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Unexpected ordering of internal events no longer leads to TMM core.


468471-1 : The output of DNS::edns0 subnet address command is not stored properly in a variable

Component: Local Traffic Manager

Symptoms:
When the output of the iRule command "DNS::edns0 subnet address" is an IPv4 address and is stored in a variable, it might not be interpreted properly by other iRule commands that expect an IP address (for example, the "whereis" command).

Conditions:
The "DNS::edns0 subnet address" command returns an IPv4 address and it is stored in a variable.

Impact:
Other iRule commands that utilize the variable may not work as expected (for example, the "whereis" command).

Workaround:
When utilizing the variable, force a string interpretation of the value. For example, rather than:
  set srcip [DNS::edns0 subnet address]
  set srccountry [whereis $srcip country]
Use:
  set srcip [DNS::edns0 subnet address]
  set srccountry [whereis [string tolower $srcip] country]


468441-2 : OWA2013 may work incorrectly via Portal Access in IE10/11

Component: Access Policy Manager

Symptoms:
JavaScript error appears if user tries to view/change settings in OWA2013 via Portal Access in Internet Explorer 10/11.

Conditions:
Internet Explorer 10 or 11
OWA2013

Impact:
User cannot change settings in OWA2013.

Workaround:
No workaround is known.

Fix:
Now it is possible to view and/or change settings in OWA2013 via Portal Access using Internet Explorer 10/11.


468433-2 : OWA2013 may work incorrectly via Portal Access in IE10/11

Component: Access Policy Manager

Symptoms:
JavaScript error appears if user tries to view or change settings in OWA2013 via Portal Access in Internet Explorer 10/11.

Conditions:
Conditions leading to this issue include: Internet Explorer 10 or 11 and OWA2013.

Impact:
User cannot change settings in OWA2013.

Workaround:
This issue has no workaround at this time.

Fix:
Now it is possible to view and/or change settings in OWA2013 via Portal Access using Internet Explorer 10/11.


468395-2 : IPv4 Allocation failure ... is out of addresses

Component: Access Policy Manager

Symptoms:
Existing Network Access clients have problems reconnecting.

Conditions:
This occurs when all of the lease pool IP addresses are allocated to Network Access clients.

Impact:
Existing clients cannot reconnect. The system posts messages to the APM logs: IPv4 Allocation failure ... is out of addresses.

Workaround:
Assign more IP addresses in the lease pool.

Fix:
Network Access clients can reconnect now and the lease pool does not run out of IP addresses.


468387-2 : Enforcer core related to specific error condition in the session db

Component: Application Security Manager

Symptoms:
A bd restart, and a failover if the system is in a redundant pair, may occur.
The core file shows tm_untimeout () as the coring frame.

Conditions:
Load on the system, heavy usage of the sessiondb infrastructure.

Impact:
Traffic is reset while bd restarts or while the failover is happening.

Workaround:
Disable session tracking from the ASM policy.

Fix:
We fixed an Enforcer crash related to a specific error condition in the session db.


468375-2 : TMM crash when MPTCP JOIN arrives in the middle of a flow

Component: Local Traffic Manager

Symptoms:
TMM crash when MPTCP JOIN arrives in the middle of a flow.

Conditions:
MPTCP traffic in which a JOIN arrives in the middle of a flow.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.

Fix:
An MPTCP JOIN arriving in the middle of a flow is now handled correctly.


468345-2 : Blocking page with harmful JavaScript can be run by system administrator

Vulnerability Solution Article: K16081


468300-3 : Filters may not work correctly with websockets or CONNECT

Component: Local Traffic Manager

Symptoms:
If filters that buffer messages exist on the chain, then when HTTP switches to pass-through mode, those filters may spuriously fail to see the headers of the response that caused that switch.

The problem is due to HTTP immediately switching into pass-through mode, and then sending the headers as raw data through the chain.

Conditions:
A filter on the chain that buffers a RESPONSE_DONE message, and HTTP switches to pass-through, combined with looking at the headers in a filter other than HTTP.

This is more likely to happen if the server sends data immediately after a successful CONNECT or transition to websockets. (Without waiting for a response from the client.)

Impact:
The TMM may core, or wrong information may be obtained from filters looking at the HTTP headers of a response that causes a switch to pass-through mode.

Workaround:
This issue has no workaround at this time.

Fix:
HTTP now waits until all filters have seen a 101 Switching Protocols or CONNECT 200 Connected response before switching into pass-through mode.


468235-3 : The worldwide City database (City2) does not contain all of the appropriate Proxy strings.

Component: TMOS

Symptoms:
Digital Element's proxy information is not available in the City2 database.

Conditions:
This occurs when using the City2 database available from an F5 partner.

Impact:
In the case of a customer obtaining and installing the city database, Digital Element's proxy information is not included.

Workaround:
None.

Fix:
The worldwide City database (City2) now includes Digital Element's proxy information.


468137-12 : Network Access logs missing session ID

Component: Access Policy Manager

Symptoms:
Without session ID in client logs, it's hard to correlate client and server-side logs.

Impact:
Client logs are hard to troubleshoot.

Fix:
Now Network Access components print the session ID in four messages:
• Starting pending session ID: %sessionid
• Session %sessionid established
• Session %sessionid closed: Status
• Failed to open session %sessionid


467945-4 : Error messages in AVR monpd log

Component: Application Visibility and Reporting

Symptoms:
Errors similar to the following appear in the monpd log:
 monpd|INFO|Jun 18 13:40:08.947|12463| [stat_bridge_thread::load_file, ] Some rows of load_stat_asm_http_ip_1403124000.1 not loaded (18194 rows affected)

Conditions:
Rare cases involving stress traffic and other uncommon conditions.

Impact:
A very small percentage of statistics (approximately 0.002%) can be lost.

Workaround:
No workaround.

Fix:
We fixed an issue where the system had duplicated data, leading to display of the following warning message in the AVR monpd log:
"Some rows of load_stat_asm_http_ip_xxxxxxxxxx.x not loaded (xxxxx rows affected)".


467847-1 : passphrase visible in audit log

Component: TMOS

Symptoms:
With audit logging enabled, you notice that after updating a password for an account, the password is visible in /var/log/audit.

Conditions:
This occurs when audit logging is enabled.

Impact:
Password is visible in the audit log.

Workaround:
Disable audit logging.

Fix:
The password is no longer logged in the audit log.


467551-5 : TCP syncookie and Selective NACK (profile option) causes traffic to be dropped

Component: Local Traffic Manager

Symptoms:
TCP syncookie and Selective NACK (profile option) causes traffic to be dropped.

Conditions:
This occurs when the following conditions are met:
• Selective NACK is enabled in the TCP profile.
• TCP syncookie mode is active.
• The client SYN carries no Selective NACK TCP option.

Impact:
Traffic might be dropped.

Workaround:
Disable Selective NACK option in TCP profile.

Fix:
TCP syncookie and the Selective NACK profile option now work correctly together.


467542-1 : TMM core in AAM assembly code during high memory utilization

Component: WebAccelerator

Symptoms:
TMM core is seen in AAM assembly code during high memory utilization.

Conditions:
AAM is provisioned. High memory utilization scenario resulting in sweeper aggressive mode being triggered. This results in connections getting reset. Inlining or smart client cache is enabled in AAM.

Impact:
Traffic disrupted while tmm restarts.


467256-1 : Deleting OPSWAT/Epsec packages from GUI does not delete files from disk causing UCS packages to bloat

Component: Access Policy Manager

Symptoms:
If there were multiple EPSEC packages installed on a BIG-IP system and if a UCS backup is taken subsequently, that UCS backup will contain all the files causing the UCS to become huge. Installing this UCS may fail due to disk space limitations.

Conditions:
Multiple EPSEC packages are installed on the system and a UCS archive of the system is created.

Impact:
UCS fails to install due to its large size.

Workaround:
One can do the following:
1. Delete the EPSEC package from the GUI.
2. Then go to /config/filestore/files_d/Common_d/epsec_package_d/ and find the extra files for which there is no corresponding entry in /config/bigip.conf.
3. Delete those extraneous files manually using rm.

Fix:
When you delete EPSEC packages using the GUI, APM now correctly deletes the corresponding EPSEC ISO file from the filestore (/config/filestore/files_d/Common_d/epsec_package_d/).

Before creating archives, administrators are now required to delete non-active EPSEC packages using the GUI to make sure that non-active EPSEC ISO files are not included in the archives.

Although this issue has been resolved for newly downloaded EPSEC ISO files, you might still need to perform some cleanup:

1. You must remove previous leftover EPSEC ISO files as follows:
a. Delete the EPSEC package from the GUI: Select System > Software Management > Antivirus Check Updates; select an existing EPSEC package from the list and click Delete.
b. Go to /config/filestore/files_d/Common_d/epsec_package_d/ and find files for which there is no corresponding entry in /config/bigip.conf.
c. Delete those extraneous files manually using the rm command.
2. You cannot import huge previously created UCS archives. Instead, you should delete non-active EPSEC packages prior to creating a UCS.
3. If you want to include only one (active) EPSEC ISO in a UCS archive, you must first delete non-active EPSEC packages using the GUI.
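As an added example (not F5's code), this Python script reproduces the check from step b as a dry run: it lists files under epsec_package_d that no ISO name in bigip.conf refers to, and only reports them instead of deleting them. The bigip.conf stanza and the filestore file names it builds are constructed, and the assumption that a package is referenced in bigip.conf by its .iso name is the script's own.

```python
"""Dry-run finder for leftover EPSEC ISO files in the APM filestore (ID 467256-1).

Added example, not F5's code. It mirrors the manual cleanup in the release
note: list files in epsec_package_d that have no matching entry in
bigip.conf. It only reports candidates; deleting them is left to the
administrator.
"""
import os
import re
import tempfile

# Real paths from the release note; the demo below works on a temporary copy.
EPSEC_DIR = "/config/filestore/files_d/Common_d/epsec_package_d"
BIGIP_CONF = "/config/bigip.conf"

# Assumption: each configured EPSEC package is referenced in bigip.conf by
# its ISO name, and the filestore file name embeds that same ISO name.
_ISO_TOKEN = re.compile(r"(\S+?\.iso)\b")


def referenced_iso_names(conf_text):
    """Return the ISO base names referenced anywhere in a bigip.conf text."""
    return {os.path.basename(tok) for tok in _ISO_TOKEN.findall(conf_text)}


def find_orphaned_epsec_files(filestore_dir, conf_text):
    """Return full paths of files in filestore_dir whose name contains none of
    the ISO names referenced in conf_text (leftovers with no config entry)."""
    referenced = referenced_iso_names(conf_text)
    orphans = []
    for name in sorted(os.listdir(filestore_dir)):
        path = os.path.join(filestore_dir, name)
        if not os.path.isfile(path):
            continue
        if not any(ref in name for ref in referenced):
            orphans.append(path)
    return orphans


def build_demo(root):
    """Create a constructed filestore directory and bigip.conf fragment under root.
    File names follow a ':Common:<name>_<id>_<rev>' pattern (assumed, not verified)."""
    fs_dir = os.path.join(root, "epsec_package_d")
    os.makedirs(fs_dir)
    for name in (":Common:epsec-1.0.0-456.0.iso_12345_1",   # still configured
                 ":Common:epsec-1.0.0-123.0.iso_11111_1"):  # deleted in GUI, file left behind
        with open(os.path.join(fs_dir, name), "wb") as fh:
            fh.write(b"\0" * 16)  # placeholder content, not a real ISO
    conf_text = (
        "# constructed bigip.conf fragment; only the package name matters here\n"
        "apm epsec epsec-package /Common/epsec-1.0.0-456.0.iso {\n"
        "}\n"
    )
    return fs_dir, conf_text


def demo():
    """Run the check against the constructed data and return orphan base names."""
    with tempfile.TemporaryDirectory() as root:
        fs_dir, conf_text = build_demo(root)
        return [os.path.basename(p) for p in find_orphaned_epsec_files(fs_dir, conf_text)]


if __name__ == "__main__":
    # On a real system, read BIGIP_CONF and scan EPSEC_DIR instead of the demo data.
    for orphan in demo():
        print("candidate for manual removal:", orphan)
```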


467196-4 : Log files limited to 24 hours

Component: TMOS

Symptoms:
In this release, the max log size setting is 1024. This causes large systems (multiple blades, high-availability) to truncate log files, and often prevents log files from storing messages for more than 24 hours.

Conditions:
Multiple blades in a high-availability configuration.

Impact:
Cannot have log files spanning more than 24 hours. This makes it very difficult to use the log when diagnosing problems, because the system overwrites the files before the customer can report the issue.

Workaround:
Change the max-file-size for logrotate from '1024' (the default) to '0' to prevent logrotate from truncating log files. This workaround is also documented in SOL16015: The BIG-IP system may truncate log files, available here: https://support.f5.com/kb/en-us/solutions/public/16000/000/sol16015.html.

This can be done from tmsh by running a command such as:
    tmsh modify /sys log-rotate max-file-size 0

Fix:
The max log size setting is now greater than 1024, which allows large systems (multiple blades, high-availability) to store messages for more than 24 hours.


466761-5 : Heartbeat, UDP packet with only double CRLF, on existing SIP flow results in connection loss.

Component: Service Provider

Symptoms:
Heartbeat, UDP packet with only double CRLF, on existing SIP flow might result in connection loss.

Conditions:
SIP heartbeat message, a UDP packet with double CRLF, sent by the client to the server.

Impact:
Connection might be terminated.

Workaround:
None.

Fix:
The heartbeat SIP message, a UDP packet containing only a double CRLF, is now ignored and the connection is maintained.


466745-2 : Cannot set the value of a session variable with a leading hyphen.

Component: Access Policy Manager

Symptoms:
Cannot set the value of an ACCESS::session variable with a leading hyphen.

Conditions:
Using a leading hyphen for the value of the session variable, for example: ACCESS::session set data var_name -value.

Impact:
Cannot use a leading hyphen in a session variable value. The system posts an error message similar to the following: err tmm3[12741]: 01220001:3: TCL error: /Common/pass <ACCESS_POLICY_AGENT_EVENT> - bad option name (line 1)setting variable var_name for sid (null) failed (line 1)Illegal argument (line 1) (line 1) invoked from within "ACCESS::session data set var_name "-foo""

Workaround:
This issue has no workaround at this time.

Fix:
In this release, an extra parameter, made up of two dashes (--), was added. When -- is inserted before a value, the value can start with a hyphen; for example, "ACCESS::session set data var_name -- -value".


466612-2 : Missing sys DeviceModel OID for VIPRION C2200 chassis

Component: TMOS

Symptoms:
The SNMP sysObjectID OID returns a value of Unknown for VIPRION C2200 chassis.

Conditions:
Affected versions of BIG-IP running on VIPRION B2xxx-series blades in a VIPRION C2200 chassis.

Impact:
The VIPRION C2200 chassis is not identified as such by the SNMP sysObjectID OID.

Workaround:
None.

Fix:
The sys DeviceModel OID for VIPRION C2200 (Viprion2200) chassis is now present in the F5-BIGIP-SYSTEM-MIB.


466423-1 : ASM REST: Partial PATCH to User-Defined Signature-Set Filter Resets Other Fields to Defaults

Component: Application Security Manager

Symptoms:
Updating any "filter" field of a signature set resets the other, unchanged "filter" fields to their defaults.

Conditions:
A REST client is used to configure ASM, and partial objects (only the changed fields) are sent in a PATCH.

Impact:
A user-defined, filter-based signature set may not contain the expected signatures.

Workaround:
When updating the object via a PATCH, send the fully populated object.

Fix:
Filter fields that are not explicitly specified in the PATCH call are correctly left unchanged.


466266-3 : In rare cases, an upgrade (or a restart) can result in an Active/Active state

Component: TMOS

Symptoms:
After upgrading or restarting, the system starts up in an active state even if the peer system is already active.

Conditions:
An upgrade or system restart for an active/standby pair. The issue occurs intermittently and is timing-dependent. There is code executed during sod's initialization that attempts to detect when communication between mcpd and sod has gone bad; this code does this by checking for "end transaction" messages. If 30 or more messages from mcpd are received without an "end transaction" message, sod will reset its connection with mcpd. While the connection is being reset, it is possible for sod to miss messages from mcpd. Depending on which messages it misses, sod may end up in a bad state and exhibit the symptoms of this bug. If this occurs after an upgrade, it does not matter which version one is upgrading from.

Impact:
The impact of this issue is that both systems take traffic.

Workaround:
Restarting the 'sod' daemon on the system after an upgrade or reboot clears the condition. This causes the system to go offline and will disrupt traffic.

Standard BIG-IP appliance:
bigstart restart sod

VIPRION system:
clsh bigstart restart sod

Fix:
In this release, the system ensures that an upgrade or a restart can never result in an Active/Active state.


466007-3 : DNS Express daemon, zxfrd, cannot start if its binary cache has filled /var

Component: Local Traffic Manager

Symptoms:
The DNS Express daemon, zxfrd, cannot start if its binary cache has filled the /var directory.

Conditions:
Using DNS Express and the /var directory is filled.

Impact:
Zxfrd will continually restart.

Workaround:
No workaround. If zxfrd is in a restart loop due to this issue, mitigate by deleting /var/db/tmmdns.bin and then running bigstart restart zxfrd.

Fix:
DNS Express daemon, zxfrd, will now check to see if /var is full or if the tmmdns.bin database file is corrupted. If either of these conditions is true, zxfrd will not continually restart.


465951-1 : If a net self description is 65K or longer, gtmd restarts continuously

Component: Global Traffic Manager

Symptoms:
The gtmd process restarts continuously.

Conditions:
This issue occurs when either of the following is a string of 65K or longer:
• The description of a net self <IP> object.
• The 'Description', 'Location', 'Contact', or 'Comment' field for the device (Device Management > Devices > Properties).

Impact:
When this happens, gtmd is unable to perform its duties.

Workaround:
This issue has no workaround at this time.

Fix:
An issue that caused gtmd to restart because of long descriptions has been fixed.


465675-5 : Invalid MAX-ACCESS clause for deprecated variables: ltmNodeAddrNewSessionEnable and ltmPoolMemberNewSessionEnable.

Component: TMOS

Symptoms:
Invalid MAX-ACCESS clause for deprecated variables: ltmNodeAddrNewSessionEnable and ltmPoolMemberNewSessionEnable.

Conditions:
Using deprecated variables: ltmNodeAddrNewSessionEnable and ltmPoolMemberNewSessionEnable.

Impact:
Users are unable to compile the MIB (using smidump) unless deprecated objects are ignored.

Workaround:
Modify MAX-ACCESS to read-only.

Fix:
MAX-ACCESS clause is now correct for deprecated variables: ltmNodeAddrNewSessionEnable and ltmPoolMemberNewSessionEnable.


465590-4 : Mirrored persistence information is not retained while flows are active

Component: Local Traffic Manager

Symptoms:
Mirrored persistence information is not retained. This is most visible on long-running flows, where the mirrored entry is removed while the flow is still active.

Conditions:
Mirrored flows with persistence profiles assigned to the VIP, or when persistence profiles are marked to mirror persistence entries.

Impact:
If a failover occurs, a new load balancing pick is made for new flows.

Fix:
Mirrored persistence records are now correctly retained.


465229-1 : Fix for Policy Rule Names Displaying Distorted in Rare Conditions

Component: Advanced Firewall Manager

Symptoms:
Policy rule names are the same as firewall rule names, except that when a rule list is used, they also show the name of the rule that references the rule list. In rare conditions, these names may show distorted data.

Conditions:
You have a firewall policy with a rule list in it.

Impact:
Referencing rule names may look distorted. No impact on performance or process.

Fix:
Upon investigation, a basic memory problem was diagnosed and fixed.


465181-4 : Unhandled connection error in iprepd causes memory leak in iprepd or merged

Component: Application Security Manager

Symptoms:
If the BIG-IP system fails to connect to the IP reputation database server (either using a proxy or not), it causes a memory leak in one of the internal daemons (iprepd and/or merged).

Conditions:
IP reputation is enabled and the system fails to connect to the database server (usually the proxy to the database server, or a bad or non-existent outbound connection).

Impact:
This issue causes a slow memory leak in the iprepd or merged daemon.

Workaround:
Fix the proxy or the connection to the IP reputation server, or turn off IP reputation.

Fix:
Even if the BIG-IP system fails to connect to the IP reputation database server (either using a proxy or not), it no longer causes a memory leak in one of the internal daemons.


465142-5 : iControl LocalLB::ProfileClientSSL::create and create_v2 methods result in crash when not in /Common

Component: TMOS

Symptoms:
The iControlPortal process crashes if the LocalLB::ProfileClientSSL::create or create_v2 methods are called outside of the /Common partition.

Conditions:
This occurs when using iControl to create Client SSL profiles in partitions other than /Common.

Impact:
The iControl portal crashes with a 500 Internal Server Error. The Client SSL profile is not created.

Workaround:
Create Client SSL profile in the /Common partition.

Fix:
LocalLB::ProfileClientSSL::create and create_v2 methods now work correctly when used in partitions other than /Common.


465012-5 : Rewrite plugin may crash if webtrace or debug log level is enabled for Portal Access

Component: Access Policy Manager

Symptoms:
Rewrite plugin may crash on large javascript files and tags when webtrace or debug log for Portal Access is enabled.

Conditions:
Portal Access log level is set to "Debug", or
Web Application Trace feature of Portal Access is active.

Impact:
Portal Access is temporarily unavailable.
Core file for 'rewrite' process is generated.

Workaround:
Disable webtrace
Change Portal Access log level to Notice

Fix:
Fixed an issue where Rewrite plugin could crash when collecting webtrace or debug logs for Portal Access.


465009-2 : VIPRION B2100-series LOP firmware version 2.10 update

Component: TMOS

Symptoms:
Booting the blade via PXE results in garbled PXE menu. (ID464614)

Conditions:
VIPRION B2100 and B2150 blades with LOP firmware version 2.09.

Impact:
The PXE menu display is garbled, although it responds correctly to valid inputs.


464992-8 : Mac Edge fails to pass machine certificate inspection if domain component is included in search criteria

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Mac fails to recognize DC component in certificate common name field. Edge Client fails to pass machine certificate inspection if domain component is included in search regular expression.

Conditions:
BIG-IP Edge Client for Mac, machine certificate agent, DC component in common name search regex

Impact:
BIG-IP Edge Client for Mac might fail to log in.

Fix:
BIG-IP Edge Client for Mac now passes Machine Certificate inspection when domain component is included in search criteria.


464972-2 : Wrong parsing of Country Code (Geo) from address region list if Country name contains parentheses.

Component: Advanced Firewall Manager

Symptoms:
Wrong parsing of Country Code (Geo) from address region list if Country name contains parentheses.

Conditions:
If the country name contains parentheses, an error is thrown and the country cannot be added to the address list.

Impact:
The country cannot be added on the Address List creation page.

Workaround:
Use tmsh to add the country name with parentheses.

Fix:
If the country Name contains parentheses, it can now be added to the address list page.


464966-1 : Active Rule page may display incorrectly if showing multiple rules and at least one rule list

Component: Advanced Firewall Manager

Symptoms:
The Active Rule page will truncate the display of active rules if there is more than one page worth of rules to display plus one or more rule lists.

Conditions:
More rules than will display on a single page and at least one rule list.

Impact:
Difficulty in reviewing and editing firewall rules.

Workaround:
It may be possible to review the assigned rules through the individual Policy pages.

Fix:
The Active Rule page now displays large numbers of rules correctly along with rule lists.


464801-1 : Intermittent tmm core

Component: Local Traffic Manager

Symptoms:
tmm intermittently cores. The stack trace signature indicates "packet is locked by a driver".

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed an intermittent tmm core.


464762-1 : Rule lists may not display schedules for rules that have them

Component: Advanced Firewall Manager

Symptoms:
Rule lists may not display schedules for rules that have them.

Conditions:
This occurs when looking at Active Rules or policies if they have schedules assigned to them.

Impact:
The rule list will display that each rule with a schedule is scheduled, but will not show which schedule is associated with the rule.

Workaround:
None.

Fix:
Rule lists now correctly display schedules for rules.


464735-1 : Errors and unavailable virtual server upon deactivation of ASM policy that is assigned to a non-default rule of L7 policy

Component: Application Security Manager

Symptoms:
When trying to deactivate a policy used in a non-default L7 policy, you get the following error, and the policy is deactivated:

"MCP Validation error - 01071726:3: Cannot deactivate policy action '/Common/vs126'. It is in use by ltm policy '/Common/l7_policy'."

In addition, the virtual server becomes unavailable after the deactivation.

Conditions:
ASM is provisioned.
ASM policy is assigned to a non-default L7 policy.

Impact:
Virtual server is unavailable.
ASM policy assigned to the LTM virtual server is broken.

Workaround:
Prior to the deactivation of such an ASM policy, remove it from all L7 policies from the following screen:
Local Traffic > Policies > Policy List > <L7_policy_name> > Properties.

Fix:
The deactivation of an ASM policy that is assigned to a non-default rule in an LTM policy produces a verbose and meaningful error message, and the virtual server is now available after the deactivation.


464687-1 : Copying Access Profile with Machine Cert Agent check fails

Component: Access Policy Manager

Symptoms:
When attempting to copy an Access Profile with a Machine Cert Check agent, the copy fails with no error message in the web interface or in a log file.

Conditions:
Copying an Access Profile whose Access Policy contains a Machine Cert Check agent with a certificate assigned.

Impact:
The copy fails, and no error message is displayed.

Workaround:
1. Edit the access policy and remove the machine certificate assignment.
2. Copy the profile.
3. Edit the access policy and set the machine certificate back.

Fix:
Now it is possible to copy an access profile that contains a Machine Cert access policy item.


464651-7 : Multiple root certificates with same 'subject' and 'issuer' may cause the tmm to core.

Component: Local Traffic Manager

Symptoms:
Two or more root certificates with the same 'subject' and 'issuer' but different serial numbers may cause the tmm to core.

The core was due to an assert failure in size caused by a loop in certificate chain construction.

Conditions:
When multiple certificates with the same 'subject' and 'issuer' are in a CA file, and the CA file is configured in SSL profile as trusted CAs.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Keep only one certificate for a given 'subject' and 'issuer' in CA file.
Do not leave two certificates with the same 'subject' and 'issuer' in a CA file.

Fix:
Resolved a failure when the customer installs another self-signed certificate with same subject/issuer before a self-signed certificate expires.


464547-5 : Show proper error message when VMware View client sends invalid credentials to APM

Component: Access Policy Manager

Symptoms:
The View client shows no information or error page if the user types the wrong password or username.

Conditions:
Bad credentials supplied to a VMware View client connecting through APM.

Impact:
End user would not know if the failed login was caused by bad credentials or for another reason.

Fix:
VMware View client displays a proper message when a user enters invalid credentials.


464273-1 : PEM: CCR-I for the Gx session has only one subscriber ID type even if session created has more than one type

Component: Policy Enforcement Manager

Symptoms:
When a PEM session is created by RADIUS or an iRule and more than one subscriber ID type is associated with the session, only one of them is sent.

Conditions:
The subscriber session has more than one subscriber ID type, but only one type is sent.

Impact:
If the PCRF expects all the subscriber IDs associated with the session, only one of them is sent.

Workaround:
There is no workaround at this time.

Fix:
All the associated subscriber ID types (imsi, e164, private) are sent in the CCR-I message for the session if they are present during session creation.


464225-6 : 'tmsh list ltm message-routing' and 'tmsh show ltm message-routing' fail for non-admin users

Component: TMOS

Symptoms:
Running the commands 'tmsh list ltm message-routing' and 'tmsh show ltm message-routing' fail for non-admin users, even though non-admin users have tmsh access to all partitions.

Conditions:
A non-admin user is logged in via tmsh.

Impact:
The non-admin user cannot run the command 'list ltm message-routing' or 'show ltm message-routing' via tmsh. The system posts an error message similar to the following: Unexpected Error: Can't display all items, can't get object count from mcpd.

Workaround:
None.

Fix:
Non-admin users can now successfully run the commands 'tmsh list ltm message-routing' and 'tmsh show ltm message-routing'.


464222-1 : Policy Rule Missing from TMSH Overlapping Status Output

Component: Advanced Firewall Manager

Symptoms:
The Policy Rule column, which shows the referencing rule in policies that have rule lists, may be missing from the advanced rule status (overlapping-status) mode.

Conditions:
This occurs when using rules that reference rule lists.

Impact:
You may not be able to see the real rules that reference the rule-lists. The impact is minimal.

Workaround:
In regular firewall rule modes, such as "show security firewall policy" or "show ltm virtual fw-enforced-policy", you can still see the Referencing Rule column.

Fix:
The missing Referencing Rule column has been added to overlapping status mode.


464116-5 : HTTP responses are not cached when response-adapt is applied

Component: Service Provider

Symptoms:
When a response-adapt profile is applied on a virtual with ramcache, HTTP responses are not cached.

Conditions:
Both ramcache and response-adapt on a virtual.

Impact:
HTTP responses are not cached.

Fix:
HTTP responses modified by response-adapt are cached.


464043-4 : Integration of Firmware for the 2000 Series Blades

Component: TMOS

Symptoms:
Integration of Firmware for the 2000 Series Blades.

Conditions:
When firmware has changes that benefit platforms, it is internally released and updated in the latest version of software.

Impact:
This will improve functioning of the hardware.

Workaround:
None. This is an action item.

Fix:
Integration of Firmware for the 2000 Series Blades.


463468-9 : A failed tmsh command generates double logs

Component: TMOS

Symptoms:
A single failed tmsh command generates two identical audit logs, and audit_forwarder sends two logs to audit server (TACACS+ in this example).

Conditions:
tmsh auditing is on and a tmsh command fails mcpd validation. This does not occur with successful commands.

Impact:
Here is an example of the failure. The failed command and its error:
tmsh create ltm pool pool20
01020066:3: The requested pool (/Common/pool20) already exists in partition Common

The two identical records forwarded to the TACACS+ server, differing only in task_id:
Tue May 20 16:27:17 2014 10.10.10.201 root unknown unknown update service=system protocol=ip task_id=130start_time=1400627369 event=cmd_acct reason=May 20 16:09:29 aftest notice tmsh[20175]: 01420002:5: AUDIT - pid=20175 user=root folder=/Common module=(tmos)# status=[01020066:3: The requested pool (/Common/pool20) already exists in partition Common.] cmd_data=create ltm pool pool20
Tue May 20 16:27:17 2014 10.10.10.201 root unknown unknown update service=system protocol=ip task_id=132start_time=1400627369 event=cmd_acct reason=May 20 16:09:29 aftest notice tmsh[20175]: 01420002:5: AUDIT - pid=20175 user=root folder=/Common module=(tmos)# status=[01020066:3: The requested pool (/Common/pool20) already exists in partition Common.] cmd_data=create ltm pool pool20

Workaround:
None.

Fix:
A failed tmsh command no longer generates duplicate audit log entries.


463380-4 : URIs with space characters may not work properly in ODATA query

Component: Device Management

Symptoms:
ODATA query strings such as $filter=partition eq 'Common' may not work correctly unless the spaces are encoded as +.

Conditions:
ODATA query strings with spaces.

Impact:
The query fails with an HTTP 400 error.

Workaround:
Replace the space characters in the query string with +.

Fix:
URIs with space characters now work properly in ODATA queries.


463314-1 : Enabling the ASM AJAX blocking response page feature causes cross-domain AJAX requests to fail

Component: Application Security Manager

Symptoms:
When the AJAX blocking response page feature is enabled, the JavaScript that ASM injects into pages adds a custom header to each outgoing AJAX request. Adding a custom header to a cross-domain AJAX request forces the browser to send a CORS OPTIONS preflight request. If the back-end server does not handle the preflight request correctly, the request fails and the web application's functionality breaks.

Conditions:
Provision ASM, attach an ASM policy to a virtual server, and enable the AJAX blocking response page feature.

Impact:
Cross-domain AJAX requests are broken.

Workaround:
Disable the AJAX blocking response page feature in the ASM policy.

Fix:
ASM no longer adds custom headers to cross-domain AJAX requests.


463202-6 : BIG-IP system drops non-zero version EDNS requests

Component: Local Traffic Manager

Symptoms:
If a query from a client contains a non-zero EDNS version, the query is dropped instead of sending an appropriate response.

Conditions:
This occurs with DNS profile/processing when a client sends a query with non-zero EDNS version.

Impact:
Queries are dropped, clients retry, and then time out.

Fix:
If the EDNS version is not zero, the query now passes through the DNS protocol filter instead of being dropped.
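The following is an added example, not BIG-IP code: it parses the EDNS version out of a DNS query's OPT pseudo-RR (RFC 6891), models the filter decision before and after this fix, and builds the BADVERS reply (extended RCODE 16) that a compliant responder returns for an unsupported EDNS version. The sample query and the "example.test" name are constructed for the example.

```python
"""Added example: EDNS version parsing, the drop/pass filter decision, and the BADVERS reply."""
import struct

OPT_TYPE = 41  # RR type of the EDNS OPT pseudo-record


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # two-byte compression pointer terminates the name
            return off + 2
        off += 1 + length


def _opt_ttl(msg: bytes):
    """Return the 32-bit TTL field of the OPT RR (ext-rcode | version | flags), or None."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):                       # question: NAME, QTYPE, QCLASS
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):             # answer, authority, additional RRs
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return ttl
        off += 10 + rdlen
    return None


def edns_version(msg: bytes):
    """EDNS version byte from the OPT RR, or None when the message carries no OPT RR."""
    ttl = _opt_ttl(msg)
    return None if ttl is None else (ttl >> 16) & 0xFF


def extended_rcode(msg: bytes) -> int:
    """12-bit RCODE: upper 8 bits from the OPT TTL, lower 4 bits from the header."""
    rcode = struct.unpack("!H", msg[2:4])[0] & 0x0F
    ttl = _opt_ttl(msg)
    return ((0 if ttl is None else ttl >> 24) << 4) | rcode


def protocol_filter(query: bytes, fixed: bool = True) -> str:
    """Model of the DNS protocol filter decision ('pass' or 'drop'), not TMM code.

    Before the fix a non-zero EDNS version was dropped; after it the query passes so the
    responder behind the filter can answer BADVERS.
    """
    version = edns_version(query)
    if not fixed and version not in (None, 0):
        return "drop"
    return "pass"


def badvers_response(query: bytes) -> bytes:
    """Build the RFC 6891 BADVERS reply: extended RCODE 16, OPT version 0, question echoed."""
    txid, flags, qd = struct.unpack("!HHH", query[:6])
    off = 12
    for _ in range(qd):
        off = _skip_name(query, off) + 4
    question = query[12:off]
    header = struct.pack("!HHHHHH", txid, 0x8000 | (flags & 0x0100), qd, 0, 0, 1)  # QR=1, keep RD
    ttl = 1 << 24            # ext-rcode 1 -> (1 << 4) | 0 = 16 = BADVERS; version 0; flags 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, ttl, 0)
    return header + question + opt


def build_query(qname: str, version: int, txid: int = 0x1234) -> bytes:
    """Constructed sample: an A query for qname with an OPT RR carrying the given EDNS version."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set, 1 question, 1 additional
    name = b"".join(bytes([len(label)]) + label.encode() for label in qname.split(".")) + b"\x00"
    question = name + struct.pack("!HH", 1, 1)                  # QTYPE A, QCLASS IN
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, (version & 0xFF) << 16, 0)
    return header + question + opt


if __name__ == "__main__":
    q = build_query("example.test", version=1)
    print("EDNS version:", edns_version(q))
    print("pre-fix filter:", protocol_filter(q, fixed=False), "post-fix filter:", protocol_filter(q))
    print("BADVERS reply extended RCODE:", extended_rcode(badvers_response(q)))
```

Run it against a capture of a real query to confirm that a version-1 OPT RR is what the client actually sent before attributing timeouts to this bug; a query with no OPT RR at all has no EDNS version and was never affected.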


462827-8 : Headers starting with X-F5 may cause problems if not X-F5-REST-Coordination-Id

Component: Device Management

Symptoms:
Some requests sent to the BIG-IP system with a header whose name starts with X-F5 but is not X-F5-REST-Coordination-Id may have their HTTP request headers parsed improperly. This affects iControl REST URIs including:
/mgmt/tm/analytics/...
/mgmt/tm/vcmp/...
/mgmt/tm/actions/...
/mgmt/tm/gtm/...
/mgmt/tm/ltm/...
/mgmt/tm/net/...
/mgmt/tm/pem/...
/mgmt/tm/util/...
/mgmt/tm/sys/...
/mgmt/tm/cli/...
/mgmt/tm/security/...
/mgmt/tm/ilx/...
/mgmt/tm/apm/...
/mgmt/tm/transaction/...
/mgmt/tm/auth/...
/mgmt/tm/wom/...
/mgmt/tm/cm/...
/mgmt/tm/wam/...

Conditions:
Headers prefixed with X-F5 that are not X-F5-REST-Coordination-Id.

Impact:
Headers are not parsed properly.

Workaround:
None

Fix:
The system now checks the full header name to decide whether a header is X-F5-REST-Coordination-Id, instead of matching only on the X-F5 prefix.
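As an added illustration (not F5 code) of the parsing defect described here, the block below parses a request head and compares a prefix match on "X-F5" with the exact-name match the fix describes. The sample request, the host name, the coordination id value and the X-F5-Request-Source header name are all constructed for the example; nothing on this page says BIG-IP emits or expects that header.

```python
"""Added example: prefix match vs exact match for X-F5-REST-Coordination-Id."""
from typing import List, Optional, Tuple

COORDINATION_HEADER = "x-f5-rest-coordination-id"


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split an HTTP/1.1 request head into (name, value) pairs; names are case-insensitive."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def coordination_id_prefix(headers: List[Tuple[str, str]]) -> Optional[str]:
    """Pre-fix behaviour: the first header whose name starts with 'x-f5' is taken as the id."""
    for name, value in headers:
        if name.startswith("x-f5"):
            return value
    return None


def coordination_id_exact(headers: List[Tuple[str, str]]) -> Optional[str]:
    """Fixed behaviour: only the full header name X-F5-REST-Coordination-Id is accepted."""
    for name, value in headers:
        if name == COORDINATION_HEADER:
            return value
    return None


# Constructed sample request. X-F5-Request-Source is a hypothetical header name, used only
# to show a second X-F5-prefixed header arriving before the real coordination header.
SAMPLE_REQUEST = (
    b"GET /mgmt/tm/ltm/pool HTTP/1.1\r\n"
    b"Host: bigip.example.test\r\n"
    b"X-F5-Request-Source: automation\r\n"
    b"X-F5-REST-Coordination-Id: 6f2d9c1a\r\n"
    b"\r\n"
)

# The same request with no coordination header at all.
SAMPLE_NO_TXN = SAMPLE_REQUEST.replace(b"X-F5-REST-Coordination-Id: 6f2d9c1a\r\n", b"")


if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_REQUEST)
    print("prefix match:", coordination_id_prefix(hdrs))   # automation (wrong header)
    print("exact match: ", coordination_id_exact(hdrs))    # 6f2d9c1a
```

The second sample shows the worse failure mode: with no coordination header present at all, the prefix match still returns a value, so an unrelated header silently becomes a transaction id.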


462714-3 : Source address persistence record times out even while traffic is flowing on FastL4 profile virtual server

Component: Local Traffic Manager

Symptoms:
A source address persistence record created on a virtual server with a FastL4 profile times out and is aged out even while traffic is still flowing on that flow. The traffic that triggers this issue is UDP with a checksum of 0.

Conditions:
The profile must be FastL4. Traffic that is UDP with a checksum of 0, SCTP, or ESP is affected.

Impact:
Source address persistence is not usable as the entry ages out when it should not.

Workaround:
None.

Fix:
Source address persistence record no longer times out unexpectedly on FastL4 profile virtual server.


462598-3 : Failover triggered due to a TMM crash resulting from unavailable APM renderer pool members.

Component: Access Policy Manager

Symptoms:
When the APM Access renderer or renderer pool (used for serving internal pages) goes down for any reason, tmm enters a retry loop and sod kills tmm.

Conditions:
At a minimum, APM must be in use. The problem has been seen with a malformed iRule in place.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This has only been observed with an incorrectly formed iRule, so fixing the associated iRule to operate as intended will likely resolve the problem. If this occurs without an associated iRule, there is no workaround.

Fix:
Now when an APM renderer or renderer pool (used for serving internal pages) goes down, APM detects the unavailability and sends a TCP Reset to the client.


462268-1 : Long session variable processing in the variable assignment agent

Component: Access Policy Manager

Symptoms:
Before the fix, the variable assignment agent could not operate on session variables larger than 4096 bytes.

Conditions:
The variable assignment agent uses a session variable whose value is longer than 4 KB.

Impact:
Some well-known Active Directory attributes cannot be processed, such as memberOf when a user is a member of thousands of groups, or member when a group has thousands of members.

Workaround:
None

Fix:
There is no longer a limit on session variable value length in the variable assignment agent.


462187-6 : 'tmsh list net tunnels' and GUI tunnel access fail for non-admin users

Component: TMOS

Symptoms:
'tmsh list net tunnels' and GUI tunnel access fail for non-admin users. Non-admin users have access to all partitions via tmsh.

Conditions:
This occurs for non-admin users on the tunnel list page when selecting a predefined tunnel or one that has been configured.

Impact:
The command or operation fails. The system displays the following error: Unexpected Error: Can't display all items, can't get object count from mcpd.

Fix:
Non-admin users can now use the GUI to access the tunnel list page or properties for a configured tunnel without error.


461715-2 : AVR: Collecting geolocation IDs

Component: Application Visibility and Reporting

Symptoms:
A long computation in geolocation handling caused the keep-alive timer to stop the bd process.

Conditions:
This occurred during a stress run while bd was running.

Impact:
The bd process crashes.

Workaround:
There is no workaround.

Fix:
AVR now collects geolocation information more efficiently, so the long computation no longer occurs and the keep-alive timer does not stop the bd process.


461597-10 : Mac Edge Client doesn't follow HTTP 302 redirect if the new site has an untrusted self-signed certificate

Component: Access Policy Manager

Symptoms:
BIG-IP Edge Client for Mac does not follow HTTP 302 redirect if new site has an untrusted self-signed certificate.

Conditions:
BIG-IP Edge Gateway with the Mac Edge Client, and an HTTP 302 redirect to a new site with an untrusted certificate.

Impact:
User might not be able to log in if HTTP 302 redirect is configured for a site with an untrusted certificate.

Workaround:
Configure APM with a trusted certificate, or configure the client machine to trust APM's certificate.

Fix:
BIG-IP Edge Client for Mac now follows the HTTP 302 redirect when the new site has an untrusted self-signed certificate, and the user can log in successfully.


461587-6 : TCP connection can become stuck if client closes early

Component: Local Traffic Manager

Symptoms:
The connection remains half-open and appears in the connection flow table after a FIN/ACK is received from the server side; the BIG-IP system never sends a FIN/ACK to the server side to indicate that the connection has been closed.

Conditions:
The client-side connection is closed before the server-side 3-way handshake completes, and the LB::reselect command is issued via an iRule.

Impact:
The connection remains half-open and stuck in the connection flow table.

Fix:
Serverside connections established due to LB::reselect will now correctly get closed after the 3-way handshake completes if the corresponding clientside connection has already been closed.


461560-6 : Edge client CTU report does not contain interface MTU value

Component: Access Policy Manager

Symptoms:
Client troubleshooting utility reports do not log the value of MTU on network interfaces.

Conditions:
This occurs on the APM client CTU report.

Impact:
Troubleshooting MTU-related issues becomes difficult.

Workaround:
Use third-party tools to capture MTU values.


461216-2 : Cannot rename some files using CIFS optimization of the BIG-IP system.

Component: Wan Optimization Manager

Symptoms:
Cannot rename some files using CIFS optimization of the BIG-IP system.

Conditions:
Occurs on BIG-IP systems with a WOM configuration and CIFS optimization enabled when the file names are very long.

Impact:
Unable to rename files with long file names using CIFS optimization of the BIG-IP system; wocplugin cores.

Workaround:
None.

Fix:
You can now rename files with long filenames using CIFS optimization of the BIG-IP system.


461084-2 : Kerberos Auth might fail if client request contains Authorization header

Component: Access Policy Manager

Symptoms:
When the BIG-IP system is configured with Kerberos Auth agent and the client sends a request with an Authorization header prior to the "HTTP 401" challenge, authentication fails.

Conditions:
An authentication request to the BIG-IP system contains an Authorization header, and Kerberos Auth is configured.

Impact:
Authentication can fail, and the client might see a login prompt again when its IP address changes.

Workaround:
None

Fix:
The client's Kerberos authentication now succeeds.


460833-2 : MCPD sync errors and restart after multiple modifications to file object in chassis

Component: TMOS

Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:

1. Errors are logged to /var/log/ltm similar to the following:

err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..

2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.

Conditions:
This symptom may occur under the following conditions:

1. Two or more VIPRION chassis are configured in a device sync group.
2. File objects (such as SSL certificates) are added/modified/deleted on one chassis in the group.
3. These changes are synchronized to other members of the device sync group.
4. While the previous changes are still being synchronized to all blades in all chassis in the device sync group, an overlapping set of file objects are added/modified/deleted on a chassis in the group (typically the same chassis as in step 2).
5. While the previous sync operation is still in progress, these subsequent changes are synchronized to other members of the device sync group.

Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.

Workaround:
After performing one set of file-object modifications and synchronizing those changes to the HA group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing additional file-object changes.

Fix:
After performing one set of file-object modifications and synchronizing those changes to the HA group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing additional file-object changes.


460627-5 : SASP monitor starts a new connection to the Group Workload Manager (GWM) server when a connection to it already exists

Component: Local Traffic Manager

Symptoms:
When the SASP monitor starts up, it can attempt to open a new TCP connection to the GWM server when another connection exists to it.

Conditions:
This happens when a GWM server sends SendWeight messages to the SASP monitor immediately after registration of one pool member is complete, but before registration of all pool members is complete.

Impact:
The SASP monitor sends a FIN on an existing TCP connection to the GWM server.

Workaround:
This issue has no workaround at this time.

Fix:
SendWeight messages are now processed only after registration of all pool members is complete. Monitor logging has been significantly improved. In addition, a crashing bug that caused the SASPD monitor process to restart has been fixed.


460456-3 : FW RELEASE: Incorporate 5000, 5050, 5250 BIOS 2.06.214.0

Component: TMOS

Symptoms:
This is a standard bug used for tracking the incorporation of Firmware changes.

Conditions:
The purpose of this change is to integrate a firmware package into the BIG-IP build.

Impact:
This change has no impact.

Workaround:
None.

Fix:
Incorporated 5000, 5050, 5250 BIOS 2.06.214.0 into BIG-IP firmware.


460444-3 : VIPRION B4300 BIOS version 2.03.052.0 update

Component: TMOS

Symptoms:
1. The Disk Erase operation takes longer than expected, and may time out before completion. The Disk Erase progress bar may show 100% with 1 minute still remaining.
2. Pressing the ESC key at Disk Erase confirmation dialogs results in continuation. Pressing the ESC key in the Disk Erase intermittently causes the highlighted action to be performed. (ID458683-2)

Conditions:
Affects VIPRION B4300 series blades.

Impact:
1. The Disk Erase operation may time out before completion. The Disk Erase progress bar may show 100% completion prematurely.
2. Disk Erase operations may be initiated unintentionally. (ID458683-2)


460428-3 : BIG-IP 2000-/4000-series BIOS version 2.02.171.0 update

Component: TMOS

Symptoms:
1. The Disk Erase operation takes longer than expected, and may time out before completion. The Disk Erase progress bar may show 100% with 1 minute still remaining.
2. Pressing the ESC key at Disk Erase confirmation dialogs results in continuation. Pressing the ESC key in the Disk Erase intermittently causes the highlighted action to be performed. (ID458683-4)

Conditions:
Affects BIG-IP 2000-/4000-series appliances.

Impact:
1. The Disk Erase operation may time out before completion. The Disk Erase progress bar may show 100% completion prematurely.
2. Disk Erase operations may be initiated unintentionally. (ID458683-4)


460427-6 : Address collision reported when the Primary blade goes down or its TMM crashes in a Chassis IntraCluster environment.

Component: Access Policy Manager

Symptoms:
In a Chassis IntraCluster environment, when the Primary blade or its TMM goes down for any reason (e.g., crash, restart, or shutdown), the system posts 'IPv4 Addr collision' messages in the APM logs.

Conditions:
This happens when a Chassis platform is used in IntraCluster mode with APM's Network Access.

Impact:
Address collision is reported in the logs, and affected clients (that have duplicate IP addresses - both the original ones and the new ones) might intermittently lose connectivity.

Workaround:
None.

Fix:
Now the TMM leasepool IP information for the primary blade is mirrored on the oldest secondary blade, so the system no longer posts 'IPv4 Addr collision' messages.


460422-3 : BIOS 4.01.006.0 for BIG-IP 10000, 10250, 10350 platforms.

Component: TMOS

Symptoms:
BIOS 4.01.006.0 for BIG-IP 10000, 10250, 10350 platforms.

Conditions:
Firmware earlier than BIOS 4.01.006.0 on the BIG-IP 10000, 10250, 10350 platforms.

Impact:
Updated BIOS needed.

Workaround:
None.

Fix:
BIOS 4.01.006.0 has been incorporated into the BIG-IP 10000, 10250, 10350 platforms.


460406-3 : VIPRION B2100-series BIOS version 1.06.043.0 update

Component: TMOS

Symptoms:
1. The Disk Erase operation takes longer than expected, and may time out before completion. The Disk Erase progress bar may show 100% with 1 minute still remaining.
2. Pressing the ESC key at Disk Erase confirmation dialogs results in continuation. Pressing the ESC key in the Disk Erase intermittently causes the highlighted action to be performed. (ID458683-1)

Conditions:
Affects VIPRION B2100 and B2150 blades.

Impact:
1. The Disk Erase operation may time out before completion. The Disk Erase progress bar may show 100% completion prematurely.
2. Disk Erase operations may be initiated unintentionally. (ID458683-1)


460397-3 : FW RELEASE: Incorporate B2250 BIOS 1.26.012.0

Component: TMOS

Symptoms:
The purpose of this bug is to incorporate firmware into the BIG-IP Release.

Conditions:
The purpose of this bug is to incorporate firmware into the BIG-IP Release when there is a change to the maintenance firmware.

Impact:
There is no impact with this change.

Workaround:
None.

Fix:
FW RELEASE: Incorporated B2250 BIOS 1.26.012.0 into BIG-IP release.


460165-5 : General Database Error when accessing Clusters or Templates page

Component: TMOS

Symptoms:
On multi-blade chassis systems, the Templates and Clusters pages conflict. If you navigate to the Clusters page and then to Templates, the Templates page is blank and posts a General Database Error, and vice versa.

Conditions:
This occurs only in a multi-blade chassis system (i.e., where there is a Clusters page).

Impact:
Ability to configure via the UI is degraded. System posts an error in catalina.out: ERROR [TP-Processor3] application_005ftemplate.list_jsp:_jspService - Column not found: SLOT_ID in statement [SELECT LIMIT 0 10 OPTIMIZED * FROM app_template ORDER BY slot_id ASC].

Workaround:
Restart tomcat each time you want to use these pages.

Fix:
The Templates and Clusters pages now load correctly.


459884-5 : Large POST requests are not handled well by APM.

Component: Local Traffic Manager

Symptoms:
Large (4 MB or more) POST requests cause APM to crash if the request is retried. (The default POST limit is 64 KB, but it can be increased in the configuration.)

Conditions:
An unusually large POST limit is configured in APM, and a large POST needs to be retried.

Impact:
TMM may core because it cannot obtain the required contiguous block of memory due to fragmentation.

Workaround:
Make sure the POST limit is 4 MB or lower.

Fix:
APM no longer cores when it is configured to accept large POST requests and the POST cannot be buffered.


459671-1 : iRules source different procs from different partitions and executes the incorrect proc.

Component: Local Traffic Manager

Symptoms:
iRules source different procs from different partitions and executes the incorrect proc.

Conditions:
iRule procs with the same name are defined in multiple administrative partitions.

Impact:
The iRules proc lookup algorithm is not deterministic, or virtual servers are improperly caching and sharing the lookup results, so the wrong proc may be executed.

Workaround:
To work around this issue, ensure all iRule proc names defined in the BIG-IP configuration are unique.


459584-2 : TMM crashes if request URI is empty or longer than 4096 bytes.

Component: Access Policy Manager

Symptoms:
TMM crashes and restarts.

Conditions:
This occurs when using URL redirection on APM. An empty request URI, or one longer than 4096 bytes, can trigger it.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure the request URI is not empty or longer than 4096 bytes. Note that the request URI is supplied by the client, so this cannot be enforced from the BIG-IP side.

Fix:
TMM no longer crashes if request URI is empty or longer than 4096 bytes.


459100-6 : TMM may crash when offloading one-way UDP FastL4 flow

Component: Local Traffic Manager

Symptoms:
When handling UDP traffic on a FastL4 virtual server, TMM sometimes tries to offload both the client-side and server-side flows when there is only one-way traffic (either client-side or server-side). This results in a TMM crash on an invalid pointer access.

Conditions:
HSBe2 platform, FastL4 VIP for UDP traffic, and one-way traffic during run time.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.

Fix:
TMM now handles one-way UDP traffic offloading correctly.


459024-1 : Error L4 packets hitting configured whitelist entries were not matched on protocol

Component: Advanced Firewall Manager

Symptoms:
For error vectors, only the VLAN keys were matched; the protocol was not matched.

Conditions:
An error packet is sent, and its protocol is not compared against the whitelist entry.

Impact:
Before this fix, the protocol of error packets was not compared with the protocol in the configured whitelist (WL) entries, so such packets were not dropped. After the fix, the error packet's protocol is matched against the protocol specified in the WL entries, and the appropriate action is taken.

Workaround:
None


458872-1 : Check SACK report before treating as dupack

Component: Local Traffic Manager

Symptoms:
TCP uses duplicate ACKs as a sign that data has left the network. When SACK is enabled, the SACK blocks carry better information about this. When SACK indicates that no data has left the network, duplicate ACK processing should not run.

Conditions:
SACK is enabled and duplicate ACKs arrive.

Impact:
TCP sends data in excess of what is authorized by the congestion window.

Workaround:
The performance impact is mild, so no workaround is necessary.

Fix:
Consider SACK information before dupack processing.
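The following is an added, simplified sender model (not TMM code) showing why SACK has to be consulted before an ACK is counted as a duplicate. It replays a constructed ACK trace through RFC 5681 fast recovery twice: once counting every repeated ACK as a dupack, once ignoring ACKs whose SACK blocks report nothing new. The sequence numbers, cwnd and the ssthresh approximation (cwnd/2) are assumptions of the example.

```python
"""Added example: check SACK before treating a repeated ACK as a duplicate ACK."""
from typing import List, Sequence, Tuple

MSS = 1460


def sacked_bytes(blocks: Sequence[Tuple[int, int]]) -> int:
    """Bytes covered by SACK blocks [(left_edge, right_edge), ...], with overlaps merged."""
    merged: List[Tuple[int, int]] = []
    for left, right in sorted(blocks):
        if merged and left <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], right))
        else:
            merged.append((left, right))
    return sum(right - left for left, right in merged)


class TcpSender:
    def __init__(self, snd_una: int, cwnd: int, sack_first: bool):
        self.snd_una = snd_una        # oldest unacknowledged sequence number
        self.cwnd = cwnd
        self.sack_first = sack_first  # True: consult SACK before dupack processing (the fix)
        self.sacked = 0               # bytes the peer has reported as SACKed so far
        self.dupacks = 0
        self.in_recovery = False

    def on_ack(self, ack: int, sack_blocks: Sequence[Tuple[int, int]] = ()) -> str:
        if ack > self.snd_una:                       # cumulative progress: leave recovery
            self.snd_una, self.dupacks, self.sacked = ack, 0, 0
            self.in_recovery = False
            return "new-ack"
        total = sacked_bytes(sack_blocks)
        newly_sacked = total - self.sacked
        self.sacked = max(self.sacked, total)
        if self.sack_first and newly_sacked <= 0:
            return "ignored"                         # SACK says nothing new left the network
        self.dupacks += 1
        if self.in_recovery:
            self.cwnd += MSS                         # RFC 5681 step 3: inflate cwnd per dupack
            return "inflate"
        if self.dupacks == 3:
            self.in_recovery = True
            self.cwnd = self.cwnd // 2 + 3 * MSS     # RFC 5681 step 2 (ssthresh approximated as cwnd/2)
            return "fast-retransmit"
        return "dupack"


# Constructed ACK trace: snd_una stays at 1000. ACKs 4 and 5 repeat the SACK blocks of ACK 3,
# so they report no new data leaving the network even though they look like duplicate ACKs.
ACK_TRACE = [
    (1000, [(2460, 3920)]),
    (1000, [(2460, 5380)]),
    (1000, [(2460, 6840)]),
    (1000, [(2460, 6840)]),
    (1000, [(2460, 6840)]),
    (1000, [(2460, 8300)]),
]


def run(sack_first: bool) -> Tuple[List[str], int]:
    """Replay ACK_TRACE; return the per-ACK decision and the final cwnd."""
    s = TcpSender(snd_una=1000, cwnd=10 * MSS, sack_first=sack_first)
    return [s.on_ack(ack, blocks) for ack, blocks in ACK_TRACE], s.cwnd


if __name__ == "__main__":
    print("pre-fix :", run(sack_first=False))
    print("post-fix:", run(sack_first=True))
```

The difference in the final cwnd (two extra MSS of inflation in the pre-fix run) is the "data in excess of what is authorized by the congestion window" the Impact describes: the sender is allowed to put more into the network than SACK says has left it.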


458823-2 : TMM Crash can lead to crash of other processes

Component: Application Visibility and Reporting

Symptoms:
When TMM crashes abnormally, the restart procedure can cause subsequent crashes of other processes in the system.

Conditions:
Relates to cases in which TMM crashes abnormally as a result of other issues.

Impact:
The crashes of the other processes have no additional impact on the system; the TMM crash itself is the main impact.
However, the core dump files left by the other processes raise concerns about why several processes crashed, which leads to customer escalations.

Fix:
The non-TMM processes are shut down more gracefully and are not crashing with core dumps during the system restart.


458822-5 : Cluster status may be incorrect on secondary blades

Component: Local Traffic Manager

Symptoms:
Cluster status may be out of date on secondary blades.

Conditions:
A race condition becomes apparent when the cluster status is changed on the primary blade; the change may not take effect on the secondary blades.

Impact:
The cluster status when viewed on a secondary blade may not be up to date. clusterd's status will be correct, but mcpd's copy of the message may be out of date.

Workaround:
None; this is a cosmetic issue.

Fix:
Changes are now immediately reflected on secondary blades when the cluster status is changed on the primary blade.


458810-1 : Time field may not display correctly in log search function

Component: Advanced Firewall Manager

Symptoms:
On the event log page, searching by time and then clicking another field causes the time field to not display.

Conditions:
Always

Impact:
Display temporarily omits the time field.

Workaround:
Clicking a second time causes the time field to display.

Fix:
The time field in the event log search function now displays correctly.


458770-4 : [Mac][Edge] Edge client doesn't handle ending redirects to the same box if second access policy assumes interaction

Component: Access Policy Manager

Symptoms:
The Mac Edge Client does not work properly with ending redirects if the redirect is to the same box (another virtual server) and the second access policy contains agents that require interaction (Logon Page, Message Box, Mac Process Check).

Conditions:
The redirect does not work when a subsequent agent requires interaction.

Impact:
The redirect does not work.

Workaround:
None.

Fix:
The redirect now works when the subsequent agent requires interaction.


458737-1 : Non-printable characters are escaped before hex encoding

Component: Access Policy Manager

Symptoms:
In non-printable values of AD/LDAP attributes, BIG-IP processing escapes the "|" (pipe) character.

Conditions:
This occurs when there is an AD/LDAP query in use and the query returns binary attributes with the "|" (pipe) character.

Impact:
This creates a problem when the value is decoded back to its original form, a process that includes removing the escape characters: the resulting data does not match the original binary data.

Workaround:
Unescape binary attribute values after hex decoding to recover the original value.

Fix:
When an AD or LDAP query is in use and the query returns binary attributes with the "|" (pipe) character, APM now checks whether the value contains non-printable characters, and if so, hex encodes the value. If the value is printable, APM escapes the "\" and "|" characters (because "|" is used as a separator for multivalue attributes).
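As an added example (not APM code) of the encoding rule in the Fix, the block below implements the two orderings side by side: the pre-fix path escapes "\" and "|" first and then hex-encodes, which bakes the escape bytes into the hex; the fixed path decides on the raw value, hex-encodes non-printable values untouched and escapes only printable ones. The "hex:" tag that marks hex-encoded items, the multi-value join on "|", and the two sample attribute values are assumptions of this example; the page does not describe how APM marks hex-encoded values.

```python
"""Added example: '|'-separated multi-value attribute encoding, pre-fix vs fixed ordering."""
from typing import List

HEX_TAG = b"hex:"   # assumed marker for hex-encoded items; not from the page


def is_printable(value: bytes) -> bool:
    return all(0x20 <= b < 0x7F for b in value)


def escape(value: bytes) -> bytes:
    """Backslash-escape '\\' and '|' so the value can sit inside a '|'-separated list."""
    out = bytearray()
    for b in value:
        if b in (0x5C, 0x7C):        # '\\' and '|'
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def unescape(value: bytes) -> bytes:
    """Reverse escape(): drop each escape byte and keep the byte that follows it."""
    out = bytearray()
    i = 0
    while i < len(value):
        if value[i] == 0x5C and i + 1 < len(value):
            i += 1
        out.append(value[i])
        i += 1
    return bytes(out)


def encode_value(value: bytes, fixed: bool = True) -> bytes:
    if fixed:
        # Fixed ordering: hex-encode the raw bytes if non-printable, otherwise escape.
        return escape(value) if is_printable(value) else HEX_TAG + value.hex().encode()
    # Pre-fix ordering: escape first, then hex-encode the already-escaped bytes.
    escaped = escape(value)
    return escaped if is_printable(value) else HEX_TAG + escaped.hex().encode()


def decode_value(enc: bytes) -> bytes:
    if enc.startswith(HEX_TAG):
        return bytes.fromhex(enc[len(HEX_TAG):].decode())
    return unescape(enc)


def encode_multivalue(values: List[bytes], fixed: bool = True) -> bytes:
    return b"|".join(encode_value(v, fixed) for v in values)


def decode_multivalue(blob: bytes) -> List[bytes]:
    """Split on unescaped '|' only, then decode each item."""
    items, cur, i = [], bytearray(), 0
    while i < len(blob):
        if blob[i] == 0x5C and i + 1 < len(blob):   # escaped byte: copy both bytes
            cur += blob[i:i + 2]
            i += 2
        elif blob[i] == 0x7C:                        # unescaped separator
            items.append(bytes(cur))
            cur = bytearray()
            i += 1
        else:
            cur.append(blob[i])
            i += 1
    items.append(bytes(cur))
    return [decode_value(item) for item in items]


# Constructed sample: a printable memberOf-style value containing '|', and a binary value
# containing '|', '\\' and non-printable bytes.
SAMPLE_VALUES = [b"CN=Ops Team|Tier 1,OU=Groups", b"\x01\x02|\\\x7f\x00"]


if __name__ == "__main__":
    print("fixed  :", decode_multivalue(encode_multivalue(SAMPLE_VALUES, fixed=True)))
    print("pre-fix:", decode_multivalue(encode_multivalue(SAMPLE_VALUES, fixed=False)))
```

Decoding the pre-fix encoding returns the escaped bytes rather than the original binary value, which is the mismatch the Impact describes; applying unescape() to that result is the page's workaround and recovers the original.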


458563-3 : A "status down" message is logged when enabling a pool member that was previously disabled

Component: TMOS

Symptoms:
When a pool member is disabled and subsequently re-enabled, it logs a message saying that the monitor status is down for a very short time (just prior to coming back up). This is because the system is in the state "forced down" when the pool member is disabled, and when it is re-enabled it transitions to the state "down" and then immediately to the state "up", and each of these transitions is logged.

Conditions:
A pool member is disabled, then re-enabled.

Impact:
A potentially confusing log message.

Workaround:
None.

Fix:
We no longer log the transition from "forced down" to "down".


458348-3 : RESOLV:: iRule commands and sFlow don't function correctly when using non-default CMP hashing.

Component: Local Traffic Manager

Symptoms:
Packets originating from the RESOLV:: iRule commands and sFlow are not routed correctly when using non-default CMP hashing on external and internal VLANs.

Conditions:
External and internal VLANs have, respectively, src-ip and dst-ip cmp hashing configured.

Impact:
Packets are dropped.

Fix:
RESOLV:: iRule commands and sFlow now function correctly when using non-default CMP hashing.


458104-6 : LTM UCS load merge trunk config issue

Component: TMOS

Symptoms:
Performing the load sys ucs command does not overwrite the trunk interface configuration; it merges it with the existing setting. When loading a UCS with the RMA flag, you may not get the expected results. The expected outcome is that the trunk is overwritten, not merged.

Conditions:
Current configuration has a trunk with several interface members.

The UCS to be loaded contains the same trunk name but with other interfaces.

Impact:
The trunk incorrectly appears as merged, containing both sets of interfaces.
 
The config on disk bigip_base.conf shows the correct config.
Reboot does not resolve the issue.

Workaround:
1. Restore the BIG-IP configuration to factory default settings using the command sequence: -- load sys config default. -- load sys ucs example.ucs no-license. -- save sys config.
2. Force the mcpd process to reload the BIG-IP configuration with the command sequence: touch /service/mcpd/forceload. -- load sys ucs example.ucs no-license. -- save sys config.

Fix:
Trunk config member interfaces are no longer merged during load. Only the trunk member interfaces defined in the config are present after a load.


457951-3 : openldap/ldap.conf file is not part of ucs backup archive.

Component: TMOS

Symptoms:
/etc/openldap/ldap.conf is not saved as part of a UCS backup.

Conditions:
The /usr/libdata/configsync/cs.dat file on the BIG-IP system does not have an entry for /etc/openldap/ldap.conf.

Impact:
Any changes in /etc/openldap/ldap.conf will not get backed up.

Workaround:
None.

Fix:
Added /etc/openldap/ldap.conf file to cs.dat.


457902-5 : No EAM stack trace logged in /var/log/apm on an EAM crash

Component: Access Policy Manager

Symptoms:
On an EAM crash, the stack trace and fault address were not logged to /var/log/apm.

Conditions:
EAM crashes, and the signal handler logs few details to /var/log/apm.

Impact:
Core debugging is harder because the signal handler does not log the stack trace, fault address, and similar details.

Workaround:
No workaround

Fix:
[OAM] The signal handler now logs the stack trace, fault address, and similar details to /var/log/apm.


457811-1 : CVE-2013-6438 : HTTPD Vulnerability

Vulnerability Solution Article: K15300


457760-6 : EAM not redirecting stdout/stderr from standard libraries to /var/log/apm

Component: Access Policy Manager

Symptoms:
Logs from standard libraries were not redirected to /var/log/apm in EAM plugin.

Conditions:
Stdout/stderr from standard libraries are affected.

Impact:
stderr/stdout from standard libraries were not logged, which hampered troubleshooting.

Workaround:
None.

Fix:
[OAM] stdout/stderr from standard libraries are now redirected to /var/log/apm.


457603-3 : Cookies handling issue with Safari on iOS6, iOS7

Component: Access Policy Manager

Symptoms:
The wrong set of cookies is sent to the backend with some requests. The issue is very intermittent.

Conditions:
Web application with Portal Access when Safari on iOS 6 or iOS 7 is used.

Impact:
Web application malfunction.

Workaround:
This issue has no workaround at this time.

Fix:
Web applications with portal access using Safari on iOS now work correctly when an 'onbeforeunload' event occurs.


457568-1 : Loading of configuration fails intermittently due to WOC Plug-in-related issues.

Component: Wan Optimization Manager

Symptoms:
Loading of configuration fails intermittently due to WOC Plug-in-related issues.

Conditions:
This rarely encountered issue occurs when the BIG-IP system is configured with AAM (formerly WOM/WOC/WAM) objects and there is an attempt to change or load the configuration.

Impact:
Configuration load fails. Cannot change the configuration.

Workaround:
Manually change the configuration and restart/reboot the system.

Fix:
Loading of configuration no longer fails due to WOC Plug-in-related issues.


457525-3 : When DNS resolution for AppTunnel resource fails, the resource is removed

Component: Access Policy Manager

Symptoms:
The app tunnel is removed from the webtop if one of its items is not DNS-resolvable.

Conditions:
This issue occurs when at least one of the items in an app tunnel resource is not DNS-resolvable.

Impact:
If one of the items in an app tunnel resource is not DNS-resolvable, the whole app tunnel resource is removed.

Workaround:
This issue has no workaround at this time.

Fix:
APM now removes an app tunnel resource from a webtop only if none of its resource items are DNS-resolvable; otherwise, the app tunnel continues to work with the resource items that are resolvable.


457109-3 : Traffic misclassified and matching wrong rule in CPM policy.

Component: Local Traffic Manager

Symptoms:
Traffic matches the wrong rule in Centralized Policy Management (CPM) policy. User traffic is matching either uri or host headers to rules that should not match the header.

Conditions:
A long list of hosts in certain rules causes incorrect execution of the state machine due to wraparound in a shift operation.

Impact:
Misclassification and forwarding of traffic.

Workaround:
This issue has no workaround at this time.

Fix:
A range check has now been added to correctly classify and forward traffic in the case of incorrect rules in CPM policies.


456853-2 : DTLS cannot handle client certificate when client does not send CertVerify message.

Component: Local Traffic Manager

Symptoms:
For DTLS, the ChangeCipherSpec (CCS) record is held until all other handshake messages except Finished have been handled. When peer-cert-mode (pcm) is set to request, the client may not send a CertificateVerify message, and the BIG-IP system waits for CertificateVerify until the timeout.

Conditions:
DTLS with a client-ssl profile whose peer-cert-mode is set to request; the client sends a client certificate but may or may not send CertificateVerify.

Impact:
BIG-IP waits for CertVfy until timeout.

Workaround:
None.

Fix:
For DTLS, the CCS record is held until all other handshake messages besides Finished have been handled. When pcm is set to request, the client may or may not send a CertVfy message. In that case (expcertvfy=TRUE and pcm=request), BIG-IP holds the CCS at most DTLS_MAX_NUM_HOLD_CCS_WAIT_CERTVFY times.

When pcm=request and the client sends a client certificate message to BIG-IP (client-ssl profile), there are two cases for DTLS:
1. The client never sends a CertVfy message. When BIG-IP receives the CCS message, it should process the CCS rather than hold it.
2. The client sends a CertVfy message, but in the wrong order: CCS, then CertVfy. In this case, BIG-IP should hold the CCS and wait for the CertVfy message; after BIG-IP receives the CertVfy, it processes the CertVfy followed by the CCS.

After BIG-IP receives a CCS message, it does not know whether a CertVfy message is still to come. It therefore holds the CCS for up to three (DTLS_MAX_NUM_HOLD_CCS_WAIT_CERTVFY) retransmissions of the message before concluding that the client will not send a CertVfy. hs->num_hold_ccs_wait_certvfy is the counter for this; it only ever increases, and once it reaches 3, BIG-IP starts processing the CCS message.
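The hold-and-release rule above is easier to follow as a small state machine. The following is an added example, not BIG-IP code: it models a DTLS server flight receiving records from the client and applies the bounded hold described for this fix. The record names, the `pcm` and `client_sent_certificate` parameters, and the class itself are illustrative assumptions; the limit of three comes from the text, and treating pcm=require as an unbounded hold (left to the DTLS timeout) is this model's assumption.

```python
# Added example (not BIG-IP code): a model of the CCS-hold logic described for
# ID 456853-2. Record names, the pcm/expcertvfy parameters and the class are
# assumptions used for illustration; the limit value 3 comes from the page.
DTLS_MAX_NUM_HOLD_CCS_WAIT_CERTVFY = 3


class DtlsServerHandshake:
    """Tracks whether a held ChangeCipherSpec (CCS) may be released."""

    def __init__(self, pcm="request", client_sent_certificate=True):
        self.pcm = pcm                              # client-ssl peer-cert-mode
        self.expcertvfy = client_sent_certificate   # a CertVfy may still follow
        self.certvfy_seen = False
        self.held_ccs = None
        self.num_hold_ccs_wait_certvfy = 0          # hs->num_hold_ccs_wait_certvfy
        self.processed = []

    def receive(self, record):
        """Feed one handshake record; return the records processed as a result."""
        out = []
        if record == "CertificateVerify":
            self.certvfy_seen = True
            out.append(record)
            if self.held_ccs is not None:
                # case 2 on the page: CCS arrived first, so it is processed after CertVfy
                out.append(self.held_ccs)
                self.held_ccs = None
        elif record == "ChangeCipherSpec" and self.expcertvfy and not self.certvfy_seen:
            if self.pcm == "request":
                # CertVfy is optional: hold the CCS, but only a bounded number of times
                self.num_hold_ccs_wait_certvfy += 1
                if self.num_hold_ccs_wait_certvfy < DTLS_MAX_NUM_HOLD_CCS_WAIT_CERTVFY:
                    self.held_ccs = record
                    return out
                # case 1: enough retransmissions without a CertVfy, stop waiting
                self.held_ccs = None
                out.append(record)
            else:
                # pcm=require: CertVfy is mandatory, keep holding until the DTLS
                # timeout expires elsewhere (assumption for this model)
                self.held_ccs = record
                return out
        else:
            out.append(record)
        self.processed.extend(out)
        return out


def run_flight(records, **kwargs):
    """Replay client records against a fresh state; return everything processed."""
    hs = DtlsServerHandshake(**kwargs)
    for r in records:
        hs.receive(r)
    return hs.processed
```

Replaying `["ChangeCipherSpec", "CertificateVerify"]` yields the CertVfy first and then the released CCS (case 2), while three retransmitted CCS records with no CertVfy release the CCS on the third (case 1).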


456766-2 : SSL Session resumption with hybrid handshake might fail

Component: Local Traffic Manager

Symptoms:
When SSL session resumption is used during a hybrid handshake (SSLv2 with TLS 1.0), the resumption might fail.

Conditions:
SSL session resumption is allowed, and is using a hybrid handshake.

Impact:
Session resumption would fail, necessitating a complete handshake to reconnect.

Workaround:
Disable the SSL session cache.

Fix:
SSL Session resumption now works in all expected cases.


456763-2 : L4 forwarding and TSO can cause rare TMM outages

Component: Local Traffic Manager

Symptoms:
In certain rare circumstances using L4 forwarding and TSO, the MSS sizes on client and server sides in combination with internal processing can cause an internal mismatch resulting in a TMM crash.

Conditions:
This applies only when using L4 forwarding virtuals with TSO; additional exact external conditions are still under investigation.

Impact:
This issue causes a failover or TMM outage.

Workaround:
This issue has no workaround at this time.

Fix:
TMM will properly handle cases when the MSS sizes would have led to underflow.


456608-5 : Direct links for frame content, with 'Frame.src = url'

Component: Access Policy Manager

Symptoms:
Direct links for frame content in a web application accessed through Portal Access are not rewritten correctly.

Conditions:
Direct links for frame content, when using 'Frame.src = url'.

Impact:
The web application malfunctions.

Fix:
Correct rewriting of 'obj.src = some_url' assignments was added to support web applications.


456573-5 : Sensor read faults with DC power supply

Component: TMOS

Symptoms:
While running BIG-IP v11.5.0 or later on BIG-IP 2000-/4000-/5000-/7000-/10000-series appliances using DC power supplies, error messages containing the following strings may appear in /var/log/ltm:

err chmand[####]: 012a0003:3: Sensor read fault for Power supply #1 fan-1
err chmand[####]: 012a0003:3: Sensor read fault for Power supply #1 meas. inlet temp
err chmand[####]: 012a0003:3: Sensor read fault for Power supply #2 fan-1
err chmand[####]: 012a0003:3: Sensor read fault for Power supply #2 meas. inlet temp

Conditions:
- BIG-IP 2000-/4000-/5000-/7000-/10000-series appliances
- DC power supplies (FND850 for 10000-series, FND300 for 2000-/4000-/5000-/7000-series)
- Running BIG-IP v11.5.0 or later.

Impact:
These errors result from a mismatch in the list of power supply sensors queried by BIG-IP, and the sensors actually present in a DC power supply.
These errors do not indicate a problem with the power supply in question.

Workaround:
These errors, when occurring under the conditions described, can be safely ignored.

Fix:
Power supply sensor values are successfully read without errors on BIG-IP 2000-/4000-/5000-/7000-/10000-series appliances with DC power supplies.


456413-4 : Persistence record marked expired though related connection is still active

Component: Local Traffic Manager

Symptoms:
A persistence record might be marked expired even though its corresponding connection is still active and passing traffic.

Conditions:
This occurs when using persistence.

Impact:
Persist records disappear in spite of flow activity that is more recent than the persist timeout.

Workaround:
Set the persistence timeout to at least 33 seconds longer than the related flow timeout.

Fix:
Persistence records are maintained when the connection and persistence timeouts are within 33 seconds of each other.


456263 : Platform marketing name for B4300 is incorrectly shown as A108

Component: TMOS

Symptoms:
When viewing the hardware information, the name is displayed as A108 instead of BIG-IP VPR-B4300.

Conditions:
Running Viprion B4300 and reviewing the hardware information via one of the management consoles.

Impact:
Incorrect name displayed.

Fix:
Platform marketing name for BIG-IP VPR-B4300 is now correct when viewed from management console.


456175-3 : Memory issues possible with really long interface names

Component: Local Traffic Manager

Symptoms:
When an interface has a very long name, it is possible for various functions to overrun the memory allocated and cause other problems. The other problems will vary, depending on what is running at the time of the memory overrun.

Conditions:
This can occur if the interface is associated with a non-default route domain.

Impact:
Possible loss of client connectivity, or random errors that may result in cores. Traffic disrupted while tmm restarts.

Fix:
Long interface names no longer cause issues.


455980-6 : Home directory is purged when the admin changes user password.

Component: TMOS

Symptoms:
When an admin changes a user's password, the contents of the home directory are purged, that is, the system deletes some or all of the files in that user's home directory.

Conditions:
This happens whenever a user's password is modified. It can also be triggered by an upgrade from 10.x.

Impact:
Some or all of the files in that user's home directory are deleted.

Workaround:
This issue has no workaround for the basic case at this time. However, when this is caused by a 10.x-to-11.x upgrade, the original files can be recovered by booting back into the 10.x boot location and copying them off the system (or by extracting them from a UCS, or by mounting the root lvm volume from the previous boot location).

Fix:
When an admin changes a user's password, that user's home directory is left intact.


455840-5 : EM analytic does not build SSL connection with discovered BIG-IP system

Component: Local Traffic Manager

Symptoms:
EM analytic does not build SSL connection with discovered BIG-IP system.

Conditions:
When using the management SSL client profile.

Impact:
EM analytic cannot connect to discovered BIG-IP system.

Fix:
Enterprise Manager analytics now works with BIG-IP systems running version 11.5.0 or later.


455762-3 : DNS cache statistics incorrect

Component: Local Traffic Manager

Symptoms:
DNS Cache statistics might skew high due to shared information between TMMs incrementing the same statistic multiple times.

Conditions:
Any DNS Cache might see this issue.

Impact:
DNS Cache Statistics are listed as higher than they should have been.

Workaround:
This issue has no workaround.

Fix:
DNS Cache Statistics are no longer being incremented multiple times for the same action.


455651-6 : Improper regex/glob validation in web-acceleration and http-compression profiles

Component: TMOS

Symptoms:
The use of regex or glob patterns in certain MCP configuration objects leads to inconsistent parsing across MCP and TMM. For glob patterns, for example, the TMM produces an error indicating that the regex is invalid, while entries such as *.js are correctly treated as globs.

Conditions:
MCP configuration objects supporting regex and glob inclusion/exclusion patterns lead to inconsistent parsing across MCP/TMM.

Impact:
Cacheable objects are improperly cached or are not cached, or objects are deflated or are not deflated in opposition to the customer's intent.

Workaround:
None.

Fix:
The parsing of regex and glob patterns has been improved for consistent behavior across MCP and TMM.


455553-8 : ICMP PMTU handling causes multiple retransmissions

Component: Local Traffic Manager

Symptoms:
When an improperly large TCP Maximum Segment Size (MSS) triggers ICMP PMTU messages, TCP responds by resending the entire send queue with the new MSS.

Conditions:
This occurs when you configure a path with an MTU less than 1500 Bytes and attempt a file transfer with initcwnd greater than 1.

Impact:
Large numbers of duplicate retransmissions.

Fix:
The entire send queue is no longer retransmitted multiple times when the MSS is improperly large.


455286-2 : BIG-IP might send both session ID and server certificate during renegotiation

Component: Local Traffic Manager

Symptoms:
When the BIG-IP initiates renegotiation, it might send both the session ID and the server certificate. This causes the client to send an 'unexpected message' alert.

Conditions:
BIG-IP initiates renegotiation.

Impact:
The SSL connection will fail.

Workaround:
None.

Fix:
If BIG-IP intends to do a complete handshake it will not send a session ID. This is correct behavior.


455264-2 : Error messages are not clear when adding member to device trust fails

Component: TMOS

Symptoms:
If you cannot reach the IP address of a device that you are adding to a device trust then the error message does not properly display in the GUI. For some errors the message is empty and for some errors the message contains unformatted xml data.

Conditions:
This problem occurs when adding a peer or subordinate to the device trust where the IP address cannot be reached.

Impact:
User cannot be sure what the problem with adding the device really is.

Workaround:
Verify that the address is correct and that you are able to route to the device you are trying to add to the device trust.

Fix:
During trust initiation, when the peer is unreachable, the system now posts the error message "This device is not found."


455006-6 : Invalid data is merged with next valid SIP message causing SIP connection failures

Component: Service Provider

Symptoms:
SIP phone connections fail.

Conditions:
SIP over UDP.

Impact:
SIP phone connections fail.

Workaround:
Create a packet filter to discard the invalid UDP datagrams.

Fix:
Invalid UDP datagrams that interfered with SIP processing are now dropped.


454784-2 : In VPE, %xx symbols, such as in the variable assign agent, might be decoded incorrectly.

Component: Access Policy Manager

Symptoms:
In VPE, %xx symbols might be decoded incorrectly. If a user assignment string contains percent-encoded symbols such as "%60", "%7E", "%21", "%40", or "%23", the saved string is written correctly but is re-read and displayed as the characters "`", "~", "!", "@", or "#". Saving it again might therefore cause unneeded re-encoding of those symbols.

Conditions:
Variable assign agent with an assigned string that contains a %xx symbol.

Impact:
Medium. The customer is confused and might not be able to modify a string that was saved and then loaded.

Workaround:
1. Edit bigip.conf directly.
2. Save the correct string in another location and paste it back before modifying, so that the %xx-encoded symbols are preserved.

Fix:
The encoding no longer re-encodes or re-decodes such symbols.


454583-4 : SPDY may cause the TMM to crash if it aborts while there are stalled streams.

Component: Local Traffic Manager

Symptoms:
If SPDY has a stalled stream and it is being aborted, it may cause the TMM to crash due to referencing cleared state.

100 Continue messages appeared in response bodies. 100 Continue responses sent in the same packet as the response could stall the stream.

Conditions:
SPDY aborts due to a mis-ordered event. SPDY then sees egress, and marks the stream as stalled. SPDY aborts the connection to the client, and marks the stream as unknown. Finally, the stream aborts again and dereferences the NULL pointer to the client when it tries to unstall itself.

A 100 Continue message in a response, either by itself, or in the same packet as the response body.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.

Fix:
SPDY will no longer cause a TMM crash when it aborts, followed by egress, followed by a second abort.

SPDY will handle 100 Continue messages correctly by ignoring them.


454492-2 : Improved handling of signature_algorithms extension to avoid using SHA1 in TLS handshake signatures

Component: Local Traffic Manager

Symptoms:
BIG-IP uses SHA1 in handshake signature, even though the client indicates support for stronger hash algorithms.

Conditions:
When BIG-IP acts as TLS server (applies to clientssl SSL Profile):

- SSL Profile "SSL Sign Hash" set to ANY. The use of other choices is not recommended.
- Client sends signature_algorithms extension that includes SHA256.
- ECDSA X.509 certificate has additional logic. If the TLS client doesn't send signature_algorithms, BIG-IP will choose SHA256.

Impact:
The updated code respects client signature_algorithms extension. If possible, BIG-IP now prefers SHA256 in the handshake signature based on the content of the signature_algorithms extension.

BIG-IP further upgrades the hash algorithm to SHA384 from SHA256 when P-384 is used, e.g. when P-384 ECDSA X.509 certificate is used in the handshake. This additional enhancement only applies to the code base starting from 12.0; it was not ported to the 11.x code base.

The signature_algorithms extension is defined in TLS 1.2. It is not present in prior versions of the protocol.

This logic attempts to avoid the use of SHA1 in TLS handshake, whenever possible. This change does not affect signatures used in X.509 certificates as these signatures are created by the X.509 CAs and not by BIG-IP.

The only time SHA1 will be used in the handshake signature is when either of the following is true:
- RSA key is used and the signature_algorithms extension is missing or
- signature_algorithms is present and only lists SHA1.
These conditions are not expected to hold for modern TLS clients, so the handshake signature is upgraded to SHA256 or better.

Behavior Change:
Respect client signature_algorithms extension. If possible, prefer SHA256 in handshake signature.
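The selection rules above are compact enough to write down as code. The following is an added example, not BIG-IP code: it decodes the TLS 1.2 signature_algorithms extension body and applies the rules stated in this entry (prefer SHA256 when the client lists it; ECDSA without the extension gets SHA256; RSA without the extension stays on SHA1; SHA1 only when it is all the client lists). The function names are assumptions, the fallback order after SHA256 is this example's own choice, and the P-384 upgrade step is exposed as an option because the text says it exists only from 12.0.

```python
import struct

# Added example (not BIG-IP code): parsing the TLS 1.2 signature_algorithms
# extension and choosing the handshake-signature hash according to the rules
# described for ID 454492-2. Function names and the fallback order after SHA256
# are assumptions made here.

# Code points from RFC 5246 section 7.4.1.4.1
HASH_NAMES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {1: "rsa", 2: "dsa", 3: "ecdsa"}

# The page says BIG-IP prefers SHA256; the order of the remaining hashes is our assumption.
PREFERRED_HASHES = ("sha256", "sha384", "sha512", "sha1")


def parse_signature_algorithms(ext_body):
    """Decode the extension body: a 2-byte length followed by (hash, sig) byte pairs."""
    (length,) = struct.unpack("!H", ext_body[:2])
    pairs = ext_body[2:2 + length]
    if len(pairs) != length or length % 2:
        raise ValueError("malformed signature_algorithms extension")
    algs = []
    for i in range(0, length, 2):
        h, s = pairs[i], pairs[i + 1]
        if h in HASH_NAMES and s in SIG_NAMES:   # unknown code points are skipped
            algs.append((HASH_NAMES[h], SIG_NAMES[s]))
    return algs


def select_handshake_hash(key_type, sig_algs, curve=None, p384_upgrade=False):
    """Return the hash for the handshake signature, or None if nothing fits the key.

    key_type: "rsa" or "ecdsa" (the server certificate's key type).
    sig_algs: parsed (hash, sig) pairs, or None when the client sent no extension
              (TLS 1.0/1.1 clients, or a TLS 1.2 client that omitted it).
    p384_upgrade: the 12.0-and-later SHA384 step for P-384; off for 11.x.
    """
    key_type = key_type.lower()
    if sig_algs is None:
        # No extension: ECDSA keys get SHA256, RSA keys stay on SHA1 (page rules).
        return "sha256" if key_type == "ecdsa" else "sha1"
    offered = {h for h, s in sig_algs if s == key_type}
    chosen = next((h for h in PREFERRED_HASHES if h in offered), None)
    if chosen == "sha256" and p384_upgrade and curve == "P-384":
        chosen = "sha384"
    return chosen
```

A client extension body of `00 06 04 01 02 01 04 03` (constructed) lists sha256/rsa, sha1/rsa and sha256/ecdsa; with an RSA key the selection lands on SHA256, and the same client with only `02 01` (sha1/rsa) is the one remaining case where SHA1 is still used.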


454392-1 : Added support for BIG-IP 10350N NEBS platform.

Component: TMOS

Symptoms:
N/A

Conditions:
N/A

Impact:
N/A

Fix:
This release adds support for the BIG-IP 10350N NEBS platform.


454086-4 : Portal Access issues with Firefox version 26.0.0 or later

Component: Access Policy Manager

Symptoms:
Using Firefox version 26.0.0 or later with some web applications can fail. The page may stop loading and/or rendering.

Conditions:
Firefox version 26.0.0 or later, with an asynchronously loaded script that works with cookies and the DOM at the same time.

A good example is a Google Analytics script in the page.

Impact:
Web-application stops loading/rendering.

Workaround:
No general workaround.

Fix:
When using portal access on Firefox with some applications, the browser would go into deadlock. This no longer occurs.


454071-1 : 'Show all' button has no effect or becomes hidden for short period of time

Component: Application Visibility and Reporting

Symptoms:
If you update the time scale with your mouse when looking at AVR statistics, a 'Show all' button will momentarily appear, then disappear after a few seconds. Clicking it does nothing. The button is not supposed to appear at all.

Conditions:
This occurs when viewing any statistics in Statistics :: Analytics and changing the time scale.

Impact:
The Show All button appears but does not persist, and clicking Show All does nothing.

Workaround:
Manually extend the time range to the full scope of time you wish to see.

Fix:
The Show All button has been removed from the analytics pages.


454018-6 : Nexthop to tmm0 ref-count leakage could cause TMM core

Component: Local Traffic Manager

Symptoms:
Each use of the interface tmm0 for inter-TMM communication is supposed to increment its count of nexthop references. When the use of the interface is expired, the reference count is supposed to decrement, but in this case, the reference count is not decremented.

Conditions:
This occurs when TMM runs over an extended period of time, and internal communication between TMMs over tmm0 is heavy during the period.

Impact:
Reference count leaks, which causes the count to monotonically increase, which eventually might cause TMM to crash and restart.

Workaround:
This issue has no workaround.

Fix:
The nexthop reference count of the interface tmm0 is thoroughly examined and corrected, so it no longer leaks ref counts.


453949-3 : Small memory leak observed in audit_forwarder

Component: TMOS

Symptoms:
A small memory leak is observed in audit_forwarder.

Conditions:
Audit_forwarder is used, especially in some error conditions.

Impact:
Memory usage of audit_forwarder increases at a very slow pace.

Fix:
The memory leak no longer occurs.


453720-6 : clientssl profile validation fails to detect config with no cert/key name and no cert/key

Component: Local Traffic Manager

Symptoms:
The system does not prevent creation of a clientssl profile with no cert-key-chain name and no cert/key (or a cert/key of 'default'), and does not post an error alerting the user to the condition. The system creates the profile without error. This can cause issues when upgrading.

Conditions:
This occurs when attempting to create a clientssl profile without a cert-key-chain name or cert/key, or a cert/key of 'default'. Note: The system should prevent this, but does not do so in versions 11.5.1, 11.5.2, or 11.5.3.

Impact:
The system incorrectly allows a blank cert-key-chain name and an empty cert/key in clientssl profiles. When upgrading such a profile to versions 11.5.4, 11.6.0, 12.0.0, or later, the configuration fails to load with a message similar to the following:
-- 01070315:3: profile /Common/my_client_ssl requires a key Unexpected Error: Loading configuration process failed.
-- 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file.

Workaround:
Use the following steps to work around this issue:
-- To correct the configuration, run the following command: sed -ie '/"" { }/d' /config/bigip.conf.
-- To load the modified configuration, run the following command: tmsh load sys config.
Note: To determine whether profiles are affected, run the following command: grep '"" { }' /config/bigip.conf -A2 -B1. On affected profiles, the system returns the following output: cert-key-chain { "" { }.

Fix:
The system now presents an error message when attempting to create a clientssl profile without a cert-key-chain name and a cert/key (or a cert/key of 'default'), and prevents the creation of the profile, so potential upgrade failures no longer occur.
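The workaround above greps and then deletes the empty cert-key-chain entry by hand. The following is an added example, not F5 code: it finds client-ssl profiles carrying the '"" { }' entry in a bigip.conf and strips those lines the way the sed command does, so the affected profile names can be reviewed before the configuration is reloaded. The sample configuration is constructed for the example and is not a real bigip.conf; the function names are assumptions.

```python
import re

# Added example (not F5 code): find client-ssl profiles whose cert-key-chain
# contains the empty '"" { }' entry described for ID 453720-6, and strip those
# lines the way the page's sed workaround does. The sample configuration below
# is constructed for the example and is not a real bigip.conf.

SAMPLE_BIGIP_CONF = """\
ltm profile client-ssl /Common/good_ssl {
    cert-key-chain {
        default {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    defaults-from /Common/clientssl
}
ltm profile client-ssl /Common/my_client_ssl {
    cert-key-chain {
        "" { }
    }
    defaults-from /Common/clientssl
}
ltm profile server-ssl /Common/srv_ssl {
    cert none
    key none
}
"""

PROFILE_RE = re.compile(r"^ltm profile client-ssl (\S+) \{")
EMPTY_ENTRY_RE = re.compile(r'^\s*"" \{ \}\s*$')   # the pattern the page greps for


def find_affected_profiles(conf_text):
    """Return the names of client-ssl profiles holding an empty cert-key-chain entry."""
    affected, current, depth = [], None, 0
    for line in conf_text.splitlines():
        m = PROFILE_RE.match(line)
        if m and depth == 0:
            current = m.group(1)
        if current and EMPTY_ENTRY_RE.match(line) and current not in affected:
            affected.append(current)
        depth += line.count("{") - line.count("}")   # track the object's brace nesting
        if depth == 0:
            current = None
    return affected


def strip_empty_entries(conf_text):
    """Drop the '"" { }' lines, mirroring sed '/"" { }/d' from the workaround."""
    kept = [l for l in conf_text.splitlines() if not EMPTY_ENTRY_RE.match(l)]
    return "\n".join(kept) + "\n"
```

Run `find_affected_profiles` on the file first: it reports /Common/my_client_ssl for the sample, and reports nothing once `strip_empty_entries` has been applied, which is the state the page says will load after `tmsh load sys config`.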


453640-2 : Java core when modifying global-settings

Component: Device Management

Symptoms:
While modifying global settings, Java cores.

Conditions:
This is a general problem related to low stack size, but was observed during internal testing of /sys global-settings.

Impact:
Java crashes.

Fix:
The JVM's default stack size per thread has been increased to 384 KB.


453489-3 : userauth_hostbased mismatch: warnings from VIPRION for localhost or slotN

Component: TMOS

Symptoms:
Error messages indicating userauth_hostbased mismatch are posted.

Conditions:
VIPRION-based system or VIPRION-hosted vCMP guest. This also occurs on a single slot.

Impact:
The sshd userauth_hostbased mismatch messages are innocuous only if they appear for the client sending one of the following: localhost, localhost.localdomain, slot1, slot2, slot3, slot4, slot5, slot6, slot7, or slot8. The system might post warning messages from sshd similar to the following: userauth_hostbased mismatch: client sends slot1, but we resolve 127.3.0.1 to 127.3.0.1.

Fix:
The system no longer posts extraneous warning messages caused by ssh connections from peers on the 127.0.0.0/8 subnet.
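The Impact text above gives the exact condition under which these sshd warnings are harmless, which is also the rule a log reviewer needs to separate expected noise from a host-based authentication mismatch that deserves attention. The following is an added example, not F5 code: it parses the warning format quoted in this entry and classifies each occurrence. The allow-list of client names and the 127.0.0.0/8 check come from the page; the log lines are constructed for the example, and the stricter choice that a listed name must also resolve to a loopback address is this example's own.

```python
import ipaddress
import re

# Added example (not F5 code): triage of the sshd userauth_hostbased mismatch
# warnings described for ID 453489-3. The allow-list of client names and the
# 127.0.0.0/8 check are taken from the page; the log lines below are constructed
# for this example, and requiring a listed name to also resolve to a loopback
# address is our own, stricter rule.

SAMPLE_LOG = """\
Mar 18 10:01:02 bigip1 sshd[2211]: userauth_hostbased mismatch: client sends slot1, but we resolve 127.3.0.1 to 127.3.0.1
Mar 18 10:01:05 bigip1 sshd[2214]: userauth_hostbased mismatch: client sends localhost, but we resolve 127.0.0.1 to 127.0.0.1
Mar 18 10:02:40 bigip1 sshd[2290]: Accepted publickey for admin from 192.0.2.5 port 51514 ssh2
Mar 18 10:03:11 bigip1 sshd[2301]: userauth_hostbased mismatch: client sends slot2, but we resolve 192.0.2.10 to 192.0.2.10
Mar 18 10:04:52 bigip1 sshd[2333]: userauth_hostbased mismatch: client sends build01.example.net, but we resolve 198.51.100.7 to 198.51.100.7
"""

MISMATCH_RE = re.compile(
    r"userauth_hostbased mismatch: client sends (\S+), but we resolve (\S+) to (\S+)")
INNOCUOUS_CLIENTS = {"localhost", "localhost.localdomain"} | {f"slot{n}" for n in range(1, 9)}
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def classify_mismatch(line):
    """Return (client, address, verdict) for a mismatch line, or None for other lines."""
    m = MISMATCH_RE.search(line)
    if not m:
        return None
    client, addr, _resolved = m.groups()
    try:
        is_local = ipaddress.ip_address(addr) in LOOPBACK
    except ValueError:          # the "resolve" field was not an IP literal
        is_local = False
    verdict = "innocuous" if (client in INNOCUOUS_CLIENTS and is_local) else "review"
    return client, addr, verdict


def triage(log_text):
    """Classify every mismatch warning in a log excerpt, skipping unrelated lines."""
    return [r for r in map(classify_mismatch, log_text.splitlines()) if r is not None]
```

For the constructed excerpt the slot1 and localhost warnings are reported as innocuous, while the slot2 warning from a non-loopback address and the warning from an unlisted host are left for review.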


453455-9 : Added support of SAML Single Logout to Edgeclient.

Component: Access Policy Manager

Symptoms:
SAML single logout does not work on BIG-IP Edge Client. The BIG-IP (as IdP) system shows the session as active.

Conditions:
Edge Client, with BIG-IP acting as the SAML IdP.

Impact:
Edge client logout doesn't function correctly.

Workaround:
None.

Fix:
SAML single logout is now supported on BIG-IP Edge Client.


452900-3 : IP iRules may cause TMM to segfault in low memory scenarios

Component: Local Traffic Manager

Symptoms:
TMM may core during low memory conditions when executing iRules containing the following commands:
IP::local_addr
IP::remote_addr
IP::client_addr
IP::server_addr

Conditions:
No memory available to allocate IP iRule objects.

Impact:
TMM will be restarted.

Workaround:
This issue has no workaround.

Fix:
Memory allocations are verified when using the following iRules:

IP::local_addr
IP::remote_addr
IP::client_addr
IP::server_addr


452659-1 : DNS Express zone creation, deletion or updates can slow down or stop other DNS services.

Component: Local Traffic Manager

Symptoms:
DNS Express zone creation, deletion or updates can slow down or stop other DNS services.

Conditions:
Any action that causes the DNS Express zone database to be updated, including zone creation, deletion or zone transfer.

Impact:
Other DNS Services may stop working.

Workaround:
Restarting tmm will resolve the issue temporarily, until the next update. If DNS Express is not being used, removing any DNS Express config will prevent this issue from triggering.

Fix:
An issue with an unclosed file descriptor that was impacting DNS Express zone modification has been fixed.


452656-4 : NVGRE tunnel traffic might stall if the sys db variable tm.tcplargereceiveoffload is set to 'enable'

Component: TMOS

Symptoms:
NVGRE tunnel traffic might stall if the sys db variable tm.tcplargereceiveoffload is set to 'enable'.

Conditions:
The sys db variable tm.tcplargereceiveoffload is set to 'enable'.

Impact:
NVGRE tunnel traffic might stall.

Workaround:
Set the sys db variable tm.tcplargereceiveoffload to 'disable'. The default value of this variable is 'disable', so it is very unlikely that you will encounter this error condition in normal operating conditions.

Fix:
NVGRE tunnel traffic no longer stalls when the sys db variable tm.tcplargereceiveoffload is set to 'enable'.


452527-2 : Machine Certificate Checker Agent always works in "Match Subject CN to FQDN" mode

Component: Access Policy Manager

Symptoms:
Limited/normal user cannot pass Machine Cert Auth through 'Successful' branch if Agent is configured to match certificate by any condition except Match FQDN.

Conditions:
Machine Cert Auth agent configured to match certificate by any condition except Match FQDN.
Current user has no rights to access private key directly (that means elevation or service is required).

Impact:
User cannot pass Machine Cert Authorization.

Fix:
Fixed issue that caused Machine Cert Checker service to always work in "Match Subject CN to FQDN" mode.


452487-5 : Incremental sync causes incorrect accounting of member count of pools

Component: TMOS

Symptoms:
If a sync-compatible pool is created and given pool members, pushing that sync operation will cause the member count to be incorrect on all other devices.

Conditions:
This only affects device groups where incremental sync is in use.

Impact:
The number of pool members will be displayed incorrectly at various points (GTM statistics, the ltmPoolMemberCnt SNMP variable, and the GUI).

Workaround:
Perform a sync between the creation of the pool and the pool members.

Fix:
The pool member count is now always calculated accurately, even across configuration synchronizations.


452464-6 : iClient does not handle multiple messages in one payload.

Component: Access Policy Manager

Symptoms:
iClient does not handle multiple messages in one payload leading to possible memory leak symptoms.

Conditions:
If by chance multiple messages arrive as one from the BIG-IP Edge Client.

Impact:
Possible memory leak symptoms.

Workaround:
This issue has no workaround at this time.

Fix:
If multiple messages arrive from BIG-IP Edge Client in one payload, the system processes them correctly.


452439-4 : TMM may crash when enabling DOS sweep/flood if a TMM process has multiple threads

Component: Local Traffic Manager

Symptoms:
There is a race condition in the library used by the AFM sweep/flood feature. When sweep/flood is enabled and one TMM process has multiple threads, one thread may attempt to access memory already released by another thread, and TMM may crash because it accesses an invalid memory segment.

Conditions:
(1) AFM sweep/flood enabled.
(2) A single TMM process has multiple threads.
(3) The race condition occurs.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable threading or disable sweep/flood.

Fix:
TMM will not crash when enabling DOS sweep/flood detection feature regardless of threading.


452416-6 : tmctl leasepool_stat and snmp apmLeasepoolStatTable return incorrect values

Component: Access Policy Manager

Symptoms:
On a multi-blade chassis, tmctl leasepool_stat for some slots may not be in sync. In addition, query of snmp apmLeasepoolStatTable returns values that do not match the tmctl leasepool_stat output for the current primary slot.

Conditions:
The issue occurs after a blade or tmm of a blade restarts.

Impact:
Incorrect stats only. No impact to functionality.

Fix:
The system now uses the correct system object to track current primary slot, which ensures that counters in leasepool_stat that have global context (that is, cur_member, cur_assigned, cur_free, max_assigned) are synced to all blades.


452318-2 : Apache Commons FileUpload vulnerability CVE-2014-0050

Vulnerability Solution Article: K15189


452246-4 : The correct cipher may not be chosen on session resumption.

Component: Local Traffic Manager

Symptoms:
During session resumption, the same cipher must be used as was during the original session. If the original session negotiates cipher A, and the resumed clienthello contains cipher A and B, the BIG-IP system might choose cipher B, which is incorrect.

Conditions:
The original ClientHello contains a different cipher list from the resuming one, and the resuming one contains a stronger cipher than was originally chosen.

Impact:
Not strictly RFC compliant.

Workaround:
This issue has no workaround.

Fix:
When the original ClientHello and resuming ClientHello contain different ciphers, if the original cipher is in the resuming ClientHello it will be chosen and the session resumed, otherwise a full handshake will be used.
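The fix text describes a decision the server makes on every resumption attempt: stay on the originally negotiated cipher, or fall back to a full handshake. The following is an added example, not BIG-IP code: it shows the pre-fix selection (server preference applied to the resuming ClientHello, which can pick the stronger cipher B) next to the corrected rule. The session-cache contents, the suite names and the server preference list are constructed for the example.

```python
# Added example (not BIG-IP code): cipher selection on session resumption as
# described for ID 452246-4, with the pre-fix behaviour alongside the corrected
# one. Cipher suite names are IANA names; the session cache and the server
# preference order are constructed for this example.

SESSION_CACHE = {   # session ID (hex) -> cipher negotiated in the original handshake
    "a1b2c3": "TLS_RSA_WITH_AES_128_CBC_SHA",
}

SERVER_PREFERENCE = (
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
)


def negotiate(offered, server_prefs=SERVER_PREFERENCE):
    """Full-handshake choice: the first server-preferred suite the client offers."""
    return next((c for c in server_prefs if c in offered), None)


def select_cipher_before_fix(session_id, offered, cache=SESSION_CACHE):
    """Pre-fix behaviour: the cached cipher is ignored, so a resumed session
    can silently move to whichever offered suite the server prefers."""
    if session_id in cache:
        return "resume", negotiate(offered)
    return "full", negotiate(offered)


def select_cipher(session_id, offered, cache=SESSION_CACHE):
    """Fixed behaviour: resume only with the original cipher, otherwise run a
    full handshake (which also creates a new session entry)."""
    original = cache.get(session_id)
    if original is not None and original in offered:
        return "resume", original
    return "full", negotiate(offered)
```

With the constructed cache, a resuming ClientHello that offers both AES-128 and AES-256 is resumed on AES-128 after the fix, where the old logic would have resumed on AES-256; a resuming ClientHello that no longer offers the original suite gets a full handshake instead.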


452163-1 : Cross-domain functionality is broken in AD Query

Component: Access Policy Manager

Symptoms:
Cross-domain functionality is broken in AD Query agent due to DNS resolving library upgrade.

Conditions:
AD Query is configured with cross-domain option enabled.

Impact:
Users from trusted domains cannot pass the access policy because of an AD Query agent failure.

Fix:
AD Query parses DNS response properly and cross-domain functionality works as expected.


452010-4 : RADIUS Authentication fails when username or password contain non-ASCII characters

Component: Access Policy Manager

Symptoms:
RADIUS Authentication fails when the logon name contains non-ASCII characters.

The problem is caused by a failure in the conversion from UTF-8 to Windows-1252.

Conditions:
RADIUS authentication is configured and username/password contain non-ASCII characters.

Impact:
Users are not able to log in.

Workaround:
There is no workaround for this issue.

Fix:
Now it is possible to configure charset decoding behavior. You can decode usernames and passwords into CP-1252 (original behavior) or use UTF-8 charset (in this case, RADIUS Auth sends the username and password unmodified).


451960-3 : HTTPS monitors do not work with FIPS keys

Component: Local Traffic Manager

Symptoms:
If HTTPS monitor is configured with FIPS key, the monitor connection to the backend server is unsuccessful and consequently, the corresponding pool is marked down.

Conditions:
BIG-IP FIPS platforms (except 6900F, 8900F) using FIPS keys with HTTPS monitor(s).

Impact:
Pool is incorrectly marked down.

Workaround:
This issue has no workaround.

Fix:
Monitors configured with FIPS keys now work and the pool status is marked correctly.


451602-6 : DPD packet drops with keyed VLAN connections

Component: TMOS

Symptoms:
DPD (Dead Peer Detection) packets are dropped after the IPsec tunnel comes up. The BIG-IP system drops the DPD packets because keyed VLAN connections are enabled, so the system tries to match the VLAN ID along with the other parameters of the DPD packets.

Conditions:
Enable keyed VLAN connections and bring up an IPsec tunnel.

Impact:
The tunnel does not stay up because of the DPD failure. The match should be done for the host interface instead of the actual VLAN interface.

Workaround:
None.

Fix:
Changed the interface match to look up host interface instead of VLAN interface.


451494-1 : SSL Key/Certificate in different partition with Subject Alternative Name (SAN)

Component: TMOS

Symptoms:
You are unable to create an SSL key/certificate with a Subject Alternative Name (SAN) in a partition other than Common.

Conditions:
In a partition other than Common, create a new SSL key/certificate with SAN.

Impact:
SSL key/certificate is not created.

Workaround:
Use tmsh to create an SSL key/certificate with SAN in a partition other than Common.

Fix:
You can now create an SSL Key/Certificate in partition other than Common, with Subject Alternative Name (SAN).


451469-3 : APM User Identity daemon doesn't generate core

Component: Access Policy Manager

Symptoms:
OMAPD is a daemon that stores all the IP->User mappings. It doesn't seem to generate cores. It will be hard to debug issues when it crashes.

Conditions:
Always.

Impact:
Cores will not be generated.

Fix:
OMAPD now generates core files, making debugging easier.


451433-2 : HA group combined with other failover (e.g., VLAN Failsafe or Gateway Failsafe)

Component: TMOS

Symptoms:
Combining an HA group with other types of failover mechanism, such as VLAN Failsafe or Gateway Failsafe, results in traffic going to the failed device.

Conditions:
HA-group should not be combined with other types of failover mechanism such as VLAN Failsafe or Gateway Failsafe. If these mechanisms are combined, the failsafe causes all traffic groups to go to standby on the failed device.

Impact:
Because the HA Group score might favor the failed device, there could be no active traffic group on any device.

Workaround:
Replace the failover VLAN or Gateway with an HA group. Note: HA group should not be combined with other types of failover mechanism such as VLAN Failsafe or Gateway Failsafe. If these mechanisms are combined, the failsafe causes all traffic groups to go to standby on the failed device.

Fix:
If a device goes to standby due to a failsafe operation, the HA Group Scores on that device are forced to zero, so that the traffic groups can become active on an active device. This is the correct behavior.

Behavior Change:
In the previous code, if a user configured both HA Group Score and an HA Failsafe, when the failsafe triggered, all traffic groups on the failed device would transition to Standby. However, the group score for that device would remain at the prior value so that the traffic group would not become active on another device. The result was a traffic group that was not active on any device.

With this change, the traffic group score on the failed device is forced to 0, since the failsafe condition indicates that the device is not acceptable to host any traffic group. The HA Group scoring algorithm then activates the traffic group on the best remaining non-failed device.


451301-2 : HTTP iRules break Citrix HTML5 functionality

Component: Access Policy Manager

Symptoms:
HTTP iRules break Citrix HTML5 functionality.

Conditions:
This issue occurs when HTTP iRule is used on the Citrix HTML5 virtual server.

Impact:
Citrix HTML5 functionality breaks.

Workaround:
Use "priority 1" for HTTP iRules.

Fix:
Now HTTP iRules do not affect Citrix HTML5 functionality.


451224-2 : IP packets that are fragmented by TMM, the fragments will have their DF bit

Component: Local Traffic Manager

Symptoms:
When TMM fragments an IP packet, the fragments have their DF bit set if tm.pathmtudiscovery is set to enable (the default for this DB variable). This is fully compliant with the RFC standards and is the correct behavior.

Conditions:
This occurs when an IP packet must be fragmented by TMM because of an MTU restriction on the egress VLAN/interface, and a non-RFC-compliant downstream switch does not accept the DF bit set on IP fragments.

Impact:
Non-RFC-compliant switches from other vendors may reject a fragment with the DF bit set, so the packet is dropped or treated as a bad packet.

Workaround:
Setting tm.pathmtudiscovery to disable results in the DF bit not being set on the fragments.

Fix:
The tm.pathmtudontfragoverride DB variable has been introduced. If its value is changed from 'disable' (the default) to 'enable', the DF bit is not set in IP fragments generated by TMM.


451211-3 : Error using GUI when setting debug option on GTM SIP monitor.

Component: Global Traffic Manager (DNS)

Symptoms:
Error using GUI to set the debug option on GTM SIP monitor.

Conditions:
This occurs when no headers are configured for GTM SIP monitors.

Impact:
Cannot set debug using the GUI. System posts the following error: An error has occurred while trying to process your request.

Workaround:
Use tmsh to set the debug option for GTM SIP monitors.

Fix:
This release fixes an error that occurred when no headers were configured for GTM SIP monitors.


451118-8 : Fixed mistakes in French localization

Component: Access Policy Manager

Symptoms:
French localization contains mistakes

Conditions:
French locale configured on user machine

Impact:
User observes incorrect translation

Fix:
Mistakes in French localization were fixed.


451089-1 : ASM REST: Incorrect/Duplicate REST id for policy after a copy is made

Component: Application Security Manager

Symptoms:
When comparing two policies using Policy Diff, a copy may be made of the policies being compared. If this is done, the new copy retains the same REST id as the original policy.

This will confuse REST clients and block BIG-IQ discovery.

Conditions:
Two policies are compared using Policy Diff, and a copy is made

Impact:
The new copy retains the same REST id as the original policy.

This will confuse REST clients and block BIG-IQ discovery.

Workaround:
Export the copied policy, delete the bad copy, and import it again.

Fix:
Copied policies now are correctly assigned a new REST id.


451059-8 : SSL server does not check and validate Change Cipher Spec payload.

Component: Local Traffic Manager

Symptoms:
SSL server does not check and validate Change Cipher Spec payload.

Conditions:
This issue occurs when a clientssl profile is used.

Impact:
There is no impact to this issue.

Workaround:
This issue has no workaround.

Fix:
clientssl profile (SSL server) now checks the Change Cipher Spec payload received from the SSL client, and ensures that the Change Cipher Spec payload is a single byte of value '1'.
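
As an added example (not F5 code), the following shows how a server-side TLS record layer can apply the check described in the fix: a ChangeCipherSpec record is accepted only when its fragment is exactly one byte with value 1. Record framing follows RFC 5246 and every sample record is constructed for this example.

```python
import struct

# TLS record content types (RFC 5246 section 6.2.1)
CHANGE_CIPHER_SPEC = 20
ALERT = 21
HANDSHAKE = 22
APPLICATION_DATA = 23

HEADER_LEN = 5
MAX_FRAGMENT = 2 ** 14 + 2048  # upper bound on TLSCiphertext.length


class TLSRecordError(ValueError):
    """Raised for malformed record framing (truncation, oversize length)."""


def parse_record(data):
    """Split the first TLS record off 'data'.

    Returns (content_type, version, fragment, remaining_bytes).
    """
    if len(data) < HEADER_LEN:
        raise TLSRecordError("truncated record header")
    ctype, version, length = struct.unpack("!BHH", data[:HEADER_LEN])
    if length > MAX_FRAGMENT:
        raise TLSRecordError("fragment length %d exceeds maximum" % length)
    end = HEADER_LEN + length
    if len(data) < end:
        raise TLSRecordError("truncated record fragment")
    return ctype, version, data[HEADER_LEN:end], data[end:]


def validate_change_cipher_spec(fragment):
    """The check from the fix: the CCS payload must be a single byte of value 1.

    Returns (ok, reason).
    """
    if len(fragment) != 1:
        return False, "ChangeCipherSpec fragment must be 1 byte, got %d" % len(fragment)
    if fragment[0] != 1:
        return False, "ChangeCipherSpec value must be 1, got %d" % fragment[0]
    return True, "ok"


def scan_records(stream):
    """Walk a byte stream of TLS records and validate every CCS record.

    Returns a list of (content_type, ok, reason). Non-CCS records are passed
    through as ok=True because their contents are out of scope here. Scanning
    stops at the first rejected record, where a server would send a fatal
    alert and close the connection.
    """
    results = []
    rest = stream
    while rest:
        ctype, _version, fragment, rest = parse_record(rest)
        if ctype == CHANGE_CIPHER_SPEC:
            ok, reason = validate_change_cipher_spec(fragment)
        else:
            ok, reason = True, "not a ChangeCipherSpec record"
        results.append((ctype, ok, reason))
        if not ok:
            break
    return results


def is_malformed(record):
    """True when the record framing itself cannot be parsed."""
    try:
        parse_record(record)
        return False
    except TLSRecordError:
        return True


# Constructed sample records (version bytes 0x0303 = TLS 1.2).
GOOD_CCS = bytes.fromhex("140303000101")        # type 20, len 1, value 1
BAD_VALUE_CCS = bytes.fromhex("140303000102")   # value 2 instead of 1
BAD_LEN_CCS = bytes.fromhex("14030300020100")   # two-byte payload
EMPTY_CCS = bytes.fromhex("1403030000")         # zero-length payload
HANDSHAKE_STUB = bytes.fromhex("1603030003140000")  # handshake record, stub body
TRUNCATED_CCS = bytes.fromhex("140303000501")   # declares 5 bytes, carries 1

if __name__ == "__main__":
    for name, sample in [("good", GOOD_CCS + HANDSHAKE_STUB), ("bad value", BAD_VALUE_CCS),
                         ("bad length", BAD_LEN_CCS), ("empty", EMPTY_CCS)]:
        print(name, scan_records(sample))
    print("truncated is malformed:", is_malformed(TRUNCATED_CCS))
```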


450814-9 : Early HTTP response might cause rare 'server drained' assertion

Component: Local Traffic Manager

Symptoms:
Early HTTP response from the server might cause 'server drained' assertion and traffic disruption.

Conditions:
This occurs when the server sends an early response, which might occur if the server responded before the system completed processing the entire incoming HTTP request data from the client.

A filter other than HTTP is also required on the chain.

Impact:
The system posts a 'server drained' assertion and traffic is disrupted.

Workaround:
None, however, this issue occurs very rarely.

Fix:
HTTP will not cause a "server drained" assertion if a server ends a connection in an early server response.


450779-1 : PEM source or destination flow filter attempts match against both source and destination IPs of a flow

Component: Policy Enforcement Manager

Symptoms:
In the event that the source and destination IPs fall in the same range, it is possible that a source-IP (or destination-IP) based flow-filter may match against the destination-IP (or source-IP) of the packet resulting in potentially wrong flows receiving a policy.

Conditions:
Source and Destination networks must have overlapping prefix(es)

Impact:
A wrong flow may have inappropriate policies applied to it.

Fix:
The bug is fixed and given to the customer as 11.5.0-18 HF.


450314-1 : Portal Access / JavaScript code which uses reserved keywords for object field names may not work correctly

Component: Access Policy Manager

Symptoms:
JavaScript code with object field names equal to reserved keywords is not handled correctly by Portal Access.

Conditions:
JavaScript code with objects containing fields with reserved keywords as a name, for example:

a.default = 1;

Impact:
JavaScript code is not rewritten and may not work correctly.

Workaround:
It is possible to use iRule to rename field names in original code.

Fix:
Now JavaScript with reserved keywords as field names is handled correctly by Portal Access.


449848-5 : Diameter Monitor not waiting for all fragments

Component: Local Traffic Manager

Symptoms:
When the server returns a response in two fragments, the Diameter monitor sends an ACK for the first fragment followed by a FIN and then a reset.

Conditions:
The server returns a response in two fragments.

Impact:
Pool member is marked down.

Workaround:
None.

Fix:
Diameter Monitor now handles fragments as expected.


449643-2 : Error messages "Gx uninit failed!" and "Gy unint failed!" received during system boot

Component: Policy Enforcement Manager

Symptoms:
During system boot, the error messages "Gx uninit failed!" and "Gy unint failed!" are logged repeatedly.

Conditions:
Gx or Gy is not licensed for PEM to use, and the system is rebooted.

Impact:
Undesired error messages are logged.

Fix:
After the fix, the messages "Gx not initialized" or "Gy not initialized" appear only in debug mode, as a reminder that Gx or Gy is unlicensed.


449525-1 : apd and apmd constantly restarting

Component: Access Policy Manager

Symptoms:
If mcpd fails to start for some reason, apd and apmd will continuously crash. Symptoms in /var/log/ltm: err tmsh[892]: 01420006:3: "apm" unexpected argument and there will be an apmd and apd core.

Conditions:
This occurs if mcpd fails to start or crashes on the standby.

Impact:
Multiple core files, system will not pass traffic

Fix:
Fixed a condition where apd and apmd would try to start if mcpd was not running.


449231-1 : ASM REST: Updating multiple items in a list only makes one change

Component: Application Security Manager

Symptoms:
When attempting to add several items to a list (for example, urlContentProfiles for URLs), only one of the new values is added to the list.

Conditions:
ASM REST is used to PATCH a resource to add/update multiple items in an array field.

Impact:
The resource is not updated as expected and Policy enforcement may not be as expected.

Workaround:
Send the same request multiple times, or make only one modification at a time.

Fix:
List values are now correctly updated via ASM REST.


448493-11 : SIP responses from the server to the client get dropped

Component: Service Provider

Symptoms:
SIP responses are not forwarded to the client. Instead, the system drops those SIP responses.

Conditions:
This occurs when using SIP OneConnect with an iRule that uses the node/snat command in SIP_RESPONSE event in the iRule to direct the SIP response from the server.

Impact:
Some SIP flows do not complete, which affects the SIP clients.

Workaround:
Remove the node/snat command from SIP_RESPONSE event processing in the iRule.

Fix:
iRules node/snat command in the iRule SIP_RESPONSE event now works correctly.


447565-4 : Renewing machine-account password does not update the serviceId for associated ntlm-auth.

Component: Access Policy Manager

Symptoms:
Renewing machine-account password does not update the serviceId for associated ntlm-auth.

Because of this issue, you might see the following symptoms:
-- End users report that they cannot access email.
-- NTLM logons stop working for all users.
-- Log file shows errors similar to the following:
err nlad[12384]: 01620000:3: <0x566d4b90> nlclnt[71601c70a] init: Error [0xc000006d,NT_STATUS_LOGON_FAILURE] connecting to DC.

Conditions:
This occurs when the system has an NTLM machine account configured, but it is not known exactly what triggers the error. It can be triggered if the machine account credentials change, but the symptom might not show up for days since the connection can be reused.

Impact:
End users will be unable to connect.

Workaround:
Correct the problem by running the following command:
bigstart restart eca.


447483-7 : CVE-2014-3959

Vulnerability Solution Article: K15296


447364-2 : BIG-IP may report getLopSensorData warnings at boot time or when changing a PSU

Component: TMOS

Symptoms:
When booting a BIG-IP device, or performing a hot swap operation of one of its power supplies, the following kind of log messages may be displayed for a brief time:

localhost warning chmand[7059]: 012a0004:4: getLopSensorData: LopDev: sendLopCmd: Lopd status: 1 packet: action=1 obj_id=115 sub_obj=0 slot_id=ff result=24 len=0 crc=6576 payload= (error code:0x24)

localhost warning chmand[7059]: 012a0004:4: getLopSensorData: LopDev: sendLopCmd: Lopd status: 1 packet: action=1 obj_id=16f sub_obj=1 slot_id=ff result=1 len=0 crc=acaf payload= (error code:0x1)

These messages should not persist, and when a real error occurs it should be accompanied by additional warnings and alerts from the system.

Conditions:
The condition occurs when the sensor monitoring process tries to obtain information from power supply model types that are supported but not actually installed. It does this until it discovers the actual model type installed, or that no power supply is installed. The specific conditions under which this is likely to happen are when the BIG-IP software is re-started or a power supply is changed while the system is running.

Impact:
A few additional log messages that indicate a warning when there is no legitimate failure.

Workaround:
None. This is cosmetic.

Fix:
BIG-IP no longer logs getLopSensorData warnings with error code 0x24 for newly-inserted power supplies (PSUs).


447272-4 : Chassis with MCPD audit logging enabled will sync updates to device group state

Component: Local Traffic Manager

Symptoms:
If mcpd audit logging is enabled on a chassis, updates to device group state will be recorded on every configuration change, even if CMI is not configured or no synchronizable object was modified.

Conditions:
This only applies on chassis systems with at least one secondary blade, and the log messages only appear if mcpd audit logging is enabled.

Impact:
Updates to device group state will be recorded on every configuration change.

Workaround:
This issue has no workaround at this time.

Fix:
If mcpd audit logging is enabled on a chassis, updates to device group state were in past versions recorded on every configuration change, even if CMI was not configured or no synchronizable object was modified. This no longer happens, and these log messages are now only generated if the state actually changes.


447075-3 : CuSFP module plugged in during links-down state will cause remote link-up

Component: TMOS

Symptoms:
If a CuSFP module is plugged into a port that is in a links-down state while connected via a cable to a remote switch or other network connection, the remote switch will report a links-up state.
A port on the BIG-IP or VIPRION device may be in a links-down state while BIG-IP is not in a running state, or if the network interface has been administratively disabled.

Conditions:
Issue has been primarily observed with VIPRION B2100 or B2150 blades.
However, the problem could potentially occur on other VIPRION blades or BIG-IP appliances which employ a Broadcom hardware switch (i.e., most F5 hardware products).
BIG-IP appliances which do NOT employ a Broadcom hardware switch include:
BIG-IP 2000-/4000-series appliances.

Impact:
The remote switch may erroneously attempt to direct traffic to what is seen as an active link, which the BIG-IP or VIPRION device will not be able to process.

Workaround:
You may work around this problem by any of the following methods:
1. Unplug the cable connecting the CuSFP (Copper SFP) module to the remote network connection before plugging the CuSFP into the port on the BIG-IP or VIPRION device.
2. Wait until the port on the BIG-IP or VIPRION device is in an enabled/links-up state before plugging in the CuSFP.
3. Enable the port on the BIG-IP or VIPRION device after plugging in the CuSFP.

Fix:
A remote network connection no longer shows as Up/Link when a CuSFP module is plugged into a port on a BIG-IP or VIPRION device that is in a links-down state, while connected via a cable to the remote switch/other network connection.


447043-11 : Cannot have 2 distinct 'contains' conditions on the same LTM policy operand

Component: Local Traffic Manager

Symptoms:
Cannot express conditions such as "user-agent contains 'Android' AND 'Mobile'". LTM policies have operands that can be matched against a set of values, causing a match when the operand matches any one of these values. There is no way to use the current functionality to require a match on all of the values. One specific situation in which this is needed is to configure 'contains'.

Conditions:
Specify an ltm rule with 2 conditions with the same operand and match type, for example:

           conditions {
                0 {
                    http-header
                    name User-Agent
                    contains
                    values { Android }
                }
                1 {
                    http-header
                    name User-Agent
                    contains
                    values { Mobile }
                }

Impact:
The policy does not work. The system posts an error message similar to the following: Failed to compile the combined policies.

Fix:
LTM policies now allow rules to have multiple conditions on the same operand and same match type, so that "user-agent contains 'Android' AND 'Mobile'" can now be expressed by specifying:

           conditions {
                0 {
                    http-header
                    name User-Agent
                    contains
                    values { Android }
                }
                1 {
                    http-header
                    name User-Agent
                    contains
                    values { Mobile }
                }


446860-6 : APM Exchange Proxy does not honor tmm.access.maxrequestbodysize DB variable and is subject to ID 405348

Component: Access Policy Manager

Symptoms:
APM Exchange Proxy does not honor tmm.access.maxrequestbodysize DB variable and is subject to ID 405348 (ActiveSync client fails to login to APM with large POST body)

Conditions:
An ActiveSync client with a large POST body tries to log in to APM.

Impact:
An ActiveSync client with a large POST body cannot log in even when the tmm.access.maxrequestbodysize DB variable is configured.

Workaround:
This issue has no workaround at this time.

Fix:
Now APM Exchange Proxy honors the tmm.access.maxrequestbodysize DB variable.

Modify the tmm.access.maxrequestbodysize DB variable with a value larger than the maximum email body size you would like to support.
The maximum supported value is 25000000 (25MB).


446830-2 : Current Sessions stat does not increment/decrement correctly.

Component: Local Traffic Manager

Symptoms:
Current Sessions stat does not increment/decrement correctly.

Conditions:
On a virtual server with an HTTP filter, if either side closes the connection after the HTTP request has been forwarded to the server but before the server has sent its response, the pool member's cur_sessions stat is incremented but not decremented.

Impact:
Difficult to determine an accurate number of Current Sessions. Current Sessions stat appears unexpectedly large, for example, Current Sessions : 18446744073709551615, rather than as expected, Current Sessions : 0.

Workaround:
None.

Fix:
On a virtual server with an HTTP filter, Current Sessions stat now increments/decrements correctly if either side closes the connection after the HTTP request has been forwarded to the server but before the server has sent its response.


446755-5 : Connections with ramcache and clientssl profile allowing non-SSL traffic may stall

Component: Local Traffic Manager

Symptoms:
Connections on a virtual server with both a ramcache and a clientssl profile allowing non-SSL traffic may stall under certain unusual conditions.

Conditions:
Virtual server with ramcache and clientssl profile allowing non-SSL traffic.

Impact:
The connection stalls until reset by the client or expired by the sweeper. The client may see a response from the server.

Workaround:
No practical workaround.

Fix:
Connections no longer stall on virtual servers with ramcache and clientssl profile allowing non-SSL traffic.


446493-3 : foreign key index error on local traffic-only group

Component: TMOS

Symptoms:
When running the load verify command (tmsh load sys config verify) on a scf file, an error is thrown: 01070712:3: Values (/Common/traffic-group-local-only) specified for self IP (/Common/10.7.7.3_24): foreign key index (traffic_group_fk) do not point at an item that exists in the database.
Unexpected Error: Validating configuration process failed.

However, the config will still successfully load when the verify parameter is not specified.

Conditions:
Running tmsh load sys config file verify on an scf file that contains a local traffic group. traffic-group-local-only groups are not loaded during config verify, which triggers the error.

Impact:
Config verify fails.

Workaround:
If there are otherwise no other errors in the configuration, it should be able to load successfully using tmsh load sys config file filename.

Fix:
Running tmsh load sys config file verify no longer throws a foreign key error on traffic-only group.


445984-1 : Wrong overlapping status is shown if there are firewall rules with source or destination port range that begins with "1"

Component: Advanced Firewall Manager

Symptoms:
Wrong overlapping status is shown if there are rules with source or destination port range that begins with "1" configured in the system.

Conditions:
Firewall rules with source or destination port range that begins with "1" configured in the system.

Impact:
Rules that are not overlapped or conflicting will be shown as overlapped or conflicting.

Fix:
The overlap detection function now handles port ranges properly.


445633-2 : Config sync of SecurID config file fails on secondary blades

Component: TMOS

Symptoms:
If APM is provisioned, after uploading a new SecurID config file via the GUI, mcpd restarts and fails to sync on device group peers.

Conditions:
This happens on a device group peer with APM provisioned, only after using the GUI to update the SecurID configuration. This can also happen on chassis secondary blades.

Impact:
The peer receiving the sync restarts mcpd, which in turn restarts several other daemons. The peer never receives the config file properly.

Workaround:
Use tmsh: tmsh modify apm aaa securid <name> config-files modify { sdconf.rec { local-path /path/to/sdconf.rec } }.

Fix:
The fix changes the behavior of transactions. Previously, if a single transaction contained a delete operation and a modify of the object just deleted, the outcome was that the object was deleted and the modify was silently ignored. This was different behavior from a delete followed by a create, which ignored the delete and internally modified the object. Since that modify is sent to the peer as a modify, the object must have the same behavior as a delete-plus-create operation. So the new behavior is that, when a single transaction contains a delete followed by a modify of the same object, then the delete is ignored and the modify is applied.

Behavior Change:
With this release, there is a change to the behavior of transactions. Previously, if a single transaction contained a delete operation and a modify of the object just deleted, the outcome was that the object was deleted and the modify was silently ignored. This was different behavior from a delete followed by a create, which ignored the delete and internally modified the object. Since that modify is sent to the peer as a modify, the object must have the same behavior as a delete-plus-create operation. So the new behavior is that, when a single transaction contains a delete followed by a modify of the same object, then the delete is ignored and the modify is applied.


445471-1 : DNS Express zone creation, deletion or updates can slow down or stop other DNS services.

Component: Local Traffic Manager

Symptoms:
DNS Express zone creation, deletion or updates can slow down or stop other DNS services.

Conditions:
Any action that causes the DNS Express zone database to be updated, including zone creation, deletion or zone transfer.

Impact:
Other DNS Services may stop working.

Workaround:
Restarting tmm will resolve the issue temporarily, until the next update. If DNS Express is not being used, removing any DNS Express config will prevent this issue from triggering.

Fix:
An improperly handled file descriptor caused the issue. This file descriptor is now properly closed, preventing the problem.


445329-2 : DNS cache resolver connections can be slow to terminate

Component: Local Traffic Manager

Symptoms:
An excessive number of DNS cache resolver connections can build up if local configuration errors (routing, interfaces, VLANs) exist.

Conditions:
Local networking configuration errors exist.

Impact:
An excessive number of outbound DNS cache connections are present.

Workaround:
Ensure default routes for IPv4 and IPv6 are properly configured and operational.

Fix:
Local connection errors now cause immediate connection termination.


445327-1 : OpenJDK 1.7 vulnerabilities

Component: TMOS

Symptoms:
There is no impact; F5 products are not affected by this vulnerability. For information see K53146535: Multiple Sun Java vulnerabilities https://support.f5.com/csp/article/K53146535

Conditions:
There is no impact; F5 products are not affected by this vulnerability. For information see K53146535: Multiple Sun Java vulnerabilities https://support.f5.com/csp/article/K53146535

Impact:
There is no impact; F5 products are not affected by this vulnerability. For information see K53146535: Multiple Sun Java vulnerabilities https://support.f5.com/csp/article/K53146535

Fix:
There is no impact; F5 products are not affected by this vulnerability. For information see K53146535: Multiple Sun Java vulnerabilities https://support.f5.com/csp/article/K53146535


444710-8 : Out-of-order TCP packets may be dropped

Component: Local Traffic Manager

Symptoms:
Out-of-order TCP packet will be dropped if it occurs during 3-way handshake.

Conditions:
Client initiates TCP connection to BIG-IP with ACK segment arriving after (i.e., out-of-order) a second packet.

Resultant sequence:

1. Client - BIG-IP : SYN
2. BIG-IP - Client : SYN-ACK
3. Client - BIG-IP : PSH, ACK (w/Segment #2) <-- Out-of-order; must be retransmitted.
4. Client - BIG-IP : ACK (w/Segment #1)

Impact:
Packet must be retransmitted by client.

Workaround:
None.

Fix:
Out-of-order segments received before 3WHS is completed are no longer dropped.


443298-3 : FW Release: Incorporate VIPRION 2250 LOP firmware v1.20

Component: TMOS

Symptoms:
This is a standard bug used for tracking the incorporation of Firmware changes.

Conditions:
The purpose of this change is to integrate a firmware package into the BIG-IP build.

Impact:
None expected.

Workaround:
None.

Fix:
FW Release: Incorporated VIPRION 2250 LOP firmware v1.20 into BIG-IP.


443157-1 : zxfrd might crash when the zone file (zxfrd.bin) is deleted from the directory /var/db

Component: Local Traffic Manager

Symptoms:
zxfrd might crash when the zone file zxfrd.bin is deleted and zxfrd is restarted.

Conditions:
Manually delete zxfrd.bin and restart zxfrd.

Impact:
The zxfrd daemon might crash.

Workaround:
Never manually delete zxfrd.bin.

Fix:
Manually deleting zxfrd.bin should no longer crash the zxfrd daemon.


442869-7 : GUI inaccessible on chassis when /var/log/audit log is full

Component: Local Traffic Manager

Symptoms:
When MCP logging on a chassis is set to Enabled, Verbose, or Debug for Audit Logging, the system sends numerous messages to the /var/log/audit log. This causes the log to fill, which might render the GUI inaccessible.

Conditions:
This occurs on chassis only when the Audit Logging option MCP is set to Enabled, Verbose, or Debug.

Impact:
When the /var/log/audit log is full, the GUI might become inaccessible.

Workaround:
The workaround is to specify Disabled for the MCP option in Audit Logging (available under System :: Logs).

Fix:
The primary blade formerly sent a message to all secondaries every second telling them to change the primary selection time. (The actual timestamp is correct and is the same every second.) Over time, this might fill up the audit log. This no longer occurs, and the message is now sent only when the primary actually changes.


442698-9 : APD Active Directory module memory leak in exception

Component: Access Policy Manager

Symptoms:
The APD Active Directory module might leak memory if an exception happens.

Conditions:
An exception occurs while a request is being processed.

Impact:
The session request fails, and apd leaks memory.

Workaround:
N/A

Fix:
APD is now more robust and handles exceptions in AD module properly.


442686-1 : DNSX Transfers Occur on DNSX authoritative server change

Component: Local Traffic Manager

Symptoms:
DNS Express authoritative servers do not update zone information when you change the authoritative server for that zone until the next successful zone transfer from the new server.

Conditions:
Create a DNS Express zone and provide an authoritative DNS Express server for that zone, wait for zone transfer to occur, and then change the authoritative server.

Impact:
Data from the original server is still served until the next successful zone transfer from the new server or the zone expires.

Workaround:
Delete and recreate the DNSX zone with the new server information.

Fix:
Changing a DNSX authoritative server for a zone will cause the BIG-IP to stop serving data from the original server and trigger a transfer request to the new server to obtain new data.


442647-4 : IP::stats iRule command reports incorrect information past 2**31 bits

Component: Local Traffic Manager

Symptoms:
Due to a mistaken internal object-size conversion, the statistical data used by the IP::stats iRule command reports a negative number when the data exceeds 2**31.

Conditions:
Transferring more than 2 gigabytes or 2 billion packets on a connection that then uses IP::stats commands in an iRule will show a negative number.

Impact:
iRules cannot rely on the validity of the IP::stats counters when more than 2 gigabytes have been transferred.

Workaround:
Upgrade to a fixed version.

Fix:
iRules now use a 64-bit object for these counters.


442539-3 : OneConnect security improvements.

Component: Local Traffic Manager

Symptoms:
OneConnect security improvements.

Conditions:
OneConnect security improvements.

Impact:
OneConnect security improvements.

Workaround:
None.

Fix:
OneConnect security improvements.


442528-5 : Demangle filter crash

Component: Access Policy Manager

Symptoms:
Demangle filter crashes with a SIGBUS.

Conditions:
Very long URLs must be used and the demangle filter must be in the chain.

Impact:
HTTP requests with very long URL cannot be processed.

Workaround:
To work around the problem, add this code to the iRule:

when HTTP_REQUEST {
  # Log the Referer length, then drop the header when it exceeds the size the demangle filter can handle
  log local0. "Referer length is [string length [HTTP::header Referer] ]"
  if { [string length [HTTP::header Referer] ] > 4000 } {
    HTTP::header remove Referer
  }
}

Fix:
Long URLs (up to 16K long) are handled correctly.


442455-4 : Hardware Security Module (HSM) CSR and certificate fields constraints: 15 characters and no spaces.

Component: Local Traffic Manager

Symptoms:
While using the tmsh command or fipskey.nethsm utility to create HSM keys/csr/cert, Locality, Province, Organization names cannot be longer than 15 characters.

While using the tmsh command to create HSM keys/csr/cert, Locality, Province, Organization names, common name cannot process multiple words. The system accepts only the content up to the first space character.

Conditions:
HSM keys/csr/cert, Locality, Province, Organization names, or common name are longer than 15 characters or consist of strings separated by space characters.

Impact:
The system truncates field content to 15 characters or to the string up to the first space character.

Workaround:
Use strings shorter than or equal to 15 characters. Use strings without spaces. To use strings containing spaces, quote the entire string and delimit spaces with a backslash character (\). For example, for the string F5 Networks Inc, use this: "F5\ Networks\ Inc". Note that the delimiting slash still counts as a character.

Fix:
You can now create HSM CSR and certificate fields containing space characters and use strings longer than 15 characters for keys/csr/cert, Locality, Province, Organization names, common name fields.


442313-6 : Content length header leading whitespaces should not be counted as digits

Component: Application Security Manager

Symptoms:
A customer has reported that they are seeing a non-trivial number of requests blocked with "HTTP Protocol compliance failed - Unparsable content length".

Conditions:
The customer has a proxy before ASM that adds whitespaces before the content-length.

Impact:
False positive of blocked requests upon content length headers with leading whitespaces.

Workaround:
N/A

Fix:
The system no longer blocks content length headers with leading whitespace, because leading whitespace is legal. The system used to issue the "HTTP protocol compliance failed" sub-violation: "Unparsable request content".
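
As an added example (not BIG-IP code), here is a Content-Length check before and after the change this ID describes: the pre-fix check tests the raw field value, so the customer's leading whitespace is a false positive, while the fixed check strips the optional whitespace (OWS) that RFC 7230 allows around a field value and then requires 1*DIGIT. The pre-fix logic is reconstructed from the description, and the header values are constructed samples; comma-separated Content-Length lists are simply rejected here and are out of scope.

```python
import re

# RFC 7230: OWS = *( SP / HTAB ) may surround a field value and is not part of it;
# Content-Length = 1*DIGIT.
OWS_CHARS = " \t"
DIGITS_ONLY = re.compile(r"[0-9]+")

UNPARSABLE = "HTTP protocol compliance failed - Unparsable content length"


def check_content_length_before_fix(field_value):
    """Reconstructed pre-fix behaviour: the raw value is tested as-is, so a
    leading space fails the digits-only test. Returns (length, verdict)."""
    if DIGITS_ONLY.fullmatch(field_value):
        return int(field_value), "ok"
    return None, UNPARSABLE


def check_content_length(field_value):
    """Fixed behaviour: trim OWS first, then require the remainder to be
    1*DIGIT. Anything else (signs, inner spaces, lists, empty) is still
    reported as unparsable. Returns (length, verdict)."""
    value = field_value.strip(OWS_CHARS)
    if value and DIGITS_ONLY.fullmatch(value):
        return int(value), "ok"
    return None, UNPARSABLE


# Constructed header values as an upstream proxy might forward them.
SAMPLES = {
    "plain": "512",
    "leading_space": " 512",      # the customer's case from ID 442313-6
    "leading_tab": "\t512",
    "trailing_space": "512 ",
    "inner_space": "5 12",        # still malformed after trimming
    "signed": "+512",             # '+' is not a DIGIT
    "list": "512, 512",           # comma list: rejected, not merged, here
    "empty": "   ",
}


def classify(samples=SAMPLES):
    """Return {name: (verdict_before_fix, verdict_after_fix)} for each sample."""
    return {
        name: (check_content_length_before_fix(value)[1], check_content_length(value)[1])
        for name, value in samples.items()
    }


if __name__ == "__main__":
    for name, verdicts in classify().items():
        print("%-15s before=%-60s after=%s" % (name, verdicts[0], verdicts[1]))
```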


442231-1 : Pendsect log entries have an unexpected severity

Component: TMOS

Symptoms:
Pendsect logs non-errors with a 'warning' severity.

Conditions:
This occurs when pendsect is executed.

Impact:
Unexpected log entries. When pendsect is executed and does not find any disk errors, it logs the following at the warning level: warning pendsect[21788]: pendsect: /dev/sdb no Pending Sectors detected. This is not an error. The message is posted at the incorrect severity level and does not indicate a problem with the BIG-IP system.

Workaround:
None needed. This is cosmetic.

Fix:
Adjusted severity level of various logs generated by pendsect script, so that informational messages are not logged as warnings.


442157-2 : Incorrect assignment of ASM policy to virtual server

Component: Application Security Manager

Symptoms:
Incorrect assignment of an ASM policy to an LTM virtual server occurs when it is managed from the Local Traffic > Virtual Servers > Virtual Server List > <vs_name> > Security > Policies screen, and the same ASM policy is assigned to multiple LTM virtual servers by means of a single LTM policy (L7 policy).

Conditions:
ASM is provisioned, and an ASM policy is assigned to multiple LTM virtual servers by means of a single LTM policy (L7 policy).

Impact:
Changes are applied to all LTM virtual servers that are assigned with the relevant LTM policy (L7 policy) instead of changing only the currently managed LTM virtual server.

Workaround:
Assignment of ASM policies to LTM policies and to LTM virtual servers can be handled from the following screens:

1) LTM policies:
Local Traffic > Policies > Policy List > <L7_policy_name> > Properties

1) LTM virtuals:
Local Traffic > Virtual Servers > Virtual Server List > <vs_name> > Resources

Fix:
The assignment of an ASM policy to an LTM virtual server from Local Traffic > Virtual Servers > Virtual Server List > <vs_name> > Security > Policies is now NOT available when there is a one-to-many relationship between the underlying LTM policy and LTM virtual servers/ASM policies.

In addition, the message 'Manual Configuration (Advanced)' is displayed in the 'Application Security Policy' field on that screen.


441790 : Logd core formed, while executing provisioning run script(mod_combo_7000_12721.py) on 5000 and 7000 series platforms

Component: Access Policy Manager

Symptoms:
Logd core formed while executing provisioning run script(mod_combo_7000_12721.py) on 5000 and 7000 series platforms.

Conditions:
While executing provisioning run script(mod_combo_7000_12721.py) on 5000 and 7000 series platforms.

Impact:
logd restarts.

Workaround:
Run the tmsh command: logd restart.

Fix:
Fixed a threading pitfall that could cause deadlock between DB rotation and loading threads.


441642-4 : /etc/monitors/monitors_logrotate.conf contains an error

Component: TMOS

Symptoms:
The primary symptom will be unrotated monitor log files. Other symptoms include:

 - Error messages:
    -- error: /etc/monitors/monitors_logrotate.conf:6 unknown unit 'B'
    -- error: found error in /var/log/monitors/*.log , skipping

 - No disk space

Conditions:
This occurs in /etc/monitors/monitors_logrotate.conf.

Impact:
Monitor logs will not consider file size for rotation criteria. An email notification is generated periodically, which references an error in /etc/monitors/monitors_logrotate.conf.

Workaround:
edit /etc/monitors/monitors_logrotate.conf to be "size=5M" instead of "size=5MB"

the file should look like this once edited:
/var/log/monitors/*.log {
compress
missingok
notifempty
rotate 7
size=5M
olddir=/var/log/monitors
}

Fix:
Monitor log rotation has been restored, and the error e-mails that were sent to the postmaster every 30 minutes no longer occur.


441638-9 : CACHE::header insert fails with 'Out of bounds' error for 301 Cache response

Component: Local Traffic Manager

Symptoms:
Notice the following log message in /var/log/ltm,

err tmm3[12122]: 01220001:3: TCL error: /Common/set_xcache_header <CACHE_RESPONSE> - Out of bounds (line 1) invoked from within "CACHE::header insert Via F5-CACHE"

Also, notice the missing header in the HTTP response.

Conditions:
1. Enabled Web Acceleration profile

2. Handling CACHE_RESPONSE iRule event

3. 301 response is cached

Impact:
Missing header in the HTTP response

Workaround:
Remove the header insert command from the iRule

Fix:
The system now keeps the cache information in sync with the packet data, so CACHE::header insert succeeds for cached 301 responses.


441613-8 : APM TMUI Vulnerability CVE-2015-8022

Component: Access Policy Manager

Symptoms:
APM Advanced Customization allows image files to be uploaded. It is possible to upload other file types (for example, JavaScript, HTML or PHP files) through this facility, which could lead to security issues.

Conditions:
Uploading non-image files through the customization feature, which is intended to accept only image files.

Impact:
Potential XSS and other security vulnerabilities.

Workaround:
None. Exposure is limited because the upload facility is available only to a small set of users with administrative privileges.

Fix:
The system now checks the file type and the file content before accepting an upload as valid.
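As an added illustration of the fix ("check the file types and content"), not APM's own implementation, the Python below validates an upload by an extension allow-list and by the file's leading magic bytes, and rejects files whose bytes carry active content. The accepted types, the signature table and the active-content markers are assumptions made for the example; the sample uploads are constructed, not real images.

```python
import os

# Allowed extensions and the leading magic bytes each one must carry.
# Assumption for this example: the customization feature needs only these.
_IMAGE_SIGNATURES = {
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".gif":  (b"GIF87a", b"GIF89a"),
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

# Markers of active content that a browser or backend could execute if the
# file is ever served with the wrong type.  Heuristic (assumption), not a
# substitute for re-encoding the image server-side.
_ACTIVE_MARKERS = (b"<script", b"<?php", b"<html", b"javascript:")


def validate_image_upload(filename, data):
    """Return (accepted, reason) for a proposed upload.

    The client-supplied name is never trusted on its own: the extension must
    be in the allow-list AND the bytes must start with that type's signature.
    """
    if not filename or "/" in filename or "\\" in filename or filename.startswith("."):
        return False, "bare file name required"
    ext = os.path.splitext(filename)[1].lower()
    if ext not in _IMAGE_SIGNATURES:
        return False, "extension %r not in image allow-list" % ext
    if not any(data.startswith(sig) for sig in _IMAGE_SIGNATURES[ext]):
        return False, "content does not match declared image type"
    lowered = data.lower()
    if any(marker in lowered for marker in _ACTIVE_MARKERS):
        return False, "active content embedded in image"
    return True, "ok"


# Constructed sample uploads (leading bytes only, not real image files).
GOOD_PNG = ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
PHP_SHELL = ("shell.php", b"<?php system($_GET['c']); ?>")
RENAMED_HTML = ("page.png", b"<html><script>alert(1)</script></html>")
POLYGLOT_PNG = ("poly.png", b"\x89PNG\r\n\x1a\n<script>alert(1)</script>")
```

Note that the double-extension name logo.png.php is rejected by the extension check alone, and page.png (HTML renamed to .png) by the signature check, which is why both checks are needed.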


441214-3 : monpd core dumps in case of MySQL crash

Component: Application Visibility and Reporting

Symptoms:
When MySQL crashes, the monpd process creates a core dump.

Conditions:
This issue occurs when MySQL crashes or does not start correctly.

Impact:
Reports not available for the duration of MySQL going down.

Workaround:
This issue has no workaround at this time.

Fix:
We fixed an issue where monpd would intermittently do a core dump due to a MySQL crash, and reports would not be available during the crash.


441100-1 : iApp partition behavior corrected

Component: TMOS

Symptoms:
Since 11.4, iApps have looked for the non-existence of "/Common/cookie" as the indicator of Edge licensing, since cookie persistence is not provided with Edge Gateways. This test reads incorrectly if the iApp is run from a partition other than /Common, and has been replaced with a direct test for the appropriate license features.

Impact:
Affects customers using partitions on BIG-IP in association with the following iapps: f5.http, f5.bea_weblogic, f5.sap_erp, f5.peoplesoft_9, f5.sharepoint_2010, f5.dns, f5.diameter, f5.radius, f5.ldap, f5.oracle_ebs, f5.microsoft_iis.

Workaround:
To work around this issue, make a copy of the iApp template and change both instances of the "set is_edge" statement to "set is_edge 0".

Fix:
Certain iApps now operate normally when executed from an administrative partition. f5.http, f5.bea_weblogic, f5.sap_erp, f5.peoplesoft_9, f5.sharepoint_2010, f5.dns, f5.diameter, f5.radius, f5.ldap, f5.oracle_ebs, and f5.microsoft_iis were affected.


441058-5 : TMM can crash when a large number of SSL objects are created

Component: Local Traffic Manager

Symptoms:
Administrative operations which trigger a full reload of SSL cert, key, or CRL files can cause TMM to abort. TMM will miss its heartbeat, at which time it will be killed by sod daemon via SIGABRT.

Conditions:
Configuration contains a large number of SSL certs, keys and/or CRLs.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove any unused SSL objects from configuration.

Fix:
The system now loads the virtual IP addresses and associated SSL Certs/Keys in batches, so that TMM config load no longer exceeds its allowed CPU time.


440913-2 : Apply Policy Fails After Policy Diff and Merge

Component: Application Security Manager

Symptoms:
Merging global extractions with references to URLs or File Types from one security policy to another introduces a data inconsistency that prevents Apply Policy actions on the target policy.

Conditions:
A security policy with global extractions that has references to URLs or File Types is merged to another security policy.

Impact:
A data inconsistency is introduced that prevents Apply Policy actions on the target policy.

Workaround:
Remove the extractions from the list of found changes before using auto-merge, and add the extraction manually if desired.

Fix:
Global extractions now merge correctly using Policy Diff.


440841-4 : sso and apm split tunnelling log message is at notice level

Component: Access Policy Manager

Symptoms:
This split tunnelling log message is written at the notice level: "Username used for SSO contains domain information. Please enable 'Split domain from full Username' option in the Logon Page if domain info should be separated from username for SSO to work properly".

Conditions:
Username used for SSO contains domain information

Impact:
logged at notice level for each request in /var/log/apm

Fix:
This split tunnelling log message is no longer written at the notice level: "Username used for SSO contains domain information. Please enable 'Split domain from full Username' option in the Logon Page if domain info should be separated from username for SSO to work properly". The log entry is now written at the informational level.


440752-2 : qkview might loop writing output file if MCPD fails during execution

Component: TMOS

Symptoms:
If qkview is executed, and while it is executing, a problem arises with MCPD, it is possible that qkview may enter a loop where it continually writes the following lines to the file ./mcp_module.xml: end_transaction.

Conditions:
1. qkview is run while mcpd is executing properly.
2. mcpd enters unstable state while qkview is running.

Impact:
Disk can fill up, causing a system failure.

Workaround:
Do not run qkview if mcpd has been acting unpredictably.

Fix:
Qkview MCP module has been corrected to prevent qkview from looping infinitely when failing to connect to MCPD.


440605-4 : Unknown BigDB variable type 'port_list'

Component: TMOS

Symptoms:
You see the following in /var/log/ltm: notice dag.roundrobin.udp.portlist: Unknown BigDB variable type 'port_list'

This can also be observed by running tmsh modify sys db dag.roundrobin.udp.portlist value

A tmm crash could also occur if it is doing round robin load balancing of udp and attempts to load balance a fragmented udp payload.

Conditions:
The error will occur when tmm starts.

Impact:
Traffic disrupted while tmm restarts.

Fix:
BIG-IP will now recognize dag.roundrobin.udp.portlist


439514-6 : Different time-stamps are translated to the same time (due to DST clock change) and causes database errors

Component: Application Visibility and Reporting

Symptoms:
Due to DST (Daylight Savings Time) - Different timestamps can be translated to the same (local) time

Conditions:
DST clock change has occurred

Impact:
Analytics database cannot create new partition after DST clock change

Fix:
Appending the time-stamp to the partition name, so that if time is the same, the time-stamp will make the partition name different.
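The naming collision behind this entry, as an added example that is not AVR's code: a partition named after the local wall-clock time is created twice at the DST fall-back hour, while a name that also carries the UTC epoch (the approach the fix describes) stays unique. The zone is modelled as a hard-coded offset change at the 2017 US fall-back instant so that the example needs no tz database; the partition name format is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Toy time zone for the example: UTC-4 before the 2017 US fall-back instant
# (02:00 EDT -> 01:00 EST, i.e. 06:00 UTC on 2017-11-05) and UTC-5 after it.
# Hard-coded so the example needs no tz database (assumption, not AVR code).
FALL_BACK_UTC = datetime(2017, 11, 5, 6, 0, tzinfo=timezone.utc)


def to_local_wall_clock(ts_utc):
    """Naive local wall-clock time for an aware UTC datetime."""
    offset = timedelta(hours=-4) if ts_utc < FALL_BACK_UTC else timedelta(hours=-5)
    return (ts_utc + offset).replace(tzinfo=None)


def partition_name_local_only(ts_utc):
    """The collision-prone scheme: the name is derived from local time alone."""
    return "stats_" + to_local_wall_clock(ts_utc).strftime("%Y%m%d_%H%M")


def partition_name_with_epoch(ts_utc):
    """The scheme the fix describes: local time for readability, plus the
    UTC epoch so two instants with the same wall-clock time stay distinct."""
    return "%s_%d" % (partition_name_local_only(ts_utc), int(ts_utc.timestamp()))


def create_partition(existing, ts_utc, scheme):
    """Return the partition name to create and record it in `existing`, or
    raise ValueError if it already exists (the database error this entry
    describes)."""
    name = scheme(ts_utc)
    if name in existing:
        raise ValueError("partition %s already exists" % name)
    existing.add(name)
    return name


# Two instants an hour apart that both read 01:30 on the local clock.
BEFORE_FALL_BACK = datetime(2017, 11, 5, 5, 30, tzinfo=timezone.utc)  # 01:30 EDT
AFTER_FALL_BACK = datetime(2017, 11, 5, 6, 30, tzinfo=timezone.utc)   # 01:30 EST
```

With partition_name_local_only both instants map to stats_20171105_0130 and the second create_partition call fails; with partition_name_with_epoch the two names differ in their trailing epoch.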


439343-9 : Client certificate SSL authentication unable to bind to LDAP server

Component: TMOS

Symptoms:
When LDAP Client Certificate SSL Authentication is configured to bind to the LDAP server with a password, the bind fails due to an incorrect password.

Conditions:
LDAP client certificate SSL authentication enabled
LDAP server requires password to bind

Impact:
Client certificates cannot be authenticated

Fix:
LDAP client certificate SSL authentication sends correct bind password to LDAP server


439299-5 : iApp creation fails with non-admin users

Component: TMOS

Symptoms:
This error message may occur when Application Editor or Manager users try to create an iApp instance:

Error parsing template:Tcl_Init failed: (invalid command name "file" while executing "file join $i init.tcl" (procedure "tclInit" line 21) invoked from within "tclInit" line:46)

Conditions:
This issue occurs when an iApp instance is being created by a non-admin user. Application Editor and Manager users have been specifically tested.

Impact:
The iApp creation fails.

Workaround:
iApp creation will succeed if performed by an admin user.

Fix:
iApp creation by non-admin users previously could fail with this error:

Error parsing template:Tcl_Init failed: (invalid command name "file" while executing "file join $i init.tcl" (procedure "tclInit" line 21) invoked from within "tclInit" line:46)

This no longer occurs.


439249-1 : PEM:Initial quota request in the rating group request is not as configured.

Component: Policy Enforcement Manager

Symptoms:
When the quota request for a rating group is sent for the first time in a session, the initial quota requested is not the configured value.

Conditions:
A quota request for a rating group is sent for the first time in the session, and the initial quota in that request does not match the configured value.

Impact:
If the initial quota request is not sent as configured, the OCS may not allocate the right quota for the session.

Workaround:
There is no workaround at this time.

Fix:
The initial quota request now carries the quota value as configured.


439013-5 : IPv6 link-local vlan tag handling incorrect

Component: Local Traffic Manager

Symptoms:
Validation is not allowing IPv6 link-local address with vlan tag

Conditions:
Trying to create IPv6 link-local with vlan tag notation, or bits in the second group of the IPv6 address.

Impact:
The same IPv6 link-local address cannot be used on multiple VLANs.

Workaround:
Put the desired IPv6 link-local address with the vlan tag notation in bigip_base.conf, and run "tmsh load sys config"

Fix:
Validation now allows IPv6 link-local address with %vlan notation.

Behavior Change:
It's no longer possible to use %vlan notation with non-link-local IPv6 address as object name.


438969-2 : HTML5 VMware View Client does not work with APM when Virtual Server is on non-default route domain

Component: Access Policy Manager

Symptoms:
HTML5 VMware View Client does not work with APM when Virtual Server is on non-default route domain.

Conditions:
HTML5 VMware View client is used on APM Webtop to access VMware View desktops through a Virtual Server that is on non-default route domain.

Impact:
HTML5 VMware View Client does not work.

Fix:
HTML5 VMware View Client now works with APM when the virtual server is on a non-default route domain.


438792-10 : Node flapping may, in rare cases, lead to inconsistent persistence behavior

Component: Local Traffic Manager

Symptoms:
If persistence is used, and a node is marked down and then up in quick succession (less than about 7 seconds), then persistence may act inconsistently (meaning, not all connections expected to persist to a server will do so). Further requests in certain circumstances may hang (the client will be left waiting for a response).

Conditions:
Persistence, rapid node flapping, new connection (via a TMM with an existing connection) after node has been re-marked as up.

Impact:
Inconsistent persistence behaviors. If persistence records are examined, you might find multiple, conflicting entries. This is an intermittent issue.

Workaround:
Add an iRule command to the PERSIST_DOWN event that deletes the persistence entry for this connection. One example might be:

when PERSIST_DOWN {
    persist delete source_addr [IP::client_addr]
}

For more information, see SOL14918: Node flapping may cause inconsistent persistence records, available here: http://support.f5.com/kb/en-us/solutions/public/14000/900/sol14918.html.

Fix:
The system now deletes a persist entry from all peer TMMs when it is deleted in any TMM, so no conflicts occur.


438773-1 : Network Firewall event logs page pops up date/time picker automatically during drag-and-drop

Component: Advanced Firewall Manager

Symptoms:
Network Firewall event logs page pops up date/time picker automatically during drag-and-drop of the time field in the table to the custom search area.

Conditions:
This occurs in AFM when dragging and dropping a time
from the log event list table

Impact:
Datetime picker pops up automatically

Fix:
The date/time picker no longer pops up during drag and drop.


438674-4 : When log filters include tamd, tamd process may leak descriptors

Component: TMOS

Symptoms:
The log filter functionality in TMOS allows users to publish logs from a specific set of processes to various log destinations. When such a filter includes tamd, the tamd process leaks file descriptors.

Conditions:
Configure log filter that includes tamd.

Impact:
Client authentication might fail. When a log filter includes tamd, the tamd process might start to leak descriptors.

Workaround:
Do not define log filters that include tamd (tamd is included in 'all').

Fix:
The BIG-IP system no longer sends tamd log messages to the configured remote log destinations.


438608-1 : PEM: CCR-U triggered during Gy session may not have Request Service Unit (RSU)

Component: Policy Enforcement Manager

Symptoms:
CCR-U triggered by PEM when managing Gy session may not have Requested-service-unit (RSU) in the message.

Conditions:
When a rating group is idle for a while and a periodic quota request is sent after the timeout, that CCR-U message does not include a Requested-Service-Unit (RSU).

Impact:
If no RSU is encoded, the OCS may not allocate the right quota for the session.

Workaround:
There is no workaround at this time.

Fix:
An RSU is now encoded for all rating groups in the CCR-U, except those marked for final reporting.


438092-2 : PEM: CCR-U triggered by RAR during Gy session does not have Requested Service Unit (RSU)

Component: Policy Enforcement Manager

Symptoms:
When the OCS sends a RAR message to reauthorize the rating groups associated with a Gy session, the corresponding CCR-U does not contain any Requested-Service-Unit (RSU).

Conditions:
A RAR is triggered by the OCS, and the resulting CCR-U has no RSU for the rating group.

Impact:
If there is no RSU in the CCR-U, the OCS may not grant the correct quota for the rating groups.

Workaround:
There is no workaround at this time.

Fix:
The Requested-Service-Unit (RSU) is now present in the CCR-U triggered by a RAR from the OCS.


437744-7 : SAML SP service metadata exported from APM may fail to import.

Component: Access Policy Manager

Symptoms:
SAML SP service metadata exported from APM contains elements in incorrect order which might cause it to fail to be imported by other implementations.

Conditions:
When SAML metadata is exported from BIG-IP acting as a SAML Service Provider, the 'SingleLogoutService' and 'AssertionConsumerService' elements are in the wrong order.

Impact:
Import of SAML metadata with SAML IdP from BIG-IP as SP might fail.

Workaround:
Edit exported metadata: change the order of elements in the SPSSODescriptor so that SingleLogoutService element goes first in the sequence.

Fix:
SAML metadata elements are exported in correct order.
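As an added example (not APM code) of the workaround, the Python below re-sorts the children of md:SPSSODescriptor into the order the SAML 2.0 metadata schema defines, which places SingleLogoutService before AssertionConsumerService. The sample metadata is constructed. Caveat: if the exported metadata is signed, reordering invalidates the signature, so apply this before signing or re-sign afterwards.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)

# Child order of md:SPSSODescriptor per the SAML 2.0 metadata schema
# (elements inherited from RoleDescriptorType/SSODescriptorType come first).
SPSSO_CHILD_ORDER = [
    "Signature", "Extensions", "KeyDescriptor", "Organization", "ContactPerson",
    "ArtifactResolutionService", "SingleLogoutService", "ManageNameIDService",
    "NameIDFormat", "AssertionConsumerService", "AttributeConsumingService",
]
_RANK = {name: i for i, name in enumerate(SPSSO_CHILD_ORDER)}


def _local_name(tag):
    return tag.rsplit("}", 1)[-1]


def spsso_child_names(metadata_xml):
    """Local names of the first SPSSODescriptor's children, in document order."""
    root = ET.fromstring(metadata_xml)
    desc = root.find(".//{%s}SPSSODescriptor" % MD_NS)
    return [_local_name(child.tag) for child in desc]


def is_schema_ordered(metadata_xml):
    """True when the SPSSODescriptor children follow the schema sequence."""
    ranks = [_RANK.get(n, len(_RANK)) for n in spsso_child_names(metadata_xml)]
    return ranks == sorted(ranks)


def reorder_spsso_descriptor(metadata_xml):
    """Return the metadata with every SPSSODescriptor's children sorted into
    schema order.  The sort is stable, so siblings of one type (for example
    several AssertionConsumerService entries) keep their relative order."""
    root = ET.fromstring(metadata_xml)
    for desc in list(root.iter("{%s}SPSSODescriptor" % MD_NS)):
        children = sorted(list(desc),
                          key=lambda c: _RANK.get(_local_name(c.tag), len(_RANK)))
        for child in list(desc):
            desc.remove(child)
        desc.extend(children)
    return ET.tostring(root, encoding="unicode")


# Constructed SP metadata with the two elements in the wrong order.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example/saml/acs" index="0"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sp.example/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
```

reorder_spsso_descriptor(SAMPLE_SP_METADATA) moves SingleLogoutService ahead of NameIDFormat and AssertionConsumerService, which is the order a strict schema-validating IdP expects on import.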


437743-8 : Import of Access Profile config that contains ssl-cert is failing

Component: Access Policy Manager

Symptoms:
An access profile configuration that uses an SSL Certificate fails to import. This happens because of a change in the method to import SSL certificates.

Conditions:
Access Profile configuration contains (SSL) Certificate File object, that is configurations that include OCSP responder, Certificate Authority Profile or ServerSSL Profile.

Impact:
Serious. It is not possible to import configurations that contain the above-mentioned objects to another box, which might prevent users from distributing profiles manually or properly importing a backup.

Workaround:
You can either exclude the above-mentioned objects prior to export and then recreate them after the import, or (not recommended) edit the config manually and import the SSL certificate prior to the import.

Fix:
You can import an access profile that includes an SSL certificate object in its configuration objects.


437670-2 : Race condition in APM windows client on modifying DNS search suffix

Component: Access Policy Manager

Symptoms:
Race condition in APM client have a potential to leave "SearchList" registry key (DNS search suffix) in corrupted state.

Conditions:
Windows user connecting and disconnecting network access connection to BIG-IP APM.

Impact:
Windows can get an incorrect DNS search suffix after using a network access connection to the BIG-IP APM server. This issue is a race condition and may happen at random.

Workaround:
n/a

Fix:
Addressed race condition in APM client on modifying DNS search suffix on Windows-based systems.


437637-2 : Sensor critical alarm: Main board +0.9V_CN35XX

Component: TMOS

Symptoms:
TMOS may log a critical alarm for the 0.9 volt sensor even though the voltage is in the nominal range.
Bug 447349 is a duplicate of this bug. The log message reads "Blade 0 hardware sensor critical alarm: Main board +0.9V_CN35XX voltage: 888 mV"

Conditions:
When the host is powered off using the AOM menu, the LBH detects an under-voltage condition for all non-standby voltage rails. This puts the sensors in the critical state. When the host powers on, the voltage rails turn on and the sensors transition back to the nominal state as the voltage rises. The 0.9 volt rail on some systems does not rise high enough to clear the alert even though the voltage makes it into the nominal range.

Impact:
There will be a single ltm log message indicating this critical alarm, however the voltage reported in the log message will be in the nominal range.

Workaround:
Do not power cycle the host with the AOM menu. This error does not occur with an AC power cycle.

Fix:
The 7000 Series platform no longer reports a false positive sensor out-of-range error when the Host is powered off using the AOM.


437611-3 : ERR_NOT_FOUND. File: ../modules/hudfilter/access/access_license.c, Function: access_read_license_settings, Line: 204

Component: Access Policy Manager

Symptoms:
The system posts this error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access_license.c, Function: access_read_license_settings, Line: 204.

Conditions:
This benign error occurs with an LTM Base license or APM standalone license in the following circumstances: -- APM is provisioned. -- License is upgraded. -- System is booted up or restarted.

Impact:
This error does not indicate any error condition, and you can safely ignore it.

Fix:
An error referencing the access_license.c file is no longer logged during provisioning, system startup, reboot, or license upgrade.


437285-4 : Multiple socat vulnerabilities

Vulnerability Solution Article: K14919


437256-1 : clientssl profile has no key/cert pair

Component: Local Traffic Manager

Symptoms:
After starting tmm, you notice the following critical error in /var/log/tmm, but the system otherwise boots and performs normally:

crit tmm[11621]: 01260000:2: Profile profile-name: clientssl profile has no key/cert pair.

Conditions:
This can occur during start-up of tmm (usually during system boot-up).

Impact:
If the system otherwise performs normally (i.e., you do have the correct clientssl certificate installed), this error is benign; during initial start-up it is possible that the clientssl profile data has not yet been loaded at the right time. In this case the critical log message is misleading.

Workaround:
None.

Fix:
The BIG-IP system now logs a critical error 'clientssl profile has no key/cert pair' only if the clientssl profile truly does not have a certificate configured.


437025-5 : big3d might exit during loading of large configs or when a connection to mcpd is dropped.

Component: Global Traffic Manager

Symptoms:
If big3d loses its connection to MCPD and cannot reconnect immediately, big3d retries too often and re-uses timer IDs incorrectly.
This might result in a core dump with either SIGABRT or SIGSEGV.

One way this can happen is that while processing very large configs, the mcpd process does not respond to queries from the big3d process.

Conditions:
A large configuration file (for example, larger than 10 MB) or a very busy MCPD/control plane.

Impact:
big3d core errors.

Workaround:
This issue has no workaround at this time.

Fix:
Very large configuration files (for example, larger than 10 MB) or a very busy MCPD/control plane no longer cause big3d core errors.


436682-6 : Optical SFP modules shows a higher optical power output for disabled switch ports

Component: TMOS

Symptoms:
Some optical SFP/SFP+ modules may continue to provide optical power output higher than the specified detection threshold when the port has been disabled. As a result, the remote connected device may indicate a false positive link state.

Conditions:
The SFP or SFP+ module switch port has been disabled on the BIG-IP system. The problem occurs due to the optical transmitter in the SFP/SFP+ module not being disabled when the switch port itself is in a disabled state.

The problem may occur with certain optical SFP/SFP+ modules, including all or a subset of individual modules with the following part numbers:
OPT-0010-00 (1G-SR)
OPT-0011-00 (1G-LR)
OPT-0016-00 (10G-SR)
OPT-0017-00 (10G-LR)

For a list of F5 supported Fiber Gigabit Ethernet SFP, XFP, SFP+ and QSFP+ modules, see SOL6097: Specifications of the Fiber Gigabit Ethernet SFP, XFP, SFP+ and QSFP+ module ports on BIG-IP system platforms, available here: https://support.f5.com/kb/en-us/solutions/public/6000/000/sol6097.html.

Impact:
Link status may be incorrectly reported as up on remote connected device.

Workaround:
To work around this issue, when disabling an affected switch port on the BIG-IP system, you can also disable the connected port on the remote device.

Fix:
Optical SFP/SFP+ modules now show the correct optical power output for disabled switch ports, which no longer contributes to false link states.


436468-2 : DNS cache resolver TCP current connection stats not always decremented properly

Component: Local Traffic Manager

Symptoms:
DNS cache resolver TCP current connection stats are not always decremented properly.

Conditions:
This occurs when gathering statistics.

Impact:
Indirectly causes max connections to be wrong.

Fix:
DNS cache resolver TCP current connection stats are now decremented properly.


436201-15 : JavaScript can misbehave in case of the 'X-UA-Compatible' META tag when a client uses IE11

Component: Access Policy Manager

Symptoms:
JavaScript can misbehave when encountering the 'X-UA-Compatible' META tag from clients using Microsoft Internet Explorer 11.

Conditions:
Internet Explorer 11 and meta http-equiv='X-UA-Compatible' content='IE=10'.

Impact:
Web application malfunction.

Workaround:
Use an iRule.

Fix:
JavaScript now correctly handles the X-UA-Compatible meta tag from clients using Microsoft Internet Explorer 11.


435335-6 : SSL proxy session ID cache does not respect limit set by tmm.proxyssl.cachesize

Component: Local Traffic Manager

Symptoms:
After setting tmm.proxyssl.cachesize to a non-default value and restarting TMM, the new maximum size is not respected, either causing too many or too few entries to be retained. This can lead to memory exhaustion over time.

Conditions:
Proxy SSL feature enabled with non-default tmm.proxyssl.cachesize value set.

Impact:
The setting has no effect, so if it is being used to avoid low-memory conditions, the low-memory conditions persist.

Fix:
The tmm.proxyssl.cachesize and tmm.proxyssl.bucketcount settings are now respected when set and TMM has been restarted after the new values have been set.


435044-4 : Erroneous 'FIPS open failed' error on platforms without FIPS hardware

Component: Local Traffic Manager

Symptoms:
The following error may be logged on BIG-IP platforms which do not contain a FIPS hardware device:

date_and_time hostname err iControlPortal.cgi[30667]: Checking for FIPS card.. FIPS open failed.

Conditions:
This error occurs when the iControl get_certificate_bundle function is invoked on BIG-IP platforms that do not contain a FIPS hardware device.
The F5 Enterprise Manager product makes frequent use the iControl get_certificate_bundle function.

Impact:
This error message does not indicate a functional problem and should be ignored.

Workaround:
None.

Fix:
The following error is no longer logged erroneously on BIG-IP platforms which do not contain a FIPS hardware device:

date_and_time hostname err iControlPortal.cgi[30667]: Checking for FIPS card.. FIPS open failed.


434096-5 : TACACS log forwarder truncates logs to 1k

Component: TMOS

Symptoms:
TACACS log forwarder truncates logs to 1 KB.

Conditions:
When the log size is bigger than 1 KB.

Impact:
Log text will be truncated.

Workaround:
None.

Fix:
The BIG-IP system now allows up to an 8 KB log message size.


433466-5 : Disabling bundled interfaces affects first member of associated unbundled interfaces

Component: TMOS

Symptoms:
When the bundled interface (e.g., 2.1) is disabled, it might result in link issues observed with the first member of the associated unbundled interfaces (e.g., 1.1).

Conditions:
Disabling bundled interfaces affects first member of associated unbundled interfaces.

Impact:
Traffic unable to pass due to ports 'Down' status.

Workaround:
Do not disable the associated bundled interface (e.g., 2.1) when intending to use the first member of the associated unbundled interfaces (e.g., 1.1). Same for the interface bundle/unbundle relationships for 2.2/1.5, 2.3/1.9, vice-versa, etc.

Fix:
Disabling bundled interfaces no longer affects the first member of associated unbundled interfaces.


432900-12 : APM configurations can fail to load on newly-installed systems

Component: Access Policy Manager

Symptoms:
APM upgrades fail if the /shared/apm directory is not present before you load the configuration. APM writes a configuration loading error to the /var/log/ltm file with content similar to this:

Oct 25 08:42:11 localhost notice mcpd[6311]: 0107165d:5: copy_file: EPSEC::In copy_file - src (/config/filestore/files_d/Common_d/epsec_package_d/:Common:EPSEC:Images:epsec-1.0.0-160.0.iso_14866_1) dst (/shared/apm/images/epsec-1.0.0-160.0.iso)
Oct 25 08:42:11 localhost notice mcpd[6311]: 0107165d:5: copy_file: Failed in file copy errno=(No such file or directory)
....
01071558:3: EPSEC - File Copy to /shared location failed Unexpected Error: Loading configuration process failed.

Conditions:
If the system is fresh from manufacturing or has had a recent formatting installation, it is vulnerable to this upgrade defect. The failure is only observed if the configuration being applied contains elements of APM.

Impact:
After booting into an upgraded system, the configuration will fail to load. A load failure can also be observed when manually loading a UCS file.

Workaround:
Create the directory /shared/apm and try to load the configuration again.

Fix:
Releases with this fix will load the configuration properly. There is no need for users to first create the /shared/apm directory.


432423-8 : Need proactive alerts for APM license usage

Component: Access Policy Manager

Symptoms:
Customer would like APM to generate proactive alerts when license usage reaches a certain threshold

Conditions:
N/A

Impact:
Without proactive alert, customer will not know that license consumption is near the maximum allowed and, hence, will not be prepared for the event of license being exhausted.

Workaround:
N/A

Fix:
Support for generating a license usage alert when a threshold is crossed has been added.


431980-2 : SWG Reports: Overview and Reports do not show correct data.

Component: Access Policy Manager

Symptoms:
When traffic is very sparse, the report may be incorrect and omit information due to skipped aggregation process of collected data.
The original fix caused heavy spikes to the CPU every 5 minutes.

Conditions:
Very sparse traffic with significant gaps.

Impact:
AVR reports may be incorrect.

Workaround:
This issue has no workaround at this time.

Fix:
Aggregation of data when traffic is very sparse with significant gaps is now done correctly, and also occurs when data is queried, instead of every 5 minutes in order to avoid a 5 minute CPU spiking issue.


431283-3 : iRule binary scan may core TMM when the offset is large

Component: Local Traffic Manager

Symptoms:
Binary command does not check if the offset argument is beyond the internal buffer boundary, this may core TMM. Here is an example:

binary scan [TCP::payload] @${offset_num}c var1

if "offset_num" is larger than payload buffer length, TMM may core.

Conditions:
An iRule passes an offset to binary scan that can exceed the payload length, for example:

binary scan [TCP::payload] @${offset_num}c var1

where "offset_num" is larger than the payload buffer length.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Check payload length and compare with the offset argument before using the command.

Fix:
Check the offset value before moving the cursor.
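The bounds check the workaround calls for, shown as an added Python example rather than an iRule (not F5 code): scan_byte_at mirrors 'binary scan @${offset}c' but refuses an offset at or past the end of the buffer, and a small length-prefixed record walker applies the same check before every cursor move. The record format is an assumption for the example; the payloads are constructed.

```python
import struct


def scan_byte_at(payload, offset):
    """Python equivalent of 'binary scan $payload @${offset}c var': the signed
    8-bit value at `offset`, or None when the offset lies outside the buffer
    (the case that cored TMM before the fix)."""
    if offset < 0 or offset >= len(payload):
        return None
    return struct.unpack_from("b", payload, offset)[0]


def parse_length_prefixed_records(payload):
    """Walk records of the form <1-byte length><length bytes> (assumed
    format).  Returns (records, status) with status 'ok' or 'truncated';
    every read is bounds-checked before the cursor moves."""
    records, cursor = [], 0
    while cursor < len(payload):
        length = payload[cursor]               # in range: loop condition
        start, end = cursor + 1, cursor + 1 + length
        if end > len(payload):                 # record claims more than exists
            return records, "truncated"
        records.append(payload[start:end])
        cursor = end
    return records, "ok"


# Constructed payloads (not captured traffic).
WELL_FORMED = b"\x03abc\x02de"
TRUNCATED = b"\x03ab"
```

A "truncated" result is the signal to wait for more data (TCP::collect) instead of scanning at an offset the buffer does not yet cover.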


431149-8 : APM config snapshot disappears and users see "Access Policy configuration has changed on gateway"

Component: Access Policy Manager

Symptoms:
In scenarios where there are multiple slots on a chassis in an HA pair (in both vCMP and chassis only mode), the error "Access Policy configuration has changed on gateway" might be displayed when a user connects to a virtual server.

Conditions:
It can occur in the following conditions:
 - right after the whole chassis is rebooted
 - the secondary/slave slot's tmm cores
 - a slot on the chassis is disabled

Impact:
Customer would see following message when they connect to virtual server "Access Policy configuration has changed on gateway"

Workaround:
To work around the problem, type the command "bigstart restart apd" on the primary slot.

Fix:
The issue is fixed by having the primary blade of the chassis/vCMP to recreate config snapshots if a secondary blade transitions from online to offline and vice versa.


430799-5 : CVE-2010-5107 openssh vulnerability

Vulnerability Solution Article: K14741


430323-3 : VXLAN daemon may restart when 8000 VXLAN tunnels are configured

Component: TMOS

Symptoms:
VXLAN daemon may restart when 8000 VXLAN tunnels are configured.

Conditions:
8000 VXLAN tunnels are configured.

Impact:
VXLAN daemon restart.

Fix:
VXLAN daemon does not restart when 8000 VXLAN tunnels are configured.


429011-8 : No support for external link down time on network failover

Component: Local Traffic Manager

Symptoms:
For switch based platforms, the bcm56xxd daemon monitors the active/standby state using the failover.bigipunitmask DB variable and if this indicates a transition from Active to Standby, it downs external links and starts a timer for re-enabling the links after a customer-specified delay as per the failover.standby.linkdowntime DB variable.

Conditions:
This occurs on BIG-IP 2000 series and 4000 series platforms.

Impact:
No support for external link down time on network failover.

Workaround:
None.

Fix:
External link down time on network failover is now supported on BIG-IP 2000 series and 4000 series platforms. You can find the Link Down Time on Failover option in the GUI under Device Management :: Device Groups :: [device_group_name] :: Failover.


428387-9 : SAML SSO could fail if SAML configuration contains special XML characters (&,<,>,",')

Component: Access Policy Manager

Symptoms:
SAML AuthRequest and Assertion generation could fail if the configuration (IdpEntityID, ACS, SAML Attributes, and so on) contain special XML characters, such as [&,<,>,",'].

Conditions:
- Assertion signing is enabled on BIG-IP as IdP.
- SAML Configuration (IdpEntityID, ACS, not-encrypted SAML Attributes, ACS URL, SP Entity ID, SLO URL) contains special characters, e.g. [&,<,>,",']

Impact:
SAML AuthRequest and Assertion generation could fail.

Workaround:
You can replace each special XML character in the configuration with its XML escape code:
  "  ->  &quot;
  '  ->  &apos;
  <  ->  &lt;
  >  ->  &gt;
  &  ->  &amp;

For example, replace "http://f5.com/acs_url?user=5&password=pass"

with "http://f5.com/acs_url?user=5&amp;password=pass"
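The same escaping done programmatically, as an added example that is not part of this release note: a Tcl procedure that escapes a value before it is pasted into a SAML configuration field. The URL and attribute value are constructed samples. It uses a single-pass string map, so the ampersand introduced by one replacement is never escaped a second time, which is the usual mistake when the five substitutions are applied one after another with separate regsub calls.

```tcl
# Added example: escape the five XML special characters (&, <, >, ", ')
# in a value destined for a SAML configuration field.
proc xml_escape {value} {
    # string map makes one pass over the input, so the "&" produced by
    # "&lt;" or "&quot;" is not rewritten to "&amp;lt;" afterwards.
    return [string map [list & {&amp;} < {&lt;} > {&gt;} \" {&quot;} ' {&apos;}] $value]
}

# Constructed sample values, not taken from a real deployment.
set acs_url  {http://f5.com/acs_url?user=5&password=pass}
set attr_val {O'Brien <ops> & "admins"}

puts "ACS URL:   [xml_escape $acs_url]"
puts "Attribute: [xml_escape $attr_val]"
```

Apply it only to values that are not already escaped; running it twice over the same string turns `&amp;` into `&amp;amp;`.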

Fix:
The BIG-IP system, when configured as an Identity Provider (IdP), can now successfully create SAML assertions even when the BIG-IP configuration contains special XML characters.


428163-2 : Removing a DNS cache from configuration can cause TMM crash

Component: Local Traffic Manager

Symptoms:
Removing a DNS cache from the configuration while packets are outstanding on the server side can cause a TMM crash if those responses time out after the resolver has been removed.

Conditions:
This occurs with DNS traffic in progress when removing a configured DNS cache from the configuration.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This occurs with DNS traffic in progress. Disabling the listener using that cache and waiting 60 seconds before removing the cache prevents this from occurring.

Fix:
Deleting a cache resolver no longer results in outstanding packet issues.


428068-2 : Insufficiently detailed causes for session deletion.

Component: Access Policy Manager

Symptoms:
When a session is deleted for a reason unrelated to explicit admin action, a generic log message appears: 'Session deleted due to user inactivity or errors.' The message does not distinguish user inactivity from 'error', so the log message indicates a possible error when perhaps none had occurred.

Conditions:
Normal user inactivity is indistinguishable from numerous other causes related to policy actions.

Impact:
Cannot troubleshoot a session termination cause because there is no ability to determine whether the session was deleted because of normal user inactivity or due to some other cause.

Workaround:
None.

Fix:
The session deletion cause has been added as an enhancement to the session deletion log functionality.


427174-6 : SOL15630: TLS in Mozilla NSS vulnerability CVE-2013-1620

Vulnerability Solution Article: K15630


425980-2 : Blade number not displayed in CPU status alerts

Component: TMOS

Symptoms:
Messages displayed on the VIPRION chassis LCD display always reference the blade number of the Primary blade in the chassis at the time that the message was issued.
The slot number of the blade on which the blade-specific condition occurred is not included in the message on the LCD display.
In the case of CPU status alerts, where the CPU temperature is too high or the CPU fan speed is too low, the identification of the blade is not included in the console output or log messages produced by the system_check utility.

Conditions:
Affects:
VIPRION B4100 (PB100), B4200 (PB200) and B4300-series blades in VIPRION C4400, C4480 and C4800 chassis.
VIPRION B2100, B2150 and B2250 blades in VIPRION C2400 and C2200 chassis with external LCD displays attached.

Impact:
It may not be possible to accurately determine which blade has actually experienced a blade-specific condition reported on the chassis LCD display.

Workaround:
Use one of the following commands to examine the CPU measurements to determine which CPU on which blade is experiencing excessive temperature and/or slow fan speed:
1. tmsh show sys hardware
2. tmctl cpu_status_stat

Fix:
The system_check utility now logs the blade number as part of CPU status alerts to the system console and log messages.
Such detail is not made available on the LCD display.


425882-4 : Windows EdgeClient's configuration file could be corrupted on system reboot/sleep

Component: Access Policy Manager

Symptoms:
At system startup, the user sees a message box reporting a corrupted configuration file.

Conditions:
Not fully determined; related to an improper shutdown, hibernation, or power-off.

Impact:
The client profile is reset to default values, which disrupts the user.

Workaround:
http://support.f5.com/kb/en-us/solutions/public/10000/900/sol10935

Fix:
Configuration file handling for the BIG-IP Edge Client was improved to prevent configuration corruption.


425729-1 : mcpd debug logging hardening

Component: TMOS

Symptoms:
mcpd should obfuscate sensitive information even in debug logging mode

Conditions:
mcpd log level set to Debug

Impact:
Certain commands can log sensitive information at the Debug level.

Workaround:
MCP logging is at the Notice level by default. You should only use the Debug log level for certain troubleshooting efforts.

Fix:
Fixed an issue with mcpd debug logging.


425331-1 : On VIPRION 2xxx-series platforms, the SNMP sysObjectID OID reports Chassis ID not Blade ID

Component: TMOS

Symptoms:
On VIPRION 2xxx-series platforms, the SNMP sysObjectID OID reports the ID of the Chassis.
This differs from the behavior on VIPRION 4xxx-series platforms, where the SNMP sysObjectID OID reports the ID of the Blade.

Conditions:
This occurs on VIPRION 2xxx-series platforms:
- C2xxx-series chassis
- B2xxx-series blades

Impact:
SNMP queries to identify the System ID of VIPRION platforms identify different classes of hardware component on VIPRION 2xxx-series vs. 4xxx-series platforms.

Fix:
On VIPRION 2xxx-series platforms, the SNMP sysObjectID OID now reports the ID of the Blade, to match the behavior on VIPRION 4xxx-series platforms.
Previously, SNMP sysObjectID reported the ID of the Chassis on VIPRION 2xxx-series platforms.

Behavior Change:
On VIPRION 2xxx-series platforms, the SNMP sysObjectID OID now reports the ID of the Blade, to match the behavior on VIPRION 4xxx-series platforms.
Previously, SNMP sysObjectID reported the ID of the Chassis on VIPRION 2xxx-series platforms.


424936-1 : apm_mobile_ppc.css has duplicate 1st line

Component: Access Policy Manager

Symptoms:
An extra line (consisting of "<?") appears at the top of the apm_mobile_ppc.css file and
causes an error like this one:
Jul 9 08:37:10 roeislfl4gm err httpd_sam[13917]: [error] [client 127.1.1.4] PHP Parse error: syntax error, unexpected '<' in /var/sam/www/php_include/webtop/renderer/customization/general_ui/Common/tmsproext-apm_general_ui/en/apm_mobile_ppc.css on line 2

Impact:
An error message is written to the /var/log/http_errors log file.

Workaround:
To work around the problem, remove the extra line
("<?") from /var/sam/www/php_include/webtop/renderer/customization/general_ui/Common/tmsproext-apm_general_ui/en/apm_mobile_ppc.css.


424831-4 : State Mirroring does not work for an HA pair that uses only hardwired (serial) failover, without network failover

Component: Local Traffic Manager

Symptoms:
Failovers between devices in an HA pair might result in an unexpected disruption of traffic (for instance, if virtual servers are configured for mirroring).

Persistence / session table information would similarly be missing on the newly-active system.

Conditions:
Platform that supports hardwired failover, configured for hardwired failover. (Note: this excludes chassis-based platforms, as well as VCMP guests and VEs)

Network failover disabled.

Impact:
- Failovers may result in unexpected disruption of traffic that failed to be mirrored.

   - The session database (session DB entries, the iRule session table, the persistence table, and so on) is not mirrored as expected, which may result in unexpected traffic failures.

Workaround:
Enable network failover, then restart all TMMs.

Note: workaround will temporarily disrupt traffic.

Fix:
State Mirroring now works for HA configurations that use only hardwired (serial) failover, without network failover.


424368-3 : parent.document.write(some_html_with_script) hangs up parent frame for IE browsers

Component: Access Policy Manager

Symptoms:
A statement such as: parent.document.write(some_html_with_script) hangs the parent frame for Internet Explorer browsers

Conditions:
Internet Explorer 10 through Internet Explorer 11

Impact:
Some web-applications are affected by this bug.

Fix:
Parent HTML page dynamic re-writing is supported in case of Internet Explorer 10-11: JavaScript statements like parent.document.write(some_html_with_script) are handled correctly.


423392-7 : tcl_platform is no longer in the static:: namespace

Component: Local Traffic Manager

Symptoms:
In previous versions of iRules, the variable tcl_platform was readable as: 'set myvar static::tcl_platform'. However with recent changes, the variable is in the global, not static namespace and should be accessed as '::tcl_platform'.

Conditions:
This occurs on pre-11.4.0 iRules that use the variable 'static::tcl_platform'.

Impact:
iRules that worked properly under earlier versions can result in runtime Tcl exceptions (disrupting traffic) after an upgrade to v11.4.0 or later, if those iRules reference static::tcl_platform.

Workaround:
To map tcl_platform into the static namespace in an iRule, use the following: when RULE_INIT { upvar #0 tcl_platform static::tcl_platform }. Or you can use ::tcl_platform instead of static::tcl_platform. Note: The latter workaround might demote a virtual server from CMP. For more information, see K14544: The tcl_platform iRules variable is not in the static:: namespace, available here: https://support.f5.com/csp/#/article/K14544.


423282-7 : BIG-IP JavaScript includes can be improperly injected in case of conditional comment presence

Component: Access Policy Manager

Symptoms:
JavaScript does not work if a page contains conditional comments inside its head tag.

Conditions:
A conditional comment contains the very first script tag in the page.

Example:
<html>
<!--[if lt IE 9]>
  <script src="foo.js"></script>
<![endif]-->
<script>
document.write("foo");
</script>
</html>

Impact:
JavaScript does not work.

Workaround:
To work around the problem, use an iRule. The exact commands to use depend on the situation.

Fix:
The issue has been fixed by adding necessary JavaScript includes into every conditional branch.


422107-7 : Responses from DNS transparent cache will no longer contain RRSIG for queries without DO bit set

Component: Local Traffic Manager

Symptoms:
The DNS transparent cache may include RRSIG records in responses to queries that do not have the DO bit set.

Conditions:
The DNS transparent cache receives a DNS query without the DO bit set, and the query is answered by a DNSSEC-signed zone of a pool member. The response returned to the client contains RRSIG records.

Impact:
Responses contain unnecessary RRSIG RRsets, which is not RFC compliant.

Workaround:
None.

Fix:
Queries answered by DNS transparent cache will no longer add RRSIG to the response if DO bit is not set in the query.


422087-4 : Low memory condition caused by Ram Cache may result in TMM core

Component: Local Traffic Manager

Symptoms:
As a result of this issue, you may encounter the following symptoms:
- The TMM process crashes with a SIGABRT

- The BIG-IP system fails over to the peer system in a high-availability configuration.

- The BIG-IP system generates a TMM core file in the /var/core directory.

Conditions:
- Associating a Web Acceleration profile with a virtual server

- TMM has become deficient in memory.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround for this issue.

Fix:
Tmm no longer crashes in certain low memory conditions with Ram Cache enabled.


421971-7 : Renewing certificates with SAN input in the GUI leads to error.

Component: TMOS

Symptoms:
Renewing an existing certificate fails using the GUI if a user provides Subject Alternative Name (SAN) as input.

Conditions:
Using the GUI, provide SAN while renewing certificate.

Impact:
Cannot renew certificate using the GUI.

Workaround:
Do not provide SAN information while renewing certificates. As an alternative, you can create a new certificate with a SAN.
Impact of workaround: Performing the suggested workaround should not have a negative impact on your system.

Fix:
Renewing an existing certificate now succeeds if a user provides Subject Alternative Name (SAN) as input in the GUI.


421791-4 : Out of Memory Error

Component: WebAccelerator

Symptoms:
TMM crashes due to a segmentation violation early in a WAM interface.

Before the crash occurs, the logs most likely show messages indicating that the sweeper was activated one or more times.

Conditions:
Only happens when free memory is very low to non-existent.

Impact:
TMM crashes.

Workaround:
Reduce the load on the system if possible.

Fix:
Guards were placed on the module interfaces to bypass the module when the necessary memory could not be allocated for a connection.


420512-1 : All Messages report does not display any data when the Log Levels are selected to filter data based on Log levels

Component: Access Policy Manager

Symptoms:
When an admin runs the All Messages report and selects one or more Log Level checkboxes in the Report Parameters popup to filter messages by log level, the report returns no data.

Impact:
The user cannot filter the All Messages report by log level.

Workaround:
None

Fix:
The ability to filter messages in the All Messages report has been restored. The report now displays data correctly when the log level filter is used.


420440-7 : Multi-line TXT records truncated by ZoneRunner file import

Component: Global Traffic Manager

Symptoms:
Checking your TXT record in the web interface causes the system to give an error. Querying for the data against a listener for the record reveals that the TXT rdata is incorrect.

Conditions:
GTM enabled and a zone file with a TXT record that has multi-line rdata has been imported via the GUI into ZoneRunner.

Impact:
Your DNS TXT records will be incorrect.

Workaround:
Enter your multi-line TXT records via the web interface as a single line of quote-separated strings.

Fix:
Multi-line TXT records are no longer truncated.


420438-2 : Default routes from standby system when HA is configured in NSSA

Component: TMOS

Symptoms:
In an NSSA configuration with a DR, BDR, and HA-configured BIG-IP systems, there are three default routes, one each from DR, BDR, and the standby BIG-IP system. The standby BIG-IP system should not send out any default routes.

Conditions:
This occurs when using OSPF in an NSSA configuration with a DR, BDR and HA pair BIG-IP systems.

Impact:
Traffic is incorrectly directed to the standby and dropped.

Workaround:
None.

Fix:
There are now no default routes from the standby BIG-IP system in an HA pair. This is correct behavior.


420341-5 : Connection Rate Limit Mode when limit is exceeded by one client also throttles others

Component: Local Traffic Manager

Symptoms:
When Connection Rate Limit Mode is set to Per Virtual Server and Source Address, you might encounter unexpected results. Once a particular client is above the limit, other clients (other source IP addresses) are also throttled by the system.

Conditions:
This occurs in the following manner: There is a configured connection rate limit per virtual server per client; one client exceeds the configured rate limit; and the virtual server also throttles other, unrelated clients.

Impact:
The virtual server throttles clients that are not exceeding the connection rate limit.

Workaround:
None.

Fix:
Connection Rate Limit Mode when limit is exceeded by one client no longer throttles others.


420204-2 : FIPS key deletion by-handle does not post an error if corresponding key object exists but the keyname is more than 32 characters long

Component: TMOS

Symptoms:
Starting in 11.4.0, the 'tmsh delete sys crypto fips by-handle handle#' command is expected to throw an error if the key object corresponding to this FIPS key handle exists in the BIG-IP config. However, this does not work if the key name is longer than 32 characters, because the operation relies on the key name being the same as the FIPS key label, which is not the case for key names longer than 32 characters.

Conditions:
BIG-IP contains a FIPS key object with a name that is longer than 32 characters. User attempts 'tmsh delete sys crypto fips by-handle handle#' for this FIPS key handle. The expected error does not occur, and the operation deletes the FIPS key from the FIPS card, which makes the BIG-IP key object invalid.

Impact:
The corresponding BIG-IP key object is now invalid with no corresponding FIPS key in FIPS card. Traffic using this key object will fail.

Workaround:
Use keynames shorter than 32 characters for FIPS keys.

Fix:
The BIG-IP system now posts an error if the user tries to manually delete a particular FIPS key by-handle while its corresponding key object exists in BIG-IP configuration, regardless of the length of the key name. IMPORTANT: FIPS key deletion by-handle should still be executed with caution because the FIPS handle might belong to keys in different boot locations of the BIG-IP configuration. Deleting those FIPS keys does not throw an error, but will make FIPS keys in the other boot locations invalid and unusable.


420107-3 : TMM could crash when modifying HTML profile configuration

Component: TMOS

Symptoms:
Modification of configuration for a virtual with HTML profile attached may cause a tmm crash if there are open connections with html content.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable virtual server (or make sure that it does not have open connections in any other way) before modifying configuration.

Fix:
Fixed an issue in HTML profile which could cause a tmm crash during configuration change on a virtual with open connections.


419458-3 : HTTP is more efficient in buffering data

Component: Local Traffic Manager

Symptoms:
Expiration of HTTP connections.

Conditions:
If many small packets are received, then the HTTP filter may buffer those packets inefficiently.

Impact:
Excessive memory usage for buffering data.

Workaround:
None.

Fix:
HTTP is more efficient in buffering data so that HTTP connections do not get expired early.


419217-1 : LTM policy fails to decompress compressed http requests

Component: Local Traffic Manager

Symptoms:
Administrator configures LTM policy to decompress http request (so, for example, that ASM can check it). However compressed requests are not decompressed.

Conditions:
Issue occurs always when there is a decompress action on an LTM policy.

Impact:
Requests and/or responses are not decompressed as desired.

Workaround:
An iRule can be added to the virtual server to override policy setting. (DECOMPRESS::enable, DECOMPRESS::disable).

Fix:
A coding change has been made to cause LTM decompress action to work as expected.


418890-5 : OpenSSL bug can prevent RSA keys from rolling forward

Component: Local Traffic Manager

Symptoms:
When trying to upgrade from version 10.x to version 11.x, SSL keys can fail to roll forward. The roll-forward process does not handle what appears to be an OpenSSL bug (tested through OpenSSL 1.0.1c).

Conditions:
This occurs when rolling forward RSA keys from version 10.x to 11.x.

Impact:
Rather than returning the expected 'unable to load Private Key' failure with 'bad decrypt', approximately 0.3% of keys produce a different non-zero result whose output does not contain 'bad decrypt'. In this case, the system considers the key bad even though it is fine.

Workaround:
None.

Fix:
All SSL keys from version 10.x can be loaded correctly using the UCS file.


418664-3 : Configuration utility CSRF vulnerability

Component: TMOS

Symptoms:
For more information, see K21485342: Configuration utility CSRF vulnerability, available at https://support.f5.com/csp/article/K21485342

Conditions:
For more information, see K21485342: Configuration utility CSRF vulnerability, available at https://support.f5.com/csp/article/K21485342

Impact:
For more information, see K21485342: Configuration utility CSRF vulnerability, available at https://support.f5.com/csp/article/K21485342

Fix:
For more information, see K21485342: Configuration utility CSRF vulnerability, available at https://support.f5.com/csp/article/K21485342


417006-5 : Thales HSM support on Chassis cluster-mode.

Component: Local Traffic Manager

Symptoms:
Unable to correctly install and use Thales network-HSM in cluster-mode on BIG-IP chassis such as VIPRION.

Conditions:
Use Thales Network-HSM with BIG-IP chassis systems such as VIPRION in cluster mode.

Impact:
Unable to use Thales HSM with BIG-IP chassis system cluster-mode.

Workaround:
Follow manual install procedures for Thales install on each slot.

Fix:
Thales HSM install now needs to be done only on the primary slot on the BIG-IP cluster-mode chassis systems such as VIPRION. A single install on primary slot will take care of installing Thales on all active slots.
On any already-open sessions to the BIG-IP slot(s), the PATH environment variable will need to be reloaded by executing 'source ~/.bash_profile' in order to be able to use Thales utilities.
If at a later stage, a new blade is added or a disabled or powered-off blade is made active or is powered-on, the user will have to run 'thales-sync.sh -v' *only* on the new secondary slot. If the new slot is made primary before running thales-sync.sh on it, then the regular install procedure using nethsm-thales-install.sh will be required on the new primary slot.


416734-2 : Multiple Perl Vulnerabilities

Vulnerability Solution Article: K15867


416372-3 : Boost memory allocator vulnerability CVE-2012-2677

Vulnerability Solution Article: K16946


416115-13 : Edge client continues to use old IP address even when server IP address changed

Component: Access Policy Manager

Symptoms:
The Edge Client enters a reconnect loop if the server it connected to goes down and DNS now resolves the server host name to a different IP address.

Conditions:
1) Edge clients connected successfully to a server.
2) Server goes down and DNS resolves the server host name to a different IP address

Impact:
- Client goes in a reconnect loop and needs to be restarted to successfully connect to new IP address.

Workaround:
Restart Edge Client

Fix:
Now BIG-IP Edge Client resolves the host name during reconnection and initiates full reconnection after an IP address change is detected.


415358-6 : Remote login shell hardening

Component: Local Traffic Manager

Symptoms:
The expected behavior is for privilege roles such as admin, resource-admin, etc. to have capability for root access when required.

Impact:
Potential for local privilege escalation.

Workaround:
Restrict any users in the affected roles to GUI access, i.e. remoteconsoleaccess none.

Fix:
Console login now consistent with ssh.


413708-7 : BIG-IP system may use an ephemeral source port when sending SNMP IPv6 UDP response.

Component: TMOS

Symptoms:
When SNMP IPv6 UDP queries are directed from client to self-ip, response from the BIG-IP system does not preserve source port. An ephemeral source port will be used, instead of the source port 161.

Conditions:
SNMP IPv6 UDP query only.

Impact:
SNMP query fails.

Fix:
A problem of SNMP IPv6 UDP response from the BIG-IP system with an ephemeral source port has been solved.


412160-4 : vCMP provisioning may cause continual tmm crash.

Component: TMOS

Symptoms:
vCMP provisioning may cause continual tmm crash. In rare cases, tmm cores when VCMP is provisioned/deprovisioned.

The tmm log file presents messages similar to the following: panic: ../dev/cn1120/n3_compress.c:555: Assertion 'enough n3_comp_dev structs' failed.

Conditions:
1) LTM is provisioned.
2) Provision vCMP.
3) View the tmm log file/system process table/etc.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
1) Save the system configuration.
2) Reboot
3) After reboot, ensure that the device stays active and has only two Nitrox 3 Compression Devices listed in /var/log/tmm:
-- notice n3-compress0 PASS 0.1: Nitrox 3 Compression Device
-- notice n3-compress1 PASS 0.1: Nitrox 3 Compression Device

Fix:
The system now prevents the tmm from starting up in the case where vCMP is provisioned/deprovisioned. This is correct behavior.


411233-2 : New pool members take all requests until lb_value catches up.

Component: Local Traffic Manager

Symptoms:
When a new pool member is added, the system assigns it a lb_value of 0, which causes new pool members to take all requests until the lb_values for all pool members are reset to accommodate the new member.

Conditions:
This occurs in a pool that uses predictive or observed load balancing modes, typically with a slow ramp time that is small or zero.

Impact:
When the pool member goes out of slow ramp before handling a connection, that pool member becomes the preferred pick for every request until its lb_value is reset in order with the other members.

Workaround:
Add the pool member disabled, and then enable it. If a member is added disabled and then enabled, the lb_values are correctly set, and the problem does not occur.

Fix:
The system now initializes lb_value to the minimum current lb_value for unused pool members. This is correct behavior.


410398-8 : sys db tmrouted.rhifailoverdelay does not seem to work

Component: TMOS

Symptoms:
The sys db variable tmrouted.rhifailoverdelay <value> does not seem to take effect: the route is withdrawn, sometimes before the newly active device is able to advertise the virtual address, leaving a black-hole route.

Conditions:
This occurs during a failover.

Impact:
Temporary black hole for a route.

Fix:
Fixed tmrouted to not bypass rhifailoverdelay during op-state change.


410101-4 : HSBe2 falls off the PCI bus

Component: TMOS

Symptoms:
While restarting the host tmm on a VCMP capable platform, an HSB on one of the blades stops responding and cannot be found, causing all tmms on the blade to fail to pass traffic. A large packet burst may be observed when this happens. Restarting the blade will clear the condition.

Conditions:
It is not known what triggers this condition. It was observed on BIG-IP 10000 and 12000 platforms, as well as B4300 blades. This is an intermittent issue that was seen rarely, restarting the host tmm seemed to trigger it more frequently.

Impact:
Traffic is interrupted, tmms non responsive on the blade or VCMP instance with the affected HSBe2

Fix:
Fixed a lockup issue with HSBe2


409323-2 : OnDemand cert auth redirect omits port information

Component: Access Policy Manager

Symptoms:
On-Demand Cert Auth redirect does not honor a port other than 443 in virtual server.

Conditions:
On-Demand Cert Auth is used in an access policy that's assigned to a virtual server with non-standard port.

Impact:
The redirect URL is missing the port information, hence subsequent client connections aren't successful.

Workaround:
N/A

Fix:
The redirect URL now includes the port of the virtual server, so On-Demand Cert Auth works with non-standard ports.


408851-3 : Some Java applications do not work through BIG-IP server

Component: Access Policy Manager

Symptoms:
Some Java applications do not work through the BIG-IP server.

Impact:
Users are unable to use some web applications that use Java applets.

Fix:
Fixed bug that resulted in incorrect loading of Java applets (Java applications).


406001-5 : Host-originated traffic cannot use a nexthop in a different route domain

Component: Local Traffic Manager

Symptoms:
If a route uses a nexthop in a different route domain, traffic originating from the host will not be forwarded to that nexthop.

Conditions:
Multiple route domains, gateway route that matches traffic using a nexthop in a different route domain.

Impact:
Nodes reached by the route cannot be monitored.

Workaround:
none

Fix:
Host-originated traffic can now use a nexthop in a different route domain.


405752-2 : TCP Half Open monitors sourced from specific source ports can fail

Component: TMOS

Symptoms:
TCP Half Open monitors fail when sourced from ports 1097 (except on some platforms), 1098, 1099, or 3306. Upon receipt of the SYN-ACK from the monitored device, TMOS filters the packet and responds with ICMP port unreachable.

Conditions:
Use one or more TCP Half Open monitors. Port 1097 will not be affected on the BIG-IP 800, 1600, 3600, 3900, 6900, 8900 (and derivative), 11000, or 11050 platforms.

Impact:
May result in false monitor failures.

Workaround:
1. Use a monitor type other than TCP Half Open.
2. Modify iptables by removing the relevant iptables rules. In each group below, the first command deletes the rule that rejects every inbound packet to the port (the rule that discards the monitor's SYN-ACK); the second and third delete and re-add the rule that resets inbound SYNs, so new connection attempts to the port are still refused. Changes made with iptables on the command line do not persist across a reboot and must be reapplied.

For all platforms:

-- /sbin/iptables -D INPUT -p tcp --dport 3306 -j REJECT --reject-with icmp-port-unreachable
-- /sbin/iptables -D INPUT -p tcp -m tcp --dport 3306 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset
-- /sbin/iptables -A INPUT -p tcp -m tcp --dport 3306 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset

Then, for platforms where port 1097 is affected:

-- /sbin/iptables -D INPUT -p tcp --dport 1097:1099 -j REJECT --reject-with icmp-port-unreachable
-- /sbin/iptables -D INPUT -p tcp -m tcp --dport 1097:1099 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset
-- /sbin/iptables -A INPUT -p tcp -m tcp --dport 1097:1099 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset

Or for platforms where port 1097 is not affected:

-- /sbin/iptables -D INPUT -p tcp --dport 1098:1099 -j REJECT --reject-with icmp-port-unreachable
-- /sbin/iptables -D INPUT -p tcp -m tcp --dport 1098:1099 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset
-- /sbin/iptables -A INPUT -p tcp -m tcp --dport 1098:1099 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset

Fix:
TCP Half Open monitors sourced from certain ports now handle traffic as expected.


405635-5 : Using the restart cm trust-domain command to recreate certificates required by device trust.

Component: TMOS

Symptoms:
The device trust manages the certificates and keys SSL connections require between devices used for configuration synchronization. You should always have the necessary certificates and keys. If they are not present, device trust fails.

Conditions:
This might occur after manually removing the 'cm' stanzas from the config file, and reloading the configuration.

Impact:
No certificates and keys exist. If there are no certificates and keys, device trust cannot be set up, and the system cannot complete the SSL connections necessary for config synchronization.

Workaround:
To recreate the certs and keys, run the command: restart cm trust-domain.

Fix:
This release contains a new tmsh command, 'restart cm trust-domain', to restart device trust in these circumstances.


405611-2 : Configuration utility CSRF vulnerability

Component: TMOS

Symptoms:
For more information, see K61045143: Configuration utility CSRF vulnerability, available at https://support.f5.com/csp/article/K61045143

Conditions:
For more information, see K61045143: Configuration utility CSRF vulnerability, available at https://support.f5.com/csp/article/K61045143

Impact:
For more information, see K61045143: Configuration utility CSRF vulnerability, available at https://support.f5.com/csp/article/K61045143

Workaround:
None.

Fix:
For more information, see K61045143: Configuration utility CSRF vulnerability, available at https://support.f5.com/csp/article/K61045143


404141-3 : Standby system offers option to Apply Access Policy even though it has been synced

Component: Access Policy Manager

Symptoms:
After syncing an access policy from the active system to the standby, the standby system will still prompt you to apply the access policy, even though it is in sync with the primary.

Conditions:
Device group configured and an access policy is synced from the active device to the standby device(s).

Impact:
The message is erroneous on the standby, as the policy was already synced.

Workaround:
The standby device will no longer prompt to sync the access policy if it has already been synced from the active device.


403991-9 : Proxy.pac file larger than 32 KB is not supported

Component: Access Policy Manager

Symptoms:
Proxy.pac file larger than 32 KB is not downloaded and edge client may fail to provide network access.

Conditions:
BIG-IP APM, MAC Edge Client, network access, proxy.pac URL pointing to the file greater than 32 KB.

Impact:
User might not be able to access internal resources and Edge Client might go into connect/disconnect loop.

Fix:
BIG-IP Edge Client for Mac now supports Proxy.pac file sizes of up to 1 MB; previously, the limit was 32 KB.


402793-13 : APM Network Access tunnel slows down and loses data in secure renegotiation on Linux and Mac clients

Component: Access Policy Manager

Symptoms:
VPN connections on Linux and Mac clients can slow down and may lose some packets while performing secure re-negotiation on a TLS or DTLS Network Access tunnel.

Conditions:
Secure re-negotiation configured on APM virtual server.

Impact:
Users can experience disconnects or traffic loss on APM Network Access connection.

Workaround:
n/a

Fix:
APM clients for Linux and Mac modified to perform better during secure re-negotiation.


402412-10 : FastL4 TCP handshake timeout is not honored; connection lives for idle timeout.

Component: Local Traffic Manager

Symptoms:
When FastL4 performs hardware acceleration at TCP handshake, FastL4 handshake timeout is not honored.

Conditions:
When FastL4 performs hardware acceleration at SYN time, once a flow is offloaded to hardware, the flow switches to using idle timeout instead of standard established timeout.

Impact:
FastL4 TCP handshake timeout is not honored; the connection lives for the idle timeout.

Workaround:
None.

Fix:
FastL4 no longer switches to idle timeout before data is received, so the 5-second TCP handshake timeout holds until the first data arrives, at which time it switches to idle timeout.


401893-2 : Allowing tilde in HTTP Profile fields Response Headers Allowed and Encrypt Cookies

Component: TMOS

Symptoms:
You will be unable to use the tilde (~) character in the fields Response Headers Allowed and Encrypt Cookies when using the GUI.

Conditions:
Attempting to use the tilde character in HTTP Profile fields Response Headers Allowed and Encrypt Cookies in HTTP Profiles.

Impact:
The GUI errors out with the error: "Bad Characters. Only the following special characters are allowed: period, dash and underscore (.-_). Multiple arguments should be separated by spaces."

Workaround:
Use tmsh to create/update HTTP Profile fields Response Headers Allowed and Encrypt Cookies that need a tilde character.

Fix:
The tilde character can now be used in HTTP Profile fields Response Headers Allowed and Encrypt Cookies.


400456-2 : HTTP monitors with long send or receive strings may not save or update

Component: TMOS

Symptoms:
HTTP monitors with long send or receive strings may not save or update. When you attempt to save or update an affected monitor configuration, a warning message similar to the following example appears on the Configuration utility screen:
Some Fields below contain errors. Correct them before continuing.

Value may not contain literal newline characters.

Conditions:
You use a Google Chrome or Safari web browser.
You attempt to configure a long send or receive string that contains word wraps within the text box of the Configuration utility.

Impact:
You are unable to create or update affected HTTP monitors using the Configuration utility.

Workaround:
To work around this issue, you can use the Internet Explorer or Firefox browser. Alternatively, you may use the Traffic Management Shell (tmsh) to create the HTTP monitor.


399732-2 : SAML Error: Invalid request received from remote client is too big

Component: Access Policy Manager

Symptoms:
Some SAML deployments will produce SAML Assertions or SAML Authentication Requests in POST data that are larger than 64KB.

When this occurs, an error message will be produced in the APM log:
"Invalid request received from remote client is too big."

Conditions:
When a BIG-IP system acts as a SAML service provider, it supports only assertions of size 64 KB or less. Also, when a BIG-IP system acts as a SAML IdP, it supports only authentication requests of size 64 KB or less.

Impact:
SAML cannot be used in BIG-IP as IdP or BIG-IP as SP with deployments that cause large POST data from clients.

Workaround:
No workaround possible.


397431-8 : Improved security for Apache.

Component: TMOS

Symptoms:
Improved security for Apache.

Conditions:
Improved security for Apache.

Impact:
Improved security for Apache.


394236-4 : MCP unexpectedly exits, "failure has occurred, There is no active database transaction, status: 0 -

Component: TMOS

Symptoms:
MCP exits unexpectedly and you see a trace in the ltm log file similar to:

Feb 9 12:54:41 localhost err mcpd[9995]: 01070596:3: An unexpected failure has occurred, There is no active database transaction, status: 0 - EdbDbConnection.cpp, line 133, exiting...

Conditions:
Unexpected MCP exit.

Impact:
MCP is already exiting, so there is no impact.

Fix:
Changed ordering of shutdown operations to avoid MCP error message for benign condition.


393270-3 : Configuration utility may become non-responsive or fail to load.

Component: TMOS

Symptoms:
While doing normal operations via the configuration utility, the status indicators may become non-responsive or fail to load, the GUI could become very sluggish, and you could be unable to load the GUI, or you could be taken to the license activation screen.

Conditions:
This has been reported most frequently when deleting local users (Access Policy :: Local User DB : Manage Users), but has been encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.

Impact:
Unable to log into the GUI or GUI shows blank page

Workaround:
Run the command 'bigstart restart tomcat' or reboot the BIG-IP system.

Fix:
Configuration utility now responds as expected when deleting local users (Access Policy :: Local User DB : Manage Users), or under other conditions in which an internal timeout results in GUI non-responsiveness because of an incomplete transaction close.


389484-5 : OAM reporting Access Server down with JDK version 1.6.0_27 or later

Component: Access Policy Manager

Symptoms:
Cannot connect to Access Server.

When running eamtest tool to check the functionality between OAM and the access server are working correctly, the following error is seen:

Preparing to connect to Access Server. Please wait.

Access Server you specified is currently down. Please check your Access Server.oamconfig[2368]: Could not configure OAM

Conditions:
The problem occurs only when OAM server is installed with JDK version 1.6.0_27 or later.

Impact:
Cannot connect to backend OAM server using BIG-IP AccessGate.

Workaround:
Install older version of JDK than v1.6.0_27.

Fix:
Applied OAM ASDK patch given by Oracle, so OAM no longer reports Access Server down with JDK version 1.6.0_27 or later.


388274-2 : LTM pool member link in a route domain is wrong in Network Map.

Component: TMOS

Symptoms:
Pool member link in a route domain in Network Map is broken.

Conditions:
This occurs for pool members that exist in a route domain.

Impact:
System cannot correctly read the % used with route domains.

Workaround:
None.

Fix:
LTM pool member link in a route domain is now in the correct Network Map.


384451-8 : Duplicated cert/keys/chain might cause SIGABRTs and low-memory conditions

Component: Local Traffic Manager

Symptoms:
SSL per-virtual stats might cause SSL profile cert/keys/chain to be instantiated per-virtual server.

Conditions:
This occurs when using cert/keys/chain in SSL profile virtual servers.

Impact:
In this case, cert/keys/chain are duplicated and those duplicates might cause excessive memory use and disk activity which might lead to SIGABRTs and low-memory conditions.

Workaround:
None.

Fix:
Improved memory management when there are duplicated keys or certs.


384072-5 : Authorization requests not being cached when allowed.

Component: WebAccelerator

Symptoms:
Requests containing Authorization headers are not cached under any circumstance, which does not comply with RFC 2616 section 14.8.

Conditions:
-- Requests containing Authorization headers.
-- OWS returning responses with either cache-control:public, must-revalidate or s-maxage.

Impact:
The cache benefit is not seen in objects that should be cached that are requested using authentication headers.

Workaround:
None.

Fix:
Now the authentication header handling complies with RFC 2616 14.8, based on the OWS response headers.
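The RFC 2616 section 14.8 rule referred to above, as an added illustration (not BIG-IP or WebAccelerator code): a response to a request that carried an Authorization header may be reused by a shared cache only if the response carries s-maxage, must-revalidate or public. The function answers only that question; freshness and validator rules are out of scope, and the sample exchanges are constructed.

```python
"""Shared-cache decision for responses to authenticated requests, following
RFC 2616 section 14.8. Added illustration, not BIG-IP code."""

from typing import Dict, Optional, Tuple

# Response directives that let a shared cache reuse a response even though the
# request carried an Authorization header (RFC 2616 14.8, exceptions 1 to 3).
AUTHORIZED_REUSE_DIRECTIVES = ("s-maxage", "must-revalidate", "public")


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Parse a Cache-Control value into {directive: argument or None}.

    Directive names are case-insensitive; a quoted argument is unquoted.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup of a single header value."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def shared_cache_may_reuse(request_headers: Dict[str, str],
                           response_headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (decision, reason) for reusing the response from a shared cache."""
    cc = parse_cache_control(get_header(response_headers, "Cache-Control") or "")
    # no-store and private forbid a shared cache whether or not Authorization is present.
    if "no-store" in cc:
        return False, "Cache-Control: no-store forbids caching"
    if "private" in cc:
        return False, "Cache-Control: private forbids shared caching"
    if get_header(request_headers, "Authorization") is None:
        return True, "no Authorization header; section 14.8 does not apply"
    for directive in AUTHORIZED_REUSE_DIRECTIVES:
        if directive in cc:
            return True, f"Authorization present but Cache-Control: {directive} permits reuse"
    return False, "Authorization present and no s-maxage/must-revalidate/public"


# Constructed sample exchanges (not captured traffic); the token is a placeholder.
SAMPLES = [
    ("auth, max-age only",
     {"Authorization": "Bearer EXAMPLE-TOKEN"}, {"Cache-Control": "max-age=600"}),
    ("auth, public",
     {"Authorization": "Bearer EXAMPLE-TOKEN"}, {"Cache-Control": "public, max-age=600"}),
    ("auth, s-maxage (mixed case header)",
     {"authorization": "Bearer EXAMPLE-TOKEN"}, {"cache-control": "S-MAXAGE=300"}),
    ("auth, private + must-revalidate",
     {"Authorization": "Bearer EXAMPLE-TOKEN"}, {"Cache-Control": "private, must-revalidate"}),
    ("no auth",
     {}, {"Cache-Control": "max-age=600"}),
]


def evaluate_samples() -> Dict[str, bool]:
    """Return {label: decision} for the constructed samples."""
    return {label: shared_cache_may_reuse(req, resp)[0] for label, req, resp in SAMPLES}


if __name__ == "__main__":
    for label, req, resp in SAMPLES:
        ok, why = shared_cache_may_reuse(req, resp)
        print(f"{label:40} -> {'reusable' if ok else 'not reusable'} ({why})")
```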


382157-2 : Stats presented by the MIB sysVlanStatTable do not match sFlow VLAN stats

Component: TMOS

Symptoms:
Stats presented by the MIB sysVlanStatTable do not match sFlow VLAN stats.

Conditions:
Running the following command returns data inconsistent with sFlow statistics: snmpwalk -v2c -c public localhost F5-BIGIP-SYSTEM-MIB::sysVlanStatTable

Impact:
Incorrect interpretation of VLAN stats. As a result of fixing this issue, F5-BIGIP-SYSTEM-MIB::sysVlanStatTable is obsoleted; IF-MIB::ifXTable should be used instead.

Workaround:
None.

Fix:
IF-MIB::ifXTable was implemented to use the same stats as sFlow. F5-BIGIP-SYSTEM-MIB::sysVlanStatTable is obsolete.

Behavior Change:
F5-BIGIP-SYSTEM-MIB::sysVlanStatTable is obsoleted, IF-MIB::ifXTable should be used instead.


375887-5 : Cluster member disable or reboot can leak a few cross blade trunk packets

Component: Local Traffic Manager

Symptoms:
Using the cluster member 'disable' command with a trunk that spans blades might cause a brief period where received broadcast and multicast packets egress out the enabled trunk members of the cluster.

Conditions:
This occurs on a trunk that spans blades.

Impact:
To an external device running spanning tree protocol or variant, this can look like a loop.

Workaround:
None.

Fix:
Cluster member disable or reboot no longer leaks a few cross-blade trunk packets.


375246-11 : Clarification of pool member session enabling versus pool member monitor enabling

Component: TMOS

Symptoms:
Previous documentation of LocalLB::Pool::set_member_monitor_state and set_member_session_enabled_state led to some confusion for those using the API.

Conditions:
Reading the documentation.

Impact:
Confusion in the expected behavior for both functions.

Workaround:
Experimentation with the SOAP API and observation of BIG-IP behavior.

Fix:
When set_member_session_enabled_state sets a pool member to disabled, then current connections will be maintained, but no more connections will be allowed.

When set_member_monitor_state sets a pool member to disabled, then all connections will be killed immediately and no more connections will be allowed.


374339-5 : HTTP::respond/redirect might crash TMM under low-memory conditions

Component: Local Traffic Manager

Symptoms:
HTTP::respond/redirect might crash TMM under low-memory conditions.

Conditions:
Under low-memory conditions, if a new HTTP connection triggers an HTTP::respond/redirect event.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Reduce memory usage.

Fix:
HTTP::respond/redirect no longer crashes TMM under low-memory conditions.


374067-2 : Using CLIENT_ACCEPTED iRule to set SNAT pool on OneConnect virtual server interferes with keepalive connections

Component: Local Traffic Manager

Symptoms:
Using the 'snatpool' command in the CLIENT_ACCEPTED iRule event causes keepalive requests to originate from the self-IP of the BIG-IP system.

Conditions:
An iRule using the 'snatpool' command in CLIENT_ACCEPTED.

Impact:
Keepalive connections occasionally source from the BIG-IP system's self-IP address.

Workaround:
Use the HTTP_REQUEST event to set the SNAT pool.

Fix:
A virtual server no longer intermittently causes HTTP Keep-Alive connections to use a self IP address as the secure network address translation (SNAT) address.

Behavior Change:
The persistence record attached to a connection is no longer reset upon pool member detachment when using OneConnect. When using OneConnect, the pool member detaches on the completion of every response.

This causes subsequent requests to be load balanced to the original pool member.


372473-3 : mcp error 0x1020003 may be logged to /var/log/tmm when TMM crashes

Component: Local Traffic Manager

Symptoms:
A message beginning with 'mcp error: 0x1020003' may be logged to /var/log/tmm when TMM crashes.

Conditions:
TMM crashes.

Impact:
This is an MCP error that is logged erroneously upon TMM shutdown, and does not indicate an issue with MCP.

Workaround:
None.

Fix:
The message is no longer logged when TMM crashes.


372118-1 : import_all_from_archive_file and import_all_from_archive_stream do not create file objects.

Component: TMOS

Symptoms:
An attempt to transition certs/keys/etc. from a 10.2.x configuration to version 11.5.4, 11.6.0, 11.6.1, or 12.0.0 configuration using import_all_from_archive_stream results in the files being copied to the directories under /config/ssl/, but no file-objects are created on the target system.

Conditions:
This occurs when you attempt to transition certs/keys/etc. from a 10.2.x configuration to version 11.5.4, 11.6.0, 11.6.1, or 12.0.0 configuration using import_all_from_archive_stream.

Impact:
Files being copied to the directories under /config/ssl/, but no file-objects are created on the target system.

Workaround:
None.

Fix:
Attempting to transition certs/keys/etc from a 10.2.x configuration to version 11.5.4, 11.6.0, 11.6.1, or 12.0.0 configuration using import_all_from_archive_stream now creates the file-objects on the target system in addition to the files being copied to the directories under /config/ssl/.


368824-1 : There is no indication that a failed standby cannot go active.

Component: TMOS

Symptoms:
There is no indication that a failed standby cannot go active.

One example is if pool-min-up-members fails. In this case the device will go standby and since this condition may persist, it will not be able to go active.

Conditions:
When a standby fails, there is no indication that it cannot go active.

Impact:
It is not apparent that the standby cannot go active.

Workaround:
None.

Fix:
-- The chassis display state of 'failed' is shown when a chassis is in the Standby state and one or more global fail-safe(s) is active on the chassis.
-- The traffic group state of 'failed' is displayed when a traffic group is in the Standby state and one or more global fail-safe(s) is active on the chassis.
-- The commands 'show cm traffic-group' and 'show cm device' display the Standby state.
-- Updated GUI to show failover status, as well as updates to the overview and device screens under device management.

Behavior Change:
The system now provides indication that a failed standby cannot go active.

-- The chassis display state of 'failed' is shown when a chassis is in the Standby state and one or more global fail-safe(s) is active on the chassis.
-- The traffic group state of 'failed' is displayed when a traffic group is in the Standby state and one or more global fail-safe(s) is active on the chassis.
-- The commands 'show cm traffic-group' and 'show cm device' display the Standby state.
-- Updated GUI to show failover status, as well as updates to the overview and device screens under device management.


366605-2 : response_log_size_limit does not limit the log size.

Component: Application Security Manager

Symptoms:
The internal parameter response_log_size_limit does not limit the log size.

Conditions:
The internal parameter response_log_size_limit is configured.

Impact:
Response log size limit is not applied.

Workaround:
None.

Fix:
response_log_size_limit now correctly limits the log size.


365219-3 : Trust upgrade fails when upgrading from version 10.x to version 11.x.

Component: TMOS

Symptoms:
Trust upgrade fails when upgrading from version 10.x to version 11.x. The upgrade fails without apparent error, but one of the two following error messages appears in the /var/log/ltm log:

-- com.f5.devmgmt.certmgmt.TrustConfigUpdateForHAPairTask.run(TrustConfigUpdateForHAPairTask.java:425): Trust configuration update for HA Pair has failed: [STACK TRACE: {java.lang.Exception: Config sync password is invalid.}{ at com.f5.devmgmt.certmgmt.TrustConfigUpdateForHAPairTask.run(TrustConfigUpdateForHAPairTask.java:200)}.

-- devmgmtd[7983]: 015a0000:3: Trust Config Update: [TrustConfigUpdateForHAPair.cpp:521 ] Skipping already-completed trust.

Conditions:
Upgrading high availability version 10.x configurations that use the factory default admin password.

Impact:
Trust upgrade for version 10.x high availability configuration fails.

Workaround:
Change the default admin password in the 10.x configuration before upgrading to 11.0.0.

Fix:
Upgrades of high availability configurations from version 10.x to version 11.x or later now succeed, even if the 10.x system was still using the factory default admin password. It is recommended that you change the default admin password before deployment.


364994-14 : TMM may restart or disabled connections may be reused when a OneConnect profile is configured and OneConnect reuse is disabled by an iRule.

Component: Local Traffic Manager

Symptoms:
Version 11.3.0 and earlier, TMM may restart.
Version 11.4.0 and later, disabled connections may be reused.

Conditions:
A virtual server with an associated OneConnect profile.
A server side connection is disabled on the client side by the iRule ONECONNECT::reuse disable command.

Impact:
Version 11.3.0 and earlier, tmm can crash.
Version 11.4.0 and later, disabled connections may be reused.

Workaround:
Version 11.3.0 and earlier:

If HTTP::disable is being called in a client-side event, OneConnect must be disabled in a server-side event. This can be done by including 'ONECONNECT::reuse disable' in the client-side event (so a new connection is created), setting a variable, and then invoking ONECONNECT::reuse disable in SERVER_CONNECTED.

Example:

  # Place these commands in the client-side event that calls HTTP::disable:
  set oc_reuse_ss_disable 1
  ONECONNECT::reuse disable
  CACHE::disable
  COMPRESS::disable
  HTTP::disable

Add this (or merge with an existing SERVER_CONNECTED event in the iRule):

when SERVER_CONNECTED {
  if { [info exists oc_reuse_ss_disable] } {
    ONECONNECT::reuse disable
    ONECONNECT::detach disable
  }
}

11.4.0 and later:

Replace "ONECONNECT::reuse disable" with "set oc_reuse_ss_disable 1" in the iRule client-side event.

Add this (or merge with an existing SERVER_CONNECTED event in the iRule):

when SERVER_CONNECTED {
  if { [info exists oc_reuse_ss_disable] } {
    ONECONNECT::reuse disable
  }
}

Fix:
TMM no longer restarts when a OneConnect profile is applied to a virtual server and OneConnect reuse is disabled on the server side by an iRule.


364978-2 : Active/standby system configured with unit 2 failover objects

Component: TMOS

Symptoms:
If an active/standby system is misconfigured with unit 2 failover objects, two traffic groups are automatically created: traffic-group-1 and traffic-group-2.

Conditions:
This occurs when an active/standby system is misconfigured with unit 2 failover objects.

Impact:
For traffic-group-2, the default device points toward the unit 2 box. Instead, it should point to the unit 1 box, because it is an active/standby pair.

Workaround:
To work around this, modify the default device to point to unit 1 using a command similar to the following: tmsh modify /cm traffic-group traffic-group-2 default-device unit_1_device_name.

Fix:
An active/standby system configured with unit 2 failover objects now creates one traffic group, which is the correct behavior.


362267-2 : Configuring network failover on a VIPRION cluster using the blade management addresses results in 'Cannot assign requested address' errors

Component: TMOS

Symptoms:
If a user configures network failover on a VIPRION that uses a blade's management address as the unicast address, the other blades cannot use this address and issue an error message. This is correct operation.

Conditions:
System is configured with per-blade management addresses as unicast network failover addresses.

Impact:
The system posts error messages that appear severe. However, there is no impact to system functionality.

Workaround:
No workaround is needed (under these conditions, message is cosmetic), but the use of multicast failover avoids the messages.

Fix:
The system now tracks the set of active self-IPs and management addresses, and only issues errors when the unicast source IP is invalid or does not behave as expected.


359774-5 : Pools in HA groups other than Common

Component: TMOS

Symptoms:
In v11.x, pools used in an HA group must be in Common. If the user has a v10.x configuration that has pools in different partitions that are used in an HA group, an upgrade to v11.x fails.

Conditions:
HA group pools in administrative partitions other than Common.

Impact:
Upgrade fails.

Workaround:
None, except ensuring that all pools used in HA groups exist in the Common administrative partition.

Fix:
Upgrade script has been updated to append the full partition path names to pools in ha-groups when upgrading from 10.x to 11.x and ha-groups are defined. If the same pool name is used in multiple partitions, the pool in /Common will be used first. If the name exists in multiple partitions other than /Common, the first match is used, and a warning will be logged by the upgrade script.


356841-2 : Don't unilaterally set Connection: Keep-Alive when compressing

Component: Local Traffic Manager

Symptoms:
The Connection HTTP header is unilaterally set to "Keep-Alive" when compressing. This may overwrite a "Connection: Close" header set elsewhere.

Conditions:
Compression enabled with the INFLATE/DEFLATE filter, and the content length is altered by compression.

Impact:
The client may try to use pipelining when the server doesn't support it. This may result in the client receiving an unexpected RST.

Fix:
Compression no longer unilaterally sets a Connection: Keep-Alive header.


355806-2 : Starting mcpd manually at the command line interferes with running mcpd

Component: TMOS

Symptoms:
Starting mcpd at the command line while mcpd is running causes issues.

Conditions:
Having a running mcpd and executing mcpd at the command line.

Impact:
Various issues on the system, such as some utilities may no longer interact with mcpd, etc.

Workaround:
Do not run mcpd directly from the command line.

Fix:
The command now reports the PID of the running mcpd, and the executed command exits abnormally.


355661-2 : sod logs error 010c003b:3: bind fails on recv_sock_fd, Cannot assign requested address

Component: TMOS

Symptoms:
During system startup, particularly after an upgrade or 'load sys config', the sod daemon will repeatedly log errors failing to bind() to the appliance management address to listen for network failover packets. This is caused by a race condition between the chassis management daemon programming the management port address and the failover daemon attempting to access that address.

Conditions:
The management address is configured as a device unicast address.

Impact:
Excessive logging traffic at error level for a valid configuration.

Workaround:
None.

Fix:
The sod daemon has been modified to validate the unicast addresses against the configured management addresses and non-floating self-IPs, and retries the bind() without logging an error if a race condition occurs. The daemon now reports when it is successfully listening on each of the configured unicast addresses, and only logs bind() errors if the configured address is invalid, which is correct behavior.


355199-5 : ePVA flow not removed when connection closed

Component: TMOS

Symptoms:
An ePVA flow might stay accelerated when the connection is closed.

Conditions:
If the idle-timeout in the fastl4 is lower than the default pva-aging timeout, then it's possible for the ePVA flow to stay accelerated.

Impact:
Accelerated flows will continue to pass traffic while not being tracked by software.

Workaround:
Increase the idle-timeout.

Fix:
ePVA flow now removed when connection is closed.


353556-2 : big3d https monitor is unable to correctly monitor the web server when SSL protocol is changed

Component: Global Traffic Manager

Symptoms:
big3d keeps an SSL session cache for HTTPS monitors to improve performance. When the web server changes the SSL protocol, big3d fails to connect to the web server because it is reusing the cached SSL session.

Conditions:
Modify SSL protocol at the server side and restart the web server.

Impact:
Big3d is unable to correctly monitor the https web server.

Workaround:
Restart big3d.

Fix:
When big3d fails to connect to the HTTPS web server, it now clears the entry from the session cache and initiates a new SSL negotiation.


352925-4 : Updating a suspended iRule and TMM process restart

Component: Local Traffic Manager

Symptoms:
Updating a suspended iRule assigned via a profile causes the TMM process to restart when trying to return to the suspended iRule.

Conditions:
This occurs when the iRule is suspended and the TMM process is trying to restart.

Impact:
TMM restarts.

Workaround:
Assign the iRule to the virtual server instead of assigning it to the profile.

Fix:
Updating a suspended iRule no longer results in TMM process restart.


348000-16 : HTTP response status 408 request timeout results in error being logged.

Component: Local Traffic Manager

Symptoms:
HTTP response status 408 request timeout results in error being logged.

Conditions:
HTTP profile is attached to a virtual server. 408 response status is received from server and is not preceded by request from the client.

Impact:
The 408 response status received is consumed and the connection is reset. The response never makes it to the client. The following error is reported in the log: http_process_state_prepend - Invalid action EV_INGRESS_DATA during ST_HTTP_PREPEND_HEADERS.

Workaround:
None.

Fix:
HTTP response status 408 request timeout no longer results in error being logged.


342013-5 : TCP filter doesn't send keepalives in FIN_WAIT_2

Component: Local Traffic Manager

Symptoms:
The TCP filter does not send keepalives in FIN_WAIT_2 (half-close state). This may result in connections remaining open when they should be closed.

Conditions:
The BIG-IP system stops sending keepalives once the connection enters the half-close state, while the server keeps sending keepalives. This keeps connections open indefinitely if the client disappears, a firewall drops its flow entry, etc. The connection is never swept because the server keepalives reset the idle timeout.

Impact:
Idle connections might remain open indefinitely.

Workaround:
None.

Fix:
This is fixed by sending keepalives even in half close state, as idle connections intentionally left open will still be allowed, and clients will be detected disappearing.


339825-2 : Management.KeyCertificate.install_certificate_from_file failing silently

Component: TMOS

Symptoms:
If the iControl function Management.KeyCertificate.install_certificate_from_file fails, it does not return an error.

Conditions:
Using iControl to install a certificate from a file.

Impact:
The method fails, but appears to succeed.


336255-8 : OneConnect Connection Limits with Narrow Source Address Masks

Component: Local Traffic Manager

Symptoms:
If a OneConnect profile with a narrow source address mask (e.g., 255.255.255.255) is applied to a virtual server with a SNAT pool, existing idle server connections cannot be reused (because of the SNATted source address and the narrow source address mask). New connections, therefore, will be created.

Effectively, the pool member connection limits will be interpreted as applying to active connections, with in-flight (HTTP) requests or responses.

Conditions:
This can happen when OneConnect is used with SNAT pools and narrow OneConnect source address masks.

Impact:
More TCP connections to pool members than expected will occur.

Workaround:
Relax the OneConnect source address mask width.

Fix:
This fix introduces a "limit-type" OneConnect profile option (currently supported only via TMSH and iControl/REST -- GUI and iControl/SOAP support in progress). The limit-type can take on one of three values:

none: behaviour is as before, "connections" are counted toward the pool member limit based on whether they have active, in-flight, requests or responses.

strict: a hard TCP pool member connection limit is enforced. No attempt will be made to try to find a connection to reuse if at the TCP connection limit, even if one might be available. This mode of operation is not recommended.

idle: if a client connection is accepted and we are at or above the TCP connection limit, a random idle connection will be dropped.


291469-3 : SNMP query fails to return ARP entries when the ARP table exceeds 2,048 entries.

Component: TMOS

Symptoms:
The SNMP query fails to return ARP entries when the ARP table exceeds 2,048 entries.

Conditions:
The following error message is reported in the /var/log/messages file: snmpd[1748]: Error allocating more space for arpcache. Cache will continue to be limited to 2048 entries.

Impact:
The ARP entries up to the boundary are returned. Any ARP entries after the boundary is reached are not returned.

Workaround:
None.

Fix:
Memory validation now allows arpcache to expand, so the SNMP query no longer fails to return ARP entries when the ARP table exceeds 2,048 entries.


226043-5 : Add support for multiple addresses for audit-forwarder.

Component: TMOS

Symptoms:
The BIG-IP system supports only one destination address for audit-forwarder.

Conditions:
Audit forwarder.

Impact:
Cannot use multiple destinations for audit forwarder.

Workaround:
None.

Fix:
This release adds support for multiple destination addresses for audit-forwarder. There is one new db variable added for audit_forwarder: 'config.auditing.forward.multiple'. There are three options: 'broadcast', 'failover' and 'none'. The default is 'none'. When set to 'none', the behavior is the same as in previous releases.

When db variable 'config.auditing.forward.multiple' is set to 'broadcast' or 'failover', db variable 'config.auditing.forward.destination' can be set to multiple IP addresses, separated by commas ( , ), such as '192.0.2.1,198.51.100.53,www.example.com'. This provides more than one destination IP address to the BIG-IP system audit_forwarder. Note that a single IP address works as well.

When 'config.auditing.forward.multiple' is set to 'broadcast', the audit message is sent to all destinations. When it is set to 'failover', audit_forwarder sends the message to the first destination. If that fails, audit_forwarder tries the next destination until it finds a successful destination, or fails all destinations. Note that 'failover' mode is not supported for RADIUS servers, since RADIUS is UDP and there is no notion of failing to connect. For RADIUS servers, if 'config.auditing.forward.multiple' is set to 'failover', audit_forwarder treats it as 'none'.

When there is a failure to send the audit message, the system logs errors in '/var/log/ltm'.

Behavior Change:
There is one new db variable added for audit_forwarder: 'config.auditing.forward.multiple'. There are three options: 'broadcast', 'failover' and 'none'. The default is 'none'. When set to 'none', the behavior is the same as in previous releases.

When db variable 'config.auditing.forward.multiple' is set to 'broadcast' or 'failover', db variable 'config.auditing.forward.destination' can be set to multiple addresses separated by commas, such as '192.0.2.1,198.51.100.53,www.example.com'. This gives the BIG-IP system audit_forwarder more than one destination. A single address works as well.

When 'config.auditing.forward.multiple' is set to 'broadcast', the audit message is sent to all destinations. When it is set to 'failover', audit_forwarder sends the message to the first destination; if that fails, it tries the next destination until one succeeds or all destinations have failed. Note that 'failover' mode is not supported for a RADIUS server, because RADIUS uses UDP and there is no notion of a failed connection. For a RADIUS server, if 'config.auditing.forward.multiple' is set to 'failover', audit_forwarder treats it as 'none'.

When there is a failure to send the audit message, the system logs errors in '/var/log/ltm'.


225443-6 : gtmparse fails to load if you add unsupported SIP monitor parameters to the config

Component: Global Traffic Manager

Symptoms:
Customers could either manually or via tmsh add unsupported properties to a GTM SIP monitor. Examples of properties that are supported by LTM SIP monitor but not GTM SIP monitor are "headers" and "filter neg". If these are added to a GTM SIP monitor definition in wideip.conf, gtmparse will fail to load the configuration.

Conditions:
Unsupported GTM SIP monitor properties such as "headers" and "filter neg" are added to wideip.conf, either manually or via tmsh, and then the customer runs gtmparse to load the config, or the config is GTM-synced to another box and fails to load there.

Impact:
Gtmparse will fail to load the configuration.

Workaround:
None.

Fix:
Gtmparse will now successfully load a configuration that contains GTM SIP monitors that include the following properties: "headers" and "filter neg".

Note that if a single box in a GTM sync group is upgraded to this hotfix version and the "headers" or "filter neg" GTM SIP monitor options are used, all boxes in the sync group must be upgraded to this version as well for the config to sync successfully between them.



Known Issues in BIG-IP v11.5.x


TMOS Issues

ID Number Severity Description
641390-3 1-Blocking Backslash removal in LTM monitors after upgrade
653376-4 2-Critical bgpd may crash on receiving a BGP update with >= 32 extended communities
649234 2-Critical TMM crash from a possible memory corruption.
646388-4 2-Critical TMM crash when moving to standby
641013-4 2-Critical GRE tunnel traffic pinned to one TMM
625824-4 2-Critical iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory
625456-1 2-Critical Pending sector utility may write repaired sector incorrectly
613415-5 2-Critical Memory leak in ospfd when distribute-list is used
593536-3 2-Critical Device Group with incremental ConfigSync enabled can report "In Sync" when devices have differing configurations
591104-4 2-Critical ospfd cores due to an incorrect debug statement.
587698-1 2-Critical bgpd crashes when ip extcommunity-list standard with route target(rt) and Site-of-origin (soo) parameters are configured
571635 2-Critical VIPRION B2100 or B2150 blade Optic OPT-0016-00 is ON during BIG-IP system boot sequence causing errors with connected equipment
555464-1 2-Critical HA channel flapping will cause SessionDB memory leak on standby due to unexpired entries
528343-1 2-Critical Loading cli preference that does not contain the user attribute will fail
517589-1 2-Critical 'array' command not functional from within MOS context
515764-3 2-Critical PVA stats only being reported on virtual-server and system-level basis.
511868-2 2-Critical Management port loses connectivity during AOM reset
511006-2 2-Critical Virtual address is advertised to ZebOS (as visible via imi shell) while unavailable.
505323-3 2-Critical NSM hangs in a loop, utilizing 100% CPU
475728-1 2-Critical BCM56xxd might restart due to parity errors
473641-2 2-Critical Missing a tunnel FDB endpoint configuration in VXLAN tunnels could result in memory leak
464870-6 2-Critical Datastor cores and restarts.
457252-2 2-Critical tmm crash when using sip_info persistence without a sip profile
451458-6 2-Critical The leasepool stat query should only return primary blade data.
447542-3 2-Critical TMM crashes at startup when reprovisioning.
442199-4 2-Critical HA group must be set up before running ccmode
436674-2 2-Critical The msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime values contained in SNMPv3 trap message may be incorrect after the SNMP agent reboot.
435555-4 2-Critical Cannot load UCS from different BIG-IP system using Secure Vault
423061-1 2-Critical Creating an SNMP v3 user using the Configuration utility or tmsh adds passwords in plain text to the snmpd.conf file
418734-3 2-Critical vCMP guest unit_key empty
376120-6 2-Critical tmrouted restart after reconfiguration of previously deleted route domain
657834-4 3-Major Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent
652671-2 3-Major Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit.
651432 3-Major When mcpd on a secondary blade crashes, after it comes back up, the virtual_disk entries are missing for that blade
651136-4 3-Major ReqLog profile on FTP virtual server with default profile can result in service disruption.
650002-4 3-Major tzdata bug fix and enhancement update
648621-3 3-Major SCTP: Multihome connections may not expire
648544-3 3-Major HSB transmitter failure may occur when global COS queues enabled
647834-2 3-Major Failover DB variables do not correctly implement 'reset-to-default'
645179-4 3-Major Traffic group becomes active on more than one BIG-IP after a long uptime
644979-4 3-Major Errors not logged from hourly 1k key generation cron job
644484-2 3-Major Inconsistent behavior between CLI and GUI for remote auth user passwords
643799-3 3-Major Deleting a partition may cause a sync validation error
643459-1 3-Major Unable to login to BIG-IP Configuration Utility when BIG-IP is behind a Reverse proxy
642923-4 3-Major MCP misses its heartbeat (and is killed by sod) if there are a large amount of file objects on the system
641450-2 3-Major A transaction that deletes and recreates a virtual may result in an invalid configuration
639774-3 3-Major mysqld.err rollover log files are not collected by qkview
639575-5 3-Major Using libtar with files larger than 2 GB will create an unusable tarball
638091-2 3-Major Config sync after changing named pool members can cause mcpd on secondary blades to restart
636031-2 3-Major GUI LTM Monitor Configuration String adding CR for type Oracle
633512-5 3-Major HA Auto-failback will cause an Active/Active overlap, or flapping, on VIPRION.
633465-1 3-Major Curl cannot be forced to use TLSv1.0 or TLSv1.1
632825-3 3-Major bcm56xxd crash following 'silent' port-mirror configuration failure
631172-2 3-Major GUI user logged off when idle for 30 minutes, even when longer timeout is set
630610-4 3-Major BFD session interface configuration may not be stored on unit state transition
629834-3 3-Major istatsd high CPU utilization with large number of entries
629499-3 3-Major tmsh show sys perf command gives an error "011b030d:3: Graph 'dnsx' not found"
628202-1 3-Major Audit-forwarder can take up an excessive amount of memory during a high volume of logging
627760-1 3-Major gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card
626721-2 3-Major "reset-stats auth login-failures" command for unknown users causes secondary mcpd processes to restart
626589-3 3-Major iControl-SOAP prints beyond log buffer
624692-1 3-Major Certificates with ISO/IEC 10646 encoded strings may prevent certificate list page from displaying
624626-2 3-Major Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility
623930-1 3-Major vCMP guests with vlangroups may loop packets internally
623391-2 3-Major cpcfg cannot copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size
623371-4 3-Major After changing from remote auth to local auth, if SSH keys are used, SSH attempts from nonexistent users result in a connection closed
623367-3 3-Major When RADIUS remote authentication is enabled, a nonexistent user is able to ssh into the BIG-IP if they present the root's key.
623336-1 3-Major After an upgrade, the old installation's CA bundle may be used instead of the one that comes with the new version of TMOS
623265-1 3-Major UCS upgrade from v10.x to v11.4.x or later incorrectly retains v10.x ca-bundle.crt
622619-2 3-Major BIG-IP 11.6.1 - "tmsh show sys log <item> range" can kill MCPD
622183-2 3-Major The alert daemon should remove old log files but it does not.
621909-6 3-Major Uneven egress trunk distribution on 5000/10000 platforms with odd number of trunk members
621273-5 3-Major DSR tunnels with transparent monitors may cause TMM crash.
621259-1 3-Major Config save takes long time if there is a large number of data groups
620969-2 3-Major iControl doesn't give correct valid key sizes for FIPS keys on BIG-IP 5250, 7200F, 10200F, and 11050F platforms running the Cavium Nitrox XL FIPS cards.
620658 3-Major Existence of /mprov_firstboot with vcmp can set improper tmmcount
619854 3-Major Duplicate entry for bigipPb200 in F5-BIG-IP-SYSTEM-MIB
619210 3-Major [FIPS] High CPU usage (11.5.4) or memory error messages (11.6.1) during stress test using FIPS keys
618319-2 3-Major HA pair goes Active/Active, and reports peer as 'offline' if network-failover service is blocked
617628-3 3-Major SNMP reports incorrect value for sysBladeTempTemperature OID
614493-3 3-Major BIG-IP reset on ePVA accelerated flow may contain stale TCP window information.
614486-4 3-Major BGP community lower bytes of zero is not allowed to be set in route-map
612721 3-Major FIPS: .exp keys cannot be imported when the local source directory contains .key file
610417-4 3-Major Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported.
609772-2 3-Major Tilde character does not work on GET requests via iControl REST
609186-1 3-Major TMM or MCP might core while getting connections via iControl.
609119-3 3-Major Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3:
607961-5 3-Major Secondary blades restart when modifying a virtual server's route domain in a different partition.
606330-1 3-Major The BIG-IP system does not accept BGP connection requests when using peer-groups and no default address family.
605840-1 3-Major HSB receive failure lockup due to unreceived loopback packets
605800-1 3-Major Web GUI submits changes to multiple pool members as separate transactions
605792-5 3-Major Installing a new version changes the ownership of administrative users' files
605775 3-Major Config sync fails after creating local user matching previously logged in remote user
602566-3 3-Major sod daemon may crash during start-up
602193-1 3-Major iControl REST call to get certificate fails if
601709-4 3-Major I2C error recovery for BIG-IP 4340N/4300 blades
601414-3 3-Major Combined use of session and table irule commands can result in intermittent session lookup failures
601220 3-Major Multi-blade trunks seem to leak packets ingressed via one blade to a different blade
600944-4 3-Major tmsh does not reset route domain to 0 after cd /Common and loading bash
600558-2 3-Major Errors logged after deleting user in GUI
598650-3 3-Major apache-ssl-cert objects do not support certificate bundles
597729-2 3-Major Errors logged after deleting user in GUI
596826-1 3-Major Don't set the mirroring address to a floating self IP address
596815-2 3-Major System DNS nameserver and search order configuration does not always sync to peers
596067-1 3-Major GUI on VIPRION hangs on secondary blade reboot
595868 3-Major HSB TX HGM lockup on 3900, 8900, and 10000-series platforms.
595317-5 3-Major Forwarding address for Type 7 in ospfv3 is not updated in the database
592194-1 3-Major Rarely, an HSB transmitter failure occurs
590938-1 3-Major The CMI rsync daemon may fail to start
590904-4 3-Major New HA Pair created using serial cable failover only will remain Active/Active
589856 3-Major iControl REST : possible to get duplicate transaction ids when transactions are created by multiple clients
589338-1 3-Major Linux host may lose ECMP routes on secondary blades
588646-4 3-Major Use of Standard access list remarks in imish may cause later entries to fail on add
587821-4 3-Major vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.
587668-4 3-Major LCD Checkmark button does not always bring up clearing prompt on VIPRION blades.
587457-1 3-Major REST API does not allow modification of AFM address list
584583-2 3-Major Timeout error when attempting to retrieve large dataset.
583754-4 3-Major When TMM is down, executing 'show ltm persist persist-records' results in a blank error message.
583475-3 3-Major The BIG-IP may core while recompiling LTM policies
582084-4 3-Major BWC policy in device sync groups.
581851-5 3-Major mcpd, interleaving of messages / folder contexts from primary to secondary blade
580832 3-Major mcpd core during config push from Enterprise Manager
579694-3 3-Major Monitors may create invalid configuration files
579035-1 3-Major Config sync error when a key with passphrase is converted into FIPS.
578551-1 3-Major bop "network 0.0.0.0/0 route-map Default" configuration is lost after restart/reboot
577440-3 3-Major audit logs may show connection to hagel.mnet
575368-1 3-Major Error is not posted when a UCS file with FIPS keys is loaded after re-initializing the FIPS card
567774-3 3-Major ca-devices and non-ca-devices addition/deletion has been removed from restart cm trust-domain Root
566507-1 3-Major Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment
561444-2 3-Major LCD might display incorrect output.
559916 3-Major Corrupt MCP message causes crash in MCPConnection::sendMessage
559584-4 3-Major tmsh list/save configuration takes a long time when config contains nested objects.
559100-1 3-Major Unable to Import Certificate to a partition subfolder, message: Name cannot contain '/' nor '\'.
559080-2 3-Major High Speed Logging to specific destinations stops from individual TMMs
557155-1 3-Major BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.
557079 3-Major 'gtmd' daemon is not visible in daemon-ha list command
553446-2 3-Major Interface bfd session does not appear in configuration file or in show running-config
552585-2 3-Major AAA pool member creation sets the port to 0.
552278 3-Major Inconsistent behavior on IP TTL handling between ePVA and tmm for Fast L4 flows.
548175-3 3-Major Idle timeout may be tcp handshake timeout on CMP demoted Fast L4 virtual servers.
545946-3 3-Major Vlangroup may have its MAC address set to 02:00:00:00:00 on first configuration load
545799-3 3-Major Dashboard fails to export derived throughput history
545214-4 3-Major OSPF distance command does not persist across restarts.
542191-3 3-Major Snmpd V1 and V2c view based access.
539832-2 3-Major Zebos: extended community attributes are exchanged incorrectly in BGP updates.
539199-2 3-Major HTML filter is truncating the server response when sending it to client
528987-2 3-Major Benign warning during formatting installation
528295-9 3-Major Virtual ARP ICMP echo settings are flipped on reloading a 10.x configuration on 11.4.x or later.
528083-3 3-Major On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.
527206-4 3-Major Management interface may flap due to LOP sync error
526708-1 3-Major system_check shows fan=good on removed PSU of 4000 platform
524193-3 3-Major Multiple Source addresses are not allowed on a TMSH SNMP community
524123-4 3-Major iRule ISTATS::remove does not work
523985-2 3-Major Certificate bundle summary information does not propagate to device group peers
523797-4 3-Major Upgrade: file path failure for process name attribute in snmp.
522304-1 3-Major Some password policy changes are not reflected in /etc/shadow when synced in a CMI device group
522024-4 3-Major Config sync of SecurID config file fails on secondary blades
521828-1 3-Major CMI device credentials (device name or password) containing XML special characters result in peer discovery error
517578-2 3-Major statsd crash when failed to open stats files
516540-2 3-Major devmgmtd file object leak
516167-4 3-Major TMSH listing with wildcards prevents the child object from being displayed
512853-3 3-Major Kerberos SSO fails if KDC is not specified
512130-5 3-Major Remote role group authentication fails with a space in LDAP attribute group name
510436-4 3-Major TMM logs carry a generic hostname at startup
508556-2 3-Major CSR missing SAN when renewing cert in GUI
506548-1 3-Major Mgmt port does not link with correct speed or duplex when using fixed media on AOM-based platforms
505123-6 3-Major sysObjectID returns 'unknown' platform on the VIPRION 4400
501947-1 3-Major Cannot delete keys/certificates whose names start with 0 (zero).
501418-3 3-Major OSPF: Multiple ECMP default routes not distributed to TMM
499694-3 3-Major LTM v10.2.x to v11.x upgrade misses partition name on node specific monitor
496663 3-Major iRule object in non-Common partition referenced from another partition breaks upgrade/config load
496155-1 3-Major tmsh show ltm persistence persist-records sometimes shows an incorrect number of entries on VIPRION chassis
496038-1 3-Major system_check shows stale chassis fan tray data after the chassis is removed
493250-3 3-Major BGP disabling graceful-restart in ZebOS does not persist and is automatically enabled
489499-1 3-Major chmand needs to check for LopUnsSensClientExists status after registering for unsolicited alerts with lopd
488610-1 3-Major Navigating to iApps :: Templates :: MyTemplate :: Properties in the GUI presents a blank page
488262-5 3-Major moving VLAN from route-domain being deleted in the same transaction can cause errors
485352-2 3-Major TMM dumps core file when loading configuration or starting up
485164-3 3-Major MCPD cores when the Check Service Date in the license is not current.
483840-1 3-Major Serial number of a blade is not cleared in show command after it is moved
476708-9 3-Major ZebOS using BGP ECMP may not correctly update the ECMP paths when one of the paths goes down and comes back up
474149-3 3-Major SOD posts error message: Config digest module error: Traffic group device not found
473415-2 3-Major ASM Standalone license has to include URL and HTML Rewrite
473088-7 3-Major Virtual server with RequestAdapt/ResponseAdapt profiles along with a OneConnect profile
472308-2 3-Major Management IP address change interaction with HA heartbeat / failover traffic
469549-1 3-Major User Modification Denied error on initial bootup
469366-1 3-Major ConfigSync might fail with modified system-supplied profiles
468710-3 3-Major Using non-standard lettercasing for header name results in misleading error during commit of transaction
468559-1 3-Major Config fails to load after upgrade to 11.5.1 when iApp requires PSM module.
467195-1 3-Major Allow special characters importing SSL Key and Certificate except backslash.
464252-3 3-Major Possible tmm crash when modifying html pages with HTML profile.
461818-2 3-Major Occasional extreme large value reported for tmm-info five-min-avg-usage-ratio
460176-3 3-Major Hardwired failover asserts active even when standalone
457149-1 3-Major Remotely authenticated users may still obey local password policy
452660-3 3-Major SNMP trap engineID should not be configsynced between HA-pairs
446713 3-Major Initial boot from non-Primary blades causes daemon restarts and error messages on VIPRION B4300/B4300N blades and on the VIPRION C2200 chassis.
441482-3 3-Major SWG is seen on platforms with less than 8 GB of memory
441297-2 3-Major Trunk remains down and interface's status is 'uninit' after mcpd restart
439399-4 3-Major Discrepancy between Throughput and Detailed Throughput data
433055-5 3-Major BFD GTSM IMI shell commands don't work
427924-8 3-Major ipport hash type is not programmed in new blade
424542-2 3-Major tmsh modify net interface with invalid interface name or attributes will create an interface in cluster or VE environments
423928-1 3-Major syslog messages over 8 KB in length cause logstatd to exit
423482-1 3-Major Removing the gateway failsafe pool in web interface does not set the pool::gateway failsafe device property to none
421797-2 3-Major ePVA continues to accelerate IP Forwarding VS traffic even in Standby
416292-8 3-Major MCPD can core as a result of another component shutting down prematurely
384995-3 3-Major Management IP changes are not synced to the device group.
378967-2 3-Major Users are not synchronized if created in a partition
375434-3 3-Major HSB lockup might occur when TMM tries unsuccessfully to reset HSB.
373949-3 3-Major Network failover without a management address causes active-active after unit1 reboot
369596-1 3-Major show ltm pool doesn't show the most updated info
369352-12 3-Major No verification prompt when executing 'load sys config default' for resource administrator role
351130-2 3-Major iApp templates are visible with only vCMP provisioned.
337934-14 3-Major remoterole: attributes ending in 'role' or 'deny' will be parsed incorrectly
225094-2 3-Major When changing expired password, user is dictionary restricted even with password policy disabled
224903-4 3-Major CounterBasedGauge64 MIB values do not work with Network Management Systems. The MIB should be Gauge32.
660239-4 4-Minor When accessing the dashboard, invalid HTTP headers may be present
652981 4-Minor tmipsecd aborts
647812-1 4-Minor /tmp/wccp.log file grows unbounded
645589 4-Minor Password-less ssh access lost for non-admin users after tmsh load sys ucs
636823-1 4-Minor Node name and node address
634014-3 4-Minor Absolute timers may fire one second early during the leap second event
632668-2 4-Minor When a BIG-IP using BFD sessions is forced offline, the system continues to send "State Up" BFD packets for ~30 seconds
631334 4-Minor TMSH does not preserve \? for config save/load operations
624909-4 4-Minor Static route create validation is less stringent than static route delete validation
623536-5 4-Minor SNMP traps for TCP resets sent due to maintenance mode enabled may not be sent
616021-4 4-Minor Name Validation missing for some GTM objects
611054-4 4-Minor Network failover "enable" setting is sometimes ignored on chassis systems
609107-3 4-Minor mcpd does not properly validate missing 'sys folder' config in bigip_base.conf
608348-1 4-Minor Config sync after deleting iApp f5.citrix_vdi.v2.3.0 could leave an extra tunnel object on synced system
606799-4 4-Minor GUI total number of records not correctly initialized with search string on several pages.
598498-6 4-Minor Cannot remove Self IP when an unrelated static ARP entry exists.
598289-1 4-Minor TMSH prevents adding pool members that have name in format <ipv4>:<number>:<service port>
594647-1 4-Minor No iControl functions to get and set master key.
591733-1 4-Minor Save on Auto-Sync is missing from the configuration utility.
591732 4-Minor Local password policy not enforced when auth source is set to a remote type.
589862-3 4-Minor HA Group percent-up display value is truncated, not rounded
588946 4-Minor BIG-IP v11.5.4 successfully installs on 12250v platform but is not supported.
586348-3 4-Minor Network Map Pool Member Parent Node Name display and Pool Member hyperlink
585097-4 4-Minor Traffic Group score formula does not result in unique values.
584788-3 4-Minor Directed failover of HA pair using only hardwire failover will fail
583777-1 4-Minor [TMSH] sys crypto cert missing tab completion function
583084-3 4-Minor iControl produces 404 error while creating records successfully
582595-1 4-Minor default-node-monitor is reset to none for HA configuration.
581865 4-Minor 6900, 8900, 8950, or 11050 platforms missing swap storage
575848-3 4-Minor Traffic statistics on a SNAT object might not be updated if traffic is ePVA accelerated.
575176-4 4-Minor Syn Cookie cache statistics on ePVA enabled devices is incremented with UDP traffic
573031-2 4-Minor qkview may not collect certain configuration files in their entirety
571424 4-Minor Topology Records: Longest Match Sorting in Unexpected Order
571333-3 4-Minor fastL4 tcp handshake timeout not honored for offloaded flows
563560-2 4-Minor Intermittent iStats reset
559911 4-Minor Nondescriptive error when an application template upload fails on iApp load.
559837-7 4-Minor Misleading error message in catalina.out when listing certificates.
559571 4-Minor Temporary negative bit-count on mgmt interface after LBH reset
557452-3 4-Minor Messages logged when the CAN daemon (cand) receives unsolicited data
542292-3 4-Minor GUI might cause MIB files to be uncompressed when downloading from GUI with Chrome.
541693-1 4-Minor Monitor inheriting time-until-up and up-interval from parent incorrectly via GUI
541320-4 4-Minor Sync of tunnels might cause restore of deleted tunnels.
533790-2 4-Minor Creating multiple address entries in data-group might result in records being incorrectly deleted
532915-2 4-Minor No validation error attempting to modify a record in an external data-group using iControl SOAP.
530927-1 4-Minor Adding interfaces to trunk fails if trunk and interfaces are forced to lower speed
530530-4 4-Minor [mcpd] TMSH "range" filter for 'show sys log' fails to work as expected
528894-4 4-Minor Config sync after sub-partition config changes results in extra lines in the partition's conf file
527720-3 4-Minor Rare 'No LopCmd reply match found' error in getLopReg
526642-5 4-Minor iRule with HTML commands inside can be attached to Virtual server without HTML profile
525847-1 4-Minor SNMP manager doesn't accept community name in double quotes in packet capture.
524606-2 4-Minor SElinux violations prevent cpcfg from touching /service/mcpd/forceload
524185-1 4-Minor Unable to run lvreduce
523992-6 4-Minor tmsh error map not included in /etc/alertd
505003 4-Minor SSLv3 is disabled by default on the management interface of BIG-IP on AWS Marketplace
503960-5 4-Minor The requested unknown (1936) was not found.
499348-3 4-Minor System statistics may fail to update, or report negative deltas due to delayed stats merging
495242 4-Minor mcpd log messages: Failed to unpublish LOIPC object
495227-4 4-Minor tmsh displays wrong cert expiration date on 'show gtm iquery' (later than Jan 18 2038).
483242-3 4-Minor GUI LTM Profile ClientSSL unable to recognize certificates/key with short names.
479262-1 4-Minor 'readPowerSupplyRegister error' in LTM log
477700-2 4-Minor Detail missing from power supply 'Bad' status log messages
476544-1 4-Minor mcpd core during sync
475896-3 4-Minor 'tmsh load /sys config from-terminal' (or from file) with a reference to an external file fails
473213-5 4-Minor Emergency alert treated as critical on the 10000s, 10200v, 10250v, and 10350vN platforms.
473212-2 4-Minor Systems which do not use RAID show confusing RAID status on the LCD
472581-1 4-Minor Cannot use 'default' as the FIPS security officer password.
472310-3 4-Minor BIG-IP may report getLopSensorData warnings at boot time or when changing a PSU
467703-3 4-Minor Management interface sending erroneous IPv6 MLD or IPv4 IGMP packets
466017-1 4-Minor Tab-completion does not work for TCP/HTTP profiles with ltm virtual profiles
464650-2 4-Minor Failure of mcpd with invalid authentication context.
451479-4 4-Minor ConfigSync over IPv6 fails due to wrong rsync formatting
629207 5-Cosmetic TMSH output shows dtca.crt certificate-key-size is 1
603092-2 5-Cosmetic "displayservicenames" does not apply to show ltm pool members
594228 5-Cosmetic Resetting mgmt interface statistics doesn't work on VE or VCMP
589199 5-Cosmetic CoS queue egress drop counts not reported in all drop counter stats.
572655-3 5-Cosmetic Request Logging profile Template textarea wrapping set to soft wrap
479888-1 5-Cosmetic BCM debug logging cannot be turned off once enabled
476405-2 5-Cosmetic BFD IPv6 session display command in IMI shell displays the wrong remote port number.
466116-4 5-Cosmetic Intermittent 'AgentX' warning messages in syslog/ZebOS log files
425339-2 5-Cosmetic GUI shows incorrect number of members of pool in HA group after pool config is sync'ed from peer unit.
417045-2 5-Cosmetic Error: 'err chmand[8873]: Error sending MCP system_information (err:1020003)'
402414-2 5-Cosmetic Configured flow control not applied to Copper SFPs
396273-4 5-Cosmetic Error message in dmesg and kern.log: vpd r/w failed


Local Traffic Manager Issues

ID Number Severity Description
621452-4 1-Blocking Connections can stall with TCP::collect iRule
618905-2 1-Blocking tmm core while installing Safenet 6.2 client
657713-4 2-Critical TMM cored with SIGPFE panic string "Valid node"
648037-4 2-Critical LB::reselect iRule on a virtual with the HTTP profile can cause a tmm crash
646643-4 2-Critical HA Standby Virtual Server with a lasthop pool may crash.
646604-4 2-Critical Client connection may hang when NTLM and OneConnect profiles used together
639744-4 2-Critical Memory leak in STREAM::expression iRule
639039-2 2-Critical Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons
634259-1 2-Critical IP tuple nexthop object can be freed while still referenced by another structure
625198-4 2-Critical TMM might crash when TCP DSACK is enabled
620958 2-Critical TMM crash with assertion failure of pkt type not already ETHERTYPE_ARP
619528-3 2-Critical TMM may accumulate internal events resulting in TMM restart
618463-1 2-Critical artificial low route mtu can cause SIGSEV core from monitor traffic
613088-2 2-Critical pkcs11d thread has session initialization problem.
609199-2 2-Critical Debug TMM produces core when an MPTCP connection times out while a subflow is trying to join
607360-3 2-Critical Safenet 6.2 library missing after upgrade
602326-2 2-Critical Intermittent pkcs11d core when installing Safenet 6.2 software
597978-5 2-Critical GARPs may be transmitted by active going offline
583700-4 2-Critical tmm core on out of memory
581746-4 2-Critical MPTCP traffic handling may cause a BIG-IP outage
541916 2-Critical tmm segfault: hud_process_upper
515915-3 2-Critical Server side timewait close state cause long establishment under port reuse
511782-9 2-Critical The HTTP_DISABLED event does not trigger in some cases
503125-2 2-Critical Excessive MPI net traffic can cause tmm panics on chassis systems
492352-4 2-Critical Mismatch ckcName between GUI and TMSH can cause upgrade failure
489217-2 2-Critical "cipher" memory can leak
481869-1 2-Critical Certain blade failure events may result in a 10+ second delay in failover occurring
469071-2 2-Critical TMM segfault in mpctp_switch_conns
464437-2 2-Critical Quickly repeated external datagroup loads might cause TMM crash.
459994-3 2-Critical tmm may crash if default gateway pool contains members that it cannot route to
457034-3 2-Critical Multipath TCP (MPTCP): TMM crash in stockpile management
450765-1 2-Critical tmm segfault: hud_mptcp_handler HUDCTL_PERFORM_METHOD
423629-5 2-Critical bigd cores when route-domain tagged to a pool with monitor as gateway_ICMP is deleted
341928-2 2-Critical CMP enabled virtual servers which target CMP disabled virtual servers can crash TMM.
662881-4 3-Major L7 mirrored packets from standby to active might cause tmm core when it goes active.
661881-4 3-Major Memory and performance issues when using certain ASN.1 decoding formats in iRules
659919-4 3-Major Verified Accept prevents persist cookie from being inserted into responses
658214-4 3-Major TCP connection fail intermittently for mirrored fastl4 virtual server
657883-4 3-Major tmm cache resolver should not cache response with TTL=0
655767-1 3-Major MCPD does not prevent deleting an iRule that contains in-use procedures
655724-1 3-Major MSRDP persistence does not work across route domains.
655432-3 3-Major SSL renegotiation failed intermittently with AES-GCM cipher
651889-1 3-Major persist record may be inconsistent after a virtual hit rate limit
651541-4 3-Major Changes to the HTTP profile do not trigger validation for virtual servers using that profile
648954-4 3-Major Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls
647071-4 3-Major Stats for SNATs do not work when configured in a non-zero route domain
645635-4 3-Major Sflow may use 0.0.0.0 as Agent Address in 2 core vCMP guests
645058-2 3-Major Modifying SSL profiles in GUI may fail when key is protected by passphrase
643860-2 3-Major Attempt to read or write to the file /dev/vnic can cause TMM to restart and TMM may not start up properly
643041-3 3-Major Less than optimal interaction between OneConnect and proxy MSS
641512-2 3-Major DNSSEC key generations fail with lots of invalid SSL traffic
640369-4 3-Major TMM may incorrectly respond to ICMPv6 echo via auto-lasthop when disabled on the vlan
637613-1 3-Major Cluster blade being disabled immediately returns to enabled/green
634201-1 3-Major POST requests get reset on early server response.
632156 3-Major A standby system can send gratuitous ARPs using both the VLAN and VLAN group MAC addresses
626434-3 3-Major tmm may be killed by sod when a hardware accelerator does not work
625807 3-Major tmm cored in bigproto_cookie_buffer_to_server
624917-2 3-Major First few handshakes fail after chassis/appliance reboot when using HSM
624616-4 3-Major Safenet uninstall is unable to remove libgem.so
622260 3-Major Some TCP connections do not work when hardware syncookies are being issued and certain options are enabled
622017-7 3-Major Performance graph data may become permanently lost after corruption.
621855 3-Major TMM could use a lot of memory when an iRule calls parking command under AUTH events
621736-2 3-Major statsd does not handle SIGCHLD properly in all cases
621314-1 3-Major A mirror enabled sctp virtual may cause extremely high memory usage on tmm on standby
619849-1 3-Major In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled.
618546-1 3-Major ClientSSL profile could incorrectly inherit cert-key-chain objects from parent profile
618104-4 3-Major Connection Using TCP::collect iRule May Not Close
615553-2 3-Major Reverse/transparent setting reverting to disabled on child monitor
613912 3-Major SSID filter may cause excessive buffering and high CPU
613079-1 3-Major Diameter monitor watchdog timeout fires after only 3 seconds
611691-2 3-Major Packet payload ignored when DSS option contains DATA_FIN
611278-1 3-Major Connections to a BIG-IP system's Self-IP address may fail when the VLAN cmp-hash is altered
610302-3 3-Major Link throughput graphs might be incorrect.
609244-7 3-Major tmsh show ltm persistence persist-records leaks memory
607246-1 3-Major Encrypted cookie insert persistence with fallback may not honor cookie after fallback expires
607166-4 3-Major Hidden directories and files are not synchronized to secondary blades
604880-1 3-Major tmm assert "valid pcb" in tcp.c
603550-4 3-Major Virtual servers that use both FastL4 and HTTP profiles at same time will have incorrect syn cache stats.
603236-3 3-Major 1024 and 4096 size key creation issue with SafeNet 6.2 with 6.10.9 firmware
602366-3 3-Major Safenet 6.2 HA performance
602329-2 3-Major syncookie header of HA channel mirror packets is not cleared
602136-2 3-Major iRule drop command causes tmm segfault or still sends 3-way handshake to the server.
601189-1 3-Major The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode
601178-4 3-Major HTTP cookie persistence 'preferred' encryption
600593-5 3-Major Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests
598204-2 3-Major In syncookie mode, TCP profile MSS is not honored when the BIG-IP system sends back the SYN-ACK.
597879-4 3-Major CDG Congestion Control can lead to instability
597532-3 3-Major iRule: RADIUS avp command returns a signed integer
596433-1 3-Major Virtual with lasthop configured rejects request with no route to client.
595921-3 3-Major VLAN groups with no Self IP addresses defined might generate ICMP messages with loopback addresses.
595854 3-Major An incorrect MSS can be sent in client SYN/ACK packet for an accelerated connection
593530-3 3-Major In rare cases, connections may fail to expire
593390-1 3-Major Profile lookup when selected via iRule ('SSL::profile') might cause memory issues.
592497-3 3-Major Idle timeout ineffective for FIN_WAIT_2 when server-side expired and HTTP in fallback state.
591666-1 3-Major TMM crash in DNS processing on TCP virtual with no available pool members
589400-5 3-Major With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.
589006-6 3-Major SSL does not cancel pending sign request before the handshake times out or is canceled.
587705-6 3-Major Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools.
586621-2 3-Major SQL monitors 'count' config value does not work as expected.
584948-4 3-Major Safenet HSM integration failing after it completes.
582234-3 3-Major When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again.
582207-6 3-Major MSS may exceed MTU when using HW syncookies
579252-1 3-Major Traffic can be directed to a less specific virtual during virtual modification
575347-3 3-Major Unexpected backslashes remain in monitor 'username' attribute after upgrade
574263 3-Major keys remain on FIPS card after deletion
572234-4 3-Major When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10.
572180-3 3-Major httpclass containing escaped backslashes are stripped on migration to LTM policy
572142-1 3-Major Config sync peer may fail to monitor newly added pool member after it is added via sync
571482-1 3-Major Unbalanced double-quotes may merge lines upon config save-then-load
570570-2 3-Major Default crypto failure action is now "go-offline-downlinks".
568743-2 3-Major TMM core when dnssec queries to dns-express zone exceed nethsm capacity
567862-2 3-Major intermittent SSL traffic failure with Safenet HSM on BIG-IP chassis and appliance
563933-3 3-Major [DNS] dns64-additional-section-rewrite v4-only does not rewrite v4 RRs
563687-1 3-Major [DNS] dns64 behavior does not comply with RFC about how to treat RCODEs other than 'NO ERROR'
562292-3 3-Major Nesting periodic after with parking command could crash tmm
560685-3 3-Major TMM may crash with 'tmsh show sys conn'.
560231-2 3-Major Pipelined requests may result in a RST if the server disconnects
559554-3 3-Major CHD congestion control can have erroneous very large cwnd.
557513 3-Major Monitor description containing escape characters could get double-escaped
555343-2 3-Major tmm may crash in fastl4 tcp virtual server
554444-5 3-Major LTM Policy resets connection when removing non-existent HTTP header
554295-5 3-Major CMP disabled flows are not properly mirrored
553830-3 3-Major Use of OneConnect may result in stalled flows
553521-2 3-Major TMM crash when executing route lookup in tmsh for multicast destination
548611-2 3-Major Memory protection strategies can conflict
545796-1 3-Major [iRule] [Stats] iRule is not generating any stats for executed iRules.
544958 3-Major Monitors packets are sent even when pool member is 'Forced Offline'.
542009-3 3-Major tmm might loop and get killed by sod when the system tries to process an invalid-message-length MPI message.
537209-1 3-Major Fastl4 profile sends RST packet when idle timeout value set to 'immediate'
536563-4 3-Major Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' or 'No flow found for ACK' on subsequent packets.
535857-1 3-Major When binary database is not present, during mcp load, unexpected creation of VLAN membership in 'cist' STP singleton
534890-3 3-Major When using session tickets, the session id sent might be incorrect
532904-1 3-Major Some HTTP commands fail validation when they are in a proc and the proc is called from another proc
530266-2 3-Major Rate limit configured on a node can be exceeded
528198-1 3-Major reject in iRule event FLOW_INIT may not respond with a RST
522620-2 3-Major BIG-IP continues to monitor APM AAA pool with old monitor after monitor changed
520604-6 3-Major Route domain creation may fail if simultaneously creating and modifying a route domain
517756-1 3-Major Existing connections can choose incorrect route when crossing non-strict route-domains
517456-2 3-Major Resetting virtual server stat increments cur_conns stat in clientssl profile
516280-1 3-Major bigd process uses a large percentage of CPU
512885-1 3-Major https monitor fails to work with MD5 with RSA as signature hash algorithm
511324-4 3-Major HTTP::disable does not work after the first request/response.
510951-2 3-Major Status of connection limited pool is reported incorrectly
510395-2 3-Major Disabling some events while in the event, then running some commands can cause tmm to core.
507554-2 3-Major Uneven egress traffic distribution on trunk with odd number of members
502129-1 3-Major Hash Cookie Persistence interacts poorly with persistence iRules
501984-1 3-Major TMM may experience an outage when an iRule fails in LB_SELECTED.
499615-14 3-Major RAM cache serves zero length documents.
499431-3 3-Major Validation missing to check that all keys/certificates are removed from the clientSSL profile
499404-2 3-Major FastL4 does not honor the MSS override value in the FastL4 profile with syncookies
494977-1 3-Major Rare outages possible when using config sync and node-based load balancing
494333-1 3-Major In specific cases, persist cookie insert fails to insert a session cookie when using an iRule
494084-3 3-Major Certain rapidly-terminating UDP virtuals may core on standby
490121-2 3-Major Incorrect reporting of PVA current and maximum connection with SERVER_CONNECTED event
488921-3 3-Major BIG-IP system sends unnecessary gratuitous ARPs
486735-3 3-Major Maximum connections is not accurate when TMM load is uneven
483653-3 3-Major In some traffic situations, virtuals using SSL can excessively buffer client data instead of closing the TCP window
480982-3 3-Major pkcs11d with a high thread count can result in high CPU utilization
479872-2 3-Major Corresponding protocol profiles must exist on both clientside/serverside
477897-1 3-Major After modifying the protocol profile on an SCTP virtual, the logs may contain error messages
471288-9 3-Major TMM might crash with session-related commands in iRules.
471001-3 3-Major Standby responds to traceroute on mirror enabled forwarding virtual server
468083-1 3-Major An LB_FAILED iRule that references an undefined value can cause Traffic Management Microkernel (TMM) failover.
466875-3 3-Major SNAT automap may select source address that is not attached to egress VLAN/interface
462881-2 3-Major Configuration utility allows for mismatch in IP protocol and transport profile
456378-1 3-Major On a virtual server with the ipother profile assigned, iRule firing on CLIENT_ACCEPTED with discard or reject action may cause TMM to core
452443-3 3-Major DNS cache resolver cannot send egress traffic on a VLAN with src-ip or dst-ip cmp hash configured
446526-6 3-Major TCP virtual server/UDP virtual server without datagram-LB mode enabled running DNS cache and suspending iRules might cause TMM crash.
441079-4 3-Major BIG-IP 2000/4000: Source port on NAT connections is modified when it should be preserved
440431-4 3-Major Response Logging generates a blank $HTTP_STATUS response when used with certain iRule commands.
439540-5 3-Major Connection to a Self IP to network HSM may not be established after the BIG-IP system reboots.
439490-8 3-Major System does not reconnect to SafeNet HSM if connection is interrupted
437703-6 3-Major LTM policies do not accept special characters in HTTP header names
435055-2 3-Major ECDHE-ECDSA ciphers with hybrid certificate (RSA signed EC cert)
434517-9 3-Major HTTP::retry doesn't work in an early server response
433572-2 3-Major DTLS does not work with rfcdtls cipher on the B2250 blade
433323-11 3-Major Ramcache handling of Cache-Control: no-cache directive in Response
431480-3 3-Major Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message
429810-4 3-Major 2000/4000 platforms can end up in indeterminate ARL/FDB state
390514-1 3-Major SNMP_DCA_BASE monitor does not recognize Threshold and Coefficient
385859-2 3-Major iRule TCP::close on VIP with RAM cache can cause TMM restart
352957-3 3-Major Route lookup after change in route table on established flow ignores pool members
343455-2 3-Major HTTP state management (cookie) mechanism may detect wrong version
246726-3 3-Major System continues to process virtual server traffic after disabling virtual address
225634-6 3-Major The rate class feature does not honor the Burst Size setting.
653746-4 4-Minor Unable to display detailed CPU graphs if the number of CPU is too large
652577-4 4-Minor Changes to MAC Masquerading may cause the Standby unit not reach the floating Self-IP address
651005-1 4-Minor FTP data connection may use incorrect auto-lasthop settings.
629033-1 4-Minor BIG-IP should send SHA1 in supported signature hash algorithm last (clientside / Server Hello).
626577 4-Minor HTTP monitor log file is recreated after being deleted
625892-4 4-Minor Nagle Algorithm Not Fully Enforced with TSO
622148-1 4-Minor Flow-generated ICMP error messages need to consider which side of the proxy they are on
621843-2 4-Minor the ipother proxy is sending icmp error messages to the wrong side
618024-4 4-Minor software switched platforms accept traffic on lacp trunks even when the trunk is down
611161-2 4-Minor VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.
604272-3 4-Minor SMTPS profile connections_current stat does not reflect actual connection count.
603380-3 4-Minor Very large number of log messages in /var/log/ltm with ICMP unreachable packets.
593396-4 4-Minor Stateless virtual servers may not work correctly with route pools or ECMP routes
592620-4 4-Minor iRule validation does not catch incorrect 'after' syntax
589039-3 4-Minor Clearing masquerade MAC results in unexpected link-local self IPs.
586138-2 4-Minor Inconsistent display of route-domain information in administrative partitions.
584772-2 4-Minor ssldump may crash when decrypting bad records
574020-1 4-Minor Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}')
572015-4 4-Minor HTTP Class profile is upgraded to a case-insensitive policy
564899 4-Minor During shutdown, csyncd may dump core
564634-2 4-Minor Using the tmsh "edit" command to remove a monitor from a pool does not stop bigd from monitoring the pool
558893-1 4-Minor TMM may fail to forward FTP data connections when multiple PORT/EPRT commands are used in succession referring to the same IP/PORT
554774-3 4-Minor Persist lookup across services might fail to return a matching record when multiple records exist.
553614-2 4-Minor Modification to parent clientssl CKC is not consistently reflected in the child clientssl profile
549569-1 4-Minor tmm may crash when a memory allocation fails.
545856 4-Minor Java VM crash while monitoring DB
544033-1 4-Minor Fragmented ICMP Echo to Virtual Address may not receive response
539026-2 4-Minor Stats refinements for reporting Unhandled Query Actions :: Drops
535122-7 4-Minor tmsh create sys ssl-cert command does not add .crt extension.
530877-6 4-Minor TCP profile option Verified Accept might cause iRule processing to run twice in very specific circumstances.
527907-3 4-Minor TCP reject Virtual Servers may not respond with TCP reset
525133-2 4-Minor Restarting TMM or failover offline causes bigd 'emerg logger' error message
517393-5 4-Minor Spurious RTO Detection Triggers Early Exit from Fast Recovery.
517202-3 4-Minor Microsoft Internet Explorer may fail SSL handshake
511985-2 4-Minor Large numbers of ERR_UNKNOWN appearing in the logs
503795-3 4-Minor [LTM] [DNS] [LOG] debug log information is logged even when "dnscacheresolver.loglevel" set to higher than debug
500402-1 4-Minor 'Data publisher not found or not implemented' mcpd error message when iRule is loaded from tmsh.
499750-2 4-Minor ClientHello includes the _SHA256 cipher in the TLS1.0
490139-3 4-Minor Loading iRules from file deletes last few comment lines
489572-1 4-Minor Sync fails if keys are created and deleted in same transaction.
477992-1 4-Minor Instance-specific monitor logging fails for pool members created in iApps
450671-1 4-Minor BIG-IP UDP virtual server may not send ICMP Destination Unreachable message Code 3 (port unreachable).
402115-3 4-Minor System does not report tmm memory with consideration of threading
368610-1 4-Minor TCP sends RST when regular close might succeed
360485-2 4-Minor Statistics for a lasthop pool member node may be inaccurate
222409-3 4-Minor The HTTP::path iRule command may return more information than expected
222034-5 4-Minor HTTP::respond in LB_FAILED with large header/body might result in truncated response
524277-3 5-Cosmetic Missing power supplies issue warning message that should be just a notice message.


Performance Issues

ID Number Severity Description
473485-7 2-Critical Fixed a few issues in HTTP Auth module


Global Traffic Manager Issues

ID Number Severity Description
587617-4 2-Critical While adding GTM server, failure to configure new IP on existing server leads to gtmd core
663310-1 3-Major named reports "file format mismatch" when upgrading to versions with BIND 9.9.X for text slave zone files
613045-2 3-Major Interaction between GTM and 10.x LTM results in some virtual servers marked down
601180-3 3-Major Link Controller base license does not allow DNS namespace iRule commands.
595293-2 3-Major Deleting GTM links could cause gtm_add to fail on new devices.
588289-5 3-Major GTM re-orders pools when adding a pool that includes an order designation
574052-5 3-Major GTM autoconf can cause high CPU usage for gtmd
511865-2 3-Major [GTM] GTM external monitor is not correctly synced in GTM sync group without device group
370131-1 3-Major Loading UCS with low GTM Autoconf Delay drops pool Members from config
591705-2 4-Minor Domain-name-strict has been deprecated, but is still present in GUI, GUI OLH, and TMSH CLI help.
514431-2 4-Minor [TMSH][GTM] Add validation for special characters like Ctrl+k for gtm object names
506423-1 4-Minor [GTM] [ZoneRunner] Silent failure when adding a resource record is not successful
474215-2 4-Minor Period characters in GTM virtual server naming
423930-2 4-Minor GTM might mark down LTM virtual servers in NON-ZERO route domain named with special characters


Application Security Manager Issues

ID Number Severity Description
618771-3 2-Critical Some Social Security Numbers are not being masked
582003-3 2-Critical BD crash on startup or on XML configuration change
568347-3 2-Critical BD Memory corruption
518959 2-Critical BIG-IQ Discovery of an 11.5.2 EHF1-19 BIG-IP fails
476616-1 2-Critical Set active fails after accept learning suggestion for illegal metachar Policy with encoding iso-8859-1
625832-3 3-Major A false positive modified domain cookie violation
617841 3-Major Using iControl REST to create ucs archive results in a "500 internal server error" response when unit has ASM provisioned
605616-4 3-Major Creating 256 Fundamental Security policies will result in an out of memory error
604923-2 3-Major REST id for Signatures change after update
604893-1 3-Major ComplexType child elements in XML schema cannot have different values set in "fixed" attribute
590851-1 3-Major "never log" IPs are still reported to AVR
561595-1 3-Major Guest user cannot see Event Correlation details
559048 3-Major "Request violation" details are blank in /var/log/asm
537213-3 3-Major Second push is required after deactivating Active Security Policy and Sync flag indicates "In Sync" status
535904-3 3-Major BD crashes when attempting to access a closed connection
530102-3 3-Major Illegal meta characters on XML tags -
529535-3 3-Major MCP validation error while deactivating a policy that is assigned to a virtual server
523522-2 3-Major In a device group, installing a UCS (on any one of the peers in group) does not propagate the ASU file (that is bundled with UCS) to other peers
520732-2 3-Major XML policy import adds default entities if the relevant element list (in policy xml doc) is specified and empty
520038-2 3-Major Added/updated signatures are added to certain corrupted Manual user-defined sets.
515190-1 3-Major Event Logs -> Brute Force Attacks can't show details after navigating to another page
513887-6 3-Major The audit logs report that there is an unsuccessful attempt to install a mysql user on the system
513787-2 3-Major CSRF doesn't apply web application callback registered as XMLHttpRequest.onload in IE8-10
512000-2 3-Major Event Log Filter using Policy Group isn't accurate
504917-2 3-Major In ASM Manual Sync Only group, policies do not stay deleted or inactive on secondary after sync is pushed
498433-2 3-Major Upgrading with ASM iRule and virtual server with no websecurity profile
465927-1 3-Major Response is halted or reset when the request has an ignore profile
455389-6 3-Major Multiple content type headers detection
451705-1 3-Major Illegal metachar override can be added to policy which prevents Apply Policy
450241-4 3-Major iControl error when discover ASM from EM
441075-6 3-Major Newly added or updated signatures are erroneously added to Manual user-defined signature sets.
438045-4 3-Major Web Services signature verification failed.
618693-1 4-Minor Web Scraping session_opening_anomaly reports the wrong route domain for the source IP
617658 4-Minor Attack Signature Update with only 1 active policy logs "Please apply policy" error message
563587 4-Minor Javascript error in Safari browser when working with framed Cross-Domains website
519011-1 4-Minor Auditor role: Exporting the Request Log


Application Visibility and Reporting Issues

ID Number Severity Description
615696 2-Critical TMM crash during AVR data cleaning timer
575170-6 2-Critical Analytics reports may not identify virtual servers correctly
470559-2 2-Critical TMM crash after traffic stress with rapid changes to Traffic capturing profiles
636104-5 3-Major If pool member is defined with port 0, member may not be visible on the HTTP dimension pane.
635561-4 3-Major Heavy URLs statistics are not shown after upgrade.
601536-5 3-Major Analytics load error stops load of configuration
574160-1 3-Major Publishing DNS statistics if only Global Traffic and AVR are provisioned
527058 3-Major TMM Crash, at AVR lookup mechanism
508341-3 3-Major Scheduled-reports are not syncing the 'first-time' value on a sync group


Access Policy Manager Issues

ID Number Severity Description
653464 2-Critical Horizon VCS 7.1 is not supported with BIG-IP APM 11.5.x
637308-6 2-Critical apmd may crash when HTTP Auth agent is used in an Access Policy
632798-3 2-Critical Double-free may occur if Access initialization fails
614364 2-Critical Linux client NA components cannot be installed using either the sudo password or the root password
580225-4 2-Critical WEBSSO::select may crash tmm.
546231 2-Critical Aced crashed occasionally while shutting down
474532-7 2-Critical TMM may restart when SLO response is received on SLO request URL (.../post/sls)
450136-6 2-Critical Occasionally customers see chunk boundaries as part of HTTP response
446187-6 2-Critical Manual start of a BIG-IP APM service may trigger 100 percent CPU utilization.
442532-3 2-Critical Log shows "socket error: resource temporarily unavailable"
658852-2 3-Major Empty User-Agent in iSessions requests from APM client on Windows
647903 3-Major Android receiver 3.11 new store addition with auto discovery does not work
636643 3-Major OAM Access gate init problem
633364 3-Major Sometimes APM sends 302 back to client for Publicly hosted content in vCMP environment.
627385 3-Major Could not add new account in Citrix receiver for mac v12.3.0
620829-3 3-Major Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
619879-4 3-Major HTTP iRule commands could lead to WEBSSO plugin being invoked
619811-5 3-Major Machine Cert OCSP check fails with multiple Issuer CA
617316 3-Major Desktop title is garbled for Citrix Storefront integration mode with non-sta configuration
616838-1 3-Major Citrix Remote desktop resource custom parameter name does not accept hyphen character
615970-3 3-Major SSO logging level may cause failover
615522-1 3-Major VDI crashes while responding to clients with multiple VDI threads running
611669-3 3-Major Mac Edge Client customization is not applied on macOS 10.12 Sierra
611485-6 3-Major APM AAA RADIUS server address cannot be a multicast IPv6 address.
603293-2 3-Major Incorrect handling of L4 Dynamic ACL when it is processed together with L7 ACLs
597214-4 3-Major Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
589118-2 3-Major Horizon View client throws an exception when connecting to Horizon 7 VCS through APM.
583477 3-Major In Multidomain SSO, primary auth virtual may fail as a resource
572887-5 3-Major DNS doesn't work properly on Ubuntu 15.10 when using f5fpc CLI client
563135-2 3-Major SWG Explicit Proxy uses incorrect port after a 407 Authentication Attempt
559402-2 3-Major Client initiated form based SSO fails when username and password not replaced correctly while posting the form
552571 3-Major DWA 8.5 with Safari on MAC OS X 10.11: check names does not work
551454-2 3-Major Edge client sends repeated HTTP probe to captive portal probe URL for mis-configured server
547692-1 3-Major Firewall-blocked KPASSWD service does not cause domain join operation to fail
543344-2 3-Major ACCESS iRule commands do not work reliably in HTTP_PROXY_REQUEST event
541622-3 3-Major APD/APMD Crashes While Verifying CAPTCHA
539018-2 3-Major TMM stack trace, when TMM is killed by the monitoring process while stuck in a loop, is always logged in the parent TMM thread's log file.
535714 3-Major Policy creation error after resolving LSO in policy sync for a big policy
534373-1 3-Major Some Text on French Localized Edge client on windows has grammatical error
528424-2 3-Major IE11 on Windows 10 doesn't show tooltips/toast notifications when Network Access changes state
527119-2 3-Major Iframe document body could be null after iframe creation in rewritten document.
522124-1 3-Major Secondary MCPD restarts when SAML IdP or SP Connector is created
521822-1 3-Major referer header in request is not completely deflated at gateway, f5-w-dobledot paths are not reduced
511385 3-Major <SecurID Soft Token Messages> are not translated
509677-2 3-Major Edge-client crashes after switching to network with Captive Portal auth
507899-2 3-Major Custom APM report - Assigned IP field shows 'IPv4' instead of assigned IP value
502016-3 3-Major MAC client components do not log version numbers in log file.
495128-3 3-Major Safari 8 continues using proxy for network access resource in some cases when it shouldn't
494435 3-Major Failed to sync connectivity or rewrite profile created from non-default profile
475363-5 3-Major NTLM handling might not work as expected with an empty or invalid configuration, or during an exception.
473488-7 3-Major In AD Query agent, resolving of nested groups may cause apd to spin
471825-6 3-Major Add 'Date:' header in email message generated by APM Email agent to comply with RFC 5322.
468478-6 3-Major APM Portal Access becomes unresponsive.
462258-3 3-Major AD/LDAP server connection failures might cause apd to stop processing requests when service is restored
458450-3 3-Major The ECA process may produce a core file when processing HTTP headers
451083-1 3-Major Citrix Wyse clients when working with StoreFront in integration mode
441913-5 3-Major Empty Webtop when large number of resources assigned to access policy.
440505-5 3-Major Default port should be removed from Location header value in http redirect
439461-5 3-Major Citrix Receiver for Linux is unable to receive full applications list.
439330-7 3-Major Javascript: getAttribute() returns mangled event handlers
438548-3 3-Major Please avoid name "none" for branch rules
435419-3 3-Major Install of partial epsec file causes mcpd to crash, followed by multiple cores.
433972-12 3-Major New Event dialog widget is shifted to the left and Description field does not have action widget
433752-8 3-Major Web applications might rewrite their event handlers
433243-6 3-Major SAML SSO might fail due to clock skew
432102-7 3-Major HTML reserved characters not supported as part of SAML RelayState
431810-6 3-Major APMD process core due to missing exception handling in execute agents
422525-1 3-Major Portal Access resources with proxy require hostnames to be resolvable to BIG-IP
420645-5 3-Major Firewall software check cannot detect state of ipfw on MAC OS X
417711-1 3-Major APM does not restore NLAD connections when the configuration is restored from an UCS file
398657-16 3-Major Active Session Count graph underflow
372139-2 3-Major Manage Sessions are not showing correct current sessions on VIPRION chassis.
369407-2 3-Major Access policy objects are created inconsistently depending on whether created using wizard or manually.
613095 4-Minor Text Description in Edge client UI may be clipped in some languages
563651-1 4-Minor Web application does not work/works intermittently via Portal Access after upgrading BIG-IP to any new version.
552797 4-Minor Login/logout using Safari presents 'server drop connection' message.
550133 4-Minor OPSWAT fails for Mac OS and Sophos AV version 9.4
542636 4-Minor APM logon page copyright should show the current year
536724 4-Minor Policy Sync Status stuck at initiated syncing to subgroup after doing to parent group
516200-5 4-Minor HTML5 Receivers for Storefront 2.5 and 2.1 are not working on Google Chrome 40+
469974-4 4-Minor APM New Session performance graph displays incorrect timed out/error value
586080 5-Cosmetic APM attempts to launch VMware View Linux Desktop from the webtop using HTML5 client which is not supported
439680-4 5-Cosmetic BIG-IP as SP fails to report unsupported key transport algorithms when processing encrypted assertions


WebAccelerator Issues

ID Number Severity Description
464874-1 2-Critical Client may legitimately send a range request for the cached JS/CSS content which is no longer valid.
630661-1 3-Major WAM may leak memory when a WAM policy node has multiple variation header rules
621284-2 3-Major Incorrect TMSH help text for the 'max-response' RAMCACHE attribute
533900-2 3-Major Extra Proxy on Image Size Change
467589-1 4-Minor Default cron script /usr/share/mysql/purge_mysql_logs.pl throws error.


Wan Optimization Manager Issues

ID Number Severity Description
440562-3 2-Critical TMM core dumps due to an iSession "valid event" assertion failure
568795-4 3-Major Dedup Cache Refresh may fail to re-initialize WOM endpoint


Service Provider Issues

ID Number Severity Description
590091-3 3-Major Single-line Via headers separated by a single comma result in the first character of the second header being stripped.
600431-3 4-Minor DIAMETER::avp data get "id" ip4|ip6 errors on valid AVP


Advanced Firewall Manager Issues

ID Number Severity Description
456376-2 1-Blocking BIG-IP does not support IPv4-mapped-IPv6 notation in the configuration with prefix length greater than 32
572546 2-Critical Assigning address list with 1000+ entries to 1000+ rules policy results in MCP errors
551635-1 2-Critical pccd crash when loading firewall config with mixed IPv4 and IPv6 addresses in the same rule
515562-2 2-Critical Sweep and flood may crash if it is enabled when AFM is not licensed or provisioned.
503951-1 2-Critical AFM policies not synced
484013-3 2-Critical tmm might crash under load when logging profile is used with packet classification
480903-3 2-Critical AFM DoS ICMP sweep mitigation performance impact
612086-1 3-Major Virtual server CPU stats can be above 100%
591828-1 3-Major For unmatched connection TCP RST may not be sent for data packet
551849-2 3-Major If 1 tmm gets more than 1 Mpps then the 1m stats in dos_stats can be wrong
550926-6 3-Major AFM rule with "unknown" source Geo-entity stops functioning when another entity (geolocation or otherwise) is added to the same list of addresses in the rule
526774-3 3-Major Search in FW policy disconnects GUI users
510728-4 3-Major Create and Delete buttons should be disabled for Security :: Protocol Security : Security Profiles : DNS when accessed as Firewall Manager.
507493-1 3-Major Cannot reset counter for rules of Management Port and Global
497424-1 3-Major Policy name field appears on Rule creation page even if Policy is selected
475556-7 3-Major Custom X-forwarded-for headers should take priority over xff headers
429885-4 3-Major Traffic that does not match any virtual or Self IP is dropped silently (without any logs or statistics)
404876-1 3-Major Rule modifications reset active counters.
550204-1 4-Minor Any AFM Management Port rules disappear from iptables upon 'bigstart restart iptables'
498490-2 4-Minor Incorrect overlapping status shown when a rule in a rule list has the same name as a rule not in that list
498150-1 4-Minor "General database error retrieving information" appears on Self Ip Security page after removing a rule and refreshing the page
497004-2 4-Minor Policy field is not marked as containing errors when we try to create Rule without Policy
491165-3 4-Minor Legal IP addresses sometimes logged in Attack Started/Stopped message.
454961-2 4-Minor Removal of AFM inline rules
426274-1 4-Minor Firewall ACL Schedules may not work when configured with a daily schedule that starts before the specified start date and time


Policy Enforcement Manager Issues

ID Number Severity Description
618657-5 3-Major Bogus ICMP unreachable messages in PEM with ipother profile in use


Carrier-Grade NAT Issues

ID Number Severity Description
521329-3 2-Critical CGNAT - Rare TMM core with Deterministic NAT
504021-3 3-Major lsn-pool member routes not properly propagated to routing table when lsn-pool routing-advertisement is enabled
455020-3 3-Major RTSP profile idle timeout is not applied if it is longer than the TCP profile timeout


Global Traffic Manager (DNS) Issues

ID Number Severity Description
645615-4 2-Critical zxfrd may fail and restart after multiple failovers between blades in a chassis.
655807-4 3-Major With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score
654599-3 3-Major The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed
653775-1 3-Major Ampersand (&) in GTM synchronization group name causes synchronization failure.
637227-2 3-Major DNS Validating Resolver produces inconsistent results with DNS64 configurations.
636790-1 3-Major Manager role has Create, Update, and Release access to Datacenter/links/servers/prober-pool/Topology objects but throws general error when complete.
632423-1 3-Major DNS::query can cause tmm crash if AXFR/IXFR types specified.
628180-3 3-Major DNS Express may fail after upgrade
625671-1 3-Major The diagnostic tool dnsxdump may crash with non-standard DNS RR types.
620215-2 3-Major TMM out of memory causes core in DNS cache
619398-3 3-Major TMM out of memory causes core in DNS cache
619158-3 3-Major iRule DNS request with trailing dot times out with empty response
550653 3-Major Errant DNS Express database log message.
517609-1 3-Major GTM Monitor Needs Special Escape Character Treatment
499719-3 3-Major Order Zones statistics would cause database error
463216-1 3-Major 'tmsh load sys config gtm-only' resets link assignments
456047 3-Major Explicit links lost after adding server IP addresses using GUI
366695-6 3-Major Remove managers' create/modify/delete ability from TMSH on GTM datacenters, links, servers, prober-pools, and topology; these operations error incorrectly and return a database error when performed
659969-3 4-Minor tmsh command for gtm-application disabled contexts does not work with none and replace-all-with
657961 4-Minor The edit button on the GSLB Wide IP create page does not place the pool name back into the select dropdown
644220-1 4-Minor Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page
620346-1 4-Minor When auto-refresh is enabled on the statistics screen for wideip / pools, it refreshes to the wrong screen.


Traffic Classification Engine Issues

ID Number Severity Description
447570-1 2-Critical tmm sigsegv


Device Management Issues

ID Number Severity Description
479773-2 1-Blocking SR C1800930 - GUI crashes - and SQL errors
581840-2 3-Major Cannot manage BIG-IP version 11.6.1 or 11.6.1 HF1 through BIG-IQ.
554659-1 3-Major Configurable maximum message size limit for restjavad


iApp Technology Issues

ID Number Severity Description
634146 3-Major scriptd crash during iApp reconfiguration


Known Issue details for BIG-IP v11.5.x

663310-1 : named reports "file format mismatch" when upgrading to versions with Bind 9.9.X versions for text slave zone files

Component: Global Traffic Manager

Symptoms:
named reports "file format mismatch", zone files are renamed randomly to db-XXXX files, and zone cannot be loaded.

Conditions:
-- Upgrade from BIG-IP containing pre-9.9.X versions of Bind, to BIG-IP versions with Bind versions later than 9.9.x.
-- Slave zone files are in text format.
-- No options set for masterfile-format text.

Impact:
Zones cannot be loaded.

Workaround:
Before upgrading, add the following line to the named.conf options:
masterfile-format text;


662881-4 : L7 mirrored packets from standby to active might cause tmm core when it goes active.

Component: Local Traffic Manager

Symptoms:
L7 mirrored packets from standby to active might cause tmm core when it goes active.

Conditions:
-- Spurious ACK sent to the standby unit that is mirrored over to the active unit for processing.
-- Matching connection on the active has not been fully initialized.

Impact:
tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.


661881-4 : Memory and performance issues when using certain ASN.1 decoding formats in iRules

Component: Local Traffic Manager

Symptoms:
Memory and performance issues when using calls to ASN1::decode with "a" or "B" characters in the format string. This occurs because these calls do not correctly free memory allocated by those functions.

Conditions:
iRules that contain calls to ASN1::decode with "a" or "B" characters in the format string.

Impact:
Memory leak, degraded performance, potential eventual out-of-memory crash.

Workaround:
None.

Note: Because of the memory leak associated with this issue, using calls to ASN1::decode with "a" or "B" characters in the format string should be avoided.


660239-4 : When accessing the dashboard, invalid HTTP headers may be present

Component: TMOS

Symptoms:
When accessing parts of the BIG-IP dashboard via the GUI, there might be invalid HTTP headers in the responses.

Conditions:
Access the dashboard via Statistics :: Dashboard.

Impact:
The invalid HTTP headers might cause issues with the dashboard if there are intervening proxies between the browser and the BIG-IP.

Workaround:
None.


659969-3 : tmsh command for gtm-application disabled contexts does not work with none and replace-all-with

Component: Global Traffic Manager (DNS)

Symptoms:
The command for distributed-app's disabled-contexts does not work with the options 'none' and 'replace-all-with'.

Conditions:
Issuing gtm-application disabled contexts commands including the options 'none' and 'replace-all-with'.

Impact:
Command does not complete successfully. This is an internal validation issue.

Workaround:
None.


659919-4 : Verified Accept prevents persist cookie from being inserted into responses

Component: Local Traffic Manager

Symptoms:
A virtual server that has the 'Verified Accept' TCP option enabled will fail to include persistence cookies in the first response on an HTTP connection.

Conditions:
Using cookie persistence when 'Verified Accept' is enabled in the TCP profile.

Impact:
BIG-IP behavior is inconsistent in its use of persistence cookies, and it may incorrectly load-balance subsequent requests from a client when the expectation is that those requests should carry a persist cookie, but the BIG-IP never sent one.

Workaround:
Apply an iRule such as this to a virtual server with Verified Accept configured:
    when HTTP_REQUEST {
        # Bypass verified-accept handling on first request and force a LB decision / persist lookup
        if { [HTTP::request_num] == 1 } { LB::detach }
    }


658852-2 : Empty User-Agent in iSessions requests from APM client on Windows

Component: Access Policy Manager

Symptoms:
'User-Agent' might be empty in some '/isession' requests from the APM client on Microsoft Windows. An empty User-Agent header is not RFC compliant and causes some firewalls to block the connection. This might result in failure to establish a VPN tunnel.

Conditions:
'/isession' requests from APM client on Windows.

Impact:
Failure to establish a VPN tunnel.

Workaround:
None.


658214-4 : TCP connections fail intermittently for mirrored FastL4 virtual server

Component: Local Traffic Manager

Symptoms:
In some cases, a mirrored FastL4 virtual server may fail to forward the SYN on the server-side after receiving the context-ack from the peer. Note: This is a connection-failure through the active system, not simply a failure to mirror to the peer.

Symptoms include:
-- TCP connection failures.
-- Possibly other packets lost.

Conditions:
-- FastL4 virtual server.
-- Mirroring is enabled.
-- Certain traffic interleaving might be necessary for this intermittent problem to occur.

Impact:
FastL4 mirroring does not always forward SYN to server after receiving context ACK. Connections fail.

Workaround:
Set the tm.fastl4_ack_mirror DB variable using the following command: tmsh modify sys db tm.fastl4_ack_mirror value disable.


657961 : The edit button on the GSLB Wide IP create page does not place the pool name back into the select dropdown

Component: Global Traffic Manager (DNS)

Symptoms:
The edit button in the Pools section of a Wide IP create page does not place the pool name entry back into the select dropdown.

Conditions:
There must be a pool in the selected list, and that pool must be highlighted when the edit button is clicked.

Impact:
The edit button does not work as intended.

Workaround:
Use the delete button and find the pool in the select dropdown to edit its ratio.


657883-4 : tmm cache resolver should not cache response with TTL=0

Component: Local Traffic Manager

Symptoms:
tmm cache resolver caches responses with TTL=0, and it shouldn't.

Conditions:
TTL is set to 0 on the BIG-IP DNS system, so TMM will see TTL=0 from the DNS answer.

Impact:
tmm cache resolver caches responses with TTL=0.

Workaround:
None.


657834-4 : Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent

Component: TMOS

Symptoms:
When using OSPF under high load with network recalculation, a race condition can lead to additional OSPF retransmissions being sent out. This also causes SNMP traps to be sent if they are configured on the system.

Conditions:
- OSPF routing protocol configured.
- System configured to send SNMP traps.
- OSPF instability/network flaps.
- The larger the number of routes flapping, the more likely the condition is to occur.

Impact:
There is no impact on the OSPF processing itself. The additional traffic will not cause failing adjacencies or loss of routing information.
However, this may cause many additional OSPF-related traps to be sent, which may place additional load on the external network monitoring system.

Workaround:
While this does not have a direct workaround, you may want to investigate the cause of the network/OSPF instability that causes the additional retransmissions.


657713-4 : TMM cored with SIGPFE panic string "Valid node"

Component: Local Traffic Manager

Symptoms:
In a gateway pool where the action is set to reject or drop when service is down, the sweeper expires and closes all connflows. When the proxy's own timer then triggers a close, tmm cores.

Conditions:
In a gateway pool, when action is set to reject or drop when service is down.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Set service-down-action to none or reselect.


655807-4 : With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score

Component: Global Traffic Manager (DNS)

Symptoms:
When choosing QoS Load balance, packet rate is dominating the score.

Conditions:
QoS load balance.

Impact:
Load balance decision is mostly impacted by packet rate.

Workaround:
None.


655767-1 : MCPD does not prevent deleting an iRule that contains in-use procedures

Component: Local Traffic Manager

Symptoms:
If an iRule that is attached to a virtual server makes a procedure call in a different iRule, it is possible to delete the different iRule with no error.

MCPD contains validation that should prevent a user from deleting an iRule that is currently in use by a virtual server, e.g.:

    01070265:3: The rule (/Common/rule_uses_procs) cannot be deleted because it is in use by a virtual server (/Common/vs_http).

However, if an iRule attached to a virtual server makes a procedure call in a different iRule, it is possible to delete the different iRule with no error. This results in a configuration that will subsequently fail to load (during a config load, MCPD validation will catch this), or will fail if a full configuration sync is performed.

Conditions:
Must be using iRules that call into other iRules.

Impact:
System gets into a state where traffic may fail unexpectedly, and subsequent reboots, configuration loads, upgrades, or configuration sync operations will fail.

Workaround:
None. Use caution when deleting iRules, especially iRules that call into other iRules.


655724-1 : MSRDP persistence does not work across route domains.

Component: Local Traffic Manager

Symptoms:
MSRDP persistence doesn't work with non-default route domains.

Conditions:
Configure a virtual server with a MSRDP persistence profile and a pool using a non-default route domain.

Impact:
MSRDP persistence does not work.

Workaround:
Implement MSRDP persistence using iRules.


655432-3 : SSL renegotiation failed intermittently with AES-GCM cipher

Component: Local Traffic Manager

Symptoms:
SSL failed to renegotiate intermittently with AES-GCM cipher because IV is not properly updated when a change cipher spec message is received.

Conditions:
This failure is more likely to occur during mutual authentication.

Impact:
Some servers authenticate client using renegotiation. This issue prevents their clients from properly connecting to the servers.

Workaround:
Disable AES-GCM cipher.


654599-3 : The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed

Component: Global Traffic Manager (DNS)

Symptoms:
Tomcat can potentially drop requests made by the client via the Web GUI on the GSLB Pool Members Manage page.

Conditions:
The config contains a large number (in the thousands) of GSLB virtual servers or wide IPs, resulting in the action not being completed.

Impact:
The "Finished" button on that page does not save the changes made on that page.

Workaround:
Use TMSH.


653775-1 : Ampersand (&) in GTM synchronization group name causes synchronization failure.

Component: Global Traffic Manager (DNS)

Symptoms:
A GTM synchronization-group-name containing an ampersand (&) might cause an XML parsing failure and GTM sync groups would fail to sync.

Conditions:
A GTM synchronization group name with an ampersand (&) in the name.

Impact:
GTM sync groups do not synchronize.

Workaround:
Remove ampersand from sync group name.


653746-4 : Unable to display detailed CPU graphs if the number of CPU is too large

Component: Local Traffic Manager

Symptoms:
The detailed CPU graph cannot be displayed. Go to Statistics :: Performance and click 'View Detail Graph' under System CPU usage. The graph does not display, and the system posts the message: Error trying to access the database.

Conditions:
VIPRION with 288 CPU cores or more totaled across all blades.

Impact:
Administrator is unable to view the detailed CPU graphs.

Workaround:
None.


653464 : Horizon VCS 7.1 is not supported with BIG-IP APM 11.5.x

Component: Access Policy Manager

Symptoms:
When assigned to APM webtop, a VMware View resource representing VCS 7.1 cannot be expanded into a list of desktops.

Conditions:
BIG-IP APM 11.5.x used as a PCoIP proxy.
Horizon View Connection Server v7.1

Impact:
End user cannot see nor launch desktops managed by the Horizon VCS 7.1 backend.


653376-4 : bgpd may crash on receiving a BGP update with >= 32 extended communities

Component: TMOS

Symptoms:
bgpd may crash when receiving a BGP update with >= 32 extended communities

Conditions:
A configured BGP peer sends a route update including an attribute containing 32 or more extended communities.

Impact:
bgpd may crash, causing the BGP peering to reset.

Workaround:
Ensure that peers do not send 32 or more extended communities to the BIG-IP in BGP routing updates.


652981 : tmipsecd aborts

Component: TMOS

Symptoms:
tmipsecd aborts.

Conditions:
Conditions are unknown; this occurred once.

Impact:
IPsec-related operations halted while tmipsecd restarts.

Workaround:
None.


652671-2 : Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit.

Component: TMOS

Symptoms:
Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit. When provision.extramb is synced to the peer unit, mprov is called, which restarts tmm.

Conditions:
-- Configure two devices in a sync group.
-- tmsh modify sys db provision.extramb value 150.
-- Sync to peer unit.

Impact:
TMM restarts on the peer unit. Traffic halted while tmm restarts.

Workaround:
None.


652577-4 : Changes to MAC Masquerading may cause the Standby unit to be unable to reach the floating Self-IP address

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, changes to the MAC Masquerading setting of a traffic group may cause the Standby unit to be unable to reach the floating Self-IP.

Conditions:
- HA pair
- Traffic-group with a MAC set in the MAC Masquerading setting.
- Floating Self-IP using the above traffic-group.
- Make a change to the MAC Masquerading MAC address on the Active unit.
- Run a config-sync from Active to Standby.

Impact:
Standby unit is unable to reach the floating Self-IP address.
No external or internet facing traffic will be affected.

Workaround:
Reboot or restart TMM.


651889-1 : Persist record may be inconsistent after a virtual hits its rate limit

Component: Local Traffic Manager

Symptoms:
Persist record may be inconsistent after a virtual hits its rate limit.

Conditions:
A virtual with a rate limit set.
Persistence is enabled.

Impact:
Persistence behavior will be impacted.

Workaround:
Disable the rate limit on the virtual.


651541-4 : Changes to the HTTP profile do not trigger validation for virtual servers using that profile

Component: Local Traffic Manager

Symptoms:
Changing the HTTP profile does not trigger validation for virtual servers, so no inter-profile dependencies are checked.

Conditions:
Using an HTTP profile with a virtual server that uses other profiles that have settings that are mutually exclusive with those of the HTTP profile.

Impact:
The system will be in an invalid state. One immediate way this can be seen is when syncing to a peer. The sync operation does not complete as expected.

Workaround:
Use the error messages in the logs to determine how to change the configuration to return the system to a valid state.


651432 : When mcpd on a secondary blade crashes, after it comes back up, the virtual_disk entries are missing for that blade

Component: TMOS

Symptoms:
vCMP virtual disk images may appear to be missing according to the BIG-IP system (hypervisor), even though the disk images still exist.

Conditions:
MCPD on a secondary blade restarts, but vcmpd does not restart.

Impact:
This can cause confusion when looking at the hypervisor.

Workaround:
Restart vcmpd.


651136-4 : ReqLog profile on FTP virtual server with default profile can result in service disruption.

Component: TMOS

Symptoms:
When FTP's control channel and data channel arrive on different TMMs, ReqLog profile may fail to identify data channel's listener.

Conditions:
Default inherit FTP profile virtual server configured with ReqLog profile.

Impact:
Service disruption, fail-over event.

Workaround:
Create non-inheriting FTP profile for FTP virtual server with ReqLog profile.


651005-1 : FTP data connection may use incorrect auto-lasthop settings.

Component: Local Traffic Manager

Symptoms:
Due to a known issue, the FTP data connection may fail to use the auto-lasthop setting configured on the virtual server and use the value configured at the VLAN level instead.

Conditions:
With the configuration below, FTP data connection will fail to use auto-lasthop:
(1)
- Global auto-lasthop set to 'disable'
- VLAN auto-lasthop set to 'default'
- Virtual server auto-lasthop set to 'enable'

(2)
- Global auto-lasthop set to 'disable'
- VLAN auto-lasthop set to 'disable'
- Virtual server auto-lasthop set to 'enable'

With the configuration below, FTP data connection will improperly use the auto-lasthop:
(1)
- Global auto-lasthop set to 'enable'
- VLAN auto-lasthop set to 'default'
- Virtual server auto-lasthop set to 'disable'

(2)
- VLAN auto-lasthop set to 'enable'
- Virtual server auto-lasthop set to 'disable'

Impact:
FTP data connection may fail to be established.

Workaround:
Use routing instead of auto-lasthop.
(or) Enable auto-lasthop on VLAN level.


650002-4 : tzdata bug fix and enhancement update

Component: TMOS

Symptoms:
There have been changes to timezone data that impact tzdata packages:

* Mongolia no longer observes Daylight Saving Time (DST).

* The Magallanes Region of Chile has moved from a UTC-04/-03 scheme to UTC-03 all year. Starting 2017-05-13 at 23:00, the clocks for the Magallanes Region will differ from America/Santiago.

Conditions:
-- Mongolia during DST portion of the year.
-- Comparing clock times in the America/Santiago zone with those in the Magallanes Region.

Impact:
Timezone data provided in tzdata will not match the area's time. Clocks for the Magallanes Region will differ from America/Santiago (its current timezone).

Workaround:
None.


649234 : TMM crash from a possible memory corruption.

Component: TMOS

Symptoms:
When APM resumes an iRule event from an asynchronous session data lookup, the resumption fails due to a bad memory access resulting in a crash.

Conditions:
The following must be true for this to happen:
- APM provisioned and licensed.
- Use of APM iRule events.
- Session data lookup from iRule events.

Impact:
TMM crash and failover to standby.

Workaround:
None identified yet.


648954-4 : Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls

Component: Local Traffic Manager

Symptoms:
Configuration validation fails spuriously, potentially as a result of a ConfigSync or of modifying an iRule, with an error similar to the following:

    01020036:3: The requested rule (/Common/rule_uses_procs) was not found.

The error references an iRule that previously existed but has been deleted (or is being deleted as a result of a ConfigSync).

Conditions:
-- iRule using procedures in a different iRule.
-- iRule attached to virtual server.

Impact:
iRule procs are still referenced after deletion. Configuration validation fails spuriously.

Workaround:
Force reloading of the MCP binary database.

For specific steps, see K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).


648621-3 : SCTP: Multihome connections may not expire

Component: TMOS

Symptoms:
SCTP: Multihome connections may not expire when forcibly deleted.

Conditions:
When the multi-homing connections have been forcibly deleted from the tmsh command line.

Impact:
The multi-homing connections are not expired.

Workaround:
Do not manually delete the multi-homing connections.


648544-3 : HSB transmitter failure may occur when global COS queues enabled

Component: TMOS

Symptoms:
An HSB transmitter failure may occur if global COS queues are enabled. The HSB transmitter failure is logged in the TMM log files.

Conditions:
With global COS queues enabled, the HSB's watchdog loopback packets are sent on HSB ring 2, instead of ring 0. If HSB ring 2 is heavily utilized, this could cause the loopback packets to be dropped. If this occurs, then the watchdog may trigger an HSB transmitter failure.

Impact:
If this issue occurs then the BIG-IP is rebooted.

Workaround:
Do not use global COS queues.


648037-4 : LB::reselect iRule on a virtual with the HTTP profile can cause a tmm crash

Component: Local Traffic Manager

Symptoms:
tmm crashes after the LB::reselect iRule fails to connect to the server.

Conditions:
This issue can occur when a virtual server is configured with HTTP and the LB::reselect iRule. If the LB::reselect fails to connect to the server and there is not a monitor on the pool, tmm will crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure a monitor for the pool.


647903 : Android receiver 3.11 new store addition with auto discovery does not work

Component: Access Policy Manager

Symptoms:
A new account cannot be added in auto-discovery mode with Citrix Receiver version 3.11; the error "Citrix Receiver could not verify the server address" is reported.

Conditions:
BIG-IP virtual server is configured for Citrix replacement mode in an 11.5.x release.
Adding a new account in Citrix Android Receiver 3.11 in auto-discovery mode.

Impact:
Cannot add a new account in auto-discovery mode for Citrix Android Receiver 3.11.

Workaround:
Add this iRule to the virtual server.

when HTTP_REQUEST {
    # Normalize the request path so the comparisons below are case-insensitive
    set uri_path [string tolower [HTTP::path]]
    if { $uri_path == "/vpn/index.html" } {
        # Answer the Receiver's probe directly with a Secure, HttpOnly cookie
        set cookie "pwcount=0;Secure;HttpOnly;Path=/"
        HTTP::respond 200 -version auto content "/vpn/cgi/login" noserver "Set-Cookie" $cookie
    } elseif { $uri_path == "/agservices/discover" } {
        # Reject the discovery request with a 403 carrying the X-Citrix-Session-Expired header
        # (the cookie variable is set here but not used in the response)
        set cookie "X-Citrix-Session-Expired=true"
        HTTP::respond 403 noserver "X-Citrix-Session-Expired" "true"
    }
}


647834-2 : Failover DB variables do not correctly implement 'reset-to-default'

Component: TMOS

Symptoms:
When the 'modify sys db' command option 'reset-to-default' is issued, the new value does not take effect, even though 'list sys db' displays the desired value.

Conditions:
This is known to affect at least the following failover-related DB variables:

log.failover.level
failover.nettimeoutsec
failover.debug
failover.usetty01
failover.rebootviasod
failover.packetcheck
failover.packetchecklog
failover.secure
mysqlhad.heartbeattimeout
mysqlhad.debug
mysqldfailure.enabled
mysqldfailure.haaction.primary
mysqldfailure.haaction.secondary

Impact:
The configuration change does not take effect.

Workaround:
Explicitly set the DB variable to the desired value.


647812-1 : /tmp/wccp.log file grows unbounded

Component: TMOS

Symptoms:
WCCP uses /tmp/wccp.log as output for diagnostic information, independent of log level or db key. This file can grow unbounded if there are never any WCCP packets sent. If packets are sent, the file is cleaned up automatically.

Conditions:
This can occur if WCCP is configured but never goes beyond negotiation.

Impact:
/tmp/wccp.log grows unbounded, filling up the disk.


647071-4 : Stats for SNATs do not work when configured in a non-zero route domain

Component: Local Traffic Manager

Symptoms:
When creating SNAT in a Route Domain different from 0, the command 'tmsh show ltm snat' does not report any statistics.

Conditions:
This occurs on all SNATs in a route domain other than 0.

Impact:
No statistics for the SNATs.

Workaround:
None.


646643-4 : HA Standby Virtual Server with a lasthop pool may crash.

Component: Local Traffic Manager

Symptoms:
A long-running high availability (HA) Standby Virtual Server with a lasthop pool may crash.

Conditions:
HA Standby Virtual Server is configured with a lasthop pool.
It receives more than 2 billion (maximum value of 32 bit integer) connections.

Impact:
tmm on the next-active device crashes. The Active device isn't affected.

Workaround:
None.


646604-4 : Client connection may hang when NTLM and OneConnect profiles used together

Component: Local Traffic Manager

Symptoms:
In deployments where an NT LAN Manager (NTLM) authentication profile and a OneConnect profile are used together on an LTM virtual server to label an authenticated connection to a Domain Controller (DC), the connection may hang if the persisted connection to the DC is re-used. A connection in this state may not be cleaned up by the sweeper, resulting in a memory leak.

Conditions:
The NTLM and OneConnect profiles are associated with an LTM virtual server.

Impact:
A client connection won't be serviced and TMM memory will leak. Over a long time period, this may result in more widespread service disruptions.

Workaround:
Avoid the use of OneConnect profiles on virtual servers that use NTLM profiles. The connections to the Domain Controller won't be pooled, but all other features will be retained.


646388-4 : TMM crash when moving to standby

Component: TMOS

Symptoms:
During the active-to-standby transition while passing traffic, tmm crashes.

Conditions:
This can occur intermittently on the transition from active to standby. It is not known exactly what configuration causes this to occur.

Impact:
tmm crashes on the standby, then restarts.


645635-4 : Sflow may use 0.0.0.0 as Agent Address in 2 core vCMP guests

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, configured units with sflow may incorrectly use 0.0.0.0 as Agent Address.

Conditions:
- vCMP guest deployed on a chassis with only the Cluster IP set, and no individual blade IP addresses configured.
- sFlow configured.

Impact:
sflow may incorrectly use 0.0.0.0 as Agent Address.

Workaround:
Possible workarounds (either):
- Use larger guests (more than 2 cores).
- Configure cluster blade IP addresses.


645615-4 : zxfrd may fail and restart after multiple failovers between blades in a chassis.

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd may fail and restart after multiple failovers between blades in a single chassis.

Conditions:
DNS Express must be configured in a multi-blade chassis. If a blade transitions from active to backup to active states and the DNS Express (tmmdns.bin) database has been re-created while the blade was in backup status, zxfrd may fail when attempting to reference old data.

Impact:
zxfrd will create a core file and restart, picking up where it left off.

Workaround:
None.


645589 : Password-less ssh access lost for non-admin users after tmsh load sys ucs

Component: TMOS

Symptoms:
During the UCS load, the $HOME/.ssh/authorized_keys file is moved to /etc/ssh/<user> and a symbolic link pointing to that file is created in $HOME/.ssh, so that the ownership changes made by the UCS load do not break password-less SSH access to the BIG-IP. The problem is that the /etc/ssh/<user> directory has no read permission for group or other, so non-admin users cannot read the file; password-less access is therefore denied and a password is requested.

Conditions:
This always happens, because /etc/ssh/<user> is owned by root with permissions 0700 (read, write and execute for the owner only).

Impact:
Non-admin users lose password-less access to their BIG-IP after tmsh load sys ucs.

Workaround:
An admin user must manually change the permissions of /etc/ssh and /etc/ssh/<user> to 0755. Only the directories need to open up: the authorized_keys file itself must not become writable by group or other, or sshd (with StrictModes, the default) will reject it.

A non-admin user has no such capability and thus has no workaround.
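
The following is an added example, not F5 code, that checks whether a user's password-less login will survive the relocation described above and reports which path component breaks it. It assumes the relocated file is /etc/ssh/<user>/authorized_keys (the page names only the /etc/ssh/<user> directory) and that the user is neither root nor in the owning group, so only the "other" permission bits matter, which is the page's case (root-owned directories, mode 0700). It also refuses a key file that is group- or world-writable, because sshd rejects such files when StrictModes is on.

```python
"""Added example (not F5 code) for ID 645589: find the path component that
stops a non-admin user from reading the relocated authorized_keys file.

Assumptions (not stated by the page): the relocated file is
/etc/ssh/<user>/authorized_keys, and the user is neither the owner nor in
the owning group, so only the "other" bits decide access.
"""
import os
import stat
from typing import Optional, Tuple


def first_blocking_component(path: str, stop_at: str = "/") -> Optional[str]:
    """Walk from stop_at down to path (stop_at itself is not checked).

    Return the first directory that others cannot search (no o+x), or the
    file itself if others cannot read it (no o+r); None if nothing blocks.
    """
    target = os.path.realpath(path)
    base = os.path.realpath(stop_at)
    rel = os.path.relpath(target, base)
    if rel == os.curdir or rel.startswith(os.pardir):
        raise ValueError(f"{path} is not below {stop_at}")
    current = base
    for part in rel.split(os.sep):
        current = os.path.join(current, part)
        mode = os.stat(current).st_mode
        if stat.S_ISDIR(mode):
            if not mode & stat.S_IXOTH:
                return current
        elif not mode & stat.S_IROTH:
            return current
    return None


def authorized_keys_status(home: str, stop_at: str = "/") -> Tuple[bool, str]:
    """Report whether $HOME/.ssh/authorized_keys is usable by the non-admin user."""
    link = os.path.join(home, ".ssh", "authorized_keys")
    if not os.path.exists(link):          # False for a dangling symlink too
        return False, f"{link} is missing or a dangling symlink"
    target = os.path.realpath(link)       # follow the symlink the UCS load created
    blocker = first_blocking_component(target, stop_at)
    if blocker is not None:
        what = "directory" if os.path.isdir(blocker) else "file"
        return False, (f"{what} {blocker} is not readable/searchable by others; "
                       f"the page's fix is chmod 0755 on the /etc/ssh directories")
    if os.stat(target).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, f"{target} is group/world-writable; sshd StrictModes will reject it"
    return True, f"{target} is readable by the user"


def build_demo_layout(root: str, keydir_mode: int = 0o700, keyfile_mode: int = 0o644) -> str:
    """Constructed fixture mirroring the page's layout under `root`; returns $HOME."""
    home = os.path.join(root, "home", "alice")
    ssh_dir = os.path.join(home, ".ssh")
    keydir = os.path.join(root, "etc", "ssh", "alice")
    os.makedirs(ssh_dir, exist_ok=True)
    os.makedirs(keydir, exist_ok=True)
    keyfile = os.path.join(keydir, "authorized_keys")
    with open(keyfile, "w") as fh:       # constructed key line, not a real key
        fh.write("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotReal alice@example\n")
    os.chmod(keyfile, keyfile_mode)
    # Explicit modes so the result does not depend on the caller's umask.
    for d in (root, os.path.join(root, "home"), home,
              os.path.join(root, "etc"), os.path.join(root, "etc", "ssh")):
        os.chmod(d, 0o755)
    os.chmod(ssh_dir, 0o700)
    os.chmod(keydir, keydir_mode)       # 0700 reproduces the broken state from the page
    os.symlink(keyfile, os.path.join(ssh_dir, "authorized_keys"))
    return home


if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp()
    home = build_demo_layout(root)
    print(authorized_keys_status(home, stop_at=root))   # blocked by .../etc/ssh/alice
    os.chmod(os.path.join(root, "etc", "ssh", "alice"), 0o755)
    print(authorized_keys_status(home, stop_at=root))   # ok after the page's chmod
```

On a real unit, call authorized_keys_status("/home/<user>") with the default stop_at="/" so every directory from the root down is checked; the fixture builder exists only so the check can be exercised on a scratch directory.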


645179-4 : Traffic group becomes active on more than one BIG-IP after a long uptime

Component: TMOS

Symptoms:
Traffic groups become active on more than one device (active/active) for about 30 seconds once a device reaches an uptime of 331.40 days (with 15 traffic groups; see below).

The amount of time that is required to trigger this issue is dependent on the number of traffic groups. The more traffic groups, the shorter amount of uptime required to encounter this issue.

For example:

For 7 traffic groups it would take ~710 days.
For 15 traffic groups it would take ~331 days.

Conditions:
Two or more BIG-IPs defined in a device group for sync/failover.
There are multiple traffic groups configured.
The BIG-IPs have a long uptime.

Impact:
Outage due to traffic-group members being active on both systems at the same time.

Workaround:
There is no workaround.

You would have to reboot all the BIG-IPs in the device group periodically, and the required interval depends on the number of traffic groups.
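
The following is an added example, not F5 code, for turning the two data points above into a reboot cadence. Both figures (15 traffic groups giving 331.40 days, 7 giving about 710 days) are reproduced to the stated precision by a 32-bit counter that advances ten times per second for every traffic group, i.e. days = 2^32 / (10 * 86400 * groups). That model is this example's inference from the page's numbers, not something the page states, so treat the result as a planning figure rather than a guarantee.

```python
"""Added example (not F5 code) for ID 645179-4: estimate the uptime at which
the active/active overlap is expected, given the number of traffic groups.

Model (inferred from the page's two data points, not stated by it): a
32-bit counter that ticks every 100 ms per traffic group wraps after
2^32 / (10 * groups) seconds.
"""
from typing import Dict, Tuple

COUNTER_LIMIT = 2 ** 32
TICKS_PER_SECOND = 10        # assumed 100 ms tick, one per traffic group
SECONDS_PER_DAY = 86400


def days_until_overlap(traffic_groups: int) -> float:
    """Uptime in days after which the overlap is expected to occur."""
    if traffic_groups < 1:
        raise ValueError("need at least one traffic group")
    return COUNTER_LIMIT / (TICKS_PER_SECOND * SECONDS_PER_DAY * traffic_groups)


def reboot_before_days(traffic_groups: int, margin: float = 0.9) -> int:
    """Whole days of uptime to allow before a planned reboot, with a safety margin."""
    if not 0 < margin <= 1:
        raise ValueError("margin must be in (0, 1]")
    return int(days_until_overlap(traffic_groups) * margin)


def schedule_table(max_groups: int = 16) -> Dict[int, Tuple[float, int]]:
    """Map traffic-group count -> (expected overlap day, reboot-before day)."""
    return {n: (round(days_until_overlap(n), 2), reboot_before_days(n))
            for n in range(1, max_groups + 1)}


if __name__ == "__main__":
    for n, (overlap, reboot) in schedule_table().items():
        print(f"{n:2d} traffic groups: overlap at ~{overlap:8.2f} days, reboot before day {reboot}")
```

The page's own figures fall out directly: 15 groups gives 331.40 days and 7 groups gives 710 days. If a device group carries more traffic groups than the 15 in the example, the window shrinks proportionally, which is the main reason to compute it rather than assume a fixed yearly reboot is enough.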


645058-2 : Modifying SSL profiles in GUI may fail when key is protected by passphrase

Component: Local Traffic Manager

Symptoms:
When a client SSL profile has a Certificate Key Chain (CKC) entry with a passphrase-protected key, attempting to modify/update the profile via the GUI may fail, and produce an error similar to the following:

01070313:3: Error reading key PEM file <Key_File_Path> for profile <Profile_Name>: error:0906A068:PEM routines:PEM_do_header:bad password read.

This can occur even when the passphrase already in the SSL profile is correct.

Conditions:
Upgrading a BIG-IP system from a version prior to BIG-IP v11.5.0 to v11.5.0 or later, while having a passphrase-protected key specified in the profile.

Alternately, creating an SSL profile with a custom cert-key-chain name that references a passphrase-protected key, e.g.:

tmsh create ltm profile client-ssl example-profile defaults-from clientssl cert-key-chain replace-all-with { no { cert protected.crt key protected.key passphrase password } }

Impact:
User cannot update client SSL profile via the GUI.

Workaround:
Modifications to the profile can be made from tmsh. Alternately, delete the CKC and recreate it.


644979-4 : Errors not logged from hourly 1k key generation cron job

Component: TMOS

Symptoms:
Errors from the hourly 1024-bit (1k) ephemeral key generation cron job are not logged as intended.

Conditions:
This occurs during hourly generation of ephemeral keys.

Impact:
Errors from the cron job are not logged, and the hourly generation of ephemeral keys fails.

Workaround:
Change "loggcercmd" to "loggercmd" in /etc/cron.hourly/genkeys-1024.


644484-2 : Inconsistent behavior between CLI and GUI for remote auth user passwords

Component: TMOS

Symptoms:
If you have remote authentication configured, you cannot set a password when creating a user in the GUI, which is expected, since you are only setting privilege levels for remote users. In tmsh, however, you can set a password, though it is ignored.

Conditions:
This is seen when remote auth is enabled, and you try to create a user via tmsh.

Impact:
The password can be specified, but it is ignored, and there is no warning that it is ignored.


644220-1 : Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page

Component: Global Traffic Manager (DNS)

Symptoms:
Under LTM :: Virtual Servers :: Properties, the "Link" value sometimes displays "none" when it should display an actual link name.

Conditions:
This happens under certain configuration of Self IP / GTM Servers / GTM Links / LTM Virtual Servers.

Impact:
When conditions are met, the Virtual Server's link information displayed is not correct.

Workaround:
None.


643860-2 : Attempt to read or write to the file /dev/vnic can cause TMM to restart and TMM may not startup properly

Component: Local Traffic Manager

Symptoms:
There is no indication that mcpd has restarted, but the system logs messages similar to the following:

In /var/log/tmm:
  notice MCP connection expired early in startup; retrying.

In /var/log/ltm:
  mcpd[5747]: 01070406:5: Removed publication with publisher id TMM1.

Conditions:
The file /dev/vnic is opened by something other than BIG-IP programs.

Impact:
The TMM processes will restart and fail to come up properly.

Workaround:
To recover, reboot the system.

Note: Do not perform file open operations on /dev/vnic. There is no need to.


643799-3 : Deleting a partition may cause a sync validation error

Component: TMOS

Symptoms:
Deleting a partition may cause the sync to peers to fail.

For example, on BIG-IP1:

tmsh delete auth partition P1
tmsh show cm sync-status
     Sync Summary
     Status Sync Failed
     Summary A validation error occurred while syncing to a remote device
     Details DG1: Sync error on BIG-IP2: Load failed from BIG-IP1 01070829:5: Input error: Invalid partition ID request, partition does not exist (P1)

Conditions:
Two or more BIG-IPs in a DSC device group, say DG1. A partition (P1) is created where the root partition folder (/P1) or a subfolder is assigned to DG1.

Objects have also been configured in the folder and the user deletes the partition, which will cause the folder and its contents to be deleted.

Impact:
The sync of this change may fail on peers.

Workaround:
Disable auto-sync on the device group if it's enabled, delete the partition on all of the peers, and re-enable auto-sync.


643459-1 : Unable to login to BIG-IP Configuration Utility when BIG-IP is behind a Reverse proxy

Component: TMOS

Symptoms:
When a BIG-IP management interface is accessed through a Reverse Proxy, you are not able to log in to the Configuration Utility. Instead you will see a login error, as the Reverse Proxy IP/hostname is in the Referer header instead of that of the BIG-IP.

Conditions:
You are accessing the BIG-IP Configuration Utility through a Reverse Proxy.

Impact:
You are unable to login to the Configuration Utility.

Workaround:
Configure the reverse proxy to place the IP address of the BIG-IP in the Referer header.


643041-3 : Less than optimal interaction between OneConnect and proxy MSS

Component: Local Traffic Manager

Symptoms:
When a client with low MSS is the first to establish a OneConnect flow pair and proxy MSS is enabled, the serverside will share the same low MSS. Successive connections from full-MSS clients may utilize this server-side flow, resulting in suboptimal throughput.

Conditions:
Configure a virtual server with both OneConnect and proxy MSS. Note: Proxy MSS is enabled by default beginning with v12.1.0.

Impact:
Decreased throughput, possible congestion due to small segments.

Workaround:
In some instances, it may be sufficient to disable proxy MSS. This too has the potential to increase segment count and decrease throughput.


642923-4 : MCP misses its heartbeat (and is killed by sod) if there are a large amount of file objects on the system

Component: TMOS

Symptoms:
MCP may timeout and get killed by sod, causing mcpd to restart.

Conditions:
There is a large number (tens of thousands) of file objects configured, such as SSL keys and certificates, and the configuration is loaded.

Impact:
The system will restart.

Workaround:
Reduce the number of file objects configured.


641512-2 : DNSSEC key generations fail with lots of invalid SSL traffic

Component: Local Traffic Manager

Symptoms:
DNSSEC keys can roll over periodically. When the BIG-IP is handling a lot of SSL traffic with invalid certificates, this rollover fails, leaving no keys to sign DNSSEC responses (no RRSIG records).

The system posts the following log signature in /var/log/ltm:
err tmm1[12393]: 01010228:3: DNSSEC: Could not initialize cipher context for key /Common/x1-zsk.

Conditions:
DNSSEC keys configured with periodic rollover, and the certificate path queues an error (situations include, but are not limited to, lots of SSL traffic with invalid certificates).

Impact:
DNSSEC key generations fail to be accepted by TMM, so that when the prior generation expires there is no valid key to sign DNSSEC responses.

Workaround:
Restart the TMM after the new key generation is created.


641450-2 : A transaction that deletes and recreates a virtual may result in an invalid configuration

Component: TMOS

Symptoms:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp) may result in an invalid in-memory configuration. This may also result in traffic failing to pass, because TMM rejects the invalid configuration.

Config load error:
    01070095:3: Virtual server /Common/vs_icr_test lists incompatible profiles.

Configuration-change-time error in /var/log/ltm:
    err tmm[22370]: 01010007:3: Config error: Incomplete hud chain for listener: <name>

Conditions:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp).

Impact:
Configuration fails to load in the future.
Traffic fails to pass, because TMM rejects the configuration.

Workaround:
Within tmsh, use profiles replace-all-with on the existing virtual server instead of deleting and recreating it inside the transaction.
Within iControl REST, use three separate calls:
   1. Delete virtual server.
   2. Create virtual server (with an empty profile list).
   3. Modify the virtual server's profile list.
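
The three iControl REST calls listed above, as an added example that is not F5 code. It assumes the documented /mgmt/tm/ltm/virtual collection and /mgmt/tm/ltm/virtual/~<partition>~<name> item paths, a virtual server in the Common partition, and a session object with requests.Session-style delete/post/patch(url, json=...) methods whose responses expose raise_for_status(); the FakeSession class is a constructed stand-in so the sequence can be exercised without a device.

```python
"""Added example (not F5 code) for ID 641450-2: the delete / create-empty /
patch-profiles sequence as three separate iControl REST calls rather than
one transaction.

Assumptions: partition "Common" unless given, REST paths /mgmt/tm/ltm/virtual
and /mgmt/tm/ltm/virtual/~<partition>~<name>, and a `session` that behaves
like requests.Session (delete/post/patch returning responses with
raise_for_status()).
"""
from typing import Any, List, Tuple

Call = Tuple[str, str, Any]   # (method, url, json body)


def collection_url(base_url: str) -> str:
    return f"{base_url}/mgmt/tm/ltm/virtual"


def item_url(base_url: str, name: str, partition: str = "Common") -> str:
    # iControl REST writes the full path /Common/name as ~Common~name.
    return f"{base_url}/mgmt/tm/ltm/virtual/~{partition}~{name}"


def recreate_virtual_with_profiles(session, base_url: str, name: str,
                                   destination: str, profiles: List[str],
                                   partition: str = "Common") -> List[Call]:
    """Delete the virtual, recreate it with no profiles, then PATCH the profiles.

    Returns the calls that were issued, in order, so the caller can log
    exactly what was changed on the device.
    """
    issued: List[Call] = []
    url = item_url(base_url, name, partition)

    # 1. Delete the existing virtual server.
    session.delete(url).raise_for_status()
    issued.append(("DELETE", url, None))

    # 2. Recreate it with an empty profile list (the page's step 2), so the
    #    old and new, incompatible, profile sets never coexist on the object.
    body = {"name": name, "partition": partition,
            "destination": destination, "profiles": []}
    session.post(collection_url(base_url), json=body).raise_for_status()
    issued.append(("POST", collection_url(base_url), body))

    # 3. Replace the (empty) profile list with the intended one.
    patch = {"profiles": [{"name": p} for p in profiles]}
    session.patch(url, json=patch).raise_for_status()
    issued.append(("PATCH", url, patch))
    return issued


class _Response:
    def __init__(self, status_code: int = 200):
        self.status_code = status_code

    def raise_for_status(self) -> None:
        if self.status_code >= 400:
            raise RuntimeError(f"HTTP {self.status_code}")


class FakeSession:
    """Constructed stand-in: records calls instead of talking to a BIG-IP."""
    def __init__(self):
        self.calls: List[Call] = []

    def delete(self, url, **kw):
        self.calls.append(("DELETE", url, kw.get("json")))
        return _Response()

    def post(self, url, **kw):
        self.calls.append(("POST", url, kw.get("json")))
        return _Response()

    def patch(self, url, **kw):
        self.calls.append(("PATCH", url, kw.get("json")))
        return _Response()


if __name__ == "__main__":
    # Against a real unit: s = requests.Session(); s.auth = ("admin", "..."); s.verify = "/path/to/ca.pem"
    s = FakeSession()
    for step in recreate_virtual_with_profiles(s, "https://bigip.example.com", "vs_icr_test",
                                               "/Common/10.0.0.10:80", ["tcp", "http"]):
        print(*step)
```

Each call is checked with raise_for_status() before the next one is issued, so a failed delete never leads to a duplicate create; with a real requests.Session, keep certificate verification on rather than passing verify=False to the management interface.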


641390-3 : Backslash removal in LTM monitors after upgrade

Component: TMOS

Symptoms:
After upgrading, BIG-IP fails to load the configuration and reports that a monitor failed to load.

Conditions:
This can occur on upgrade, with specific backslash escaping in LTM monitors. It is specific to LTM monitors. Example:

ltm monitor https /Common/my_https {
    adaptive disabled
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    defaults-from /Common/https
    destination *:*
    interval 5
    ip-dscp 0
    recv "Test string"
    recv-disable \\\"Test\\\"me\\\" <-- pertinent string value (can be in recv, send or username attributes too).
    send Test
    time-until-up 0
    timeout 16
    username test\\\"me
}

Impact:
The monitor will fail to load.

Workaround:
Manually correct the string to be the way it was before upgrade, then the configuration will load.


641013-4 : GRE tunnel traffic pinned to one TMM

Component: TMOS

Symptoms:
All GRE tunnel traffic can be sent to a single TMM if the BIG-IP does not proxy the GRE tunnel and instead uses a forwarding virtual server to handle the tunnel traffic.

Conditions:
A forwarding virtual server is used to handle GRE tunnel traffic.

Impact:
GRE tunnel traffic can overwhelm the one TMM and cause performance degradation.

Workaround:
None.


640369-4 : TMM may incorrectly respond to ICMPv6 echo via auto-lasthop when disabled on the vlan

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, TMM may respond to an ICMPv6 echo request using the auto-lasthop mechanism, when this has been disabled on the vlan.

Conditions:
- Auto-lasthop disabled on the ingress vlan
- ICMPv6 echo request for a self-IP on the ingress vlan.
- Route to the client IP address via a different vlan

TMM may respond directly using the auto-lasthop feature and not via the route lookup.

Impact:
Traffic may not follow the expected path.


639774-3 : mysqld.err rollover log files are not collected by qkview

Component: TMOS

Symptoms:
Only the file /var/lib/mysql/mysqld.err is collected by qkview, without the truncation rules normally applied to log files; the rolled-over files mysqld.err.1, mysqld.err.2.gz, etc. are not collected at all.

Conditions:
This occurs when generating a qkview.

Impact:
You cannot see the other mysqld.err rollover files in the qkview, and since the single mysqld.err file might be huge (larger than 2 GB), the qkview output may be unusable.

Workaround:
The missing files must be manually copied into the qkview output. If the mysqld.err is greater than 2 GB in size, it must first be truncated to smaller than 2 GB.


639744-4 : Memory leak in STREAM::expression iRule

Component: Local Traffic Manager

Symptoms:
If you are using the STREAM::expression iRule with APM, the stream filter can leak memory.

Conditions:
This can occur when using the STREAM::expression iRule with an APM virtual.

Impact:
This causes a memory leak in tmm.

Workaround:
None.


639575-5 : Using libtar with files larger than 2 GB will create an unusable tarball

Component: TMOS

Symptoms:
Programs such as qkview will create a .tar file (tarball) using libtar and if any of the files collected is greater than 2 GB, the output tar file cannot be read by /bin/tar.

Conditions:
The file collected via libtar (e.g., by qkview or other program dynamically linking with /usr/lib/libtar-1.2.11) is greater than 2 GB.

Impact:
You will be unable to submit a qkview to iHealth for analysis. Other applications using libtar will produce invalid tar files.

Workaround:
The qkview tarball can be extracted with /usr/bin/libtar, but the offending file will be zero-length. Alternatively, the file larger than 2 GB must be removed from the system before running qkview or any other program that uses libtar.


639039-2 : Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons

Component: Local Traffic Manager

Symptoms:
Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons.

Conditions:
Dynamic routing in use, and you change the host name of the BIG-IP.

Impact:
Dynamic routing information is lost and must be relearned.

Workaround:
When using dynamic routing, only change the host name during a maintenance window.


638091-2 : Config sync after changing named pool members can cause mcpd on secondary blades to restart

Component: TMOS

Symptoms:
After performing a ConfigSync, mcpd restarts and the following error is seen in /var/log/ltm:

     01070734:3: Configuration error: Invalid mcpd context, folder not found <foldername>

Conditions:
- Chassis cluster with at least two blades
- sync-failover device group set to full-sync and auto-sync disabled
- Changing a named pool-member in non-default partition without syncing between delete and create

Impact:
Secondary blades do not process traffic as they restart

Workaround:
To prevent blade restart, follow the workaround in K16592: ConfigSync may fail when deleting and recreating a pool member with a node name set (https://support.f5.com/csp/article/K16592).

To work around this issue, you can synchronize the configuration just after deleting the pool member and node, before re-creating the pool member. To do so, perform the following procedure:

Impact of workaround: Performing the following procedure may impact client connectivity to the node. You should perform this procedure only during a maintenance window.

1. Log in to the BIG-IP system Configuration utility.
2. Navigate to Local Traffic :: Pools, and select the Pool with the member you want to delete.
3. From the top of the menu, click Members.
4. Select the checkbox next to the pool member you want to delete, and click Remove.
5. Navigate to Local Traffic :: Nodes.
6. Select the checkbox next to the node with the same name, and click Delete.
7. Navigate to Device Management :: Overview.
8. Select the local device by hostname (self).
9. Click the Sync option.
10. If the ConfigSync was successful, you may now re-create the pool member.


637613-1 : Cluster blade being disabled immediately returns to enabled/green

Component: Local Traffic Manager

Symptoms:
In some scenarios, disabling a blade will result in the blade immediately returning to online.

Conditions:
This can occur intermittently under these conditions:

- 2 chassis in an HA pair configured with min-up-members (for example, 2 chassis, 2 blades each, and min-up-members=2)
- You disable a primary blade on the active unit, causing the cluster to failover due to insufficient min-up-members.

Impact:
Disabling the primary blade fails and it remains the primary blade with a status of online.

Workaround:
This is an intermittent issue, and re-trying may work. If it does not, you can configure min-up-members to a lower value or disable it completely while you are disabling the primary blade. The issue is triggered when the act of disabling the primary blade would cause the number of members to drop below min-up-members.


637308-6 : apmd may crash when HTTP Auth agent is used in an Access Policy

Component: Access Policy Manager

Symptoms:
apmd may crash when HTTP Auth agent is used in an Access Policy.

Conditions:
This might occur on heavy load, when AAA HTTP Server is configured in 'Form based' or 'Custom body' mode.

The probability of occurrence is greater if there are session variables specified in the AAA HTTP Server configuration.

Impact:
apmd daemon crash. APM cannot process requests until apmd starts up again.

Workaround:
Use basic auth, or do not use HTTP Auth.


637227-2 : DNS Validating Resolver produces inconsistent results with DNS64 configurations.

Component: Global Traffic Manager (DNS)

Symptoms:
A DNS Validating Resolver incorrectly validates DNS responses received from A queries made as a result of a front-end AAAA query received on a profile with DNS64 configured.

A SERVFAIL response may be sent to the client unless the Validating Resolver cache has previously successfully validated a front-end A query. In this scenario where the A records already exist in the cache, the expected DNS64 AAAA records are synthesized.

Conditions:
This issue may be observed with a DNS Validating Resolver configured on a DNS profile with DNS64 configured when processing AAAA queries.

Impact:
Incorrect SERVFAIL responses for AAAA queries that should get valid responses.

Workaround:
None.


636823-1 : Node name and node address

Component: TMOS

Symptoms:
If you create a node with a name that is an IP address but the IP address is different than the name, it can produce an error when adding the node to a pool.

Conditions:
This can occur if the node name is, for example, /Common/10.10.10.10 and the IP address is 10.10.10.10%1

Impact:
When you attempt to add the node to a pool, an error will occur:

Node name /Common/10.10.10.10 encodes IP address 10.10.10.10 which differs from supplied address field 10.10.10.10%1

Workaround:
If you set the node name to an IP address it must be identical to the actual IP address.


636790-1 : Manager role has Create, Update, and Release access to Datacenter/links/servers/prober-pool/Topology objects but throws general error when complete.

Component: Global Traffic Manager (DNS)

Symptoms:
While logged in as a Manager role, if a user attempts to modify an object this role does not have access to, the GUI will post a validation error.

Conditions:
This occurs when users in the Manager role make changes to Datacenter links/servers/prober-pool/Topology.

Impact:
The system posts generic validation errors when Create, Update, Delete actions are initiated by a user without proper permissions. These permissions are not allowed for the Manager, but the GUI makes it appear as if they are.

Workaround:
None.


636643 : OAM Access gate init problem

Component: Access Policy Manager

Symptoms:
Access gates are not properly initialized after the first gate in the list initializes.

Conditions:
Configure more than one access gate.

Impact:
Other access gates are initialized with incorrect information, and server initialization fails due to a wrong access gate ID.

Workaround:
None.


636104-5 : If pool member is defined with port 0, member may not be visible on the HTTP dimension pane.

Component: Application Visibility and Reporting

Symptoms:
You are unable to see the pool member under the HTTP "pool" dimension.

Conditions:
Pool member is defined with port 0 and traffic is being sent to e.g. port 80.

Impact:
Not seeing the pool member under the HTTP "pool" dimension.

Workaround:
You can define a temporary pool member with the port that is being used (e.g., 80) and delete it afterwards. Once defined, the member is recorded in the database and is shown from that point on.
This is a partial workaround, since it must be repeated for every port used in traffic.


636031-2 : GUI LTM Monitor Configuration String adding CR for type Oracle

Component: TMOS

Symptoms:
If the value entered in for the Configuration String textbox wraps in the GUI, a CR character is added to the configuration file.

Conditions:
Create or edit an LTM Monitor type Oracle. Enter a value in the Configuration String textbox so that it wraps to the next line. Click Finish/Update.

Impact:
The /config/bigip.conf file contains CR characters in the file.

Workaround:
Manually edit the /config/bigip.conf file and remove the CR characters.


635561-4 : Heavy URLs statistics are not shown after upgrade.

Component: Application Visibility and Reporting

Symptoms:
Heavy URLs statistics are not shown after upgrade.

Conditions:
Upgrading to a newer version.

Impact:
Missing statistics.

Workaround:
No workaround


634259-1 : IP tuple nexthop object can be freed while still referenced by another structure

Component: Local Traffic Manager

Symptoms:
IP tuple nexthop object can be freed while still referenced by another structure.

Conditions:
Using LSN.

Impact:
The BIG-IP system might crash. This is a very timing/memory-usage dependent issue that is rarely encountered.

Workaround:
None.


634201-1 : POST requests get reset on early server response.

Component: Local Traffic Manager

Symptoms:
Connection resets are encountered on large POST requests when the server responds early and shuts down the connection.

Conditions:
AAM is enabled on the virtual server. AAM may improperly forward the response resulting in an internal error.

Impact:
Connections are reset before the response completes.

Workaround:
None.


634146 : scriptd crash during iApp reconfiguration

Component: iApp Technology

Symptoms:
scriptd crashes with SIGABRT while trying to reconfigure an iApp (f5.ldap), and /var/log/scriptd.out contains the following entry:

terminate called after throwing an instance of 'CLI::Exception'
  what(): In root folder, can't get partition folder


/var/log/ltm contains this signature:
info scriptd[22758]: 01420004:6: Starting iApp template /Common/f5.ldap
notice mcpd[5799]: 01070418:5: connection 0x5f654348 (user <user>) was closed with active requests
err scriptd[5619]: 014f0004:3: stopping worker process (22758) socket error

Conditions:
This can be triggered if you click into the iApp, select reconfigure, and hit finish without making any changes.

Impact:
You are unable to update the iApp and may need to uninstall and re-install it.

Workaround:
You may be able to avoid this by ensuring that the "Do you wish to upgrade this template?" checkbox is checked when reconfiguring the iApp.


634014-3 : Absolute timers may fire one second early during the leap second event

Component: TMOS

Symptoms:
Absolute timers that expire at midnight UTC may fire one second early when the leap second is inserted.

Conditions:
This occurs if an absolute timer is used to trigger a task, and the leap second occurs during the timer window. For example if an absolute timer of 60 seconds is scheduled and the leap second event occurs midway through that interval, the event will appear to fire one second earlier than expected.

Impact:
Impact to applications is unknown. The system stays stable, but a timer may fire earlier than expected.

Workaround:
None.


633512-5 : HA Auto-failback will cause an Active/Active overlap, or flapping, on VIPRION.

Component: TMOS

Symptoms:
When a preferred device becomes available and takes over due to an Auto-Failback configuration, the takeover is not performed as a smooth handoff, but instead results in both devices becoming Active for the network failover timeout period (3 seconds).

Conditions:
This problem affects traffic groups on VIPRION systems configured with HA Order and Auto-Failback enabled.

Impact:
Since both nodes are Active for (by default) 3 seconds, this may cause network traffic to be dropped or interrupted during the overlap interval. In addition, the Active/Active overlap may not resolve in favor of the preferred device. When this happens, the preferred device attempts to Auto-Failback again after the Auto-Failback expires, and the process repeats forever.

Workaround:
Do not configure Auto-Failback on VIPRION.


633465-1 : Curl cannot be forced to use TLSv1.0 or TLSv1.1

Component: TMOS

Symptoms:
Curl fails when connecting to a server that does not accept TLSv1.1 or TLSv1.2 handshakes. This occurs even if the "--tlsv1.0" or "--tlsv1.1" options are passed to the curl command.

Conditions:
Curl is used to attempt to connect to a server that does not understand TLSv1.1 and/or TLSv1.2 handshakes. This occurs when using software v11.5.4 HF2 or v11.6.1 HF1.

Impact:
Curl will fail.

Workaround:
Use "curl-apd" rather than "curl". curl-apd does not currently implement TLSv1.1 or TLSv1.2, so it will negotiate at most TLSv1.0 with such a server.


633364 : Sometimes APM sends 302 back to client for Publicly hosted content in vCMP environment.

Component: Access Policy Manager

Symptoms:
Sometimes APM sends 302 back to client for Publicly hosted content in vCMP environment. If vCMP guest runs on only one slot, this issue is not seen. When a vCMP guest is expanded to another slot, Access policy association with Public hosted URI is missing on 2nd slot.

Conditions:
APM needs to be provisioned and public content should be hosted on BIG-IP. Also vCMP guest needs to run on multiple slots.

Impact:
Client might receive 302 from BIG-IP for publicly hosted content instead of 200 or 404.

Workaround:
Restart services on expanded vCMP slot and manually assign the access policy to publicly hosted content.


632825-3 : bcm56xxd crash following 'silent' port-mirror configuration failure

Component: TMOS

Symptoms:
A port-mirror configuration can fail 'silently', that is, no error from MCPD yet the following is logged in /var/log/ltm:

err bcm56xxd: 012c0011:3: Trunk port trouble with bcm_mirror_port_set() Entry exists bs_mirror.c(598).
err bcm56xxd: 012c0010:3: Trouble committing mirror settings to hardware: 0:21 bs_mirror.c(671).
err bcm56xxd: 012c0010:3: Trouble setting port mirror from 2.1 to 2.6 bsx.c(5173).

Once this happens, any subsequent port-mirror configuration will result in a deadlock condition and SOD will restart bcm56xxd.

If the port-mirror interfaces are part of a trunk, any trunk configuration will cause this condition. For example, adding a vCMP guest.

Conditions:
Prior 'silent' port-mirror configuration error followed by a subsequent port-mirror configuration command.

Impact:
bcm56xxd continuously restarts until the bad port-mirror configuration is removed.

Workaround:
None.


632798-3 : Double-free may occur if Access initialization fails

Component: Access Policy Manager

Symptoms:
Double-free may occur if Access initialization fails.

Conditions:
Access initialization failure occurs, possibly due to license issues.

Impact:
tmm crashes and cores. Traffic disrupted while tmm restarts.

Workaround:
None.


632668-2 : When a BIG-IP using BFD sessions is forced offline, the system continues to send "State Up" BFD packets for ~30 seconds

Component: TMOS

Symptoms:
When a BIG-IP using statically configured BFD sessions (i.e. "bfd session <IP> <IP>" in the ZebOS configuration) is forced offline, it continues to send "State Up" BFD packets for an additional ~30 seconds.

Conditions:
System is using statically configured BFD sessions. System is forced offline.

Impact:
The BFD peer thinks the BIG-IP is still online and may send packets to it.


632423-1 : DNS::query can cause tmm crash if AXFR/IXFR types specified.

Component: Global Traffic Manager (DNS)

Symptoms:
Passing "AXFR" or "IXFR" as the type to the DNS::query iRule command can cause a tmm crash.

Conditions:
DNS Express must be enabled when one of the XFR types is used in the DNS::query iRule command.

Impact:
tmm will crash and restart every time this command is issued. Traffic disrupted while tmm restarts.

Workaround:
Do not explicitly use AXFR or IXFR query types.

If the [DNS::question type] command is being used to dynamically pass in the type, add a preceding check similar to the following:

when DNS_REQUEST {
    # Hand the query to DNS Express only when it is not a zone transfer (AXFR or IXFR).
    if { not ([DNS::question type] ends_with "XFR") } {
        set rrs [DNS::query dnsx [DNS::question name] [DNS::question type]]
    }
}


632156 : A standby system can send gratuitous ARPs using both the VLAN and VLAN group MAC addresses

Component: Local Traffic Manager

Symptoms:
The ltm logs show "address conflict" messages for one or more non-floating self IPs:

warning tmm[16580]: 01190004:4: address conflict detected for 172.16.1.17 (00:01:d7:e3:c2:c3) on vlan 1326.

The monitor traffic originated from those self IP addresses might be affected and pool member flapping symptoms might appear in the logs as well.

Conditions:
- The device has at least one non-floating self IP sitting in a VLAN group.
- The device is a member of a Device Group.
- The device's role is standby.

Impact:
Monitoring traffic from the standby unit might be affected, and pool member's status might not be tracked properly.

Workaround:
None.


631334 : TMSH does not preserve \? for config save/load operations

Component: TMOS

Symptoms:
TMSH strips the escape characters for literal strings '\?' to be '?' in ltm monitor send/recv strings.

Conditions:
This condition manifests whenever the send/recv string in ltm monitor contains '\?'.

Impact:
This causes the BIG-IP to load incorrect monitor send/recv strings.

Workaround:
None.


631172-2 : GUI user logged off when idle for 30 minutes, even when longer timeout is set

Component: TMOS

Symptoms:
GUI user is auto-logged off when idle for 30 minutes, even though the configured idle timeout is longer.

Conditions:
User logged in to the GUI and idle for 20-30 minutes.

Impact:
User is logged out of the GUI.

Workaround:
None.


630661-1 : WAM may leak memory when a WAM policy node has multiple variation header rules

Component: WebAccelerator

Symptoms:
When a WAM policy node has multiple variation header rules, a memory leak occurs upon evaluation of each request.

Conditions:
WAM policy with node utilizing multiple variation header rules.

Impact:
Potential per-request memory leakage driven by client traffic.

Workaround:
The only workaround is to ensure that individual WAM policy nodes have fewer than two header variation rules.


630610-4 : BFD session interface configuration may not be stored on unit state transition

Component: TMOS

Symptoms:
'bfd session' statements missing in ZebOS 'running-config'.

Conditions:
State transitions from online to offline.

Impact:
The BFD configuration is missing from the ZebOS running config, and no BFD sessions are established.

Workaround:
Re-add statements manually.


629834-3 : istatsd high CPU utilization with large number of entries

Component: TMOS

Symptoms:
With a large number of istats entries, statsd uses a large amount of CPU time to process istats.

Conditions:
This occurs when there is a large number of istats entries in iRules.

Impact:
istats processing is slow. CPU utilization by istatsd is high.

Workaround:
Reduce the number of istats entries. Periodically purge the istats entries if possible.


629499-3 : tmsh show sys perf command gives an error "011b030d:3: Graph 'dnsx' not found"

Component: TMOS

Symptoms:
When you run the command tmsh show sys perf, you get an error:
011b030d:3: Graph 'dnsx' not found

This can also occur with other tmsh commands related to performance statistics, like show sys perf dnssec and show sys perf dnsexpress.

Conditions:
The exact trigger is not known; it is caused by a timing issue that occurs during system initialization of a multi-blade chassis.

Impact:
Certain tmsh sys perf commands fail to work and give an error.

Workaround:
Restart statsd on all blades once the chassis is up, e.g. run "bigstart restart statsd" on each blade.


629207 : TMSH output shows dtca.crt certificate-key-size is 1

Component: TMOS

Symptoms:
TMSH output shows dtca.crt certificate-key-size is 1, but the correct value should be 2048. This appears to be a cosmetic bug only, as OpenSSL shows the correct key size.

Conditions:
Running the command tmsh list cm cert dtca.crt.

Impact:
Shows dtca.crt certificate-key-size is 1, but the correct value should be 2048. This is a cosmetic issue only.

Workaround:
Use OpenSSL to see the correct key size.


629033-1 : BIG-IP should send SHA1 in supported signature hash algorithm last (clientside / Server Hello).

Component: Local Traffic Manager

Symptoms:
BIG-IP should send SHA1 in supported signature hash algorithm last (clientside / Server Hello). Instead, the BIG-IP system is sending SHA1 signature algorithms in the Server Hello first.

Conditions:
clientside / Server Hello.

Impact:
Minimal. SHA1 algorithms are listed first and they should be last.

Workaround:
None.


628202-1 : Audit-forwarder can take up an excessive amount of memory during a high volume of logging

Component: TMOS

Symptoms:
During a period where a lot of data is logged (such as the loading of a large configuration), audit_forwarder can use up a large amount of memory.

Conditions:
audit_forwarder is used with config.auditing.forward.type set to either "none" or "radius" and config.auditing set to "verbose" or "all".

Impact:
The excessive memory usage may result in processes getting restarted. Once the logging is done, audit_forwarder will not release all of the used memory.

Workaround:
Setting config.auditing value to "enable" or "disable" will slow or stop the excessive memory usage.


628180-3 : DNS Express may fail after upgrade

Component: Global Traffic Manager (DNS)

Symptoms:
TMM may not answer DNSX zones without TMM restart / DNSX zone refresh on upgrade.

Conditions:
Upgrading from previous version.

Impact:
DNS Express may fail after upgrade.

Workaround:
Restart TMM, or force TMM to reload the DNS express database by running "tmsh load ltm dns dns-express-db".


627760-1 : gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card

Component: TMOS

Symptoms:
When running gtm_add from one BIG-IP system to another, if the system being added already has the same DNSSEC key (dictated by DNSSEC key name), and you synchronize the FIPS card, then the FIPS card is wiped out (as expected), but the key is not re-added.

Conditions:
-- There is an existing DNSSEC key on one system.
-- A second system has a DNSSEC key of the same name.
-- Run gtm_add, with instructions to synchronize FIPS cards.

Impact:
No DNSSEC key of that name is present on FIPS card.

Workaround:
None.


627385 : Could not add new account in Citrix receiver for mac v12.3.0

Component: Access Policy Manager

Symptoms:
A new account cannot be added in Citrix Receiver for Mac version 12.3.0. It displays the error "Could not detect the specified account".

Conditions:
BIG-IP APM is used in either integration mode with StoreFront or replacement mode, and a new account is added in Citrix Receiver for Mac v12.3.0.

Impact:
A new account cannot be added.

Workaround:
Attach this iRule to the virtual server:
when HTTP_REQUEST {
    set uri_path [string tolower [HTTP::path]]
    if { $uri_path == "/vpn/index.html" } {
        set cookie "pwcount=0;Secure;HttpOnly;Path=/"
        HTTP::respond 200 -version auto content "/vpn/cgi/login" noserver "Set-Cookie" $cookie
    }
}


626721-2 : "reset-stats auth login-failures" command for unknown users causes secondary mcpd processes to restart

Component: TMOS

Symptoms:
Running the command "tmsh reset-stats auth login-failures <username>" on a bladed system can cause the mcpd process to restart on secondary blades if the <username> is not an actual user on the system. The /var/log/ltm log file will contain error messages similar to:

Configuration error: Configuration from primary failed validation: 01020036:3: The requested username (username) was not found.... failed validation with error 16908342

Conditions:
This occurs on VIPRION systems when running the command for a user that doesn't exist on the other blades.

Impact:
mcpd processes on secondary blades restart, possibly causing loss of traffic and a failover (if in a device cluster).

Workaround:
Run the command "tmsh reset-stats auth login-failures <username>" using only valid usernames.


626589-3 : iControl-SOAP prints beyond log buffer

Component: TMOS

Symptoms:
When trace logging is turned on, iControl SOAP can potentially print text beyond its log buffer.

Conditions:
Logging for iControl SOAP is turned on with trace level.

Impact:
iControl-SOAP can print garbage to the /var/log/ltm log and can potentially lead to instability by reading beyond a buffer.

Workaround:
Do not enable trace-level logging (it is not enabled by default).


626577 : HTTP monitor log file is recreated after being deleted

Component: Local Traffic Manager

Symptoms:
HTTP monitor log file is recreated after being deleted.

Conditions:
If the HTTP monitor log file is deleted during normal execution, it will be recreated, which is inconsistent with the behavior of other monitors. Normally the file is not recreated until the process is restarted.

Impact:
Deleted HTTP monitor log file is recreated. There is no impact to the system overall.

Workaround:
None.


626434-3 : tmm may be killed by sod when a hardware accelerator does not work

Component: Local Traffic Manager

Symptoms:
tmm may hang and crash (killed by the switchover daemon, sod) when the Cavium hardware accelerator does not come back after being reset by the driver.

Conditions:
This is a rarely seen occurrence. It is triggered when the Cavium hardware accelerator stops working.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Power cycling the system might correct the error.


625892-4 : Nagle Algorithm Not Fully Enforced with TSO

Component: Local Traffic Manager

Symptoms:
Sub-MSS packets are more numerous than Nagle's algorithm would imply.

Conditions:
TCP Segmentation Offload is enabled.

Impact:
Sub-MSS packets increase overhead and client power consumption.

Workaround:
Disable TCP Segmentation Offload by running the following command:
tmsh modify sys db tm.tcpsegmentationoffload value disable


625832-3 : A false positive modified domain cookie violation

Component: Application Security Manager

Symptoms:
An unexpected modified domain cookie violation occurs on a system that has more than 127 policies configured.

Conditions:
This occurs when more than 127 policies are configured, the modified domain cookie violation is turned on, and there are enforced cookies.

Impact:
A false positive violation.

Workaround:
Remove the modified domain cookie violation from blocking.


625824-4 : iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory

Component: TMOS

Symptoms:
iControl calls related to Management::KeyCertificate might leak memory slowly, which causes swap usage to increase continuously and might lead to exhaustion of swap space.

Conditions:
This occurs with the iControl command bigip.Management.KeyCertificate.certificate_export_to_pem.

Impact:
iControlPortal.cgi memory usage increases.

Workaround:
Restart httpd to reload the iControl daemon.


625807 : tmm cored in bigproto_cookie_buffer_to_server

Component: Local Traffic Manager

Symptoms:
TMM cores on SIGSEGV during normal operation.

Conditions:
It is not known exactly what triggers this, but it may be triggered when a connection is aborted in a client-side iRule. The following log signature may indicate that this is being triggered:

tmm3[11663]: 01220009:6: Pending rule <irule_name> <HTTP_REQUEST> aborted for <ip> -> <ip>

Impact:
Traffic disrupted while tmm restarts.


625671-1 : The diagnostic tool dnsxdump may crash with non-standard DNS RR types.

Component: Global Traffic Manager (DNS)

Symptoms:
If the dnsxdump diagnostic tool is run when the DNS Express database has a DNS resource record using a non-standard type, the process may crash providing incomplete diagnostic output.

Conditions:
Running dnsxdump with a DNS Express database containing non-standard resource record types.

Impact:
dnsxdump provides incomplete diagnostic output, stopping on the zone containing the resource record with the non-standard type.

Workaround:
This is primarily known to be caused by non-standard RR types created for WINS records. Removing the WINS records from the master nameserver will allow dnsxdump to work again after the next zone transfer.


625456-1 : Pending sector utility may write repaired sector incorrectly

Component: TMOS

Symptoms:
When the pendsect process detects a pending sector and performs a repair of that sector, incorrect data may be written to an incorrect location on the hard disk.
This may result in corruption of files on the BIG-IP volume that may not be detected for an indeterminate period of time after the pending sector was repaired.

When a pending sector is repaired, a message similar to the following is logged:
warning pendsect[17377]: Recovered Pending LBA:#########
(where ######### is the Logical Block Address of the repaired sector)

For more information on the pendsect utility, see:
SOL14426: Hard disk error detection and correction improvements

Conditions:
This may occur on BIG-IP appliances or VIPRION blades which contain hard disks which use 4096-byte physical sectors.

Currently-known affected platforms include:
BIG-IP 5000-/7000-series appliances
BIG-IP 10000-series appliances
VIPRION B4300 blades
VIPRION B2100 blades

Due to manufacturing changes and RMA replacements, additional platforms may potentially be affected.

The smartctl utility can be used to identify hard disks using 4096-byte physical sectors:

# smartctl --scan
/dev/sda -d scsi # /dev/sda, SCSI device

# smartctl -i /dev/sda | grep "Sector Size"

Affected:
Sector Sizes: 512 bytes logical, 4096 bytes physical

Not Affected:
Sector Size: 512 bytes logical/physical

Impact:
Potential corruption of unknown files on BIG-IP volumes.
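The smartctl check above identifies an exposed disk by the wording of its "Sector Size" line. As an added example that is not part of F5's text, the following POSIX shell function classifies that line so the check can be scripted across many devices; the two sample smartctl outputs are constructed here, and check_device (which runs smartctl if it is installed) is an assumed wrapper name.

```shell
#!/bin/sh
# Added example: classify a disk as affected by the 4096-byte physical sector
# condition (ID 625456-1) from the text of `smartctl -i <device>`.
# Output: "affected"     -> 512 bytes logical, 4096 bytes physical
#         "not-affected" -> 512 bytes logical/physical
#         "unknown"      -> no Sector Size line, or an unrecognised format

classify_sector_size() {
    # $1: full smartctl -i output as one string
    # `|| true` keeps a missing line from aborting callers that use `set -e`
    line=$(printf '%s\n' "$1" | grep -i 'Sector Size' || true)
    if [ -z "$line" ]; then
        echo unknown
        return 0
    fi
    case "$line" in
        *4096*physical*)                  echo affected ;;
        *logical/physical*|*512*physical*) echo not-affected ;;
        *)                                echo unknown ;;
    esac
}

# Assumed wrapper: run smartctl on a real device, e.g. check_device /dev/sda
check_device() {
    if command -v smartctl >/dev/null 2>&1; then
        classify_sector_size "$(smartctl -i "$1" 2>/dev/null)"
    else
        echo unknown
    fi
}

# Constructed sample outputs, shaped like the Affected / Not Affected lines above
AFFECTED_SAMPLE='Device Model:     EXAMPLE-DISK-A
Sector Sizes:     512 bytes logical, 4096 bytes physical'

NOT_AFFECTED_SAMPLE='Device Model:     EXAMPLE-DISK-B
Sector Size:      512 bytes logical/physical'

classify_sector_size "$AFFECTED_SAMPLE"      # affected
classify_sector_size "$NOT_AFFECTED_SAMPLE"  # not-affected
```

A result of "affected" only means the disk geometry matches the condition; whether a repair has already written bad data cannot be determined from smartctl, which is why the entry lists no workaround.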


625198-4 : TMM might crash when TCP DSACK is enabled

Component: Local Traffic Manager

Symptoms:
TMM crashes

Conditions:
All of the following are required to see this behavior:

- DSACK is enabled.
- MPTCP, rate-pace, tail-loss-probe, and fast-open are disabled.
- cmetrics-cache-timeout is set to zero; congestion control is high-speed, new-reno, reno, or scalable; AND Nagle is not set to 'auto'.
- An iRule exists that changes any of the conditions above besides DSACK.
- Various client packet combinations interact in certain ways with the iRule logic.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Change any of the conditions above.


624917-2 : First few handshakes fail after chassis/appliance reboot when using HSM

Component: Local Traffic Manager

Symptoms:
After rebooting with an HSM configured, you notice the first few handshakes fail, with the following error signature in /var/log/ltm:

warning tmm3[13085]: 01260009:4: Connection error: info tmm3[13085]: 01260013:6: ssl_hs_vfy_sign_srvkeyxchg:9921: sign_srvkeyxchg (80)
1260013:6: SSL Handshake failed for TCP <src> -> <dest>

Conditions:
This occurs on the first few connections after reboot when an HSM is configured, and seems to occur if the device does not immediately pass traffic after reboot.

Impact:
The initial SSL connections will fail, then normal operation will resume.

Workaround:
None.


624909-4 : Static route create validation is less stringent than static route delete validation

Component: TMOS

Symptoms:
When creating a static route the BIG-IP ensures that there is a self-IP on the same interface, but does not check to make sure that there is a self-IP on the same interface that uses the same IP protocol (IPv4 vs. IPv6). If the route is created with only self-IPs that use different IP protocols, then the system will not allow you to delete any self-IPs on the same interface as the static route.

Conditions:
Using a static route that has one IP protocol on a given interface along with self-IPs that, while on the same interface, use a different IP protocol.

Impact:
Unable to delete certain self-IPs.

Workaround:
To delete the self-IPs you can either:

1) Delete the static route.
or
2) Create a self-IP on the same interface using the same IP protocol as the static route.


624692-1 : Certificates with ISO/IEC 10646 encoded strings may prevent certificate list page from displaying

Component: TMOS

Symptoms:
The SSL Certificate List page displays "An error has occurred while trying to process your request.", or certificate information cannot be viewed via iControl/REST.

Conditions:
Certificate with multi-byte encoded strings.

Impact:
Unable to view certificate list page or view certificate information via iControl/REST.


624626-2 : Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility

Component: TMOS

Symptoms:
You cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility, which returns an error message similar to the following example:

01020036:3: The requested Certificate File (/Common/example.crt) was not found

Conditions:
The presence of SSL certificates and keys created without the .crt and .key extensions. This might have happened, for example, if the SSL certificates and keys were created using the tmsh utility.

Impact:
Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility.

Workaround:
You can use the tmsh utility to delete affected SSL certificates and keys. You would use commands similar to the following example:

tmsh delete sys crypto cert example
tmsh delete sys crypto key example


624616-4 : Safenet uninstall is unable to remove libgem.so

Component: Local Traffic Manager

Symptoms:
When uninstalling Safenet client 6.2 from a BIG-IP chassis, it cannot remove libgem.so and generates the following error:

rm: cannot remove `/usr/lib64/openssl/engines/libgem.so': Read-only file system.

Conditions:
This can be triggered when uninstalling the safenet client using the command safenet-sync.sh -u.

Impact:
Uninstall is unable to complete.

Workaround:
None.


623930-1 : vCMP guests with vlangroups may loop packets internally

Component: TMOS

Symptoms:
If a vlangroup is configured within a vCMP guest, under some circumstances unicast packets may be looped between the switchboard and the BIG-IP guest. This is most likely to occur when the guest is part of an HA pair.

Conditions:
vCMP guest, vlangroups.

Impact:
High CPU utilization and potentially undelivered packets.

Workaround:
Correctly configure proxy ARP excludes on the vlangroup and increase the FDB timeout by setting the vlan.fdb.timeout database key to a larger value such as 3600.


623536-5 : SNMP traps for TCP resets sent due to maintenance mode enabled may not be sent

Component: TMOS

Symptoms:
Due to a syntax issue in /etc/alert/alertd.conf, the SNMP traps that should notify of RSTs sent because maintenance mode is on are not sent.

Conditions:
- Reset cause logging and maintenance mode are enabled.
- An SNMP trap destination is configured and routable.

Impact:
SNMP traps are not sent.

Workaround:
Adding a custom trap to /config/user_alert.conf with escaped characters works around the issue:

alert BIGIP_IP_REJECT_MAINT_MODE_FIX "RST sent from (.*) Maintenance mode \(all VIP\/SNAT\/Proxy connections disabled\)" {
   snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.34"
}


623391-2 : cpcfg cannot copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size

Component: TMOS

Symptoms:
cpcfg fails with errors similar to:

Getting configuration from HD1.2
info: Copying configuration to HD1.1
info: Applying configuration to HD1.1
info: >++++ result:
info: Extracting manifest: /var/local/ucs/config.ucs
info: /: Not enough free space info: 739487744 bytes required
info: 259965952 bytes available
info: /var/local/ucs/config.ucs: Not enough free disk space to install!
info: Operation aborted.

Conditions:
Using cpcfg with a UCS that is larger than the free space on the root filesystem of the target volume set.

Impact:
You cannot use cpcfg to copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size.

Workaround:
Run the following commands to fix /etc/mtab on the target before running cpcfg (HD1.3 is used in this example; substitute the correct target volume):
- volumeset -f mount HD1.3
- grep HD1.3 /proc/mounts | sed 's_/mnt/HD1.3_/_g;s_//_/_g' > /mnt/HD1.3/etc/mtab
- volumeset -f umount HD1.3


623371-4 : After changing from remote auth to local auth, if SSH keys are used, SSH attempts from nonexistent users result in a connection closed

Component: TMOS

Symptoms:
When attempting to ssh in as a nonexistent user using an SSH keypair, the connection closes.

Conditions:
1. Configure SSH keypair for passwordless login.
2. Set auth source to a remote type such as RADIUS, TACACS+, LDAP, Active Directory.
3. Set auth source back to local.
4. Attempt to ssh to BIG-IP using keypair as a user that does not exist in the BIG-IP local user directory.

Impact:
User does not see expected password prompt.

This can be used to check which usernames are valid on the BIG-IP system, but it requires SSH keys.

Workaround:
None known.


623367-3 : When RADIUS remote authentication is enabled, a nonexistent user is able to ssh into the BIG-IP if they present the root's key.

Component: TMOS

Symptoms:
It is possible to log in to the BIG-IP using root's keypair as a user that does not exist on either the BIG-IP or the RADIUS server.

Conditions:
1. Configure SSH keypair for passwordless login on the BIG-IP system.
2. Enable RADIUS auth on the BIG-IP system.
3. Attempt to ssh in to the BIG-IP as a user which does not exist on either the BIG-IP or the RADIUS server, using the keypair.

Impact:
With root's SSH keys, a login as a nonexistent user succeeds.

Workaround:
Set the default remote role to something other than admin.


623336-1 : After an upgrade, the old installation's CA bundle may be used instead of the one that comes with the new version of TMOS

Component: TMOS

Symptoms:
When installing a new version of TMOS, the installer will choose the bundle by looking at the current installation and what came with the target version, choosing the newer one. This check is performed incorrectly, and the old bundle may accidentally be chosen.

Conditions:
This happens when /config/ssl/ssl.crt/ca-bundle.crt in the old version contains an RCS revision number near the top of the file, and the newer TMOS version does not contain a revision number. (This is a change in the format of the file generated by the organization providing F5 with this bundle.)

Impact:
Upgrades to versions that ship the "non-RCS" files will incorrectly retain the ca-bundle.crt from the previous version, instead of keeping the newer ca-bundle.crt that shipped with the target version.

This can result in certificate verification failures (e.g. for an OCSP stapling profile), or a BIG-IP creating an inconsistent/incomplete certificate chain for a virtual server.

Workaround:
On every device affected by this, or on every blade in a VIPRION system affected by this:

1. Update /config/ssl/ssl.crt/ca-bundle.crt with the version that ships with this software version:
   cp /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt

2. Reboot the system and clear the MCPD binary database. Refer to SOL13030, but essentially:
    touch /service/mcpd/forceload && reboot

3. After reboot, verify that the two files match (they should have the same checksum):
   md5sum /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt


623265-1 : UCS upgrade from v10.x to v11.4.x or later incorrectly retains v10.x ca-bundle.crt

Component: TMOS

Symptoms:
Inconsistent CA certificate chain creation, or certificate validation/verification when verification occurs against /config/ssl/ssl.crt/ca-bundle.crt.

Conditions:
A system is upgraded from v10.x to v11.x/v12.x, or a v10.x UCS is restored onto a v11.x/v12.x system.

Impact:
Inconsistent ca-bundle.crt upgrade/UCS load handling can lead to odd, non-deterministic behavior between devices, even within an HA pair or cluster of devices. Non-determinism increases because ca-bundle.crt does not ConfigSync (and appears not to sync across blades in a chassis).

For example, on one device, the BIG-IP system might construct and send a full certificate chain in an SSL Server Hello, when ca-bundle.crt is specified as a Client SSL profile's 'chain', but on its peer, if the peer is using an older/inconsistent ca-bundle, the peer might be unable to construct a full certificate chain.

Workaround:
On every device affected by this, or on every blade in a VIPRION system affected by this:

1. Update /config/ssl/ssl.crt/ca-bundle.crt with the version that ships with this software version:
   cp /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt

2. Reboot the system and clear the MCPD binary database. Refer to AskF5 article K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030), but essentially:
    touch /service/mcpd/forceload && reboot

3. After reboot, verify that the two files match (they should have the same checksum):
   md5sum /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt


622619-2 : BIG-IP 11.6.1 - "tmsh show sys log <item> range" can kill MCPD

Component: TMOS

Symptoms:
MCPD CPU utilization is high, rendering it unresponsive.

Conditions:
A ranged log query where the log files are excessively large, e.g., 1 GB uncompressed.

Impact:
MCPD is killed due to being unresponsive, which restarts multiple daemons.

Workaround:
Lower the logging level, thereby decreasing the size of the file which must be parsed.


622260 : Some TCP connections do not work when hardware syncookies are being issued and certain options are enabled

Component: Local Traffic Manager

Symptoms:
On BIG-IP 11.5.x, approximately 50% of TCP connections have all of their packets dropped when hardware syncookies are being issued and certain other features are enabled.

Conditions:
An 11.5.x version of the BIG-IP is in use on the system, the platform supports hardware syncookies, hardware syncookies are being issued, and the sys db TM.TCPProgressive is set to "mptcp" or "negotiate". If the sys db TM.TCPProgressive is set to "negotiate", the issue will occur only if the above conditions and any one of the following conditions applies to the TCP profile attached to the virtual server:
1. MPTCP is enabled.
2. Rate pacing is enabled.
3. Congestion control is not reno, new-reno, high-speed, or scalable.

Impact:
Approximately 50% of connections will have all of their packets dropped when hardware syncookies are being issued.

Workaround:
Any of the following actions will mitigate this issue:
1. Disable hardware syncookies.
2. Set sys db TM.TCPProgressive to "enable" or "disable". This will have performance implications and may disable some TCP features.
3. If sys db TM.TCPProgressive is set to "negotiate", set the following options on the TCP profile as follows:
a. Disable MPTCP.
b. Disable rate pacing.
c. Set congestion control to reno, new-reno, high-speed, or scalable.


622183-2 : The alert daemon should remove old log files but it does not.

Component: TMOS

Symptoms:
When the utilization of the log filesystem goes above the configuration setting 'sys db logcheck.alertthres' (default 90%), it is intended that the alert daemon should delete old log files. It does not.

Conditions:
System activity generates a high number of log messages, and/or a user puts large files in /var/log.

Impact:
The log filesystem may become completely full, and new log messages cannot be saved.


622148-1 : Flow-generated ICMP error messages need to consider which side of the proxy they are on

Component: Local Traffic Manager

Symptoms:
When generating an error message from a flow, the ICMPv6 code does not check which side the message needs to be crafted for.

Conditions:
Error handling.

Impact:
As a result, the generated ICMP error message might contain the wrong addressing.

Workaround:
None.


622017-7 : Performance graph data may become permanently lost after corruption.

Component: Local Traffic Manager

Symptoms:
During an upgrade, system reboot or restart of the statsd daemon, if a performance graph /var/rrd/*.info file is corrupt, the system is expected to back up the performance data before replacing it and starting with new empty graph data. It is then possible to manually recover the previous performance data.

However, if the /shared/rrd.backup directory already exists, the system restarts the performance graph with new data without backing up the previous data.

Conditions:
During startup of the statsd daemon (such as after an upgrade or reboot), the issue occurs if the following two conditions are present:
* The /var/rrd/<filename>.info files are corrupt (CRC value does not match contents).
* The /shared/rrd.backup directory exists.

Impact:
The previous performance graph data is not displayed, and is no longer available for manual recovery.

Workaround:
Old performance graph data can be extracted from the var/rrd directory of a QKView taken prior to the beginning of the problem.


621909-6 : Uneven egress trunk distribution on 5000/10000 platforms with odd number of trunk members

Component: TMOS

Symptoms:
When a trunk on the BIG-IP 5000 or 10000 platforms has an odd number of members, the traffic distribution to those interfaces will be unbalanced. Some interfaces will see more traffic than others.

Conditions:
This can occur for two reasons:
-- Purposefully configuring an odd number of members.
-- A port goes down in a trunk that has an even number of members.

Impact:
Uneven traffic distribution.

Workaround:
None.


621855 : TMM could use a lot of memory when an iRule calls parking command under AUTH events

Component: Local Traffic Manager

Symptoms:
TMM memory usage keeps growing and, depending on the situation, TMM may eventually crash.

Conditions:
iRule calls parking commands under AUTH events.

Impact:
TMM memory usage keeps going up. Traffic disrupted while tmm restarts.

Workaround:
Replace the AUTH usage with the APM module, which is the preferred solution.


621843-2 : the ipother proxy is sending icmp error messages to the wrong side

Component: Local Traffic Manager

Symptoms:
The ipother proxy error handling sends ICMP error messages down the wrong side of the proxy. When a client-side error occurs, the error message is sent to the server side.

Conditions:
Error handling of the ipother proxy.

Impact:
ICMP error messages show up on the wrong side.

Workaround:
None.


621736-2 : statsd does not handle SIGCHLD properly in all cases

Component: Local Traffic Manager

Symptoms:
- Performance graphs are not updating or are nonexistent.
- proc_pid_stat shows statsd time not increasing
- Top also shows that statsd is not taking any processor time.

In fact, statsd is stuck on a wait in a signal handler.

Conditions:
If statsd receives a SIGCHLD signal it will get stuck and not process anything.

The following can trigger the issue:

- rm -rf /shared/rrd.backup
- sed -i "s/^#CRC.*$/#CRC $RANDOM/" /var/rrd/throughput.info
- kill -HUP $(pgrep -f /usr/bin/statsd)

Impact:
No performance graphs are collected / generated

Workaround:
Restart statsd:
 - bigstart restart statsd


621452-4 : Connections can stall with TCP::collect iRule

Component: Local Traffic Manager

Symptoms:
Connection does not complete

Conditions:
A TCP::collect command with two arguments defers collection beyond the first client message, which should be sufficient to produce a response.

The Initial Sequence number in the SYN is < 2^31.

The first received packet after the SYN carries data.

Impact:
Connection fails.


621314-1 : A mirror-enabled SCTP virtual may cause extremely high memory usage on tmm on standby

Component: Local Traffic Manager

Symptoms:
If an SCTP virtual server has HA mirroring enabled, the send buffer on the standby may have extremely high memory usage until the connflows are released.

Conditions:
SCTP virtual server is mirror enabled.

Impact:
TMMs will have high memory usage on standby device.

Workaround:
Disable mirroring on the SCTP virtual server.


621284-2 : Incorrect TMSH help text for the 'max-response' RAMCACHE attribute

Component: WebAccelerator

Symptoms:
The TMSH help text for the 'max-response' RAMCACHE attribute incorrectly states that for the default value of 0 (zero) unlimited cache entries are allowed. In reality the number of cache entries is limited to 10.

Conditions:
Invoking the TMSH man/help page on RAMCACHE.

Impact:
Incorrect TMSH help text

Workaround:
N/A


621273-5 : DSR tunnels with transparent monitors may cause TMM crash.

Component: TMOS

Symptoms:
The TMM may crash if the BIG-IP system is configured with a DSR tunnel with a transparent monitor.

Conditions:
The BIG-IP system is configured with a DSR tunnel with a transparent monitor and the DB variable tm.monitorencap is set to "enable".

Impact:
Traffic disrupted while tmm restarts.


621259-1 : Config save takes long time if there is a large number of data groups

Component: TMOS

Symptoms:
Config save takes a long time to complete.

Conditions:
This occurs when there is a large number (~2000) of data-group objects in the configuration.

Impact:
When the save takes longer than 90 seconds, iControl SOAP times out.
This makes it impossible to manage the device via EM.


620969-2 : iControl doesn't give correct valid key sizes for FIPS keys on BIG-IP 5250, 7200F, 10200F, and 11050F platforms running the Cavium Nitrox XL FIPS cards.

Component: TMOS

Symptoms:
Using get_valid_key_sizes() to query the valid key sizes returns 1024, which is not valid when the FIPS firmware is version 2.2 or above.

Conditions:
FIPS firmware is version 2.2 or above.

Impact:
Unsupported key-size is returned.


620958 : TMM crash with assertion failure of pkt type not already ETHERTYPE_ARP

Component: Local Traffic Manager

Symptoms:
tmm crashes repeatedly on SIGSEGV during normal operation.

Conditions:
It is not known exactly what triggers this, but the following log signature is seen in /var/log/ltm:
warning tmm[6659]: 01190004:4: address conflict detected for <ip> (<mac>) on vlan <vlan>

Where <ip> is the self IP, and <mac> is the MAC address of the peer BIG-IP device.

Impact:
Traffic disrupted while tmm restarts.


620829-3 : Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly

Component: Access Policy Manager

Symptoms:
JavaScript code with literal object definition containing field names equal to reserved keywords is not handled correctly by Portal Access.

Conditions:
JavaScript code with literal object definition containing fields with reserved keywords as a name, for example:

var a = { default: 1, continue: 2 };

Impact:
JavaScript code is not rewritten and may not work correctly.

Workaround:
None.


620658 : Existence of /mprov_firstboot with vcmp can set improper tmmcount

Component: TMOS

Symptoms:
During start-up, tmm may go into a restart loop and never come up fully.

Conditions:
This can occur on both the vCMP host and guest, usually during the first or second boot of the upgraded software. The existence of /mprov_firstboot and a provision.tmmcountactual set to an incorrect value is an indication that this is occurring.

Impact:
Traffic disrupted while tmm restarts.
tmm on the host goes into a restart loop due to lack of memory. Signature in the log files is similar to "notice Too small memsize (90) -- need at least 136 MB"

tmm on the guests cores with tmm log entries:
notice panic: vdag failed to attach
notice ** SIGFPE **


620346-1 : When auto-refresh is enabled on the statistics screen for wideip / pools, it refreshes to the wrong screen.

Component: Global Traffic Manager (DNS)

Symptoms:
When the page refreshes, it loads the wideip statistics screen, rather than the wideip pool statistics screen.

Conditions:
Have a wide IP with pools, visit the statistics page, and click "view detail" under the "Pools" column with auto-refresh enabled.

Impact:
The user cannot view updated statistics for that particular page, because it cannot be auto-refreshed.

Workaround:
Clicking the << Back button and then "view detail" again updates the page statistics.


620215-2 : TMM out of memory causes core in DNS cache

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM crashes and service is lost until it restarts. You may see several "aggressive mode sweeper" messages in /var/log/ltm prior to the crash.

Conditions:
This can occur when the TMM memory is exhausted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Provision sufficient memory for the TMM or reduce load.


619879-4 : HTTP iRule commands could lead to WEBSSO plugin being invoked

Component: Access Policy Manager

Symptoms:
With SSO logs set to 'Debug' in Access log configuration, the following log messages are seen in '/var/log/apm':
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: constructor
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: webssoContext constructor ...
Sep 30 12:46:17 bigip3900mgmt err websso.3[14520]: 014d0005:3: Unsupported SSO Method
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: ctx: 0x914b510, SERVER: TMEVT_REQUEST
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: ctx: 0x914a718, CLIENT: TMEVT_ABORT_PROXY
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: webssoContext destructor ...
Sep 30 12:46:17 bigip3900mgmt debug websso.3[14520]: 014d0001:7: webssoConfig destructor

With 'rstcause' enabled, the following log message is seen in '/var/log/ltm':
Sep 30 12:46:17 bigip3900mgmt err tmm2[13116]: 01230140:3: RST sent from 172.17.90.92:57611 to 127.0.0.1:10001, [0x24ccbbc:820] Internal error (APM::WEBSSO requested abort (Unsupported SSO Method))

Conditions:
HTTP::disable followed by HTTP::enable.

when CLIENT_ACCEPTED {
    HTTP::disable
    # do some other stuff
    HTTP::enable
}

Impact:
The client receives an HTTP 503 reset.

Workaround:
When the access profile is added to the virtual server, the websso plugin profile is automatically added. Manually removing the websso plugin fixes this bug.


619854 : Duplicate entry for bigipPb200 in F5-BIG-IP-SYSTEM-MIB

Component: TMOS

Symptoms:
Duplicate error when loading F5-BIG-IP-SYSTEM-MIB into the SNMP manager.

Conditions:
Loading F5-BIG-IP-SYSTEM-MIB into the SNMP manager.

Impact:
F5-BIG-IP-SYSTEM-MIB fails to load into the SNMP manager.

Workaround:
Change

bigipPb200 OBJECT IDENTIFIER ::= { sysDeviceModelOIDs 19 }

to

bigipViprion4 OBJECT IDENTIFIER ::= { sysDeviceModelOIDs 19 }

in the F5-BIG-IP-SYSTEM-MIB.


619849-1 : In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled.

Component: Local Traffic Manager

Symptoms:
TMM crashes with a SIGABRT (killed by sod)

Conditions:
TCP (full proxy) virtual servers that are handling traffic and have verified-accept enabled in their TCP profiles.

This issue occurs extremely rarely.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
Disable verified-accept in the TCP profile.


619811-5 : Machine Cert OCSP check fails with multiple Issuer CA

Component: Access Policy Manager

Symptoms:
If there are multiple CAs in the CA bundle and the issuing CA is not the first one, the OCSP responder returns an "unauthorized" response.

Conditions:
This can only happen when the issuing CA is not first in the CA file.

Impact:
The OCSP check on the machine cert fails and the user cannot follow the Successful branch in the access policy. This might result in an authentication failure even though the machine cert is valid.

Workaround:
Use an iRule Event agent and a Variable Assign agent between the Machine Cert and OCSP Auth agents.

Follow these steps:

iRule:

1) Loop through the CA bundle until you find the certificate whose subject matches the issuer of the machine cert.
2) Set this issuer cert in "session.check_machinecert.last.cert.issuer.cert".

Variable Assign:

3) Read this issuer cert from the session db and assign it back to the same session variable:

session.check_machinecert.last.cert.issuer.cert = expr { [mcget -nocache {session.check_machinecert.last.cert.issuer.cert}] }


619528-3 : TMM may accumulate internal events resulting in TMM restart

Component: Local Traffic Manager

Symptoms:
Under some uncommon circumstances, long-lived connections may cause internal events to be accumulated causing excessive memory usage potentially resulting in TMM restarting.

Conditions:
HTTP virtual with long-lived connections.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
The issue can be mitigated by setting the HTTP 'max-requests' profile option to a reasonably low value - this value will depend on application requirements.


619398-3 : TMM out of memory causes core in DNS cache

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM crashes and service is lost until it restarts. You may see several "aggressive mode sweeper" messages in /var/log/ltm prior to the crash.

Conditions:
This can occur when the TMM memory is exhausted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Provision sufficient memory for the TMM or reduce load.


619210 : [FIPS] High CPU usage (11.5.4) or memory error messages (11.6.1) during stress test using FIPS keys

Component: TMOS

Symptoms:
When running a stress test (for example, using the Apache Bench tool) that aggressively connects to a virtual server whose clientSSL profile uses a FIPS key:

in 11.5.4, you may observe high CPU usage with the "top" command and "Clock advanced" messages in the ltm log;

in 11.6.1, the 11.5.4 symptoms are not seen, but the ltm log prints a sequence of ERR_MEMORY_ALLOC_FAILURE messages at the beginning of the stress test.

Conditions:
1. The connection to the virtual server is using a clientSSL profile whose SSL key is a FIPS key.
2. The connection that uses the FIPS key is triggered very frequently (such as in a stress test). For example, from the client side, it runs this Apache Bench command "ab -c 1000 -n 1000000 https://10.10.10.100/" to test the virtual server.

Impact:
When these connections consume too much CPU, the performance of other tasks on the system can suffer.

Workaround:
When this issue occurs, you can try to mitigate it by any method that restricts FIPS key usage in SSL connections. For example, do not make the clientSSL profile with the FIPS key the default clientSSL profile of the virtual server, and add more non-FIPS clientSSL profiles to the virtual server, so that connections are not always handled by the FIPS key.


619158-3 : iRule DNS request with trailing dot times out with empty response

Component: Global Traffic Manager (DNS)

Symptoms:
The DNS request takes about 20 seconds to respond and the response is empty.

Conditions:
An iRule uses RESOLV::lookup or NAME::lookup to resolve a domain name that ends with a dot.

Impact:
The request does not properly resolve to an IP address.

Workaround:
Strip the trailing dot from the domain name before calling RESOLV::lookup or NAME::lookup.


618905-2 : tmm core while installing Safenet 6.2 client

Component: Local Traffic Manager

Symptoms:
tmm cores while installing the Safenet 6.2 client.

Conditions:
Safenet 6.2 client installation.

Impact:
Traffic disrupted while tmm restarts.


618771-3 : Some Social Security Numbers are not being masked

Component: Application Security Manager

Symptoms:
ASM does not block or mask some Social Security numbers.

Conditions:
The Data Guard feature is turned on and set to Block, Alarm or Mask, and the response contains Social Security numbers in specific ranges.

Impact:
The traffic passes to the end client neither masked nor blocked.

Workaround:
None.


618693-1 : Web Scraping session_opening_anomaly reports the wrong route domain for the source IP

Component: Application Security Manager

Symptoms:
When a web scraping attack of the session opening anomaly type is detected, an attack start/end event is shown in /var/log/asm and in the GUI under Security :: Event Logs : Application : Web Scraping Statistics. The event's "source ip" field should include the route domain, but for "session opening anomaly" the route domain is always zero (for example, 127.0.0.1%0), even when a non-zero route domain is configured.

Conditions:
Route domain is configured and a web scraping attack event triggers.

Impact:
Incorrect route domain field is shown in the GUI and /var/log/asm.

Workaround:
None. This is a cosmetic error; the system uses the correct route domain.


618657-5 : Bogus ICMP unreachable messages in PEM with ipother profile in use

Component: Policy Enforcement Manager

Symptoms:
The ipother virtual server will send bogus ICMP unreachable messages caused by incorrect error handling in the PEM filter.

Conditions:
A virtual server with the ipother profile configured together with the PEM profile. In the field, the defect was seen when the classification profile was missing, but because the cause is code ordering, in unfixed versions it can also occur with the classification profile present.

Impact:
Unnecessary ICMP traffic.


618546-1 : ClientSSL profile could incorrectly inherit cert-key-chain objects from parent profile

Component: Local Traffic Manager

Symptoms:
Child clientSSL profile continues to inherit the cert-key-chain objects from parent clientSSL profile when it shouldn't.

Conditions:
Create a child clientSSL profile whose cert and key fields are inherited as defaults from the parent profile but whose chain field is changed. Make sure that no new cert-key-chain objects are added to the child profile.
In this case, because the chain field is changed, the child profile should not inherit any cert-key-chain objects from the parent, but it does.

Impact:
Child clientSSL profile continues to inherit the cert-key-chain objects from parent clientSSL profile when it shouldn't.


618463-1 : Artificially low route MTU can cause SIGSEGV core from monitor traffic

Component: Local Traffic Manager

Symptoms:
When configuring a monitor instance targeting an address reachable via a route with an artificially low route mtu, tmm can crash repeatedly.

Conditions:
A monitor instance targets an address reachable via a route with an artificially low MTU.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure the correct MTU on the route.


618319-2 : HA pair goes Active/Active, and reports peer as 'offline' if network-failover service is blocked

Component: TMOS

Symptoms:
All members of a Sync/Failover Device Group report 'Active' for all traffic-groups, and 'Offline' for all peers. Configuration sync works appropriately.

Conditions:
This can occur if the network failover configuration is incorrect. Each device should have multiple network failover addresses (either unicast or multicast) configured, and any self-IPs configured as unicast addresses must not block the configured unicast UDP source-port (default value: 1026).

If this port is blocked, the devices cannot exchange failover status information.

Impact:
When devices cannot reach the failover address of their peer devices, failover traffic is not processed correctly and each device becomes active for all traffic groups. This results in duplicate IP addresses on the network for the objects in the traffic groups, which causes a disruption of service.

Workaround:
Ensure that the 'allow-service' parameter for the self-IP address includes the configured network-failover port.

Normally this is done with 'allow-service { default }' if using the default list, or an explicit entry can be used with 'allow-service { udp:1026 }'.


618104-4 : Connection Using TCP::collect iRule May Not Close

Component: Local Traffic Manager

Symptoms:
The BIG-IP never sends a TCP FIN in response to a client FIN.

Conditions:
A finite TCP::collect iRule is in progress.

This is repeatable in the debug kernel; in the default kernel, there has to be execution delay in a CLIENT_DATA iRule.

Impact:
The connection does not close until the sweeper causes a RST.

Workaround:
Adding a TCP::close command to a CLIENT_DATA iRule may work.


618024-4 : software switched platforms accept traffic on lacp trunks even when the trunk is down

Component: Local Traffic Manager

Symptoms:
On software switched platforms, tmm-owned LACP trunks still accept traffic even though the trunk is down from the control plane (LACP status down).

Conditions:
LACP trunk with status down.

Impact:
VLAN failsafe timers are erroneously reset, so VLAN failsafe is broken.

Workaround:
None.


617841 : Using iControl REST to create ucs archive results in a "500 internal server error" response when unit has ASM provisioned

Component: Application Security Manager

Symptoms:
Using iControl REST to create a UCS archive results in a "500 internal server error" response when the unit has ASM provisioned.
However, the UCS file does get created.

Conditions:
ASM provisioned.

Impact:
BIG-IP returns a 500 internal server error; however, the UCS file does get created.

Workaround:
N/A


617658 : Attack Signature Update with only 1 active policy logs "Please apply policy" error message

Component: Application Security Manager

Symptoms:
Attack Signature Update on a device with only a single active policy will log the following error message:

"There are too many Security Policies using outdated attack signatures. Please apply policy on all Security Policies."

This occurs even if "Auto Apply New Signatures Configuration After Update" is checked.

Conditions:
Attack Signature Update on a device with only a single active policy.

Impact:
Benign error posted. The error message has no functional impact and can be safely ignored.

Workaround:
None.


617628-3 : SNMP reports incorrect value for sysBladeTempTemperature OID

Component: TMOS

Symptoms:
SNMP reports incorrect value for sysBladeTempTemperature OID, while TMSH reports the corresponding value correctly.

# snmpwalk -v2c -c public localhost .1.3.6.1.4.1.3375.2.1.3.2.4.2.1.2.8.1
F5-BIGIP-SYSTEM-MIB::sysBladeTempTemperature.8.1 = Gauge32: 4294967245

# tmsh show sys hardware

Sys::Hardware
Blade Temperature Status
  Slot Index Lo Limit(C) Temp(degC) Hi Limit(C) Location
...
  1 8 0 -48 0 Blade CPU #1 TControl Delta tem
...

The negative "Blade CPU #1 TControl Delta" temperature is being incorrectly reported as a large positive temperature by SNMP.

Impact:
A negative temperature may be incorrectly reported by SNMP as an impossibly high positive value.

Workaround:
Use tmsh show sys hardware to view blade temperatures. Negative temperatures are properly reported.

config # tmsh show /sys hardware
Sys::Hardware
Blade Temperature Status
  Slot Index Lo Limit(C) Temp(degC) Hi Limit(C) Location
  1 1 0 19 49 Blade air outlet temperature 1
  1 2 0 14 41 Blade air inlet temperature 1
  1 3 0 21 57 Blade air outlet temperature 2
  1 4 0 16 41 Blade air inlet temperature 2
  1 5 0 25 60 Mezzanine air outlet temperatur
  1 6 0 27 72 Mezzanine HSB temperature 1
  1 7 0 17 63 Blade PECI-Bridge local tempera
  1 8 0 -48 0 Blade CPU #1 TControl Delta tem
  1 9 0 25 68 Mezzanine BCM56846 proximity te
  1 10 0 22 69 Mezzanine BCM5718 proximity tem
  1 11 0 19 57 Mezzanine Nitrox3 proximity tem
  1 12 0 16 46 Mezzanine SHT21 Temperature


617316 : Desktop title is garbled for Citrix Storefront integration mode with non-sta configuration

Component: Access Policy Manager

Symptoms:
Desktop launched from browser or from native receiver has garbled title.

Conditions:
Citrix StoreFront integration mode through APM with no STA configured, and a double-byte character set (such as Japanese) in use on the backend.

Impact:
Desktop title is not shown properly.

Workaround:
None


616838-1 : Citrix Remote desktop resource custom parameter name does not accept hyphen character

Component: Access Policy Manager

Symptoms:
Adding a custom parameter to a Citrix resource gives a parse error such as the following:

01070734:3: Configuration error: apm resource remote-desktop /Common/ctx_resource: Parse error on line 1: DesktopViewer-ForceFullScreenStartup=On"

Conditions:
A Citrix resource with a custom parameter whose name contains a hyphen.

Impact:
Custom parameter names cannot contain a hyphen.

Workaround:
None


616021-4 : Name Validation missing for some GTM objects

Component: TMOS

Symptoms:
BIG-IP fails to load GTM Configurations where names of some objects contain a control character.

Conditions:
User creates a GTM object with a control character in the name.

Impact:
Causes the config to fail to load.

Workaround:
Remove control characters from names before creating GTM objects.


615970-3 : SSO logging level may cause failover

Component: Access Policy Manager

Symptoms:
SSO logging level may cause failover.

Conditions:
SSO logging level set to "Debug".

Impact:
TMM may crash. Core file may be generated.

Workaround:
Lower the SSO log level from "Debug" to either "Info" or "Notice".


615696 : TMM crash during AVR data cleaning timer

Component: Application Visibility and Reporting

Symptoms:
TMM crashes during the AVR data cleaning timer.

Conditions:
Root cause is not clear; cannot reproduce issue.

Impact:
TMM crash, BIG-IP is not transferring data until TMM restarts.

Workaround:
N/A


615553-2 : Reverse/transparent setting reverting to disabled on child monitor

Component: Local Traffic Manager

Symptoms:
The child monitor fails, and its reverse/transparent setting reverts to disabled.

Conditions:
Parent monitor with reverse/transparent enabled and child monitor with reverse/transparent disabled.

Impact:
The child monitor begins to fail when the configuration is re-loaded.

Workaround:
Make sure child and parent monitors have the same reverse/transparent setting. Or don't use a custom monitor as a parent if you want to modify reverse/transparent settings.


615522-1 : VDI crashes while responding to clients with multiple VDI threads running

Component: Access Policy Manager

Symptoms:
A VDI crash dump is seen in the /var/core/ directory on the BIG-IP system while VDI resources are being accessed.

Conditions:
A VDI profile is attached to a virtual server, and VDI resources are used from a webtop or from a native client.

Impact:
VDI access is interrupted.

Workaround:
None.


614493-3 : BIG-IP reset on ePVA accelerated flow may contain stale TCP window information.

Component: TMOS

Symptoms:
Reset sent by BIG-IP system on ePVA accelerated active flows might contain stale sequence number and ACK number, which might be out of the receiver's valid RST window.

Conditions:
For example, a server-side pool member down event causes the BIG-IP system to reset all client flows on that pool member. If these flows are actively offloaded to ePVA under heavy traffic at the time the pool member goes down and the reset is sent, the SEQ/ACK numbers known to the BIG-IP software might not be current, so the RST is encoded with the most recent SEQ/ACK numbers the software is aware of.

Impact:
The receiver might ignore these RSTs if they fall outside its valid window, and must then rely on its TCP idle or keepalive timeout to clean up these connections. This is standard TCP stack behavior.

Workaround:
None.


614486-4 : BGP community lower bytes of zero is not allowed to be set in route-map

Component: TMOS

Symptoms:
The bgpd process does not accept community attributes that contain values of the form ASN:0.

Conditions:
Set the BGP community value to a value of the form ASN:0.

Impact:
If you attempt to configure a BGP daemon community attribute with a value of the form ASN:0, the system does not set the community value. This could also affect upgrades from older versions to a version that does not support community values of the form ASN:0.

Workaround:
None


614364 : Linux client NA components cannot be installed using either the sudo password or the root password

Component: Access Policy Manager

Symptoms:
Linux client Network Access components cannot be installed in the Firefox browser using either the sudo password or the root password. The issue occurs because the version reported is incorrect, and after installation the version on the machine still does not match the version reported by the server.

Conditions:
Firefox web browser, NPAPI plugins, Network Access on Linux distributions.

Impact:
Installation and update of the web browser plugin for Network Access fails.


613912 : SSID filter may cause excessive buffering and high CPU

Component: Local Traffic Manager

Symptoms:
CPU usage increases along with excessive buffering of a significant amount of data.

Conditions:
High CPU with a huge amount of data buffered up, while SSL persistence is in use.

Impact:
Can slow down the system.


613415-5 : Memory leak in ospfd when distribute-list is used

Component: TMOS

Symptoms:
Memory might be leaked when a distribute-list is used to filter routes between OSPFv2 and the Routing Information Base (RIB). The leak may lead to the daemon being terminated via the oom-killer.

Conditions:
OSPFv2 in use with a distribute-list, and Link State Advertisements (LSAs) in the database whose prefixes will be filtered by the distribute-list.

Impact:
ospfd may leak memory until the system terminates the process via the oom-killer.

Workaround:
Position the BIG-IP system in the network so there are no LSAs that need to be filtered using a distribute-list, such as in a stub area.


613095 : Text description in Edge client UI may be clipped in some languages

Component: Access Policy Manager

Symptoms:
Text strings in the Edge client UI may be clipped in some languages, because the width of the UI control is not large enough to accommodate some strings translated into a non-English language.

Conditions:
This can be seen in the Edge client using the French translation.

Impact:
Usability impact. Cannot see complete description.

Workaround:
None.


613088-2 : pkcs11d thread has session initialization problem.

Component: Local Traffic Manager

Symptoms:
pkcs11d does not initialize, especially in the secondary slot(s). SafeNet connections cannot be established on the secondary blades.

Conditions:
This occurs when SafeNet is configured on a VIPRION chassis.

Impact:
When this occurs, BIG-IP is unable to establish SafeNet connections from the secondary blades.

Workaround:
None.


613079-1 : Diameter monitor watchdog timeout fires after only 3 seconds

Component: Local Traffic Manager

Symptoms:
The Diameter monitor has a 3-second timeout that overrides the interval and timeout settings configured for the monitor.

Conditions:
A Diameter monitor must be configured.

Impact:
If the Diameter server takes longer than 3 seconds to reply to requests, it will be marked down.

Workaround:
None.


613045-2 : Interaction between GTM and 10.x LTM results in some virtual servers marked down

Component: Global Traffic Manager

Symptoms:
Some GTM virtual servers are never marked up when interacting with 10.x LTM.

Conditions:
1. On a GTM server, with autoconf off, manually create a virtual server that is using translated IP/port and either no LTM virtual server name or an incorrect LTM virtual server name.
2. Make sure the LTM virtual server is available.

Impact:
On the GTM side, that LTM virtual server will never get marked up.

Workaround:
None.


612721 : FIPS: .exp keys cannot be imported when the local source directory contains .key file

Component: TMOS

Symptoms:
*.exp exported FIPS keys cannot be imported from local directory when the directory contains any file named *.key with matching name. For example, if the directory /shared/abc/ contains an exported FIPS key named xyz.exp and another file named xyz.key, the user will fail to import xyz.exp as a FIPS key into the system.

Conditions:
When the local source directory of the exported FIPS key (xyz.exp) also contains a file with matching name (xyz.key).

Impact:
Unable to import the FIPS key.

Workaround:
Remove the same name *.key file from the local directory before importing the FIPS exported key *.exp.


612086-1 : Virtual server CPU stats can be above 100%

Component: Advanced Firewall Manager

Symptoms:
The CPU usage is reported as above 100%.

Conditions:
It is not known exactly what triggers this.

Impact:
The reported CPU usage values are invalid and do not properly report the actual CPU usage. The invalid values will be visible in results from tmsh commands, SNMP OID messages, and also in the GUI.

Workaround:
Use top to see the actual CPU usage, or tmctl to examine the stats for the individual CPUs.


611691-2 : Packet payload ignored when DSS option contains DATA_FIN

Component: Local Traffic Manager

Symptoms:
The payload of a packet is ignored when an MPTCP DSS option has DATA_FIN set.

Conditions:
A packet contains both a payload and an MPTCP DSS option with DATA_FIN set. This has been observed when uploading files from a Linux client to a server.

Impact:
The last packet of data is not received.

Workaround:
Disable MPTCP.


611669-3 : Mac Edge Client customization is not applied on macOS 10.12 Sierra

Component: Access Policy Manager

Symptoms:
The Mac Edge Client's icon, application name, company name and other items can be customized on the BIG-IP system before deployment to end users' machines. On macOS 10.12 Sierra, however, this customization is not applied to the Mac Edge Client.

Conditions:
macOS Sierra 10.12, Edge client, customization.

Impact:
Mac Edge Client customization is not applied on macOS 10.12 Sierra. There should be no functional impact, except that the user sees the default application appearance.

Workaround:
Run the following command in Terminal and relaunch the Edge client:
$ defaults write -globalDomain AppleLanguages -array "en" "en-US"


611485-6 : APM AAA RADIUS server address cannot be a multicast IPv6 address.

Component: Access Policy Manager

Symptoms:
In the 13.0.0 release, support for AAA RADIUS direct IPv6 is added. However, validation will prevent using a multicast address for AAA radius IPv6 address. If you upgrade from a previous version to this version, you will see a validation error when the configuration loads.

Conditions:
The validation error occurs if APM AAA RADIUS address is an IPv6 multicast address on BIG-IP version 13.0.0 and beyond.

Impact:
Support for AAA RADIUS direct IPv6 is added in BIG-IP version 13.0.0, and the new validation affects only IPv6 multicast addresses. Any working IPv4 configuration is not affected by this validation.

Workaround:
Multicast IPv6 addresses are not supported for direct IPv6 RADIUS; ensure that you are using unicast addresses.


611278-1 : Connections to a BIG-IP system's Self-IP address may fail when the VLAN cmp-hash is altered

Component: Local Traffic Manager

Symptoms:
On a BIG-IP system belonging to a Sync or Sync-Failover Device Group, you encounter intermittent Device Group errors during normal operation. This can include the device status flipping from Offline to In Sync, or actual sync errors on a manual or automatic config sync. You may also see iQuery errors in the logs of BIG-IP GTM systems.

Conditions:
This issue is known to occur on BIG-IP systems belonging to a Sync or Sync-Failover Device Group where the config sync VLAN cmp-hash mode is set to something other than default.

Impact:
Intermittent sync status or occasional config sync failures.

Workaround:
Ensure that the config sync IP is on a VLAN that has the cmp-hash mode set to default.


611161-2 : VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.

Component: Local Traffic Manager

Symptoms:
VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.

Conditions:
VLAN failsafe configured on a non-default cmp-hash VLAN.
When the VLAN failsafe situation occurs and the generated ARP requests are not answered, VLAN failsafe resorts to ICMP.

Impact:
There are very rare situations in which failsafe triggers when it should not.

Workaround:
None.


611054-4 : Network failover "enable" setting is sometimes ignored on chassis systems

Component: TMOS

Symptoms:
The failover device group network-failover attribute has no effect on chassis systems. The high availability subsystem continues to send network failover packets, and continues to operate normally, even if this is set to "disable".

Conditions:
This only affects chassis systems. On appliances, the setting takes effect, causing all devices to become Active simultaneously.

Impact:
System appears to failover normally even when the configuration is incorrect; however, if the system contains more than one traffic-group, the next-active calculation and other failover features do not function correctly.

Workaround:
Enable network-failover in the sync-failover device-group.


610417-4 : Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported.

Component: TMOS

Symptoms:
When adding a device to the trust, the SSL connection can use insecure ciphers. It also uses the undesirable TLSv1 protocol instead of negotiating the highest and safest protocol available, TLSv1.2.

If the peer device is configured to use only TLSv1.1 or TLSv1.2, device trust is not established.

Conditions:
This exists when configuring devices in a device cluster.

Impact:
Unable to configure stronger ciphers for device trust.

If the peer device is modified to not use TLSv1.0, it is impossible to establish Device Trust.

Workaround:
None.


610302-3 : Link throughput graphs might be incorrect.

Component: Local Traffic Manager

Symptoms:
The link throughput performance graphs available in the GTM, DNS or Link Controller modules might show the throughput for the wrong link in the graph.

Conditions:
Multiple links exist and one of the links has a name that is a prefix for the name of one or more other links.

For example, there are two links defined and named "mylink" and "mylink2".

Impact:
The graphs for all links that contain the prefix might show the throughput for the link whose name matches the prefix.

For example, the throughput graphs for both "mylink" and "mylink2" might show the throughput data for "mylink".

As a result of this issue, the historical link throughput data is gathered and stored incorrectly. This data is used to generate the throughput graphs.

Workaround:
Do not create links where the name of one link forms a prefix for the name of other links.


609772-2 : Tilde character does not work on GET requests via iControl REST

Component: TMOS

Symptoms:
When issuing an iControl REST GET request to a URL that contains a tilde (~), for example when specifying a folder, the REST call will return an error.

Conditions:
This occurs when performing an iControl REST GET request to any URL that contains a tilde character in the path name.

Impact:
iControl REST will respond with an error.

Workaround:
None.


609244-7 : tmsh show ltm persistence persist-records leaks memory

Component: Local Traffic Manager

Symptoms:
A small memory leak is detected when running the following command: tmsh show ltm persistence persist-records.

Conditions:
This occurs when running tmsh show ltm persistence persist-records.

Impact:
The memory leak is small; however, if the command is run constantly, the memory growth can become large.

Workaround:
None.


609199-2 : Debug TMM produces core when an MPTCP connection times out while a subflow is trying to join

Component: Local Traffic Manager

Symptoms:
If an MPTCP connection times out while a subflow is still performing the three-way handshake, the TMM produces a core. This only affects the debug TMM, not the default one.

Conditions:
An MPTCP connection times out while a subflow is still performing the three-way handshake with MP_JOIN. This only affects the debug TMM.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable MPTCP.


609186-1 : TMM or MCP might core while getting connections via iControl.

Component: TMOS

Symptoms:
When getting the connections list over iControl using System.Connections.get_list(), TMM or MCP cores or exits.

Conditions:
Using iControl to view all connections, and there is a very large number of connections (1 million or more) in the list.

Impact:
TMM or MCP may core or exit. Traffic disrupted while tmm restarts.

Workaround:
None.


609119-3 : Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3:

Component: TMOS

Symptoms:
Occasionally the logging system prints out a blank message, similar to the following example:

-- err mcpd[19114]: 01070711:3:

For this log statement, there is text associated with the error in the bigip_mcpd_error_defs.in file, so something should be logged.

Conditions:
The problem is the result of an exception handler issue in mcpd's File Object validator. The damaged logs can come from anywhere in mcpd, but appear only after a File Object configuration change fails validation. If the problem occurs, it will happen only once per validation error. The damage caused by the exception handler is automatically corrected when the system rewrites the log.

Impact:
Except for the missing log text, the state and behavior of the BIG-IP system is unaffected.

Workaround:
None. The problem corrects automatically when the system rewrites the log.


609107-3 : mcpd does not properly validate missing 'sys folder' config in bigip_base.conf

Component: TMOS

Symptoms:
If a 'sys folder' is manually removed from bigip_base.conf, and the config is then reloaded, mcpd does not produce any warning or error messages, and allows the config to load.

Conditions:
A folder is removed from a previously valid configuration file.

Impact:
The configuration becomes inconsistent between devices in the same device-group: the devices show as in-sync when they are not, and the configuration fails to load after mcpd has been reset.

Workaround:
Do not remove folders from the configuration file.


608348-1 : Config sync after deleting iApp f5.citrix_vdi.v2.3.0 could leave an extra tunnel object on synced system

Component: TMOS

Symptoms:
After deleting an iApp build from the f5.citrix_vdi.v2.3.0 template then running a config sync, the system that received the sync could have a tunnel object left over which should have been deleted.

Running 'tmsh load sys config verify' after this sync would give the following error.
01070734:3: Configuration error: The object (Tunnel /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect) is owned by a non-existent application (/Common/test-citrix-app-svc.app/test-citrix-app-svc).
Unexpected Error: Validating configuration process failed.

Conditions:
This occurs when the iApp has been deployed in a sync group, then the iApp is deleted, then a config sync is initiated.

Impact:
Config validation fails, and you must delete the tunnel manually.

Workaround:
On the system that received the sync, edit /config/bigip_base.conf to remove the following objects (replace "test-citrix-app-svc" with the name of the deleted iApp):
a. vlan from net route-domain: /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect
b. net fdb tunnel /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect
c. net tunnels tunnel /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect


607961-5 : Secondary blades restart when modifying a virtual server's route domain in a different partition.

Component: TMOS

Symptoms:
Secondary blades restart when modifying a virtual server's route domain in a different partition. This log signature is in /var/log/ltm before the secondaries restart: err mcpd[1255]: 0107004d:3: Virtual address (/stef/1.1.1.1%0) encodes IP address (1.1.1.1) which differs from supplied IP address field (1.1.1.1%1).

Conditions:
- Only happens on chassis.
- Route domains created on each device.
- Route domain assigned to a new partition after they were created.

Impact:
Traffic disrupted while secondary blades restart.

Workaround:
None.


607360-3 : Safenet 6.2 library missing after upgrade

Component: Local Traffic Manager

Symptoms:
After upgrading BIG-IP, a symbolic link is missing to the core Safenet library.

Conditions:
This occurs when a BIG-IP installation with Safenet 6.2 already installed is upgraded.

Impact:
Safenet 6.2 is not functional.

Workaround:
Reinstall Safenet 6.2, or run the following command on all blades of the BIG-IP system after the installation:

ln -sf /shared/safenet/toolkit/libgem.so /usr/lib64/openssl/engines/libgem.so


607246-1 : Encrypted cookie insert persistence with fallback may not honor cookie after fallback expires

Component: Local Traffic Manager

Symptoms:
You notice erratic persistence behavior when you set cookie persistence to "required" in your cookie persistence profile.

Conditions:
Encrypted cookie persistence with fallback, where the fallback persistence has a reasonably short timeout, such that a request containing a valid cookie is handled after the fallback entry has expired.

Impact:
Persistence fails after fallback expired.

Workaround:
Change cookie-encryption to 'preferred', which allows persistence on either an encrypted or a decrypted cookie.


607166-4 : Hidden directories and files are not synchronized to secondary blades

Component: Local Traffic Manager

Symptoms:
Hidden directories and files (those whose filenames start with '.') that are created on primary blade are not synced to secondary blades.

Existing hidden files that are edited on the primary blade are not synced to secondaries.

Conditions:
Multi-bladed system.

Impact:
The most common uses of hidden files are per-user shell configuration and history.

Workaround:
Manually copy configuration files onto other blades.


606799-4 : GUI total number of records not correctly initialized with search string on several pages.

Component: TMOS

Symptoms:
GUI total number of records not correctly initialized with search string on several pages.

Conditions:
Searching on the Data Group File List, iFile List, and lw4o6 File Object List pages.

Impact:
GUI shows that there are two pages, but advancing to the second page shows empty page.

Workaround:
Avoid searching in the Data Group File List, iFile List, and lw4o6 File Object List pages to view all items.


606330-1 : The BIG-IP system does not accept BGP connection requests when using peer-groups and no default address family.

Component: TMOS

Symptoms:
The BIG-IP system does not accept incoming or initiate outgoing BGP connections when using peer-groups and no default address family.

Conditions:
BGP configured with 'no bgp default ipv4-unicast' and neighbors configured using a peer group that's explicitly activated for IPv4.

Impact:
The BGP connection to any neighbor in the peer group will not come up until 'clear ip bgp' is run on the neighbor or tmrouted is restarted.

Workaround:
Clear the BGP neighbor after changing the configuration.


605840-1 : HSB receive failure lockup due to unreceived loopback packets

Component: TMOS

Symptoms:
HSB reports a lockup due to a receive failure. Analysis of the HSB receive/transmit rings indicate that this is a false positive. Loopback packets were successfully transmitted, but not received, resulting in the receive failure. /var/log/ltm contains this signature: notice *** TMM 9 - PDE 19 - receive failure ***

Conditions:
Unknown.

Impact:
The unit is rebooted.

Workaround:
None.


605800-1 : Web GUI submits changes to multiple pool members as separate transactions

Component: TMOS

Symptoms:
You notice an unusually high amount of sync traffic when changing many pool members at once. In extreme cases, mcpd may run out of memory and crash.

Conditions:
When looking at a list of pool members, it is possible to choose to view many pool members at once, and you can then select them all and enable or disable them with one press of a button. Rather than sending all of the operations in a single transaction, the GUI code updates each pool member one by one. When there are a lot of pool members and auto-sync is being used, this can cause race conditions that can generate a large number of transactions going from the local machine to the remote machine.

Impact:
This can cause an unusually high amount of sync traffic to occur between devices in the sync group with auto-sync enabled. In extreme cases this can cause mcpd to crash and traffic is disrupted while mcpd restarts.

Workaround:
If you frequently need to enable/disable many pool members at once, there are a couple of options:
1. You can switch to manual sync during this operation.
2. You can minimize the number of pool members that are altered at once. The issue was observed when changing over 300 pool members at once.


605792-5 : Installing a new version changes the ownership of administrative users' files

Component: TMOS

Symptoms:
Installing a new version changes the ownership of administrative users' files to a different, nonzero UID.

Conditions:
A user is an administrative user who has advanced shell (bash) access and custom files in their home directory.

Impact:
Low in most cases, since the administrative user can still access most files. One exception is that SSH requires that the authorized_keys file be owned by the user ID in question. This is 0 when a user has an administrative role, so the authorized_keys file will be ignored and a password will still be required for login.

Workaround:
Run the following command, substituting a different filename as needed: chown 0 /home/theuser/.ssh/authorized_keys.


605775 : Config sync fails after creating local user matching previously logged in remote user

Component: TMOS

Symptoms:
After a remote user logs in to a BIG-IP system that is a member of an HA group, if a local user account is created with a name that matches the remote user, config sync fails attempting to sync the local user account to other devices in the HA group.

Conditions:
1. A remotely authenticated user logs in to a BIG-IP HA member.
2. An administrator user creates a local user account on the same BIG-IP HA member with a name that matches the previously logged-in remote user.

This problem has been observed using TACACS remote authentication, but is expected to occur with other remote authentication methods as well.

Impact:
Unable to sync device groups.

Workaround:
1. To avoid this error, create the local user on a different HA member, where the remote user has not previously logged in.

2. To recover from this error:
(a) Delete the newly-created local user from the same HA member where it was created:
    tmsh del auth user <new-local-user-name>
(b) Save current config:
    tmsh save sys config file <recovery-config-filename.scf>
(c) Recover the device group sync status:
    tmsh run cm config-sync recover-sync
(d) Restore the saved config:
    tmsh load sys config file <recovery-config-filename.scf>


605616-4 : Creating 256 Fundamental Security policies will result in an out of memory error

Component: Application Security Manager

Symptoms:
An ASM out-of-memory error occurs when 256 Fundamental security policies are created.

Conditions:
Create 256 fundamental security policies.

Impact:
Out of memory error.

Workaround:
None.


604923-2 : REST id for Signatures change after update

Component: Application Security Manager

Symptoms:
The REST id of existing signatures is unexpectedly modified after updating a User-Defined Signature, or after downloading an Attack Signature Update (ASU) that modifies existing signatures.

Conditions:
A User-Defined Signature is updated, or an ASU containing updated signatures is downloaded.

Impact:
The REST id of the modified signatures is changed which may confuse REST clients.

Workaround:
Execution of the following script will repair an affected device:

perl -MF5::Utils::Rest -MF5::DbUtils -MF5::ASMConfig::Entity::Signature -e '$dbh = F5::DbUtils::get_dbh(); $dbh->begin_work(); $dbh->do("UPDATE PLC.NEGSIG_SIGNATURES SET rest_uuid = \"\" "); F5::Utils::Rest::populate_uuids(dbh => $dbh, rest_entities => ["F5::ASMConfig::Entity::Signature"]); $dbh->commit();'


604893-1 : ComplexType child elements in XML schema cannot have different values set in "fixed" attribute

Component: Application Security Manager

Symptoms:
Within the XML schema definition, multiple child elements under a ComplexType cannot have different values set in "fixed" attribute.

Conditions:
Multiple child elements under a ComplexType in an XML schema are defined with different values set in "fixed" attribute.

Impact:
Subsequent elements are validated incorrectly with the initial element's definition.

Workaround:
Remove "fixed" attribute for subsequent elements in schema definition.


604880-1 : tmm assert "valid pcb" in tcp.c

Component: Local Traffic Manager

Symptoms:
tmm panic tcp.c:2435: Assertion "valid pcb" failed

Conditions:
Unknown.

Impact:
Traffic disrupted while tmm restarts.


604272-3 : SMTPS profile connections_current stat does not reflect actual connection count.

Component: Local Traffic Manager

Symptoms:
SMTPS profile connections_current stat does not reflect actual connection count.

Conditions:
This occurs if you have an SMTPS virtual server configured.

Impact:
profile_smtps_stat.connections_current rises over time and does not reflect the actual number of active SMTPS connections.


603550-4 : Virtual servers that use both FastL4 and HTTP profiles at same time will have incorrect syn cache stats.

Component: Local Traffic Manager

Symptoms:
Virtual server remains in syncookie mode even after the syn flood stops.

As a result of this issue, you might see the following symptoms:
-- Virtual servers that use both FastL4 and HTTP profiles might show incorrect 'Current SYN Cache' stats.

-- Virtual stats 'Current SYN Cache' does not decrease.

Conditions:
This issue occurs when the configuration contains a virtual server that uses FastL4 as a filter (for example, one that has both a FastL4 profile and a layer 7 (HTTP) profile) and a SYN flood is sent to that virtual server.

Impact:
The virtual server stays stuck in syncookie mode after the synflood is over, and does not recover.

Workaround:
None.


603380-3 : Very large number of log messages in /var/log/ltm with ICMP unreachable packets.

Component: Local Traffic Manager

Symptoms:
With ICMP unreachable packets, every packet generates a log message in /var/log/ltm. This results in a very large number of log messages, which takes up space without providing additional information.

Conditions:
ICMP unreachable packets.

Impact:
Very large number of log messages in /var/log/ltm.

Workaround:
None.


603293-2 : Incorrect handling of L4 Dynamic ACL when it is processed together with L7 ACLs

Component: Access Policy Manager

Symptoms:
L4 Dynamic ACL is not applied to incoming traffic when assigned in combination with L7 ACL.

Conditions:
APM supports a combination of L7 ACL and L4 ACL to be assigned to one session. When L7 ACLs are assigned with higher priority than L4 ACLs, the processing of L4 ACLs is automatically deferred until L7 information is available. The issue here is that when none of L7 ACLs with higher priority match with the traffic, L4 ACL is incorrectly marked to be applied only to HTTP traffic. Therefore if the incoming traffic is not HTTP, for example, HTTPS, then this particular dynamic L4 ACL is bypassed.

Impact:
L4 Dynamic ACL is not applied correctly.

Workaround:
If possible, reorder the ACLs so that L4 ACLs have higher priority than L7 ACLs; or, to prevent the issue from occurring, avoid assigning L7 ACLs if they are not needed.


603236-3 : 1024 and 4096 size key creation issue with SafeNet 6.2 with 6.10.9 firmware

Component: Local Traffic Manager

Symptoms:
Creating 1024- and 4096-bit keys fails when the SafeNet client version installed on the BIG-IP system is 6.2 and the SafeNet appliance firmware is 6.10.9.

Conditions:
-- SafeNet appliance: 6.2.
-- SafeNet client: 6.2.
-- SafeNet firmware: 6.10.9.

Impact:
Cannot create 1024- or 4096-bit RSA keys.

Workaround:
None.


603092-2 : "displayservicenames" does not apply to show ltm pool members

Component: TMOS

Symptoms:
The db variable bigpipe.displayservicenames does not apply to the 'show ltm pool members' tmsh command.

Conditions:
This occurs when running tmsh show ltm pool members with bigpipe.displayservicenames enabled.

Impact:
The IP address is displayed, but the service name is not.


602566-3 : sod daemon may crash during start-up

Component: TMOS

Symptoms:
The sod daemon produces a core file during start-up.

Conditions:
sod encounters an error during start-up and attempts to recover.

Impact:
sod restarts.


602366-3 : Safenet 6.2 HA performance

Component: Local Traffic Manager

Symptoms:
With a Safenet 6.2 HA setup, you see the performance of only one HSM.

Conditions:
Safenet 6.2 client is installed and Safenet HA is used.

Impact:
Only one HSM is used for the HA setup.

Workaround:
1. Add the primary HSM to the newly created HA group:
/shared/safenet/lunasa/bin/lunacm -c hagroup createGroup -serialNumber 464683014 -label ha_test -password <pw>

or

echo "copy" | /shared/safenet/lunasa/bin/lunacm -c hagroup createGroup -serialNumber 464683014 -label ha_test -password <pw>

2. Add the following HSM to the HA group:
/shared/safenet/lunasa/bin/lunacm -c hagroup addMember -serialNumber 470379014 -group ha_test -password <pw>

3. Enable HAOnly:
/shared/safenet/lunasa/bin/lunacm -c hagroup HAOnly -enable

To delete the HA group:
/shared/safenet/lunasa/bin/lunacm -c hagroup deleteGroup -label ha_test


602329-2 : syncookie header of HA channel mirror packets is not cleared

Component: Local Traffic Manager

Symptoms:
You notice that L7 connections on the standby unit are increasing and may not be cleared until the tcp timeout.

Conditions:
This can occur when using mirroring when syn cookies are enabled. It is more severe with hardware syn cookies but still occurs with software syn cookies.

Impact:
Connections increase unnecessarily on the standby unit.

Workaround:
Although it does not completely clear the condition, you can disable hardware syncookies to work around this problem.

In tmsh:
modify /ltm profile tcp <profile_name> hardware-syn-cookie disable


602326-2 : Intermittent pkcs11d core when installing Safenet 6.2 software

Component: Local Traffic Manager

Symptoms:
Sometimes pkcs11d produces a core file when the pkcs11d service is stopped or restarted.

Conditions:
bigstart issues "stop" to pkcs11d while pkcs11d is receiving a message.

Impact:
pkcs11d may core intermittently.

Workaround:
pkcs11d may restart automatically without intervention.


602193-1 : iControl REST call to get certificate fails if

Component: TMOS

Symptoms:
While using the iControl REST API, a call to /mgmt/tm/sys/crypto/cert results in a 400 or 500 error. The call to /mgmt/tm/sys/crypto/key works.

Conditions:
This can occur if any of the certificates contain non-UTF-8 characters.

Impact:
iControl REST API call will fail.

Workaround:
If possible, generate the certificate so that it contains only UTF-8 characters.


602136-2 : iRule drop command causes tmm segfault or still sends 3-way handshake to the server.

Component: Local Traffic Manager

Symptoms:
If you have a client-side iRule that drops a client-side connection, either tmm will segfault or the BIG-IP system still sends the SYN to the server, and then a RST. The reset cause will be 'TCP 3WHS rejected'.

Conditions:
Client-side iRule that drops a connection.

Impact:
TMM segfaults or the BIG-IP system still sends a SYN to the server.

Workaround:
None.


601709-4 : I2C error recovery for BIG-IP 4340N/4300 blades

Component: TMOS

Symptoms:
The I2C internal bus for the front switch on BIG-IP 4340N/4300 blades may not work.

Conditions:
This rarely happens.

Impact:
Corrupted serial number information from SFPs, and fiber SFPs may not come up.

Workaround:
bigstart restart bcm56xxd


601536-5 : Analytics load error stops load of configuration

Component: Application Visibility and Reporting

Symptoms:
After upgrading, the configuration fails to load and you see this log message: 01071ac1:3: Non-Comulative metric (max-request-throughput) cannot be calculated per single entity (pool-member).
Unexpected Error: Validating configuration process failed.

Conditions:
This can occur any time the analytics configuration was valid in a previous release and is no longer valid. For example, if you have an analytics profile set at pool-member granularity, it will load in 12.0.0 but will fail to load on 12.1.0 as granularity must be set at the virtual-server level, not the pool level.

Impact:
Configuration fails to load, will not pass traffic.

Workaround:
Fixing the configuration manually is the only option when this occurs. In the pool-member granularity example, you can check all your analytics profiles for granularity pool-member and set them to granularity virtual-server.


601414-3 : Combined use of session and table irule commands can result in intermittent session lookup failures

Component: TMOS

Symptoms:
[session lookup] commands do not return the expected result.

Conditions:
An iRule which combines use of [table] and [session lookup] commands.

Impact:
Intermittent session functionality.

Workaround:
If possible, use table commands in lieu of session commands.


601220 : Multi-blade trunks seem to leak packets ingressed via one blade to a different blade

Component: TMOS

Symptoms:
When a multi-blade B2100 deployment first starts up, or recovers from a chassis-wide force offline/release offline event, multi-blade trunks seem to leak packets ingressed via one blade back out the same trunk's member interfaces on other blades.

Conditions:
It seems intermittent and happens for only a few milliseconds.

Impact:
This may temporarily break the upstream switch L2 FDB and cause slight traffic redirection as the upstream switch will learn the source MAC of the gratuitous ARPing host from the same trunk the traffic was broadcast to.

Workaround:
There is no workaround.


601189-1 : The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode

Component: Local Traffic Manager

Symptoms:
The BIG-IP system might send TCP packets out of order in Fastl4 in syncookie mode.

Conditions:
-- Fastl4 VS.
-- syncookie mode.

Impact:
TCP packets are sent out of order.

Workaround:
None.


601180-3 : Link Controller base license does not allow DNS namespace iRule commands.

Component: Global Traffic Manager

Symptoms:
The Link Controller base license was improperly preventing DNS namespace iRule commands.

Conditions:
A Link Controller license without an add-on that allowed Layer 7 iRule commands.

Impact:
An administrator would not be able to add DNS namespace commands to an iRule, or to upgrade a pre-11.5 configuration in which the commands were working to 11.5.4 through 12.1.1.

Workaround:
To address the inability to upgrade, removal of DNS namespace commands from the configuration prior to upgrade will allow the upgrade to proceed. The commands will then be able to be re-added after a fixed version is installed.


601178-4 : HTTP cookie persistence 'preferred' encryption

Component: Local Traffic Manager

Symptoms:
When encryption is 'preferred' in the HTTP cookie persistence profile and the client presents a plaintext, route-domain-formatted cookie, the BIG-IP system ignores the cookie and re-load balances the connection.

Conditions:
This occurs when route-domain-compatible cookies are sent in plaintext.

Impact:
Cookie does not get accepted by the persistence profile and flow does not persist.


600944-4 : tmsh does not reset route domain to 0 after cd /Common and loading bash

Component: TMOS

Symptoms:
In tmsh, you are in a partition with a custom route domain. When you run 'cd /Common', then run bash and then 'ip route', the routing table from the previous partition is displayed, not that of /Common.

Conditions:
Attempting to see the route table from the /Common partition after leaving another partition.

Impact:
You cannot get /Common's route table back without quitting and restarting tmsh.

Workaround:
Quit tmsh and restart.


600593-5 : Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests

Component: Local Traffic Manager

Symptoms:
After a CONNECT request is sent to the BIG-IP system and processed, if the client disconnects before a response is received from the server, the FIN is not propagated to the server-side and that connection remains open. If a client sends another CONNECT request to the same destination, the previous server-side flow is reused for the new request. Inspection of packet captures reveals that the BIG-IP system does not process the new CONNECT request as such, but instead forwards it to the server using the old server-side flow. This behaviour is incorrect. The CONNECT method should disable connection reuse, and the BIG-IP should close the server-side flow if the client disconnects first.

Conditions:
Use of HTTP Explicit Proxy and OneConnect together. CONNECT requests must arrive to the virtual server. The client must disconnect before the server responds.

Impact:
Some connections may fail. Depending on what data is sent to the server over an unintended connection, unpredictable results may be experienced.

Workaround:
You can apply the following iRule to the HTTP Explicit Proxy virtual server to mitigate the issue:

when HTTP_PROXY_REQUEST {
   # CONNECT must not reuse an existing server-side flow; in Tcl the
   # "else" has to follow the closing brace on the same line
   if { [HTTP::method] equals "CONNECT" } {
      ONECONNECT::reuse disable
   } else {
      ONECONNECT::reuse enable
   }
}


600558-2 : Errors logged after deleting user in GUI

Component: TMOS

Symptoms:
After deleting a user in the BIG-IP GUI (under Access Policy :: Local User DB : Manage Users), the following symptoms may be observed:

1. After approximately 10 minutes, an error similar to the following appears in the LTM log (/var/log/ltm):

mcpd[25939]: 01070418:5: connection 0x5dde19c8 (user admin) was closed with active requests

This message may also appear in /var/log/webui.log and /var/log/tomcat/catalina.out.

2. After clicking Refresh, the GUI may not show the correct web page.

Conditions:
This has been reported most frequently when deleting local users (Access Policy :: Local User DB : Manage Users), but has been encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.

Impact:
Error messages logged.
GUI may not show the correct web page.

Workaround:
Use the CLI (tmsh) to delete local users.


600431-3 : DIAMETER::avp data get "id" ip4|ip6 errors on valid AVP

Component: Service Provider

Symptoms:
TCL error in /var/log/ltm that looks like 'error Buffer error invoked from within "DIAMETER::avp data get 257 ip4 index 0"'

Conditions:
iRule that extracts ip address from a diameter avp.

Impact:
The iRule ends with an error.

Workaround:
Instead of

set data [DIAMETER::avp data get 257 ip4]

use an iRule such as

if { [DIAMETER::avp count 257] > 0 } {
    set data [DIAMETER::avp data get 257]
    # the first two bytes of the AVP data are the big-endian address family
    binary scan $data S family
    switch $family {
        1 {
            # IPv4 address: the 4 bytes following the family field
            set ip [IP::addr parse -ipv4 $data 2]
            log local0. "ip = $ip"
        }
        2 {
            # IPv6 address: the 16 bytes following the family field
            set ip [IP::addr parse -ipv6 $data 2]
            log local0. "ip = $ip"
        }
        default {
            log local0.alert "address family $family is not supported"
        }
    }
}


598650-3 : apache-ssl-cert objects do not support certificate bundles

Component: TMOS

Symptoms:
The Traffic Management Shell (tmsh) documents command options for apache-ssl-cert objects that suggest that Apache SSL Certificates (apache-ssl-cert objects) support certificate bundles.
References to certificate bundles in context of the 'bundle-certificates', 'subject' and 'is_bundle' fields are in error, and should refer to single certificates only.
Apache SSL Certificates (apache-ssl-cert objects) do not actually support certificate bundles.
On BIG-IP v11.5.0 and later, attempting to create Apache SSL Certificate objects from a certificate bundle results in an error like the following:
01070712:3: Values (/Common/certificate_name) specified for Certificate Bundle Entity (/Common/certificate_name.0 /Common/certificate_name): foreign key index (certificate_file_object_FK) do not point at an item that exists in the database.

Conditions:
Attempting to create Apache SSL Certificate objects from a certificate bundle.

Impact:
Unable to create Apache SSL Certificate objects from a certificate bundle.


598498-6 : Cannot remove Self IP when an unrelated static ARP entry exists.

Component: TMOS

Symptoms:
Cannot remove a self-IP when an unrelated static ARP entry exists. The system produces an error similar to the following: err mcpd[6743]: 01071907:3: Cannot delete IP <addr> because it would leave a static neighbor (ARP/NDP) entry unreachable.

Conditions:
A static ARP entry exists, and there are no Self IP addresses on the same subnet as the static ARP entry. In this condition, none of the Self IP addresses can be deleted.

Impact:
Must delete static ARP entries in order to delete Self IP addresses.

Workaround:
None.


598289-1 : TMSH prevents adding pool members that have name in format <ipv4>:<number>:<service port>

Component: TMOS

Symptoms:
In TMSH, when trying to add a pool member that has name in the format of <ipv4>:<number>:<service port>, TMSH gives an error. It also corrupts bigip.conf.

Conditions:
-- Use TM Shell to load configuration.
-- ltm pools have members that have names in the format of <ipv4>:<number>:<service port>

Impact:
TMSH fails to load the system configuration file.

Workaround:
None.


598204-2 : In syncookie mode, TCP profile MSS is not honored when the BIG-IP system sends back the SYN-ACK.

Component: Local Traffic Manager

Symptoms:
In syncookie mode, TCP profile MSS is not honored when the BIG-IP system sends back the SYN-ACK.

Conditions:
This occurs when the following conditions are met:
-- TCP profile.
-- syncookie mode.

Impact:
A TCP virtual server might use bigger MSS in syncookie mode and not honor the MSS specified in the profile. Some configurations require a smaller MSS for certain virtual servers, rather than using the VLAN's MTU to calculate the MSS.

Workaround:
None.


597978-5 : GARPs may be transmitted by the active unit when going offline

Component: Local Traffic Manager

Symptoms:
GARPs may be transmitted by the active unit when it goes offline. Because the standby unit that takes over for the active unit also transmits GARPs, this is not expected to cause impact.

Conditions:
Multiple traffic-groups are configured and the active unit goes offline.

Impact:
It is not expected that this will cause any impact.

Workaround:
Make the unit standby before forcing offline.


597879-4 : CDG Congestion Control can lead to instability

Component: Local Traffic Manager

Symptoms:
Debug TMM crashes when the TCP congestion window allows an abnormally high or low congestion window. You can see this by looking at the bandwidth value in "tmsh show net cmetrics" if cmetrics-cache is enabled in the TCP profile.

Conditions:
Running the Debug TMM with CDG Congestion Control.

Impact:
Traffic disrupted while tmm restarts.
In the default TMM, the allowed sending rate will be abnormally high or low.

Workaround:
Use a congestion control algorithm other than CDG.

Switch to the default TMM.


597729-2 : Errors logged after deleting user in GUI

Component: TMOS

Symptoms:
After deleting a user in the BIG-IP GUI (under Access Policy :: Local User DB : Manage Users), the following symptoms may be observed:

1. After approximately 10 minutes, an error similar to the following may appear in the LTM log (/var/log/ltm):

mcpd[25939]: 01070418:5: connection 0x5dde19c8 (user admin) was closed with active requests

Such a message may also appear in /var/log/webui.log and /var/log/tomcat/catalina.out.

2. After clicking Refresh, the GUI may not show the correct web page.

Conditions:
It is possible that this error could be encountered when deleting local users (Access Policy :: Local User DB : Manage Users), and may theoretically be encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.

Impact:
Error messages logged.
GUI may not show the correct web page.

Workaround:
Use the CLI (tmsh) to delete local users.


597532-3 : iRule: RADIUS avp command returns a signed integer

Component: Local Traffic Manager

Symptoms:
iRules that process attribute-value pairs from RADIUS treat integers as signed when they should be treated as unsigned.

Conditions:
iRules using RADIUS::avp to retrieve data

Impact:
iRules using the RADIUS::avp command will not work as expected.

Workaround:
The result can be cast to an unsigned integer after obtaining the value, as follows:

ltm rule radius_avp_integer {
    when CLIENT_DATA {
        # Vendor-specific attribute (type 26); replace XXXXX and Y with the vendor-id and vendor-type in use
        set charid_integer [RADIUS::avp 26 "integer" index 0 vendor-id XXXXX vendor-type Y]
        # Mask to 32 bits so a negative (signed) result becomes the intended unsigned value
        set unsigned_charid_integer [expr {$charid_integer & 0xFFFFFFFF}]
    }
}

Note that tmm internally treats avp values as signed integers so this might not completely correct the issue.
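The signed/unsigned mismatch above is easiest to see on the wire. The following is an added example (not F5's code, and not the RADIUS::avp implementation) that builds a constructed RFC 2865 Vendor-Specific attribute (type 26) carrying one 32-bit integer sub-attribute, parses it back, and decodes the integer both ways. The vendor-id 12345 and vendor-type 7 are made-up sample values. `to_unsigned32` is the same mask the workaround iRule applies; the parser generalizes to a VSA with several sub-attributes and rejects truncated ones.

```python
import struct

VSA_TYPE = 26  # RADIUS Vendor-Specific attribute type (RFC 2865)


def build_vsa(vendor_id, vendor_type, value):
    """Constructed test data: a Vendor-Specific attribute with one
    4-byte integer sub-attribute (vendor-type, length, value)."""
    sub = struct.pack("!BBI", vendor_type, 6, value & 0xFFFFFFFF)
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body


def parse_vsa(attr):
    """Return (vendor_id, {vendor_type: raw_value_bytes}) for a type-26 attribute.
    Length fields are checked so a truncated attribute raises instead of
    being read past its end."""
    if len(attr) < 8:
        raise ValueError("attribute too short for a Vendor-Specific attribute")
    atype, alen = struct.unpack("!BB", attr[:2])
    if atype != VSA_TYPE or alen != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    subs = {}
    off = 6
    while off < alen:
        if off + 2 > alen:
            raise ValueError("truncated vendor sub-attribute header")
        vtype, vlen = struct.unpack("!BB", attr[off:off + 2])
        if vlen < 2 or off + vlen > alen:
            raise ValueError("vendor sub-attribute length exceeds attribute")
        subs[vtype] = attr[off + 2:off + vlen]
        off += vlen
    return vendor_id, subs


def avp_integer_signed(data):
    """The problematic interpretation: big-endian 32-bit *signed* integer."""
    return struct.unpack("!i", data)[0]


def avp_integer_unsigned(data):
    """The RADIUS 'integer' type is a 32-bit unsigned value (RFC 2865)."""
    return struct.unpack("!I", data)[0]


def to_unsigned32(value):
    """Same correction as the iRule workaround: mask a (possibly negative)
    signed 32-bit result back to its unsigned representation."""
    return value & 0xFFFFFFFF


if __name__ == "__main__":
    attr = build_vsa(12345, 7, 0xFFFFFFF0)  # constructed sample values
    vendor_id, subs = parse_vsa(attr)
    raw = subs[7]
    print("vendor-id:", vendor_id)
    print("signed   :", avp_integer_signed(raw))
    print("unsigned :", avp_integer_unsigned(raw))
    print("masked   :", to_unsigned32(avp_integer_signed(raw)))
```

Any value with the top bit set (here 0xFFFFFFF0) decodes as a negative number under the signed reading and as the intended 4294967280 under the unsigned one; masking the signed result restores it. As the note above says, tmm itself may still compare or store the value as signed, so the mask only corrects what the iRule sees.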


597214-4 : Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly

Component: Access Policy Manager

Symptoms:
JavaScript code with literal object definition containing field names equal to reserved keywords is not handled correctly by Portal Access.

Conditions:
JavaScript code with literal object definition containing fields with reserved keywords as a name, for example:

var a = { default: 1, continue: 2 };

Impact:
JavaScript code is not rewritten and may not work correctly.

Workaround:
It is possible to use an iRule to rename the field names in the original code.


596826-1 : Don't set the mirroring address to a floating self IP address

Component: TMOS

Symptoms:
Using tmsh, you can configure the mirroring IP address using the command tmsh modify cm device devicename mirror-secondary-ip ip_address

It is possible to set ip_address to a floating self IP address when using tmsh, but BIG-IP can't mirror to a floating self IP address. The tmsh command will complete without error.

Conditions:
Accidentally setting the mirroring IP address to the floating self IP address using tmsh.

Impact:
Mirroring does not work in this case. If you configured it this way using tmsh, the GUI will show the primary and secondary mirroring address as "None".

Workaround:
Change the mirroring address to a non-floating self IP address. The GUI only presents non-floating self IP addresses.

For more information about mirroring, see K13478: Overview of connection and persistence mirroring at https://support.f5.com/csp/#/article/K13478


596815-2 : System DNS nameserver and search order configuration does not always sync to peers

Component: TMOS

Symptoms:
Modifying the System DNS nameserver and search order configuration does not always sync during an incremental sync if modified in the GUI or tmsh modify sys db.

Conditions:
The device is in a failover device group with incremental sync turned on.

In the GUI, modify the DNS Lookup Server List or the DNS Search Domain List fields under System >> Configuration : Device : DNS.

In tmsh, run tmsh modify sys db dns.nameserver (or dns.domainname), and in some cases tmsh modify sys dns name-servers (or search).

Impact:
Modifications will not change the sync status nor sync the change to peers.

Workaround:
Perform a full sync or use 'tmsh modify sys dns name-servers replace-all-with' or 'tmsh modify sys dns search replace-all-with'.

Optionally, to get this setting to sync, modify the file /config/BigDB.dat to set realm=common for [DNS.NameServers] and [DNS.DomainName] and restart mcpd on all devices in the failover device group. However, this file may get overridden on a hotfix or upgrade.


596433-1 : Virtual with lasthop configured rejects request with no route to client.

Component: Local Traffic Manager

Symptoms:
Virtual with lasthop pool configured rejects requests which are sourced from MAC address which is not configured in the lasthop pool.

Conditions:
This issue occurs when the following conditions are met:

- Virtual with lasthop pool.
- Connection sourced from MAC address which is not configured in the lasthop pool.
- Lasthop pool member is local to TMM.
- tm.lhpnomemberaction db key is set to 2.

Impact:
Connection is erroneously reset with no route to client.

Workaround:
- Change tm.lhpnomemberaction db key to 0 or 1 (behavior change).
- Add IP address for lasthop member which client is originating from to lasthop pool.


596067-1 : GUI on VIPRION hangs on secondary blade reboot

Component: TMOS

Symptoms:
After rebooting a VIPRION chassis, the GUI suddenly becomes unresponsive several minutes after the reboot.

Conditions:
It is not known exactly what triggers this, as it is a race condition that occurs on system start, but it is believed that Enterprise Manager making queries against the VIPRION for non-chunked statistics while the blade(s) have not fully started will trigger this condition.

Impact:
GUI becomes unresponsive

Workaround:
bigstart restart httpd will clear this condition if it occurs.


595921-3 : VLAN groups with no Self IP addresses defined might generate ICMP messages with loopback addresses.

Component: Local Traffic Manager

Symptoms:
VLAN groups with no Self IP addresses defined might generate ICMP messages with loopback addresses.

Conditions:
Configuration of a virtual server on a VLAN group that does not have a Self-IP configured.

Impact:
Traffic destined for the virtual server might be rejected with an ICMP unreachable sourced from a loopback address.

Workaround:
Use a Self IP address on the VLAN group.


595868 : HSB TX HGM lockup on 3900, 8900, and 10000-series platforms.

Component: TMOS

Symptoms:
HSB TX HGM lockup on 3900, 8900, and 10000-series platforms. Tmm will core with this error message in /var/log/ltm: "notice panic: hsb interface 2 DMA lockup on transmitter failure."

Conditions:
It is not known what triggers this condition.

Impact:
Traffic disrupted while tmm restarts.


595854 : An incorrect MSS can be sent in client SYN/ACK packet for an accelerated connection

Component: Local Traffic Manager

Symptoms:
A client may receive an incorrect MSS value in the SYN/ACK packet for a connection that is hardware accelerated and whose flow is accelerated during the TCP three-way handshake.

Conditions:
A fastl4 profile with Offload State set to SYN.

This affects all platforms and versions of BIG-IP with HSB/ePVA hardware acceleration.

Impact:
BIG-IP advertises an MSS value that might be too large. This may cause problems if the server receives a packet that exceeds its MSS.

Workaround:
Configure the fastl4 profile's Offload State to EST.


595317-5 : Forwarding address for Type 7 in ospfv3 is not updated in the database

Component: TMOS

Symptoms:
The ospf nssa-external database is not updated when the global address on an interface that is used as a forwarding address is changed.

Conditions:
Remove the global address on the forwarding interface.

Impact:
The packets will be sent to an incorrect interface.

Workaround:
Run 'clear ipv6 ospf process'.


595293-2 : Deleting GTM links could cause gtm_add to fail on new devices.

Component: Global Traffic Manager

Symptoms:
Once links are auto-discovered, if auto discovery is disabled and the links are deleted, they could become stuck in the Server > Virtual Server list, preventing new devices from joining the sync group. If gtm_add is run from a new device, the add will appear to succeed, but no GTM objects will show up on the unit.

Conditions:
Links are auto-discovered
Auto discovery is disabled
The links are deleted

Impact:
If gtm_add is run from a new device, the add will appear to succeed, but no GTM objects will show up on the unit.

Workaround:
None


594647-1 : No iControl functions to get and set master key.

Component: TMOS

Symptoms:
No iControl functions to get and set master key.

Conditions:
Using iControl with master key.

Impact:
Cannot get or set master key.

Workaround:
There is no iControl workaround.


594228 : Resetting mgmt interface statistics doesn't work on VE or VCMP

Component: TMOS

Symptoms:
$ tmsh reset-stats net interface mgmt
Doesn't reset mgmt interface statistics.

Conditions:
Only on VE or VCMP

Impact:
You cannot reset the management interface statistics, but this has no impact elsewhere in the system.


593536-3 : Device Group with incremental ConfigSync enabled can report "In Sync" when devices have differing configurations

Component: TMOS

Symptoms:
Devices do not have matching configuration, but system reports device group as being "In Sync".

Conditions:
Device Service Cluster Device Group with incremental sync enabled. A ConfigSync occurred where a configuration transaction failed validation, and then a subsequent (or the final) configuration transaction was successful.

Impact:
BIG-IP incorrectly reports the configuration as in sync when it is not. Failures, odd behavior, or traffic impact can result from this.

Workaround:
Turn off incremental sync (by enabling "Full Sync" / "full load on sync") for affected device groups.


593530-3 : In rare cases, connections may fail to expire

Component: Local Traffic Manager

Symptoms:
Connections have an idle timeout of 4294967295 seconds.

Conditions:
Any IP (ipother) profile is assigned to virtual server.

Impact:
Connections may linger.

Workaround:
None.


593396-4 : Stateless virtual servers may not work correctly with route pools or ECMP routes

Component: Local Traffic Manager

Symptoms:
Stateless virtual servers might not work correctly if the configured poolmember is reachable via a route pool or via several ECMP routes learned via dynamic routing.

Conditions:
- Stateless virtual server.
- Pool reachable via route pool or via ECMP routes.

Impact:
Traffic might be dropped.

Workaround:
Use other virtual server types to process this traffic.


593390-1 : Profile lookup when selected via iRule ('SSL::profile') might cause memory issues.

Component: Local Traffic Manager

Symptoms:
If an iRule selects a profile using just its name, not the full path, the internal lookup might fail. This might cause a new version of the profile to be instantiated, leading to memory issues.

Conditions:
An iRule calls SSL::profile but does not supply the complete path (e.g., /Common/clientssl); rather, the iRule uses only the profile name.

Impact:
Higher memory usage than necessary.

Workaround:
Always have iRules select profiles using the complete path.


592620-4 : iRule validation does not catch incorrect 'after' syntax

Component: Local Traffic Manager

Symptoms:
iRule validation does not catch iRule with incorrect 'after' syntax, allowing an invalid iRule to be saved.

Conditions:
iRule with incorrect 'after' syntax. For example, "after 5000 periodic" should be "after 5000 -periodic" (with a hyphen).

Impact:
Traffic handled by the iRule fails, generating the Tcl error 'invalid command name 'periodic' while executing 'periodic LB::reselect''.

Workaround:
Correct the syntax error.


592497-3 : Idle timeout ineffective for FIN_WAIT_2 when server-side expired and HTTP in fallback state.

Component: Local Traffic Manager

Symptoms:
While passing normal traffic, CPU utilization of one or more tmms suddenly goes to 100% as viewed by top and remains there indefinitely.

Conditions:
Idle timeout for tcp flows in FIN_WAIT_2.

Impact:
There is a rare occurrence in which tmm might result in 100% CPU busy.

Workaround:
None.


592194-1 : Rarely, an HSB transmitter failure occurs

Component: TMOS

Symptoms:
A very rare HSB transmitter failure occurs. This is indicated by the following message in the tmm logs:
panic: hsb interface 1 DMA lockup on transmitter failure.

Conditions:
Although the exact conditions for this issue are unknown, this might be related to a 5250 platform or to a configuration containing a vCMP guest.

Impact:
Reboot of the unit.

Workaround:
None.


591828-1 : For unmatched connection TCP RST may not be sent for data packet

Component: Advanced Firewall Manager

Symptoms:
When a TCP connection times out (no entry in "show sys conn") and a subsequent data packet (not a SYN) comes in, the BIG-IP system does not send a RST to the client to reset the connection.

Conditions:
-- Both LTM and AFM modules provisioned.
-- TCP profile connection timeout set to 30s.
-- Reset on timeout set to "no" in TCP profile.
-- After connection timeout, send data packet to VIP.

Impact:
Client retransmits several times and then terminates TCP connection. There is no RST sent from BIG-IP to client for unmatched connection.

Workaround:
Enable the reset on timeout option to send TCP RST to client when connection times out.

Note: If the BIG-IP system reboots in the interim, client does not get TCP RST.


591733-1 : Save on Auto-Sync is missing from the configuration utility.

Component: TMOS

Symptoms:
The option to configure save-on-auto-sync is missing in the Device Management GUI.

Conditions:
Devices configured in a DSC configuration.
Automatic with Full or Incremental Sync is enabled.
You attempt to configure the save-on-auto-sync option from the GUI.

Impact:
You will need to have TMSH access to the BIG-IP system to perform this task.

Workaround:
You will need to have TMSH access to the BIG-IP system to perform this task.


591732 : Local password policy not enforced when auth source is set to a remote type.

Component: TMOS

Symptoms:
Local password policy not enforced when auth source is set to a remote type. Any non-default password policy change is not enforced for local users.

Conditions:
1) Some part of the local password policy has been changed from the default values, for example, changing the password minimum-length to 12 where the default is 6.

2) The auth source is set to a remote source, such as LDAP, AD, TACACS.

Impact:
The system does not enforce any of the non-default local password policy options.

For example, even if the minimum-length is set to 12, a local user's password can be set to something less than 12.

Another example, even if the max-duration is set to 90 days, the password does not expire for 99999 days (the default).

Workaround:
None.


591705-2 : Domain-name-strict has been deprecated, but is still present in GUI, GUI OLH, and TMSH CLI help.

Component: Global Traffic Manager

Symptoms:
Domain-name-strict has been deprecated. The default is now domain-name-check allow-underscore.

Upon loading a pre-existing configuration file, the following warning message will be logged in /var/log/ltm:

-- Warning generated : value strict is deprecated. Forcing to allow-underscore.
-- Configuration warning: value strict is deprecated. Forcing to allow-underscore.

Upon loading a pre-existing configuration file, a warning will also be displayed in the console:

value strict is deprecated. Forcing to allow-underscore.

Conditions:
Loading a pre-existing configuration file containing domain-name-strict.

Impact:
Although warnings are posted, the files are still loaded.

However, the GUI, GUI OLH, and TMSH CLI help still list 'strict' as an option, which is not accurate.

Workaround:
Do not use the 'strict' options, even though they are listed.


591666-1 : TMM crash in DNS processing on TCP virtual with no available pool members

Component: Local Traffic Manager

Symptoms:
TMM crash when processing requests to a DNS virtual server.

Conditions:
The issue can occur if a TCP DNS virtual receives a request when no pool members are available to service the request and a DNS iRule is suspended due to previous requests.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Mitigation is to ensure at least one pool member is available whenever the DNS virtual is processing traffic, or to avoid iRule commands that can suspend processing.

Ensure datagram LB mode is enabled on UDP DNS virtuals.


591104-4 : ospfd cores due to an incorrect debug statement.

Component: TMOS

Symptoms:
ospfd cores due to an incorrect debug statement.

Conditions:
This occurs in NSSA configs when ASE OSPF debugging is enabled in imish (for example, by running the command: debug ospf route ase). Affected configuration commands are (in imish):
debug ospf all.
debug ospf route.
debug ospf route ase.

Impact:
ospfd might crash, interrupting dynamic routing.

Workaround:
Do not enable debugging in ospf that includes 'route ase'.


590938-1 : The CMI rsync daemon may fail to start

Component: TMOS

Symptoms:
CMI starts an instance of the rsync daemon used for synchronizing file objects. If this daemon is not running, but left its PID file, then it will not restart.

Conditions:
The rsync daemon failed unexpectedly.

Impact:
Sync of file objects will fail with an error like this:

01070712:3: Caught configuration exception (0), Failed to sync files...

Workaround:
Delete the PID file, "/var/run/rsyncd-cmi.pid". Then look up the configsync-ip of the local device and run "rsync-cmi start 1.2.3.4", replacing 1.2.3.4 with the current device's configsync-ip.


590904-4 : New HA Pair created using serial cable failover only will remain Active/Active

Component: TMOS

Symptoms:
After creating a new sync-failover device group without network failover enabled, both devices remain Active.

Conditions:
Create a new sync-failover device-group without enabling network failover.

Impact:
Both devices in the HA pair will be Active, which is unlikely to pass traffic successfully.

Workaround:
After adding the 2nd device to the sync-failover group, restart sod with "bigstart restart sod" on both devices.


590851-1 : "never log" IPs are still reported to AVR

Component: Application Security Manager

Symptoms:
IP addresses marked as "never log" are reported to AVR regardless of the flag

Conditions:
Always

Impact:
Extra, unwanted logging for IP addresses flagged as "never log"

Workaround:
N/A


590091-3 : Single-line Via headers separated by single comma result in first character second header being stripped.

Component: Service Provider

Symptoms:
Removing the first Via header strips the leading character from the second Via when headers are separated by a comma (',').

Conditions:
Multiple Via headers on single-line separated by a single comma (',').

Impact:
Leading character of 2nd Via header will be stripped e.g. 'SIP/2.0/TCP' becomes 'IP/2.0/TCP'.

Workaround:
None.
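The defect is an off-by-one in how the header value is split when several Via values share one line. The following added example (not F5's or the BIG-IP SIP profile's code) shows a correct splitter for a single-line Via field, with a function that removes the first value as the Service Provider profile does, next to a naive version that assumes a ", " separator and reproduces the stripped leading character when the separator is a bare ','. The sample header values are constructed; the splitter also keeps commas inside quoted parameter values intact, which the naive version does not.

```python
def split_via_values(line):
    """Split one Via header field value into its individual via-parm values.
    A comma separates values unless it appears inside a quoted string
    (generic-param values may be quoted in RFC 3261); backslash escapes
    inside quotes are honoured. Whitespace around each value is dropped."""
    values, buf = [], []
    in_quotes = escape = False
    for ch in line:
        if escape:
            buf.append(ch)
            escape = False
            continue
        if in_quotes and ch == "\\":
            buf.append(ch)
            escape = True
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            values.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    values.append("".join(buf).strip())
    return [v for v in values if v]


def remove_first_via(line):
    """Remove the first Via value and rebuild the header from the rest,
    so the second value keeps its full 'SIP/2.0/...' sent-protocol."""
    return ", ".join(split_via_values(line)[1:])


def naive_remove_first_via(line):
    """Buggy reference: assumes the separator is always ', ' (comma plus
    space). With a bare ',' the +2 skips the first character of the next
    value, turning 'SIP/2.0/TCP' into 'IP/2.0/TCP'."""
    return line[line.index(",") + 2:]


if __name__ == "__main__":
    # Constructed sample: two Via values on one line, separated by a bare comma
    via = ("SIP/2.0/UDP pc33.example.com;branch=z9hG4bK776asdhds,"
           "SIP/2.0/TCP proxy.example.com;branch=z9hG4bKnashds8")
    print("correct :", remove_first_via(via))
    print("naive   :", naive_remove_first_via(via))
```

The correct splitter tolerates either separator form, so a client sending "a,b" and one sending "a, b" are handled the same way; the naive version only happens to work for the second.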


589862-3 : HA Group percent-up display value is truncated, not rounded

Component: TMOS

Symptoms:
The value displayed in "show sys ha-group detail" and "list sys ha-group" is shown as only the integer portion of the actual percent-up value.

Conditions:
When the number of "up" members in an HA Group results in a percent-up value that is not a whole number, the displayed value is truncated, not rounded.

Impact:
Incorrect display of the percent-up value. The score contribution is correct, and displayed rounded properly.


589856 : iControl REST : possible to get duplicate transaction ids when transactions are created by multiple clients

Component: TMOS

Symptoms:
When two iControl REST clients using the same username create transactions simultaneously, they can potentially get the same transaction id. This disrupts the execution of both clients' code.

Conditions:
Client requests to create transaction are close to each other in time.

Impact:
Transaction semantics are not followed, and unintended errors may occur


589400-5 : With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.

Component: Local Traffic Manager

Symptoms:
With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.

Conditions:
Congestion window is small relative to message size; abc is enabled; also might manifest when serverside MTU is greater than clientside MTU.

Impact:
Additional connection latency.

Workaround:
Enabling proxy-mss on the serverside TCP profile significantly reduces incidence of this problem in observed cases.

If init-cwnd is low, raising it might also help.

Disabling abc can also reduce the problem, but might have other negative network implications.


589338-1 : Linux host may lose ECMP routes on secondary blades

Component: TMOS

Symptoms:
As a result of a known issue, the Linux host residing on a secondary blade may lose ECMP routes previously learned via a dynamic routing protocol.

Conditions:
- Multibladed chassis or vCMP guest
- ECMP routes learned via dynamic routing
- Restart of services or reboot of secondary blade

Impact:
ECMP Routes on Linux host of secondary blade lost.
This may affect host traffic, such as monitoring, remote logging, etc., due to the lack of routing information.

Workaround:
Restarting routing processes on the primary blade will cause the routes to propagate to the secondary blade.


589199 : CoS queue egress drop counts not reported in all drop counter stats.

Component: TMOS

Symptoms:
CoS queue egress packet drop counts are not exposed in the 'Drops' column for 'tmsh show net interface' for B2250, B4300 and 1x000 platforms. The CoS queue egress packet drop counts are however correctly reported via the 'drop_reason' and 'interface_stat' tmstat counters.

Conditions:
This occurs on B2250 and B4300 blades and on 1x000 platforms.

Impact:
CoS queue egress packet drop counts are not exposed via net interface reports, but are reported correctly via tmstat counters.

Workaround:
CoS queue egress packet drop counts can be viewed in tmsh using the following counters:
-- tmctl interface_stat.
-- tmctl drop_reason.


589118-2 : Horizon View client throws an exception when connecting to Horizon 7 VCS through APM.

Component: Access Policy Manager

Symptoms:
If APM is configured as PCoIP proxy against Horizon 7 VCS, the Horizon View client fails to retrieve the list of entitlements with an exception written in its logs.

Conditions:
APM as PCoIP proxy for Horizon 7 View Connection Server.

Impact:
Horizon View client cannot be used with APM to access Horizon 7.

Workaround:
You can use the following iRule to update the broker protocol version returned by APM to be 11.0 instead of 9.0.

when HTTP_REQUEST {
    if { [HTTP::header "Origin"] ne "" } {
        HTTP::header remove "Origin"
    }
    # Collect the body of broker requests so the SAML authentication-type probe can be answered
    if { [HTTP::method] == "POST" && [HTTP::uri] == "/broker/xml" } {
        set BROKER_REQUEST 1
        HTTP::collect [HTTP::header Content-Length]
    }
}

when HTTP_REQUEST_DATA {
    if { [info exists BROKER_REQUEST] && [regexp {<have-authentication-types[ \t\r\n]*>[ \t\r\n]*<name[ \t\r\n]*>[ \t\r\n]*saml[ \t\r\n]*</name>[ \t\r\n]*</have-authentication-types>} [HTTP::payload]] } {
        HTTP::respond 200 content {<?xml version="1.0" encoding="UTF-8"?><broker version="11.0"><set-locale><result>ok</result></set-locale><configuration><result>ok</result><broker-guid>1</broker-guid><authentication><screen><name>saml</name><params></params></screen></authentication></configuration></broker>} Content-Type text/xml
    }
}

when HTTP_RESPONSE {
    # Only responses generated locally by APM are rewritten
    if { ! [IP::addr [IP::remote_addr] equals 127.0.0.0/8] } { return }
    set BROKER_RESPONSE 1
    set content_length 0
    if { [HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576 } {
        set content_length [HTTP::header "Content-Length"]
    } else {
        set content_length 1048576
    }
    # Check that $content_length is not 0 before collecting
    if { $content_length > 0 } {
        HTTP::collect $content_length
    }
}

when HTTP_RESPONSE_DATA {
    if { ! [info exists BROKER_REQUEST] || ! [info exists BROKER_RESPONSE] } { return }
    regsub "<broker version=\"9.0\">" [HTTP::payload] "<broker version=\"11.0\">" payload
    HTTP::payload replace 0 [HTTP::payload length] $payload
    HTTP::release
}


589039-3 : Clearing masquerade MAC results in unexpected link-local self IPs.

Component: Local Traffic Manager

Symptoms:
BIG-IP advertises fe80::200:ff:fe00:0 as a self IP.

Conditions:
The masquerade MAC is changed from non-zero to zero.

Impact:
May cause IP conflicts between HA devices.

Workaround:
Restart tmm after setting the masquerade MAC to none.


589006-6 : SSL does not cancel pending sign request before the handshake times out or is canceled.

Component: Local Traffic Manager

Symptoms:
When TMM is processing many SSL handshakes that use ephemeral keys, SSL must sign the ServerKeyExchange message, so a sign request might be pending on the crypto SSL queue. Even if the handshake times out or is canceled, the sign request remains in the queue. This might cause memory accumulation.

Conditions:
TMM is processing many SSL handshakes that use ephemeral keys, for which SSL must sign the ServerKeyExchange message.

Impact:
Even if the handshake times out or is canceled, the sign request remains in the queue. This might cause memory accumulation.

Note: Although this issue was fixed in 11.5.4 HF3, the fix was reverted in 11.5.4 HF4, meaning that the issue is not fixed in 11.5.4 HF4.

Workaround:
None.


588946 : BIG-IP v11.5.4 successfully installs on 12250v platform but is not supported.

Component: TMOS

Symptoms:
You can install v11.5.4 on the 12250v platform, but are unable to license BIG-IP. This is because v11.5.4 is not supported on the 12250v platform.

Conditions:
Install BIG-IP v11.5.4 on a 12250v platform.

Impact:
BIG-IP v11.5.4 is not supported on the 12250v platform. Even though installation succeeds, it is not possible to license BIG-IP system.

Workaround:
Install a supported version of BIG-IP on the 12250v. Supported versions are 11.6.0 HF2 or later and 12.0.0 or later.


588646-4 : Use of standard access list remarks in imish may cause later entries to fail on add

Component: TMOS

Symptoms:
The use of remarks in standard access lists in dynamic routing shell causes subsequent filters in the same ACL to fail to load.

Conditions:
Create a standard access list with a remark.
Add to the same list another entry to permit or deny an IP/range.

Impact:
The ACL does not load and error is returned.

Workaround:
Do not use remarks in standard access lists, or use an access list in the extended or named ranges.


588289-5 : GTM is Re-ordering pools when adding pool including order designation

Component: Global Traffic Manager

Symptoms:
GTM re-orders, including the "0" order when adding the pool with specific order designation.

Conditions:
This occurs when adding pools with a specified order.

Impact:
This changes the pool order unexpectedly, which affects load balancing using global-availability.


587821-4 : vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.

Component: TMOS

Symptoms:
On the affected slot, the vCMP guest is unable to pass traffic to or from the VLANs. If the guest has multiple slots, the CMP state logged in /var/log/tmm on that slot differs from the CMP state logged by other slots of the same guest.

In the vCMP guest, 'tmsh show net interface -hidden' shows 0.x interfaces for the affected slot that differ from the 0.x interfaces shown by 'tmsh show vcmp guest all-properties' on the vCMP hypervisor for the same guest slot.

Conditions:
The MCPD daemon on one of the blades of the vCMP hypervisor crashes or restarts.

Impact:
The vCMP guests that are still running since before the MCPD daemon restarted may be unable to communicate to VLAN networks. Incoming traffic may also be affected, even though the vCMP guest has other functional slots to process traffic.

Workaround:
On the hypervisor, modify the vCMP guest configuration to not run on the affected slot. Wait to confirm the vCMP guest has stopped on the affected slot. Then modify the vCMP guest to run on the previously affected slot.

Alternatively, modify the vCMP guest to the Configured state, and wait to confirm the vCMP guest has stopped on all slots. Then return the vCMP guest to the Deployed state.


587705-6 : Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools.

Component: Local Traffic Manager

Symptoms:
Persist lookups fail for source_addr with match-across-virtual servers when multiple entries exist for the client, but pointing to different pools.

Conditions:
'Match_across_virtual' enabled. Multiple persistence entries for a client address exist, and some of these persistence entries point to poolmembers from different pools. Some of these poolmembers do not belong to any of the current virtual server's pools.

Impact:
Source address persistence fails for this client, even though there is a valid persistence entry that can be used.

Workaround:
None.


587698-1 : bgpd crashes when ip extcommunity-list standard with route target(rt) and Site-of-origin (soo) parameters are configured

Component: TMOS

Symptoms:
bgpd daemon crashes

Conditions:
bgp extended-asm-cap is configured before configuring ip extcommunity-list standard with rt and soo fields.

Impact:
bgpd daemon crashes leading to route loss and traffic loss.


587668-4 : LCD Checkmark button does not always bring up clearing prompt on VIPRION blades.

Component: TMOS

Symptoms:
Pressing the LCD checkmark button does not always bring up clearing prompt on VIPRION blades.

Conditions:
Pressing the LCD's checkmark button to clear an alert on VIPRION blades.

Impact:
Cannot clear the alert using the LCD.

Workaround:
Press the checkmark button followed by the left or right arrow buttons.


587617-4 : While adding GTM server, failure to configure new IP on existing server leads to gtmd core

Component: Global Traffic Manager

Symptoms:
gtmd core with SIGSEGV in selfip_needs_xlation.

Conditions:
No GTM server object configured with existent selfip.

Impact:
gtmd cores. GTM unable to respond to DNS queries. DNS traffic disrupted while gtmd restarts.

Workaround:
Configure the GTM server object with an existent selfip. For more information, see K15671: The BIG-IP GTM system must use a local self IP address to define a server to represent the BIG-IP GTM system at https://support.f5.com/csp/#/article/K15671


587457-1 : REST API does not allow modification of AFM address list

Component: TMOS

Symptoms:
You are unable to modify an existing address list with an API call. You can only overwrite the whole list.

Conditions:
You wish to modify an existing AFM address list using the REST API

Impact:
The only option is to replace the entire list.


586621-2 : SQL monitors 'count' config value does not work as expected.

Component: Local Traffic Manager

Symptoms:
SQL monitors 'count' config value does not work as expected.

Conditions:
SQL monitor in use with the 'count' config value specified. The 'count' value is intended to record the number of times the connection to the back-end database is re-used before it is disconnected. However, the value is not correctly recording the number in this release.

Impact:
SQL monitor might use a 'count' value that is incorrect.

Workaround:
Add 101 to the desired value. For example, if the desired count is '5', use '106' instead.


586348-3 : Network Map Pool Member Parent Node Name display and Pool Member hyperlink

Component: TMOS

Symptoms:
The Network Map was not displaying the correct node name and the link was taking you to an incorrect pool member.

Conditions:
Create a pool and pool member from a FQDN node. Add that pool to a virtual server. From the Network Map page the pool member link does not show the FQDN making it hard to tell what pool member it is. When you click on the pool member hyperlink it takes you to the incorrect pool member.

Impact:
This causes confusion because the pool members are difficult to identify without the FQDN and the link takes you to the incorrect pool member.


586138-2 : Inconsistent display of route-domain information in administrative partitions.

Component: Local Traffic Manager

Symptoms:
When an IP address is displayed in the GUI and in TMSH, there are some inconsistencies in how the route-domain of the address is displayed. This occurs for virtual servers and pool members.

Conditions:
IP addresses configured for virtual servers and pool members outside the default route domain of the administrative partition.

Impact:
Although this is only a cosmetic issue, there might be confusion associated with the display inconsistencies.

Workaround:
None.


586080 : APM attempts to launch VMware View Linux Desktop from the webtop using HTML5 client which is not supported

Component: Access Policy Manager

Symptoms:
VMware View Linux Desktops have been introduced along with the newer HTML5 client, which is not supported with BIG-IP APM 11.5.x.
However, if a user is entitled to a Linux Desktop when logging in to the APM webtop, they may attempt to launch it, and APM will unsuccessfully try to use the HTML5 client for it.

Conditions:
APM webtop configured for PCoIP Proxy case and VMware View Linux Desktop host assigned to the user.

Impact:
User may be confused being shown a desktop they cannot access.

Workaround:
Do not attempt to connect to Linux Desktop hosts, as they are not supported in 11.5.x versions.


585097-4 : Traffic Group score formula does not result in unique values.

Component: TMOS

Symptoms:
In certain configurations, the Traffic Group score for a particular Traffic Group can be identical across devices in a device service cluster, resulting in the Traffic Group becoming Active on more than one device simultaneously.

Conditions:
The score is derived from the management-ip and other factors. If the device management-ips are not on the same /24 subnet, the score is not guaranteed to be unique.

The score can be observed with the tmsh "run cm watch_trafficgroup_device" command, and in some versions of BIG-IP, the "show cm traffic-group" command.

Impact:
When the problem occurs, Traffic Groups will be Active on multiple devices simultaneously. The problem can affect all Traffic Groups.

Workaround:
The only solution is to change the management-ip on one of the colliding devices. The workaround is not practical with DHCP, and in many other situations.


584948-4 : Safenet HSM integration failing after it completes.

Component: Local Traffic Manager

Symptoms:
tmm cannot load the Safenet library, and the following log entry is found in /var/log/auditd/audit.log:

denied { read } for pid=4936 comm="tmm" name="libCryptoki2_64.so" dev=dm-1 ino=1441838 scontext=system_u:system_r:tmm_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file.

Conditions:
This occurs when there is at least one symlink in the shared/safenet/lunasa/lib/ directory.

The safenet-sync.sh script (used to replicate a functioning Safenet HSM installation to a newly-inserted secondary blade) and csyncd conspire to improperly install/fix permissions on the secondary blade if there are symlinks, which results in the Safenet HSM integration failing after it completes, until the user takes appropriate actions.

Impact:
Upon failover to secondary blade, the BIG-IP system will be unable to communicate with the configured netHSM.

Workaround:
Use chcon and chcon -h to fix any permissions issues. The --reference option can be used on any properly permissioned file in the same directory to do this quickly.

For example: chcon -h --reference=libcklog2.so libCryptoki2_64.so.


584788-3 : Directed failover of HA pair using only hardwire failover will fail

Component: TMOS

Symptoms:
Units configured in an HA pair using only hardwire failover will not be able to use a targeted failover.

Conditions:
HA pair configured without network failover but with a hardwire failover.
Failover is attempted using one of the following two methods:

Via GUI
Device Management -> Traffic Groups
  check <traffic group>
    click "force to standby"
      again click "force to standby"


via tmsh
tmsh run sys failover standby device <peer device> traffic-group <traffic group name>

Impact:
Failover may fail with the following logs in /var/log/ltm:
Mar 15 10:27:57 <hostname> notice sod[8214]: 010c0044:5: Command: go standby <traffic group name> <device name> GUI.
Mar 15 10:27:57 <hostname> notice sod[8214]: 010c002b:5: Traffic group <traffic group name> received a targeted failover command for <peer mgmt IP>.
Mar 15 10:28:00 <hostname> notice sod[8214]: 010c004b:5: Target device <traffic group name> is not responding, cannot failover.

Workaround:
Use an alternative failover method:
  - Device Management > Devices > Force to Standby
  - Device Management > Traffic Groups > [traffic Group name] > Force to Standby
  - tmsh run sys failover standby # without device


584772-2 : ssldump may crash when decrypting bad records

Component: Local Traffic Manager

Symptoms:
ssldump crashes while decrypting.

Conditions:
Using ssldump to decrypt SSL traffic that contains bad records.

Impact:
ssldump crashes, making it difficult to decrypt SSL data.


584583-2 : Timeout error when attempting to retrieve large dataset.

Component: TMOS

Symptoms:
The REST API can time out when attempting to retrieve a large dataset, such as a large GTM pool list. The error signature when using the REST API looks like "errorStack":["java.util.concurrent.TimeoutException: remoteSender:127.0.0.1, uri:http://localhost:8110/tm/gtm/pool, method:GET "

Conditions:
Configuration containing a large number of GTM pools and pool members (thousands).

Impact:
If using the REST API to retrieve the pool list, you may receive timeout errors.


583777-1 : [TMSH] sys crypto cert missing tab completion function

Component: TMOS

Symptoms:
When pressing the tab key for the tmsh command "sys crypto cert", it does not display existing certificate names. You must manually type the name of the certificate that you want to operate on.

Conditions:
This occurs in tmsh:

root@(big7)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys crypto cert <------- press <tab>.
Options:
  all | <------------ nothing shows up.
root@(big7)(cfg-sync Standalone)(Active)(/Common)(tmos)# show sys crypto cert <------- press <tab>.
Options:
  all | <------------ nothing shows up.

Impact:
It is not possible to select a certificate using tab completion.

Workaround:
Manually type the certificate name.


583754-4 : When TMM is down, executing 'show ltm persist persist-records' results in a blank error message.

Component: TMOS

Symptoms:
Executing 'show ltm persist persist-records' results in a blank error message.

Conditions:
TMM must be down.

Impact:
Non-obvious / unhelpful error message is generated, leading to customer confusion.

Workaround:
N/A


583700-4 : tmm core on out of memory

Component: Local Traffic Manager

Symptoms:
tmm memory usage increases quickly, then tmm crashes on an out-of-memory condition.

Conditions:
It is not known exactly what triggers this, but it was observed on a hardware platform processing a large number of ECDH ciphers.

Impact:
Traffic disrupted while tmm restarts.


583477 : In Multidomain SSO, primary auth virtual may fail as a resource

Component: Access Policy Manager

Symptoms:
Multidomain SSO use case with two virtuals: vs1 and vs2. Both virtuals are configured as APM+LTM pools. vs1 is designated as the primary auth virtual.

The expected result is that users can access resources on both virtuals. If they have not yet authenticated, they will be redirected to vs1 to authenticate.

The reported result was that sometimes an already authenticated user would be able to access the resources on vs2, but their cookie would be rejected by vs1, and they would be asked to authenticate again.

Conditions:
It is not known what conditions cause this to occur.

Impact:
Users may be asked to re-authenticate, even though they just did so.

Workaround:
Use an independent auth virtual that is not also a resource.


583475-3 : The BIG-IP may core while recompiling LTM policies

Component: TMOS

Symptoms:
In some rare and still unknown situations, the BIG-IP mcpd process may core when creating or modifying LTM policies. While the root cause of the crash is not fully understood at this time, one of the symptoms points to a nonexistent or invalid LTM policy.

Conditions:
Creating or modifying LTM policies.

Impact:
The BIG-IP control plane services restart, affecting both control plane and data plane functionality.

Workaround:
A possible workaround could be to attempt re-creating the LTM policy producing the crash under a different name. Avoid any special characters (or spaces) in the name of the LTM policy.


583084-3 : iControl produces 404 error while creating records successfully

Component: TMOS

Symptoms:
iControl produces a 404 error while creating a GTM topology record successfully.

Conditions:
Creating a GTM topology record without using the full path via iControl.

Impact:
The result code/information does not match the actual result.

Workaround:
Use the full path when creating a GTM topology record using iControl.


582595-1 : default-node-monitor is reset to none for HA configuration.

Component: TMOS

Symptoms:
default-node-monitor is reset to none for high availability (HA) configuration.

Conditions:
Scenario #1
Upgrading an HA active/standby configuration and rebooting the standby,
Where configuration consists of the following:
  * ltm node with a monitor.
  * ltm default-node-monitor with a different monitor.

Scenario #2
Given a HA active/standby configuration with an ltm default-node-monitor configured, set device-group sync-leader.

Impact:
Monitoring will stop after upgrading or setting sync-leader for all nodes that relied on the default-node-monitor.

Workaround:
Reconfigure a default-node-monitor.


582234-3 : When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again.

Component: Local Traffic Manager

Symptoms:
When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again.

Conditions:
A monitored pool member is initially disabled, and a config merge re-enables it.

Impact:
Monitoring does not resume when pool member is re-enabled via config merge.

Workaround:
You can re-enable monitoring by running the following commands:

tmsh save sys config
tmsh load sys config


582207-6 : MSS may exceed MTU when using HW syncookies

Component: Local Traffic Manager

Symptoms:
Packets larger than the interface's MTU can be transmitted.

Conditions:
A SYN packet is received with an MSS that exceeds the interface's MTU.

Impact:
Potential packet loss.

Workaround:
Disable HW syncookie mode.


582084-4 : BWC policy in device sync groups.

Component: TMOS

Symptoms:
When there is a BWC policy created in global sync group and also a local one, then the configuration displays an error.

Conditions:
A BWC policy is created both in the global sync group and locally.

Impact:
Configuration error, BWC policies will not be synced due to errors.

Workaround:
Ensure that BWC policy is in global sync only.


582003-3 : BD crash on startup or on XML configuration change

Component: Application Security Manager

Symptoms:
BD crashes.
An out-of-memory XML message appears in bd.log.
BD does not start up and keeps crashing on startup.

Conditions:
Many XML profiles and relatively large XML configuration.

Impact:
ASM down, machine is offline.

Workaround:
Increase the XML available memory.


581865 : 6900, 8900, 8950, or 11050 platforms missing swap storage

Component: TMOS

Symptoms:
No swap is available; observable via 'cat /proc/swaps'.

Conditions:
A 6900, 8900, 8950, or 11050 platform with RAID LVM, directly upgraded from a pre-10.2.4 version to version 11.x/12.x.

Impact:
No swap space is created during upgrade. Multiple unexpected issues might occur because there is no swap space available.

Workaround:
Newer systems have the swap storage created during initial format. You might also be able to first upgrade to version 10.2.4. Then, when upgrading to version 11.x/12.x, the process creates the swap during upgrade.


581851-5 : mcpd, interleaving of messages / folder contexts from primary to secondary blade

Component: TMOS

Symptoms:
mcpd on secondary blades restarts with a configuration error.

Conditions:
Clustered system (VIPRION or vCMP guest). The issue occurs when the system interleaves commands from different contexts. For example, this might occur when one system requests continual persistence records resets, and another requests continual TCP statistics resets.

Impact:
Secondary blades restart services, resulting in performance degradation or failover.

Workaround:
Issuing commands as part of a transaction will help to reduce the chances of this issue, but it may still be hit during the natural course of running commands in succession on a single ssh instance.


581840-2 : Cannot manage BIG-IP version 11.6.1 or 11.6.1 HF1 through BIG-IQ.

Component: Device Management

Symptoms:
If trying to manage a BIG-IP version 11.6.1 or 11.6.1 HF1 with an administrator account named other than “admin”, this can fail.

Conditions:
This can occur with a BIG-IQ managing a BIG-IP version 11.6.1 or 11.6.1 HF1 system with an account other than “admin”.

Impact:
You cannot manage BIG-IP version 11.6.1 or 11.6.1 HF1 through BIG-IQ.

Workaround:
Install 11.6.1 HF2 on the BIG-IP system, or use an administrator account named “admin” for managing the device.


581746-4 : MPTCP traffic handling may cause a BIG-IP outage

Component: Local Traffic Manager

Symptoms:
Occasional BIG-IP outages may occur when MPTCP traffic is being handled by a virtual server.

Conditions:
MPTCP has been enabled on a TCP profile on a virtual server.

Impact:
A system outage may occur.

Workaround:
Do not enable MPTCP on any TCP profile.


580832 : mcpd core during config push from Enterprise Manager

Component: TMOS

Symptoms:
During a config push from EM to BIG-IP, mcpd and chmand core.

Conditions:
It is not known what triggers this, but it was seen during a config push of over 100 users from Enterprise Manager to an HA pair.

Impact:
mcpd cores, system restart.


580225-4 : WEBSSO::select may crash tmm.

Component: Access Policy Manager

Symptoms:
The WEBSSO::select iRule command can cause TMM to crash if no arguments are passed in.

Conditions:
This occurs when the command is used with no arguments.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
See the following DevCentral page related to WEBSSO::select - https://devcentral.f5.com/wiki/irules.websso__select.ashx


579694-3 : Monitors may create invalid configuration files

Component: TMOS

Symptoms:
Under certain conditions monitors created or edited in the GUI may save an invalid configuration to disk, causing errors when the configuration is reloaded.

Conditions:
Using the GUI to create/edit monitors.

Impact:
tmsh load sys config will fail.

Workaround:
Use tmsh to create or edit monitors.
If your configuration file already contains an offending backslash, manually remove the backslash.


579252-1 : Traffic can be directed to a less specific virtual during virtual modification

Component: Local Traffic Manager

Symptoms:
Traffic can be directed to a less specific virtual server during virtual server modification. It could also be dropped if there is no less specific virtual server.

Conditions:
net self external-ipv4 {
    address 10.124.0.19/16
    traffic-group traffic-group-local-only
    vlan external
}
net self internal-ipv4 {
    address 10.125.0.19/16
    traffic-group traffic-group-local-only
    vlan internal
}

ltm pool redirect-echo {
    members { 10.125.0.17:7 }
}
ltm virtual fw {
    description "less-specific virtual"
    destination 10.125.0.0:any
    ip-forward
    mask 255.255.255.0
    profiles { fastL4 }
    translate-address disabled
    translate-port disabled
    vlans-disabled
}
ltm virtual redirect-echo {
    description "enable/disable this one"
    destination 10.125.0.20:echo
    ip-protocol udp
    mask 255.255.255.255
    pool redirect-echo
    profiles { udp }
    vlans { external }
    vlans-enabled
}

Impact:
Traffic can be directed to a less specific virtual server.

Workaround:
No known workaround at this time other than applying configuration changes in a manner that avoids doing them on a unit that is handling the traffic. Applying changes on the standby and then failing over and syncing or utilizing a maintenance window would be common schemes to achieve a separation between production traffic and configuration changes.


579035-1 : Config sync error when a key with passphrase is converted into FIPS.

Component: TMOS

Symptoms:
When a key with passphrase is converted to a FIPS key (that is, imported into the FIPS card) and a config sync is done, sync fails with an error saying that passphrase is specified but the key is not passphrase protected.

Conditions:
Converting a private key with a passphrase to a FIPS key and then performing a config sync.

Impact:
Config sync will fail.

Workaround:
Ensure that you only import FIPS keys that are not encrypted with a passphrase. For more information, see K15720: Certain tasks related to the management of SSL certificates do not support encrypted private keys (11.x) at https://support.f5.com/csp/#/article/K15720


578551-1 : bgp "network 0.0.0.0/0 route-map Default" configuration is lost after restart/reboot

Component: TMOS

Symptoms:
"network 0.0.0.0/0 route-map Default" is missing from the bgp configuration after a restart/reboot.

Conditions:
"network 0.0.0.0/0 route-map Default" is configured in bgp.

Impact:
bgp does not have the same configuration after a restart/reboot. The bgp configuration is not persisted, leading to unexpected bgp behavior.


577440-3 : audit logs may show connection to hagel.mnet

Component: TMOS

Symptoms:
An iControl host header is improperly formatted with the name hagal.mnet.

The request is properly delivered to the correct host but contains a badly addressed host header that is ignored.

If authorization fails for the iControl query, the audit log will contain this destination information, which may be confusing.

Conditions:
Setting up device trust exercises this code path.

Impact:
No impact to functionality but is confusing for log interpretation.

Workaround:
There is no workaround.


575848-3 : Traffic statistics on a SNAT object might not be updated if traffic is ePVA accelerated.

Component: TMOS

Symptoms:
Traffic statistics on a SNAT object might not be updated if traffic is ePVA accelerated.

Conditions:
SNAT object on an ePVA-capable platform.

Impact:
Some traffic-related statistics (pkts/bytes in/out) are not updated.

Workaround:
To get these statistics, convert the global SNAT to an appropriate virtual server.


575368-1 : Error is not posted when a UCS file with FIPS keys is loaded after re-initializing the FIPS card

Component: TMOS

Symptoms:
When a UCS with FIPS keys is loaded after re-initializing the FIPS card, errors should be posted stating that the FIPS keys in the configuration are now invalid. Instead, the configuration loads without any errors, and SSL handshake failures are seen when a clientSSL profile uses the FIPS key.

Conditions:
UCS file with FIPS keys is loaded after re-initializing the FIPS card.

Impact:
SSL handshake failures are seen when a clientSSL profile uses the FIPS key.

Workaround:
You can delete the FIPS keys, re-initialize the FIPS card, then install the needed keys.


575347-3 : Unexpected backslashes remain in monitor 'username' attribute after upgrade

Component: Local Traffic Manager

Symptoms:
The monitor 'username' attribute contains unexpected backslashes.

Conditions:
Upgrading from an earlier version with a configuration that contains a monitor 'username' attribute with at least one escaped backslash ('\\').

Impact:
Monitor probes contain excess backslashes which can lead to monitor failures.

Workaround:
Un-escape backslashes after upgrade by transforming '\\' sequences to '\'.


575176-4 : SYN cookie cache statistics on ePVA-enabled devices are incremented by UDP traffic

Component: TMOS

Symptoms:
In some scenarios UDP traffic can cause syncookie statistics to be incremented.

Conditions:
Virtual server with fastL4 profile with ePVA offload enabled.
Virtual server to handle UDP traffic.

Impact:
Statistics might be incorrectly incremented, and can lead to early syncookie activation if used in conjunction with TCP on the same virtual server.


575170-6 : Analytics reports may not identify virtual servers correctly

Component: Application Visibility and Reporting

Symptoms:
In certain configurations, Analytics statistics on virtual server activity may not be reported correctly.

Conditions:
This occurs for virtual servers that are configured in one of these ways:

1. Two virtual servers have the same IP-Port-RouteDomain setting, but they use different protocols (such as TCP for one and UDP for the other) or different sources.

2. A virtual server is defined with a masked IP address rather than an explicit address (for example, 10.10.10.0/24).

Impact:
As a result, Analytics reports show an Aggregated Virtual Server or an incorrect one instead of displaying the correct virtual servers.

Workaround:
None.


574263 : keys remain on FIPS card after deletion

Component: Local Traffic Manager

Symptoms:
Sometimes when 'delete sys crypto key all' is executed with 5K FIPS keys, the keys are deleted from mcpd but still exist on the FIPS card. Subsequent key creation may fail with the error 'max capacity reached'.

Conditions:
It is not known what causes this.

Impact:
Keys may remain on the FIPS card, and may prevent the creation of additional keys.


574160-1 : Publishing DNS statistics if only Global Traffic and AVR are provisioned

Component: Application Visibility and Reporting

Symptoms:
AVR does not publish DNS statistics if LTM is not provisioned.

Conditions:
LTM is not provisioned.

Impact:
The DNS chart does not show statistics.


574052-5 : GTM autoconf can cause high CPU usage for gtmd

Component: Global Traffic Manager

Symptoms:
The autoconf feature of GTM can cause high CPU utilization (~90%) in certain situations: large configurations of LTM virtual servers that contain "." (dot) in the name.

Conditions:
In large configurations of LTM virtual servers whose names contain ".", the name is converted ("." is replaced by "_") and the converted LTM virtual server name is saved to the config.

This causes the matching algorithm in autoconf to spend many CPU cycles walking the list of virtual servers to find a match.

The problem is caused by large numbers of virtual servers on a single GTM Server object (10k virtual servers spread across 10k Server objects is less of an issue than 10k virtual servers on 1 GTM Server object).

Impact:
CPU usage is high, which may impact monitoring and LB decisions.

Workaround:
There are several mitigations. The preferable ones (for performance and stability) are listed first.

1. Rename the virtual servers on the LTM to remove the ".". This requires deleting the GTM configuration, rediscovering it, and recreating pools.

2. Turn off autoconf. Run autoconf once to populate the config, then turn it off.

3. Reduce the frequency of autoconf. It will still cause a high CPU usage scenario, but it will be less frequent.

Versions 12.0.0 and higher do not convert the "." to "_", so that problem is eliminated for new configurations.
If a customer upgrades to 12.0.0 and the config still contains virtual server names that were previously converted, they may still run into high CPU usage.
Upgrading to 12.0.0 alone does not fix this issue; a reconfiguration is necessary.


574020-1 : Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}')

Component: Local Traffic Manager

Symptoms:
Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}').

Conditions:
This issue occurs when the following conditions are met:

-- Safenet HSM installation.
-- Password contains special metacharacters (!#{}').

Impact:
The script fails to work properly, and fails to properly install/configure the HSMs, requiring manual intervention. Performing the operation manually is very complex, because the user must account for both tmsh and shell quoting, which some user environments might not support.

Workaround:
Change password, or manually run tmsh command to define the /sys crypto fips external-hsm object (using proper shell quoting).


573031-2 : qkview may not collect certain configuration files in their entirety

Component: TMOS

Symptoms:
If the following files exceed 5M in size, they will be truncated when collected by qkview:

/config/partitions/*/bigip.conf
/config/partitions/*/BIG-IP_base.conf
/config/BIG-IP_gtm.conf

Conditions:
Any of the listed files exceeds 5 Mbytes.

Impact:
Fault diagnosis may be affected.

Workaround:
Create a qkview, and examine the qkview_run.data file. If this file indicates that any of the listed files has been truncated, manually copy that file from the BIG-IP device.


572887-5 : DNS doesn't work properly on Ubuntu 15.10 when using f5fpc CLI client

Component: Access Policy Manager

Symptoms:
DNS doesn't work properly on Ubuntu 15.10 when using f5fpc CLI client. This happens because f5fpc fails to patch /etc/resolv.conf on Ubuntu 15.10 release.

Conditions:
Ubuntu 15.10, the f5fpc CLI client, and network access establishment (which requires f5fpc to patch /etc/resolv.conf).

Impact:
DNS does not work properly on Ubuntu 15.10.


572655-3 : Request Logging profile Template textarea wrapping set to soft wrap

Component: TMOS

Symptoms:
The Template field in the Request Logging profile adds line break characters to long values.

Conditions:
This occurs when there is a long string of text in the Template field for the Request Logging profile, for example, $DATE_NCSA [REQUEST] - [$HOST:$VIRTUAL_PORT] - $VIRTUAL_POOL_NAME - [SRC_PORT:$CLIENT_PORT] - $NCSA_COMBINED.

Impact:
The data stored has line break characters in it at every location where the text wraps inside the Template text box.

Workaround:
There is a partial workaround, depending on the length of the string and the width of your screen. Adjust the width of the Template field by clicking and dragging the lower-right corner of the field. The line breaks the system adds occur only when the text wraps inside the box when you save the profile (by pressing Finished on a new profile or Update on an existing one).


572546 : Assigning address list with 1000+ entries to 1000+ rules policy results in MCP errors

Component: Advanced Firewall Manager

Symptoms:
If an address list is too large, and that address list is used in 1000+ rules, it causes an MCP error when saving the config.

Conditions:
Assigning an address list with 1000+ subnets to 1000+ rules.

Impact:
The configuration fails to save.


572234-4 : When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10.

Component: Local Traffic Manager

Symptoms:
When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10. This is the MAC address of Linux's tmm0 or tmm interface.

Conditions:
The traffic destination is the BIG-IP Linux host, e.g. big3d iQuery server.

The traffic is proxied via fastL4, e.g. ConfigSync "Local Address" is set to None.

The return route is a pool route.

The traffic is interrupted, e.g. a router between the iQuery server and the client is switched off for several seconds.

Impact:
The traffic is sourced from the invalid Ethernet MAC address 00:98:76:54:32:10.
The iQuery connection cannot continue.

Workaround:
Increase the lasthop module's TCP idle timeout.

echo 121 > /proc/sys/net/lasthop/idle_timeout/tcp


572180-3 : httpclass containing escaped backslashes are stripped on migration to LTM policy

Component: Local Traffic Manager

Symptoms:
When upgrading or installing a UCS file with HTTP class profiles, values containing escaped backslashes will have the escaped backslashes stripped from the value.

Conditions:
An HTTP class profile with values containing escaped backslashes. This occurs on upgrades through 12.0.0.

Impact:
The escaped backslashes will be removed and then the policy will not correctly match.

Workaround:
Edit the policy and add backslashes back in.


572142-1 : Config sync peer may fail to monitor newly added pool member after it is added via sync

Component: Local Traffic Manager

Symptoms:
If a pool member in a sync group is removed and another member added and then synced to the peer, the monitor state on the peer may be erroneous.

Conditions:
Two or more devices in a device group.
A pool member is deleted and another is added, then a full config sync is performed.

Impact:
Monitoring does not happen. If the pool member should be marked down by the monitor, it may indicate as being up. You may need to do a system restart to get monitoring to resume properly.

Workaround:
The following approach should avoid any possible downtime:

1. Do the node replacement on box A. Do not sync.
2. Do the node replacement on box B. Do not sync.
3. This causes a sync conflict, and its resolution requires a full load. This is intentional. Force a sync.

The result of that final sync is that mcpd sends no changes to the relevant nodes on the receiving device.


572015-4 : HTTP Class profile is upgraded to a case-insensitive policy

Component: Local Traffic Manager

Symptoms:
If you upgrade to version 11.4.0 through 12.0.0, and your configuration contains an HTTP Class profile, the generated policy will be case-insensitive.

Conditions:
An HTTP Class profile is present in the configuration.

Impact:
Generated policy does not match on the same conditions as original HTTP Class profile.

Workaround:
Manually edit the generated policy.


571635 : VIPRION B2100 or B2150 blade Optic OPT-0016-00 is ON during BIG-IP system boot sequence causing errors with connected equipment

Component: TMOS

Symptoms:
When a VIPRION B2100 or B2150 blade boots, there is a brief window during which the transmitter on the optics module is enabled, but the accompanying initialization of the Broadcom switch has not yet occurred. During this window (~20 seconds) random data may be transmitted, which may be reported as errors by the link partner.

Conditions:
A VIPRION B2100 or B2150 blade is powered on or rebooted, or the user performs a 'bigstart restart'.

Impact:
This has a minor impact. In most cases the link is functional after the system fully initializes, although error counts may show up on the link partner.

Workaround:
If link fails to come up, attempt "bigstart restart bcm56xxd" to restart the Broadcom daemon. However, this will have no impact on errors seen by peer equipment.

You can determine the type of hardware using the command: tmsh show sys hardware. 'Type' is A109 for VIPRION B2100 blades and A113 for VIPRION B2150 blades.


571482-1 : Unbalanced double-quotes may merge lines upon config save-then-load

Component: Local Traffic Manager

Symptoms:
Unbalanced double-quotes used in the configuration will cause load failure, or will merge subsequent configuration lines until a balancing double-quote character is found. For example, an improper expression may be used to configure a monitor 'recv' value that results in an unbalanced (odd number) of double-quote characters, such as "R\\"eceive" (note three double-quote characters, resulting in an unbalanced string).

The string is considered unbalanced with an odd number of double-quote characters, regardless of escaping (such as double- or triple-backslash escaping).

Conditions:
An odd number of double-quotes is used for a configuration value, resulting in an unbalanced string.

For example, configuring a monitor 'recv' value as "R\\"eceive" results in an unbalanced string (notice three double-quotes, an odd number).

Impact:
The configuration will fail to load, as it is improperly formed. In some cases the configuration may load successfully, but the unbalanced string causes newline(s) to be implicitly escaped until a balancing double-quote is found; this merges the following lines into the unbalanced line, so the consumed lines are not treated as configuration values but as the continuation of the unbalanced line.

Workaround:
Modify configuration values that use double-quotes so that they are balanced (i.e., each configuration item should contain an even number of double-quote characters, even if some of them are escaped).
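As an added example (not F5 code), the following Python script applies the odd-count rule described above to a constructed bigip.conf fragment and reports which lines a load would merge into an unbalanced value, or whether the load would fail outright; the monitor names and config content are made up for illustration.

```python
"""Check a bigip.conf-style text for unbalanced double-quotes (issue 571482-1).

Added example, not F5 code. It applies the rule the issue describes: a line
whose count of '"' characters is odd is unbalanced regardless of backslash
escaping, and on load the following lines are merged into it until a line
brings the cumulative count back to even. If no such line exists, the load
fails outright.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample config (not from a real system). 'mon_bad' uses the recv
# value quoted in the issue text ("R\\"eceive", three double-quotes);
# 'mon_bad2' has a second odd-count value that happens to rebalance the stream.
SAMPLE_CONFIG = r'''ltm monitor http mon_ok {
    defaults-from http
    recv "HTTP/1.1 200 OK"
    send "GET / HTTP/1.1\r\n\r\n"
}
ltm monitor http mon_bad {
    defaults-from http
    recv "R\\"eceive"
    send "GET / HTTP/1.1\r\n\r\n"
}
ltm monitor http mon_bad2 {
    defaults-from http
    recv "Ok\\"ay"
    interval 5
}
'''


@dataclass(frozen=True)
class Finding:
    start: int                  # 1-based line with the first odd quote count
    end: Optional[int]          # line that rebalances the count, or None at EOF
    merged: Tuple[int, ...]     # lines swallowed into the 'start' line


def quote_count(line: str) -> int:
    """Count '"' characters. Escapes are deliberately ignored, matching the
    loader behaviour described in the issue."""
    return line.count('"')


def scan_config(text: str) -> List[Finding]:
    """Simulate the merge: once a line leaves the cumulative quote count odd,
    every following line is absorbed until the count is even again."""
    findings: List[Finding] = []
    open_at: Optional[int] = None
    absorbed: List[int] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        odd = quote_count(line) % 2 == 1
        if open_at is None:
            if odd:
                open_at, absorbed = lineno, []
        else:
            absorbed.append(lineno)
            if odd:                     # parity flips back to even
                findings.append(Finding(open_at, lineno, tuple(absorbed)))
                open_at = None
    if open_at is not None:             # still odd at EOF: load failure
        findings.append(Finding(open_at, None, tuple(absorbed)))
    return findings


def merged_statement(text: str, finding: Finding) -> str:
    """Return the single logical statement the loader would see for a finding,
    i.e. the start line with all of its absorbed lines joined on to it."""
    lines = text.splitlines()
    last = finding.end if finding.end is not None else len(lines)
    return "\n".join(lines[finding.start - 1:last])


def report(text: str) -> List[str]:
    """Human-readable summary, one line per finding."""
    out = []
    for f in scan_config(text):
        if f.end is None:
            out.append(f"line {f.start}: unbalanced quotes, never rebalanced; "
                       f"config load fails")
        else:
            out.append(f"line {f.start}: unbalanced quotes; lines "
                       f"{f.merged[0]}-{f.merged[-1]} merged into it "
                       f"(rebalanced at line {f.end})")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
    for f in scan_config(SAMPLE_CONFIG):
        print("--- merged statement ---")
        print(merged_statement(SAMPLE_CONFIG, f))
```

In the sample, the closing brace of mon_bad and the header of mon_bad2 are both swallowed into the recv string, which is why objects after an unbalanced value silently disappear from the loaded configuration.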


571424 : Topology Records: Longest Match Sorting in Unexpected Order

Component: TMOS

Symptoms:
The UI or TMSH only includes a create in a transaction. However, validation modifies an attribute (the order, in this case) of another record, so both a create and a modify command are included in the transaction sent to TMM and other devices.

Conditions:
Create a GTM configuration with 3 topology regions.
Create 3 topology records with the 'Request Source' (LDNS) as one of the regions.
This results in 3 topology records with orders of 1, 2, and 3.
Delete the topology record with the order of 2.
Add another topology record with a region as the 'Request Source'.
Note that while the UI or TMSH only includes a create in the transaction, both a create and a modify are included in the transaction sent to TMM and other devices.

Impact:
If there is another GTM in the sync group, it receives a transaction with both a create and a modify. This results in additional validation on the 2nd system.

Workaround:
None.


571333-3 : fastL4 tcp handshake timeout not honored for offloaded flows

Component: TMOS

Symptoms:
When a VIP is configured with a fastl4 profile that enables full acceleration and sets the offload state to embryonic, and a flow is offloaded for hardware acceleration, the connection idle timeout during the TCP handshake is set to the "idle timeout" value of the fastl4 profile when it should be set to the "tcp handshake timeout" instead.

Conditions:
1. Configure fastl4 profile with ePVA=full, offload state=SYN, apply to network VS
2. Ensure ARP entry exists for server node (static arp, ping, etc.) to satisfy requirements for offloading initial SYN
3. Send over SYN packet from client to server via VS

Impact:
The connection may remain in the half-open state longer than what is set in the TCP handshake timeout value.

Workaround:
Set the offload state to "established"


570570-2 : Default crypto failure action is now "go-offline-downlinks".

Component: Local Traffic Manager

Symptoms:
Previously, if a crypto accelerator encountered a failure, the default action was "failover". Now, the default behavior is "go-offline-downlinks".

Conditions:
Failed crypto accelerator.

Impact:
BIG-IP with failing crypto accelerator on a chassis blade may remain in standby as primary blade.


568795-4 : Dedup Cache Refresh may fail to re-initialize WOM endpoint

Component: Wan Optimization Manager

Symptoms:
WOM endpoints are not always re-initialized correctly during dedup cache refresh operations:
    tmsh modify wom remote-endpoint all dedup-action cache-refresh

Conditions:
WOM

Impact:
iSession tunnels do not establish.

Workaround:
bigstart restart


568743-2 : TMM core when dnssec queries to dns-express zone exceed nethsm capacity

Component: Local Traffic Manager

Symptoms:
tmm crashes, and in /var/log/ltm you see entries indicating "Signature failed":

err tmm1[16816]: 01010216:3: DNSSEC: Signature failed (signature creation) for RRSET (host0530.f5test.net, 1) with key /Common/myZSK2, generation 1.

Conditions:
This can occur when a dns-express zone generates more responses than the Thales network HSM can sign. The excess requests are queued, and tmm can core.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


568347-3 : BD Memory corruption

Component: Application Security Manager

Symptoms:
An Enforcer crash occurs and UMU errors may appear in the bd.log file.

Conditions:
N/A

Impact:
Traffic is disrupted while the Enforcer restarts.


567862-2 : intermittent SSL traffic failure with Safenet HSM on BIG-IP chassis and appliance

Component: Local Traffic Manager

Symptoms:
BIG-IP intermittently has SSL traffic failures with the HSM. This symptom occurs on both chassis and appliance platforms. Error messages similar to the following are logged:

"FIPS acceleration device failure: fips_poll_completed_reqs: req: 44 status: 0x1 : Cancel"

Conditions:
When Safenet HSM is used with BIG-IP.

Impact:
SSL traffic is failing.

Workaround:
"bigstart restart pkcs11d" might mitigate this issue.


567774-3 : ca-devices and non-ca-devices addition/deletion has been removed from restart cm trust-domain Root

Component: TMOS

Symptoms:
The properties 'ca-devices' and 'non-ca-device' are available in the 'restart' command but are not valid.

Conditions:
None

Impact:
You should not use the restart command with the properties 'ca-devices' and 'non-ca-device'. It must be used in the same way as the delete command.

Workaround:
A new tmsh command to reset a device trust was added:
'restart cm trust-domain Root', which operates exactly like 'delete cm trust-domain Root'. The properties 'ca-devices' and 'non-ca-device' are available in the 'restart' command but are not valid. These properties are not available in 'delete cm trust-domain'. The workaround is to not use these two properties when running the 'restart cm trust-domain' command, or to use 'delete cm trust-domain' instead.


566507-1 : Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment

Component: TMOS

Symptoms:
The advertised next-hop is a floating-IP of the active traffic-group on a peer BIG-IP system, although it should be the floating-IP of the traffic-group active on the current BIG-IP system.

Conditions:
-- In a BIG-IP high availability (HA) configuration.
-- The HA configuration is Active-Active topology.
-- There are multiple traffic-groups, in which each device is active for one traffic-group.

Impact:
An incorrect next-hop in BGP is advertised for a traffic group in Active-Active deployment. Traffic for relevant advertised routes might go to a standby device.

Workaround:
Configure the floating address of a traffic group as the next-hop in its route-map.


564899 : During shutdown, csyncd may dump core

Component: Local Traffic Manager

Symptoms:
When csyncd exits during shutdown, it occasionally might leave a core dump.

Conditions:
This occurs during shutdown.

Impact:
None. csyncd is shutting down anyway; it just does so in an unclean manner. This is a cosmetic condition and does not indicate an issue with the system.

Workaround:
None.


564634-2 : Using the tmsh "edit" command to remove a monitor from a pool does not stop bigd from monitoring the pool

Component: Local Traffic Manager

Symptoms:
Using the tmsh "edit" command to remove a monitor from a pool does not stop bigd from monitoring the pool.

Conditions:
Remove a monitor from a pool using tmsh edit commands.

Impact:
bigd still monitors the pool.

Workaround:
None.


563933-3 : [DNS] dns64-additional-section-rewrite v4-only does not rewrite v4 RRs

Component: Local Traffic Manager

Symptoms:
A and AAAA RRsets in the additional section are dropped.

Conditions:
When dns64-additional-section-rewrite is 'v4-only' or 'v6-only'.

Impact:
Failure to include the additional RRs results in additional lookups by the client; for a resolver, these RRs could be glue records.

Workaround:
Set dns64-additional-section-rewrite to 'any'.


563687-1 : [DNS] dns64 behavior does not comply with RFC about how to treat RCODEs other than 'NO ERROR'

Component: Local Traffic Manager

Symptoms:
GTM/BIG-IP DNS forwards an AAAA response with an RCODE other than 3 to the client, instead of sending an A query to the server.

Conditions:
dns64 profile configured.

Impact:
The client application fails even though an A record is available from the GTM/BIG-IP DNS server.

Workaround:
None.


563651-1 : Web application does not work/works intermittently via Portal Access after upgrading BIG-IP to any new version.

Component: Access Policy Manager

Symptoms:
Web application does not work, or works intermittently, via Portal Access after upgrading BIG-IP to any new software version.

Conditions:
-- Web application via Portal Access.
-- Any modern browser, such as Chrome, Firefox, Safari, or MS Edge.
-- After upgrading BIG-IP.

Impact:
Various unexpected behaviors. For example, a custom intranet application link might experience intermittent failures through rewrite. This occurs because Portal Access does not support Storage areas (localStorage, sessionStorage). This might impact web-applications with content previously populated in Storage areas.

Workaround:
Possible workaround:
-- Clear browser cache manually after upgrading.


563587 : Javascript error in Safari browser when working with framed Cross-Domains website

Component: Application Security Manager

Symptoms:
When the ASM Client-Side Human User Indicator (CSHUI) script is injected into a page with frames, and some frames point to a domain that is different from the top window frame's, the Safari browser throws a JavaScript error similar to the following:

Blocked a frame with origin "http://172.16.32.64" from accessing a frame with origin "http://172.16.38.211". Protocols, domains, and ports must match.

Conditions:
-- CSHUI with framed Cross-Domains website in Safari.
-- Frames on the page point to a domain that is different from the top window frame's.

Impact:
Javascript error in Safari browser.

Workaround:
None.


563560-2 : Intermittent iStats reset

Component: TMOS

Symptoms:
iStats will intermittently be reset back to zero.

Conditions:
Repeatedly triggering an event that causes iStats to be archived, such as removing an iStat, removing a configuration object that has an iStat, or removing a custom-stat, may cause a reset.

Impact:
The iStat values will be reset to zero and then resume incrementing.

Workaround:
Avoid removing iStats or other events that trigger the resets.


563135-2 : SWG Explicit Proxy uses incorrect port after a 407 Authentication Attempt

Component: Access Policy Manager

Symptoms:
When the SWG Explicit Proxy is configured to perform a 407 Authentication Request, if the client accesses a non-standard HTTP port (e.g. http://www.example.com:8080) the first request after authentication will fail.

Conditions:
SWG Explicit Proxy configured
HTTP 407 Authorization configured in Per-Request Policy for authentication
Client requests a non-standard HTTP port in request

Impact:
The first request after authentication will fail.

Workaround:
If the user refreshes their browser request, subsequent requests will work as expected.


562292-3 : Nesting periodic after with parking command could crash tmm

Component: Local Traffic Manager

Symptoms:
If an iRule contains a periodic after command, and within this there is another periodic after command whose contents park, it can lead to tmm crashes.

Conditions:
A periodic after command is used, and within this there is another periodic after command whose contents park.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not nest periodic 'after' commands whose contents park.


561595-1 : Guest user cannot see Event Correlation details

Component: Application Security Manager

Symptoms:
Guest user cannot see Event Correlation details.

Conditions:
Log in as Guest

Impact:
Limited read access for guest users.

Workaround:
For guest user - there is no workaround, but if it is possible to log in as another user - then everything works.


561444-2 : LCD might display incorrect output.

Component: TMOS

Symptoms:
Incorrect LCD display due to garbled messages received from LCD panel.

Conditions:
This occurs in various situations. Multiple messages sent to LCD and user interaction on LCD seem to reproduce the issue.

Impact:
LCD may display incorrect data.

Workaround:
The LCD usually corrects itself eventually, but to restore it immediately to a good state, run the following command: bigstart restart fpdd.


560685-3 : TMM may crash with 'tmsh show sys conn'.

Component: Local Traffic Manager

Symptoms:
Although unlikely, the 'tmsh show sys conn' command may cause the tmm process to crash when displaying connections.

Conditions:
Although the conditions under which this occurs are not well understood, this is a rarely occurring issue.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
The only workaround is to not issue the command: tmsh show sys conn.


560231-2 : Pipelined requests may result in a RST if the server disconnects

Component: Local Traffic Manager

Symptoms:
If an HTTP client sends multiple pipelined requests before a full response is received, the HTTP filter buffers them and sends them one at a time to the server.

If the server ends the connection via a "Connection: Close" header, the HTTP filter ignores this and continues to send the next buffered request.

If the server then sends a FIN packet while that buffered request is in progress, the HTTP filter will send a RST packet to the client.

Conditions:
Multiple concurrent pipelined HTTP requests, and a back-end server that closes a connection while some requests are still buffered.

Oneconnect is not used.

Impact:
The client will receive a RST instead of a FIN packet.

Workaround:
There are two workarounds:
1) Enable OneConnect.
2) Use an iRule. If a "Connection: close" header exists in the HTTP_RESPONSE event, HTTP::close may be used to cleanly shut the connection down.


559916 : Corrupt MCP message causes crash in MCPConnection::sendMessage

Component: TMOS

Symptoms:
MCPd produces a core on both blades of a 2-blade guest after running 'tmsh show sys conn' a few times.

Conditions:
Unknown

Impact:
Failover

Workaround:
None.


559911 : Nondescriptive error when an application template upload fails on iApp load.

Component: TMOS

Symptoms:
Nondescriptive error when an application template upload fails on iApp load. The system posts a message similar to the following:
Loading configuration... /tmp/upload_template.tmpl Syntax Error:(/tmp/upload_template.tmpl at line: 1) "PK" unexpected argument

Conditions:
Uploading an incorrect file (e.g., a zip file instead of an iApp template).

Impact:
Difficult to determine the problem.

Workaround:
None.


559837-7 : Misleading error message in catalina.out when listing certificates.

Component: TMOS

Symptoms:
GUI logs 'Table not found' in catalina.out when some exceptions are returned before/at table creation. The exceptions are the actual cause of the failure.

java.sql.SQLException: Table not found: SSL_CERTIFICATES_0_1652477104084229 in statement [DROP TABLE ssl_certificates_0_1652477104084229].

Conditions:
This occurs when listing certificates, and exceptions are returned.

Impact:
1. Throws table creation exceptions when randomly generated table name contains invalid character ('-').
2. Misleading 'Table not found' message in catalina.out.

Workaround:
Refreshing the page might fix the invalid table name issue because doing so generates a new table name. In some situations a restart of tomcat and httpd may be required.


559584-4 : tmsh list/save configuration takes a long time when config contains nested objects.

Component: TMOS

Symptoms:
A configuration containing a number of nested objects takes a long time to list or save. For example, the tmsh listing time for a ~2 MB config can exceed 30 seconds.

Conditions:
Following is an example of nested objects in a config. If the config contains thousands of such virtual servers, it might take longer than 30 seconds to run either of the following commands:
-- tmsh list ltm virtual
-- tmsh save config

ltm virtual vs {
    destination 10.10.10.10:http
    ip-protocol tcp
    mask 255.255.255.255
    profiles { ::: nested object
        http { }
        http_security { }
        tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vs-index 26
}

Impact:
When commands take longer than 30 seconds to complete, iControlREST times out.

Workaround:
None.


559571 : Temporary negative bit-count on mgmt interface after LBH reset

Component: TMOS

Symptoms:
Temporary negative bit-count on mgmt interface after LBH reset.

Conditions:
Reset stats and an AOM reset.

Impact:
Minimal. After some traffic is passed via the mgmt interface, it comes back into the positive.

Workaround:
None.


559554-3 : CHD congestion control can have erroneous very large cwnd.

Component: Local Traffic Manager

Symptoms:
At times, CHD congestion control can store a very large congestion window, resulting in release of data well beyond that warranted by network conditions.

Conditions:
The client advertises a receive window less than 1 MSS, and CHD tries to decrease the window.

Impact:
Possible network congestion.

Workaround:
Change the congestion control algorithm from CHD to another algorithm.


559402-2 : Client initiated form based SSO fails when username and password not replaced correctly while posting the form

Component: Access Policy Manager

Symptoms:
Client-initiated form-based SSO fails when the username and password are not replaced correctly in the POST request. The reason is that client-initiated form-based SSO and the browser URL-encode special characters in the username/password differently, and the case-sensitive comparison fails to match the two URL-encoded values, so the SSO module adds the username and password to the token again. As a result, the password attribute/value pair appears twice, with both the f5-sso-token and the real password, and SSO fails.

Conditions:
When the password contains special characters such as [ or ].

Impact:
SSO fails because the password attribute/value pair appears twice in the token, with both the f5-sso-token and the real password.

Workaround:
No workaround


559100-1 : Unable to Import Certificate to a partition subfolder, message: Name cannot contain '/' nor '\'.

Component: TMOS

Symptoms:
UI prevents importing to sub-partitions a certificate with a forward slash in the name.

Conditions:
Create a sub-partition such as /Test/MyPartition and import a certificate with name /Test/MyPartition/myCertificate to target the /Test/MyPartition.

Impact:
Import operation fails. The system posts the following error: Name cannot contain '/' nor '\'. User cannot use the GUI to import a certificate in a sub partition.

Workaround:
For a certificate with a forward slash in the name, use tmsh to import it to a sub partition.


559080-2 : High Speed Logging to specific destinations stops from individual TMMs

Component: TMOS

Symptoms:
High Speed Logging to specific destinations stops from individual TMMs. The flows appear to have very large idle times. Attempting to delete the flows sets the idle time to zero, but does not kill the flow.

Conditions:
This appears to be the result of a failure on the part of the log destination (for example, a log server) wherein the server's TCP stack ACKs a FIN request from the TMM, but does not follow through with a matching FIN or RST. The logging code expects another timeout (essentially a FIN-WAIT2 timeout), but never receives one because the flow has already been marked as expired. As a result, the flow goes into a state in which it appears to be viable but is not actually delivering.

Impact:
Logs are silently lost.

Workaround:
Create an additional virtual server to act as a proxy for the log server, and send the logs to this virtual server. This essentially uses the TMM itself as a sanitizing proxy.


559048 : "Request violation" details are blank in /var/log/asm

Component: Application Security Manager

Symptoms:
"Request violation" details are blank in /var/log/asm

Conditions:
ASM provisioned

Impact:
"Request violation" details are blank in /var/log/asm

Workaround:
bigstart restart asm


558893-1 : TMM may fail to forward FTP data connections when multiple PORT/EPRT commands are used in succession referring to the same IP/PORT

Component: Local Traffic Manager

Symptoms:
TMM may fail to forward FTP data connections when PORT/EPRT commands are used in succession referring to the same IP/PORT.

Conditions:
An FTP virtual server is configured with an FTP profile that has inherit-parent-profile disabled.
A client sends an EPRT command and then a PORT command referring to the same IP/PORT.

Impact:
TMM may reset the connection in some cases.

Workaround:
Change the ftp profile to enable the inherit-parent-profile option.


557513 : Monitor description containing escape characters could get double-escaped

Component: Local Traffic Manager

Symptoms:
When creating a monitor whose description contains escape characters, they get double-escaped.

Example:
root@(v11-5-01)(cfg-sync Disconnected)(Active)(/Common)(tmos)# create ltm monitor http http_foobar description \@\#\$\@\#\$\@\#\$\@\#\$\@\#\$
root@(v11-5-01)(cfg-sync Disconnected)(Active)(/Common)(tmos)# list ltm monitor http http_foobar
ltm monitor http http_foobar {
    defaults-from http
    description "@\\#\\$@\\#\\$@\\#\\$@\\#\\$@\\#\\$"

Conditions:
Creating monitors with escape characters in the description

Impact:
Description contains extra backslashes.


557452-3 : Messages logged when the CAN daemon (cand) receives unsolicited data

Component: TMOS

Symptoms:
When the log filter is configured to filter at the 'Informational' log level, the logs can get filled with 'request for unsolicated data' messages. These messages appear in the log every 20 seconds.

Conditions:
This occurs when using a remote syslog logging filter with the 'Severity' field set to 'Informational'.

Impact:
Logs fill with messages. These messages are related to communication with the CAN daemon (cand), and are completely benign, so you can safely ignore them.

Workaround:
Change the remote syslog logging level to 'Notice'.


557155-1 : BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.

Component: TMOS

Symptoms:
BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.

Conditions:
Sustained high packet rate with a very small payload.

Impact:
Traffic through the guest stops until the guest/BIG-IP system is reset. However, this issue was reproduced during a test that over-provisions a 2-vCPU guest, and it is unlikely to happen in normal operation.

Workaround:
Try one of the following workarounds (the first is the most preferred, and so on):
1. Increase guest memory.
2. Significantly reduce the value in '/sys/module/unic/rx_queue_size'. For example, running the following command substantially decreases throughput: echo 1048576 > /sys/module/unic/rx_queue_size.
3. Set panic on OOM. Try this as the last option.
   sysctl vm.panic_on_oom=1


557079 : 'gtmd' daemon is not visible in daemon-ha list command

Component: TMOS

Symptoms:
On the VIPRION B2250 blade, running 'tmsh list sys daemon-ha' does not show gtmd, even though gtmd is provisioned and running, as confirmed by 'tmsh show sys service gtmd'.

Conditions:
This occurs on VIPRION B2250 blades.

Impact:
gtmd not listed in daemon-ha table.


555464-1 : HA channel flapping will cause SessionDB memory leak on standby due to unexpired entries

Component: TMOS

Symptoms:
SessionDB memory leak on a standby in the HA pair due to HA channel flapping causing failure of expiry messages.

Conditions:
SessionDB in use, HA channel errors

Impact:
Slow memory leakage on the standby

Workaround:
Alleviate the HA flapping and then restart the standby.


555343-2 : tmm may crash in fastl4 tcp virtual server

Component: Local Traffic Manager

Symptoms:
tmm may crash if it receives a fragmented packet on a fastl4 tcp virtual server.

Conditions:
fastl4 tcp virtual server
fragmented packet arrives

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Enable option "Reassemble IP Fragments" in the fastl4 profile.


554774-3 : Persist lookup across services might fail to return a matching record when multiple records exist.

Component: Local Traffic Manager

Symptoms:
Persist lookup across services might fail to return a matching record when multiple records exist.

Conditions:
Persistence profile with 'match-across-services' enabled, and the configuration contains multiple records that correspond to the same pool.

Impact:
Connection routed to unexpected pool member.

Workaround:
None.


554659-1 : Configurable maximum message size limit for restjavad

Component: Device Management

Symptoms:
If the client issues a request to iControl REST that results in a large amount of data (approx. 200 MB), restjavad goes into an out-of-memory condition when attempting to serialize the response prior to returning it to the client.

Conditions:
A message is received by restjavad that is larger than the total free heap space. The most common cause is that the system sends a board query to icrd, which returns a very large response (approx 200 MB).

Impact:
restjavad becomes unresponsive until it is rebooted.

Workaround:
This fix exposes the maximum message size limit and allows a Network operator to change it by posting to a new configuration worker. An example is included below. The actual value varies by installation - load, average message size etc. Set it too low and the clients will receive 5xx errors even though there is sufficient memory. Set it too high and dangerously-large messages do not get dropped and might cause an out-of-memory exception. 5 MB is a recommended starting value.

An example of setting the maximum message body size to 5kB (5000 bytes) on a machine called 'green.' The password needs to be changed appropriately.

    curl -s -k -u admin:PASSWORD -H "Content-Type: application/json" \
        -H 'Connection: keep-alive' -X PUT \
        "https://green/mgmt/shared/server/messaging/settings/8100" \
        -d '{"maxMessageBodySize": "5000" }'


554444-5 : LTM Policy resets connection when removing non-existent HTTP header

Component: Local Traffic Manager

Symptoms:
Customer might notice that certain HTTP requests would be prematurely terminated without seeing a response.

Conditions:
This occurs when an LTM Policy is defined to remove an HTTP header from a request or response, but the request or response does not contain the specified header.

Impact:
The connection gets reset, client does not see response.

Workaround:
As a possible mitigation, if the HTTP header to be removed has narrowly-defined expected value, it may be possible to add a condition that effectively tests for the existence of a header. For example, instead of unconditionally removing the Server: header from a response, a condition could be added to check whether the Server: header contains "Apache", or even if it contains the letter 'a', or even any letter or number.


554295-5 : CMP disabled flows are not properly mirrored

Component: Local Traffic Manager

Symptoms:
A client connection to a virtual server configured for 'cmp-enabled no' and 'mirror enabled' will be dropped if the standby unit is promoted to active.

Conditions:
The virtual server is configured for 'cmp-enabled no' and 'mirror enabled' on multiple BIG-IP appliances peered in a high availability configuration.

Impact:
Mirroring does not work as expected on BIG-IP appliances.

Note: CMP is required on VIPRION chassis, so this expectation applies only to appliances.

Workaround:
Do not disable CMP on virtual servers that are mirrored.


553830-3 : Use of OneConnect may result in stalled flows

Component: Local Traffic Manager

Symptoms:
Stuck serverside flows that do not expire

Conditions:
A server-side flow expires while the client side is closing, with OneConnect in use.

Impact:
Excessive memory usage, tmm can crash.

Workaround:
Disable OneConnect. This can also be mitigated by ensuring the server-side idle timeout is not set lower than the client profile's fin-wait timeout while using OneConnect.


553614-2 : Modification to parent clientssl CKC is not consistently reflected in the child clientssl profile

Component: Local Traffic Manager

Symptoms:
If the cert is modified in the parent client-ssl profile, and inherit-certkeychain is set to TRUE in the child client-ssl profile, the system adds the parent CKC (cert-key-chain) to the child client-ssl profile instead of changing it to the same value as the parent's.

Conditions:
1. Set inherit-certkeychain to TRUE in the child client-ssl profile.
2. Change the Parent CKC value.

Impact:
Parent cert-key-chain is added to the client-ssl profile instead of changing it to the same value as the parent's value. Certificate validation can fail if it is not in the chain.

Workaround:
1. Manually fix the CKC of the child client-ssl profile.
or
2. Set inherit-certkeychain to False in the child client-ssl profile.


553521-2 : TMM crash when executing route lookup in tmsh for multicast destination

Component: Local Traffic Manager

Symptoms:
Running 'tmsh show net route lookup 224.0.0.1' crashes TMM.

Conditions:
always

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid route lookups of multicast destinations from tmsh. It should be possible to use 'ip route show' instead. tmsh should still work for unicast routes.


553446-2 : Interface bfd session does not appear in configuration file or in show running-config

Component: TMOS

Symptoms:
When a Bi-Directional Forwarding Detection (BFD) session is configured for an interface, the bfd session command does not appear in the show running config or in the configuration file. However, running show bfd session command shows that a session is configured.

Conditions:
Interface bfd session between two nodes.

Impact:
Cannot determine whether a bfd session is configured. Further, because it is not saved in the configuration file, the bfd session configuration is lost when the system restarts the protocol.

Workaround:
None.


552797 : Login/logout using Safari presents 'server drop connection' message.

Component: Access Policy Manager

Symptoms:
After logging in to the BIG-IP system using the Safari browser and then clicking the "Logout" button, the system posts an error similar to the following:
Safari can not open the page because server drop connection.

Conditions:
Logging in to the BIG-IP system using the Safari browser and then clicking the "Logout" button.

Impact:
Minimal. The error stays for 30 seconds, and then the page refreshes, posting the expected logout page.

Workaround:
None.


552585-2 : AAA pool member creation sets the port to 0.

Component: TMOS

Symptoms:
When the AAA server pool member is created (for RADIUS mode BOTH and for AD), the port is set to 0 (Any), as there is more than one port for that pool member.

Conditions:
Create AAA pool member while creating an AAA RADIUS server or Active Directory server. The created pool member does not support the ability of having multiple port numbers and for that reason is updated with 0 (Any) as the port number for the pool member. If the user continues to modify using the Admin UI, the port changes made using tmsh will be overwritten again to 0.

Impact:
The AAA pool member port is set to 0 (Any) rather than the port specified in the GUI. This is correct, as the pool member does not support more than one port number.


552571 : DWA 8.5 with Safari on Mac OS X 10.11 : check names does not work

Component: Access Policy Manager

Symptoms:
For Domino Web Access 8.5 with Safari on Mac OS X 10.11, check names does not work.

Conditions:
Steps to Reproduce:
1. Create new message.
2. Enter the beginning of recipient name and press Check Names.
3. If there are some users whose names start with the same substring, a screen displays with possible names; select one of them.

Step 3 fails with APM reverse proxy: no window pops up with the possible names.

Impact:
The user is unable to use the 'check names' functionality.

Workaround:
There is no workaround at this time.


552278 : Inconsistent behavior on IP TTL handling between ePVA and tmm for Fast L4 flows.

Component: TMOS

Symptoms:
Fast L4 proxy operates in TTL decrement mode. That means that for Fast L4 software-transformed flows (that is, no PVA acceleration) the system decrements TTL by 1 during the transform. In comparison, for the ePVA assisted flows, the system operates in preserve mode (no TTL change).

Conditions:
For all ePVA assisted flows.

Impact:
Inconsistent behavior on IP TTL handling between ePVA and tmm for Fast L4 flows: TTL is not decremented for ePVA assisted flows, but TTL is decremented for flows without hardware acceleration.

Workaround:
Disable hardware acceleration to see TTL decrements.


551849-2 : If 1 tmm gets more than 1 Mpps then the 1m stats in dos_stats can be wrong

Component: Advanced Firewall Manager

Symptoms:
If a single tmm with AFM DoS enabled receives more than 1 Mpps, the stats_1m value in dos_stats (the average pps over the previous 60 seconds) can be wrong. This can cause a DoS attack to be detected sooner than it should be.

Conditions:
AFM DoS is configured and provisioned, and any single tmm receives more than 1 Mpps of a traffic kind for which DoS attack detection is configured. This can cause the 1-minute average stats to be wrong.

Impact:
The 1-minute stats will be wrong, and AFM could detect a DoS attack before the traffic actually reaches the configured threshold.

Workaround:
None.


551635-1 : pccd crash when loading firewall config with mixed IPv4 and IPv6 addresses in the same rule

Component: Advanced Firewall Manager

Symptoms:
pccd crashes when loading a firewall config with mixed IPv4 and IPv6 addresses in the same rule.

Conditions:
If the firewall config contains rules with mixed IPv4 and IPv6 addresses in the same rule (either as source addresses or destination addresses), pccd may crash.

Impact:
pccd crash.

Workaround:
Separate addresses of different address families into separate rules. In other words, each firewall rule should contain only IPv4 or only IPv6 addresses.


551454-2 : Edge client sends repeated HTTP probe to captive portal probe URL for mis-configured server

Component: Access Policy Manager

Symptoms:
The Edge client sends repeated HTTP probes to the captive portal probe URL for a mis-configured server. This has no functional impact on the end user.

Conditions:
The end user specifies an incorrect VPN server URL in the Edge client.

Impact:
None. This has no functional impact on end user.

Workaround:
Specify the correct server URL in the Edge client.


550926-6 : AFM rule with "unknown" source Geo-entity stops functioning when another entity (geolocation or otherwise) is added to the same list of addresses in the rule

Component: Advanced Firewall Manager

Symptoms:
When an AFM rule is configured with the "unknown" geographic location, the rule stops functioning when another entity (geolocation or IP address) is added to the same list of addresses in the rule.

Conditions:
Configure an address list of an AFM rule with the "unknown" source Geo-entity and at least one other entity (geolocation or IP address).

Impact:
Confusing, inconsistent, and apparently broken behavior.

Workaround:
Do not configure "unknown" geographic locations as one of the entities in an address list. Known geographic locations work correctly.


550653 : Errant DNS Express database log message.

Component: Global Traffic Manager (DNS)

Symptoms:
Upon initial system configuration or whenever the DNS Express database is recreated, the log message "Failed to reload dns-express db (Open)." may display in the ltm log for a short period of time. The message indicates that tmm attempted to load the database before it was written to disk. This error message is only of concern if it is persistent.

Conditions:
This error message may occur upon initial system configuration or if the DNS Express database has been regenerated.

Impact:
There is no impact to the system.


550204-1 : Any AFM Management Port rules disappear from iptables upon 'bigstart restart iptables'

Component: Advanced Firewall Manager

Symptoms:
Any AFM Management Port rules disappear from iptables upon 'bigstart restart iptables'.

Conditions:
-- Issuing the command: bigstart restart iptables.
-- AFM configured.

Impact:
AFM Management Port rules disappear from iptables.

Workaround:
Before issuing the command 'bigstart restart iptables' issue the following command:

 /sbin/iptables-save > /etc/sysconfig/iptables


550133 : OPSWAT fails for Mac OS and Sophos AV version 9.4

Component: Access Policy Manager

Symptoms:
OPSWAT fails for Mac OS and Sophos AV version 9.4

Conditions:
Update Sophos Antivirus software to v9.4.0.

Impact:
AV Check fails.

Workaround:
None.


549569-1 : tmm may crash when a memory allocation fails.

Component: Local Traffic Manager

Symptoms:
tmm may crash when a memory allocation fails.

Conditions:
A memory allocation failure that occurs with incompletely constructed RX queues.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


548611-2 : Memory protection strategies can conflict

Component: Local Traffic Manager

Symptoms:
The TMM has three mechanisms to protect memory usage when under pressure: the sweeper responds to low memory with a variety of strategies such as killing idle flows; memory reaping is activated to restore memory to the system; and tcp random early drops are activated if configured.

Since all three target the same memory levels by default, it is possible for all three to activate at once and victimize more flows than required.

In addition, a flaw in the random early drop logic could cause unpredictable behavior.

Conditions:
Always.

Impact:
More flows are victimized than necessary when under memory pressure. One symptom is a large number of random early drops; another is memory usage hovering right near the sweeper's low-water mark, causing new flows to encounter the random early drop limits almost immediately.

Workaround:
The sweeper's low-water mark can be adjusted, along with the tm.tcpmemorypressure.hiwater and tm.tcpmemorypressure.lowater variables, so that they are not all at the same level; this alleviates most symptoms of this issue.


548175-3 : Idle timeout may be replaced by the TCP handshake timeout on CMP-demoted Fast L4 virtual servers.

Component: TMOS

Symptoms:
In certain circumstances, CMP-demoted Fast L4 virtual servers may intermittently and incorrectly use the TCP handshake timeout instead of the configured idle timeout.

Conditions:
- CMP-demoted Fast L4 virtual servers.

Impact:
Connections may be reset earlier or closed at an unexpected time.

Workaround:
Ensure that the virtual server is not CMP demoted. To do so, do one of the following:
-- CMP-enable the virtual server.
-- Correct any iRules that CMP-demote the virtual server. See SOL13033: Constructing CMP-compatible iRules at https://support.f5.com/kb/en-us/solutions/public/13000/000/sol13033.html


547692-1 : Firewall-blocked KPASSWD service does not cause domain join operation to fail

Component: Access Policy Manager

Symptoms:
The KPASSWD service runs on tcp/464 and udp/464. If both of these ports are blocked, the BIG-IP system cannot set the machine account password for the newly created machine account. However, there is also a bug on the BIG-IP system, which fails to report this failure back to the administrator.

Because the machine account itself is created successfully on the Active Directory side (without the correct password), and because the BIG-IP system fails to report the KPASSWD failure, the domain join operation appears to have worked perfectly.

However, since the password is never set on the Active Directory side, the machine account is effectively unusable: the BIG-IP system can never establish a working SCHANNEL with the Active Directory server because of the password mismatch.
creation is LDAP (+ Kerberos GSS-API with SASL binding), the machine account itself is generated. Furthermore, because setting the machine account password is not an operation the administrator performs, this situation obscures the fact that KPASSWD is failing: the AD server never receives the request, so it never logs a failure, while the BIG-IP system fails to detect the KPASSWD failure. From the administrator's point of view, the domain join appears to have worked perfectly.

Conditions:
Of the DNS, LDAP, KERBEROS, and KPASSWD services required for the domain join operation, only KPASSWD is blocked.

Impact:
The created machine account is effectively unusable due to the password mismatch, and the BIG-IP system can never establish a working SCHANNEL, so the NTLM authentication feature does not work.

Workaround:
Allow KPASSWD traffic to reach the Active Directory server.


546231 : aced crashes occasionally while shutting down

Component: Access Policy Manager

Symptoms:
An aced core file might be generated when it tries to terminate.

Conditions:
Any time the aced process tries to exit, for reasons including:
1. Receiving a SIGTERM signal;
2. An MCP query or process notification error.

Impact:
There is no impact to normal aced service. This crash only happens when aced is trying to shut down.

Workaround:
No workaround available.


545946-3 : Vlangroup may have its MAC address set to 02:00:00:00:00 on first configuration load

Component: TMOS

Symptoms:
Transparent/translucent Vlangroup may have its MAC address set to 02:00:00:00:00 on either the first configuration load after an upgrade or on a manual mcpd db clear/reload.

Conditions:
A transparent/translucent vlangroup is configured.
The system is upgraded to a later version (11.3.0 through 12.1.0), or the mcpd DB binary is deleted manually.

Impact:
The vlangroup MAC address is incorrect and can adversely affect traffic traversing the vlangroup.

Workaround:
Reload the configuration or alter the vlangroup configuration, e.g., toggle it back and forth between transparency modes.


545856 : Java VM crash while monitoring DB

Component: Local Traffic Manager

Symptoms:
The Java VM crashed while attempting to monitor the proper functioning of a DB.

Conditions:
Unknown

Impact:
One known occurrence. Failure affects a single attempt at monitoring the DB.

Workaround:
Based on the information available, this failure is not persistent. A single attempt at monitoring the DB failed and proper functioning resumed without intervention.


545799-3 : Dashboard fails to export derived throughput history

Component: TMOS

Symptoms:
Dashboard fails to export derived throughput history.

Conditions:
Exporting derived throughput history in the Dashboard.

Impact:
The derived stats are not included in the export file.

Workaround:
The derived stats can be calculated from the exported raw stats.


545796-1 : [iRule] [Stats] iRule is not generating any stats for executed iRules.

Component: Local Traffic Manager

Symptoms:
No stats are generated for executed iRules when a rule is removed/edited and then re-added to the virtual server.

Conditions:
This occurs when the following steps are taken:
1. Remove/edit an iRule that is attached to a virtual server.
2. Pass traffic to the virtual server.
3. Add the iRule back to the virtual server.

Impact:
No iRule usage stats available.

Workaround:
None.


545214-4 : OSPF distance command does not persist across restarts.

Component: TMOS

Symptoms:
When ospfd is restarted, the value configured for the OSPF distance command is lost.

Conditions:
The distance command is configured in OSPF and the ospfd process is restarted.

Impact:
The distance command does not function as configured, which affects OSPF behavior.

Workaround:
None.


544958 : Monitors packets are sent even when pool member is 'Forced Offline'.

Component: Local Traffic Manager

Symptoms:
If a pool member is associated with more than one virtual server and the pool member is marked Forced Offline, the pool monitor continues to run if the monitor is assigned to both pools.

Conditions:
This applies to pools containing identical members, with pool monitoring configured, where the pool members are Forced Offline.

Impact:
Monitor packets are sent even when the pool member is 'Forced Offline'.

Workaround:
None.


544033-1 : Fragmented ICMP Echo to Virtual Address may not receive response

Component: Local Traffic Manager

Symptoms:
In a very specific scenario, the response to an IPv4 ICMP Echo sent to a Virtual Address may not reach the originator.

Conditions:
- The client network MTU is lower than the MTU of the BIG-IP system's ingress VLAN.
- The client's ICMP Echo is larger than the client's MTU and is fragmented.

Impact:
The response is not received at the client.

Workaround:
In certain version 11.x/12.x environments, it may be acceptable to disable Path MTU discovery.
If it is, this can be worked around by disabling the following DB key:
tmsh modify sys db tm.pathmtudiscovery value disable

Note: this workaround is not possible in BIG-IP software versions 10.x; 10.x has no workaround.


543344-2 : ACCESS iRule commands do not work reliably in HTTP_PROXY_REQUEST event

Component: Access Policy Manager

Symptoms:
When a BIG-IP system is configured as an explicit HTTP proxy, ACCESS iRule commands do not work reliably in HTTP_PROXY_REQUEST. The issue arises because ACCESS iRule commands locate the associated session ID from the connection itself in one of two ways: either the session ID is embedded in the request, or the connection has previously been processed by ACCESS. When neither condition is satisfied, the ACCESS iRule command cannot find the associated session ID.

Conditions:
ACCESS iRule commands such as ACCESS::session data get/set and ACCESS::session exists are used in HTTP_PROXY_REQUEST, the session ID is not provided by the caller, and the caller expects the session ID to be resolved internally.

Impact:
Whenever ACCESS iRule commands cannot find the associated session ID, they are processed as if the caller had provided an empty session ID in the arguments. As a result, the ACCESS iRule commands return an empty result.

Workaround:
If possible, use ACCESS_ACL_ALLOWED as the event for the iRule, since the session ID is known at that point. This works for a BIG-IP system configured as either a reverse proxy or a forward proxy.


542636 : APM logon page copyright should show the current year

Component: Access Policy Manager

Symptoms:
The APM logon page shows a copyright date of 1999-2014.

Conditions:
-- APM logon page.
-- Running v11.5.3.

Impact:
Incorrect copyright date.

Workaround:
Go to Customization, select the profile, and change the footer text.


542292-3 : GUI might cause MIB files to be uncompressed when downloading from GUI with Chrome.

Component: TMOS

Symptoms:
In certain circumstances the BIG-IP GUI might cause MIB files to be served uncompressed, but with tar.gz extension.

Conditions:
Use Chrome to download BIG-IP MIB files from the GUI.

Impact:
MIB files are uncompressed.

Workaround:
Do not attempt to uncompress the MIB files further if they were downloaded with Chrome. Simply untar them and use as normal. Renaming the file may help avoid further confusion.


542191-3 : snmpd v1 and v2c view-based access.

Component: TMOS

Symptoms:
SNMP v3 allows 'views' to be created. A view can be a union of multiple sub-branch OID access config statements, and users/groups can then be assigned to a view.

Conditions:
If more than one snmpd view is specified per community string, the second view is not accessible. Note: a view is a portion of a MIB tree defined by an OID.

Impact:
The BIG-IP system does not support this view configuration. If multiple views are created using lines of the form: rouser USER [noauth|auth|priv [OID]], the system adds only one of them to the snmpd.conf file.

Workaround:
Multiple views with the same community string are not supported.


542009-3 : tmm might loop and get killed by sod when the system tries to process an invalid-message-length MPI message.

Component: Local Traffic Manager

Symptoms:
tmm might loop and get killed by sod when the system tries to process an invalid-message-length MPI message. You might notice the following in /var/log/ltm prior to the core:
notice MPI stream: connection to node nodedadress expired for reason: Internal error (bad magic) (mpi_proxy.c:664)

Conditions:
This is an internal condition related to TMMs passing messages between each other. The cause of the invalid internal message is unknown.

Impact:
tmm might loop, using 100% of CPU, and eventually get killed by sod.

Workaround:
None.


541916 : tmm segfault: hud_process_upper

Component: Local Traffic Manager

Symptoms:
The tmm fails with a segmentation fault in hud_process_upper.

Conditions:
This is a rarely occurring issue whose causes are not well understood.

Impact:
The tmm fails and restarts.

Workaround:
None.


541693-1 : Monitor inherits time-until-up and up-interval from parent incorrectly via GUI

Component: TMOS

Symptoms:
Monitors inherit incorrect time-until-up and up-interval from parent.

Conditions:
Create a parent monitor with non-default time-until-up and up-interval values. Using the GUI, create a child monitor.

Impact:
The child monitor's time-until-up interval value is set to default (0). The up-interval value is incorrectly inherited from the parent.

Workaround:
Set the time-until-up value for the child to the desired value.


541622-3 : APD/APMD Crashes While Verifying CAPTCHA

Component: Access Policy Manager

Symptoms:
APD (pre v12.0.0) or APMD (v12.0.0) crashes in a libcurl function when verifying a CAPTCHA.

Conditions:
This issue shows up when multiple sessions are being verified for CAPTCHA at SimpleLogonPageAgent.

Impact:
The authentication service is disrupted until APD/APMD restarts.


541320-4 : Sync of tunnels might cause restore of deleted tunnels.

Component: TMOS

Symptoms:
After a full load sync, tunnels may be spuriously added to the default route domain for the partition that contains them.

Conditions:
Viewing tunnels after a full load sync.

Impact:
This might result in a deleted tunnel being restored to the configuration.

Workaround:
None.


539832-2 : Zebos: extended community attributes are exchanged incorrectly in BGP updates.

Component: TMOS

Symptoms:
1. BGP is not sending extended community attributes in BGP Updates to its neighbors in versions prior to 11.6.0.
2. BGP is unable to accept new BGP UPDATE messages that contain extended communities from its neighbors in version 11.6.0 and later.
3. On the sending neighbor, the route-map is reapplied to the prefix every time the connection is torn down by the neighbor, resulting in an ever increasing extended community list.

Conditions:
Configure BGP extended community attribute.

Impact:
Loss of, or incorrect, information related to the extended community attribute.

Workaround:
None.


539199-2 : HTML filter is truncating the server response when sending it to client

Component: TMOS

Symptoms:
The response to the client is truncated.

Conditions:
This occurs when a server sends a compressed response on a flow that has an HTML profile. A compressed response may not be a strict prerequisite; it may simply expose the issue more readily because inflation is asynchronous.

Impact:
The response is truncated when it reaches the client.

Workaround:
None.


539026-2 : Stats refinements for reporting Unhandled Query Actions :: Drops

Component: Local Traffic Manager

Symptoms:
There are five drop down sections for Unhandled Query Actions:
Allow
Drop
Reject
Hint
No Error

but in statistics page, there are only four Unhandled Query Actions:
Drops
Rejects
Hints
No Errors

Drops refers to the dropped packets for the system as a whole, not specifically for Unhandled Query Actions. It would be clearer if there were one dropped-packets stat for the system and another specifically for Unhandled Query Actions, and also a stat for Allow packets under Unhandled Query Actions.

Conditions:
Statistics pages for Unhandled Query Actions :: Drops.

Impact:
May be confusing to determine what the statistics mean.

Workaround:
None.


539018-2 : TMM stack trace when killed by monitoring process when stuck in loop always logged in parent TMM thread log file.

Component: Access Policy Manager

Symptoms:
When TMM is stuck in a loop and killed by the monitoring process, its stack trace is always logged in the parent TMM thread's log file instead of the looping TMM thread's log file.

Conditions:
TMM stuck in a loop and aborted by monitor process.

Impact:
It is unclear which TMM thread was looping and caused the crash and failover.


537213-3 : Second push is required after deactivating Active Security Policy and Sync flag indicates "In Sync" status

Component: Application Security Manager

Symptoms:
Changes made to security policies are not synced to peer. The sync status says "In sync" but the policy changes have not been made.

Conditions:
This occurs when making changes to security policies with policies on each device in a sync-only ASM device group.

Impact:
Changes are not propagated to the other devices in the sync-only device group, yet the sync status says it is in sync (the sync-failover group will say changes are pending). If you perform a second sync, the changes are pushed to the other devices.

Workaround:
Performing a second sync will push the changes to the other devices.


537209-1 : Fastl4 profile sends RST packet when idle timeout value set to 'immediate'

Component: Local Traffic Manager

Symptoms:
When a virtual is configured with a Fastl4 profile and the idle timeout value is set to 'immediate', traffic is handled improperly and a RST is issued.

Conditions:
A virtual is processing traffic that contains a Fastl4 profile with idle timeout set to 'immediate'.

Impact:
Traffic is Reset on a virtual where it should properly handle the traffic.

Workaround:
Avoid using the 'immediate' setting for the idle timeout value on a Fastl4 profile.


536724 : Policy Sync Status stuck at "Initiated" when syncing to a subgroup after syncing to the parent group

Component: Access Policy Manager

Symptoms:
Policy sync status of source device gets stuck at "Initiated" and never transitions to completed.

Conditions:
1. Create two sync-only device groups so that one contains all the members of the other.

2. Initiate a policy sync to the bigger group.

3. Initiate a policy sync to the smaller group.

Impact:
Policy sync cannot complete and status remains "Initiated".


536563-4 : Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' or 'No flow found for ACK' on subsequent packets.

Component: Local Traffic Manager

Symptoms:
Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' on subsequent packets.

Conditions:
This occurs when the existing connection is closing while waiting on an ACK to the last FIN.

Impact:
Unexpected RSTs (Clientside).

Workaround:
None.


535904-3 : BD crashes when attempting to access a closed connection

Component: Application Security Manager

Symptoms:
The Enforcer Application system generates a BD core file to the /shared/core directory.

Conditions:
One or more of these features is turned on: session tracking, web scraping, ICAP, or ASM iRules. The client side or the server side prematurely closes the connection.
Some load is present on this traffic.

Impact:
The Enforcer Application system may temporarily fail to process traffic.

Workaround:
N/A


535857-1 : When binary database is not present, during mcp load, unexpected creation of VLAN membership in 'cist' STP singleton

Component: Local Traffic Manager

Symptoms:
When a user removes a VLAN from an STP instance, it appears in STP instance 0. This is by design.

Conditions:
Deleting a VLAN from an STP instance.

Impact:
Minor: VLANs deleted from an STP instance do not "disappear"; they are instead added to STP instance 0.


535714 : Policy creation error after resolving LSO in policy sync for a big policy

Component: Access Policy Manager

Symptoms:
An error dialog with the title "Policy Creation Error" and the text "Request timeout Status text communication failure" pops up after resolving LSOs and clicking the "Finish" button.

Conditions:
- Import or create a big policy, e.g., 2.7 MB for the .conf file and 1.6 MB for the resources in the res directory, with 1100 ACLs containing 9600 ACL entries.

- Initiate a policy sync, resolve LSOs, and click "Finish".

Impact:
The GUI does not recover.

Workaround:
Run the following shell command from the console:

bigstart restart tomcat


535122-7 : tmsh create sys ssl-cert command does not add .crt extension.

Component: Local Traffic Manager

Symptoms:
The "tmsh create sys file" command (and also iControl REST) does not add the appropriate extension when creating a key/cert/csr/crl.

Conditions:
When using the tmsh command "tmsh create sys file".

Impact:
The key/cert/csr/crl file extensions are missing, and the created SSL certificate cannot be archived. A "Not found" error is displayed when trying to archive it in the GUI.

Workaround:
Include the .crt extension in the file name when importing the certificate using tmsh.


534890-3 : When using session tickets, the session id sent might be incorrect

Component: Local Traffic Manager

Symptoms:
Under some circumstances, when SSL session is resumed using session tickets, the BIG-IP system might send an incorrect session id.

Conditions:
Session tickets are enabled.

Impact:
The session id sent might be incorrect.

Workaround:
Do not enable session tickets.


534373-1 : Some text in the French-localized Edge Client on Windows has grammatical errors

Component: Access Policy Manager

Symptoms:
Grammatically incorrect text is displayed in Edge Client UI localized for French language.

Conditions:
The French-localized version of the Edge Client is used.

Impact:
Branding.

Workaround:
None.


533900-2 : Extra Proxy on Image Size Change

Component: WebAccelerator

Symptoms:
When using AAM with image optimization, if an image that is large enough to be stored in datastor is replaced with one that is small enough to fit into the small object cache, AAM proxies to the OWS one additional time before starting to serve the image from cache.

Conditions:
AAM, image optimization, and a change in image size on the OWS.

Impact:
One additional proxy after the larger image is replaced with the smaller one.

Workaround:
None.


533790-2 : Creating multiple address entries in data-group might result in records being incorrectly deleted

Component: TMOS

Symptoms:
Using the GUI to create multiple address entries in a data-group might result in records being incorrectly deleted.

Conditions:
Creating multiple address entries in a data-group via the GUI.

Impact:
Through the GUI, IP addresses cannot be added to or removed from existing data groups without affecting existing IP addresses.

Workaround:
Use TMSH to add/remove IP addresses from existing data groups.


532915-2 : No validation error attempting to modify a record in an external data-group using iControl SOAP.

Component: TMOS

Symptoms:
As a result of changes to data-groups between versions 10.x and 11.x, records in external data-groups may not be modified. This restriction was enforced in tmsh, but was not propagated to iControl SOAP.

Conditions:
Attempt to modify a record in an external data-group using iControl SOAP.

Impact:
No validation error is returned.

Workaround:
None.


532904-1 : Some HTTP commands fail validation when they are in a proc and the proc is called from another proc

Component: Local Traffic Manager

Symptoms:
The following HTTP commands fail validation:

HTTP::uri
HTTP::version
HTTP::header
HTTP::method

Validation fails with the following error:
HTTP::uri command in a proc in rule (<the rule>) under event at virtual-server (<the virtual>) does not satisfy cmd/event/profile requirement.

Conditions:
The command is in a proc, and that proc is called from another proc.

Impact:
Config load fails.

Workaround:
Call the proc directly from the iRule, instead of from another proc.


530927-1 : Adding interfaces to trunk fails if trunk and interfaces are forced to lower speed

Component: TMOS

Symptoms:
If a trunk is created from interfaces that are running at lower than their maximum speed (e.g., 100 Mbps full duplex on 1GbE links), adding a new interface fails.
When this occurs, the system posts an error similar to the following:
01070619:3: Interface 1.4 media type is incompatible with other trunk members.

Conditions:
Interfaces are set to a lower speed than their capacity.
A trunk is created in which the highest speed of any member is this reduced speed.
Another interface, also set to the lower speed, is added to the trunk.

Impact:
Interface cannot be added to the trunk.

Workaround:
Remove all interfaces, then re-add them all at the same time.


530877-6 : TCP profile option Verified Accept might cause iRule processing to run twice in very specific circumstances.

Component: Local Traffic Manager

Symptoms:
A specific combination of configuration options might cause iRule processing to run the CLIENT_ACCEPTED event twice.

If the iRule contains a suspending command, the system may eventually stop accepting connections to any TCP virtual servers that have the Verified Accept option enabled.

Conditions:
This occurs when all of the following conditions are met:
- A Standard virtual server is configured.
- The virtual server is configured with a TCP profile in which Verified Accept is enabled.
- The client sends its initial data on the ACK of the three-way handshake.

Impact:
Depending on the scenario, this might:
- Result in the specific connection being reset.
- Eventually result in TMM being unable to process any further connections to virtual servers with Verified Accept enabled.

Workaround:
You can use the following workarounds:
- Disable Verified Accept in the TCP profile.
- Modify the iRule to run the commands in the CLIENT_ACCEPTED event once, by setting a variable and checking whether the variable has been set on subsequent runs.


530530-4 : [mcpd] TMSH "range" filter for 'show sys log' fails to work as expected

Component: TMOS

Symptoms:
tmsh 'show sys log' does not work as expected with the 'range' filter.

Conditions:
Use the 'range' filter with 'tmsh show sys log'.

Impact:
tmsh cannot filter the log correctly with the 'range' filter.

Workaround:
Specify a range of at least 8 hours around the designated time.


530266-2 : Rate limit configured on a node can be exceeded

Component: Local Traffic Manager

Symptoms:
The rate limit configured on a node is not honored and is exceeded. The excess per second can be as much as 10 (100%) when the limit is configured as 10.

Conditions:
The system has more than one tmm, and a rate limit is configured on the node.

Impact:
Node rate limit feature does not work as intended.

Workaround:
Move the rate limit from the node to the pool member, where it works as intended.


530102-3 : Illegal meta characters on XML tags

Component: Application Security Manager

Symptoms:
After upgrading from 11.4.1 to 11.6.0, 11.6.1 or 12.0.0, you see many "Illegal meta character in value" false positives on your XML content. The flagged characters are valid within XML (<, >, /, :, etc.), and the affected URLs are associated with legitimate XML profiles via header-based content profiles.
From the security event report, you can see that the invalid characters are reported for the global UNNAMED wildcard parameter and that the request is a multipart POST.

Conditions:
An XML profile is assigned to the wildcard URL, and the URL has a Header-Based Content profile.

Impact:
False-positive violations can occur on parameter enforcement (because the content is XML, not a parameter).

Workaround:
N/A


529535-3 : MCP validation error while deactivating a policy that is assigned to a virtual server

Component: Application Security Manager

Symptoms:
When deactivating a security policy via REST, and the policy is assigned to a virtual server, then BIG-IP reports the following error:
----------------------------
"MCP Validation error - 01071726:3:
Cannot deactivate policy action '/Common/<VS_name>'. It is in use by ltm policy '/Common/<L7_policy_name>'.",
----------------------------

However, the security policy becomes inactive and remains assigned to the virtual server.

This will cause the virtual server to stop processing network traffic, and there will be the following errors in 'bd.log':
----------------------------
BD_MISC|ERR |Jun 24 12:53:35.698|17566|src/acc_reject_policy.c:0165|Account id 10 has no reject policy configured. Cannot get data
----------------------------

Conditions:
ASM provisioned, with a security policy assigned to a Virtual Server, then the security policy is deactivated via the REST API

Impact:
An inactive security policy remains assigned to a Virtual Server

Workaround:
Deactivate the security policy via GUI at:
'Security :: Application Security : Security Policies : Active Policies'.


528987-2 : Benign warning during formatting installation

Component: TMOS

Symptoms:
The system posts a benign warning during formatting installation: warning: array conf_write could not find data disk.

Conditions:
This occurs during formatting installation.

Impact:
This is a benign error message that does not indicate an issue with the system. You can safely ignore it.

Workaround:
None needed. This is a cosmetic message.


528894-4 : Config sync after sub-partition config changes results in extra lines in the partition's conf file

Component: TMOS

Symptoms:
Config sync after sub-partition config changes results in extra lines in the partition's conf file.

Conditions:
Make changes under any partition except /Common and then config sync without overwrite.

Impact:
/config/partitions/partition_name/bigip_base.conf in the partitions folder has trunk and ha-group configuration. /config/bigip_base.conf no longer has the trunk and ha-group configuration.

Workaround:
'Sync Device to Group' with 'Overwrite Configuration' enabled.


528424-2 : IE11 on Windows 10 doesn't show tooltips/toast notifications when Network Access changes state

Component: Access Policy Manager

Symptoms:
Tooltips/Toast notifications are not displayed when Network Access changes state (Connect, Disconnect, Reconnect, etc.). Beginning with Microsoft Windows 8, tooltips are replaced by Toast Notifications; Windows 10 does not convert tooltips to toast notifications for the F5 WebComponent.

Conditions:
The problem occurs under these conditions:
- Internet Explorer 11.
- Windows 10.
- Network Access changes state.

Impact:
User is not notified about state change.

Workaround:
To enable tooltips, in Group Policy change this setting:
"User Configuration \ Administrative Templates \ Start Menu and Taskbar \ Disable showing balloon notifications as toasts" to Enable.


528343-1 : Loading cli preference that does not contain the user attribute will fail

Component: TMOS

Symptoms:
The cli preference config objects under certain circumstances can be saved without a user attribute. The loading of such a cli preference will result in error "Loading a preference requires user name specified".

Impact:
Loading scf, ucs configuration will fail

Workaround:
Remove the cli preference that does not contain the user attribute from the configuration (/config/bigip_user.conf or SCF) and reload.


528295-9 : Virtual ARP ICMP echo settings are flipped on reloading a 10.x configuration on 11.4.x or later.

Component: TMOS

Symptoms:
A 10.x UCS contains LTM virtual servers with ARP disabled. Loading the 10.x UCS on an 11.4.x or later system flips the ARP and ICMP echo setting values each time the load occurs.

Conditions:
Reloading a 10.x UCS containing virtual servers on an 11.4.x or later system.

Impact:
The ARP and ICMP echo setting values are flipped each time the load occurs. Note that the ICMP echo field of the virtual server is flipped even if ARP is enabled.

Workaround:
Delete the LTM virtual servers on the 11.x/12.x version system prior to re-loading the 10.x UCS.


528198-1 : reject in iRule event FLOW_INIT may not respond with a RST

Component: Local Traffic Manager

Symptoms:
The reject command in the iRule event FLOW_INIT currently does not respond with a RST.

Conditions:
An iRule on a TCP virtual server that calls reject in the FLOW_INIT event.

Impact:
RST is not sent

Workaround:
If licensed/provisioned for AFM, "ACL::action reset" can be an option.


528083-3 : On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.

Component: TMOS

Symptoms:
On shutdown, SOD very infrequently cores due to an internal processing error during the shutdown.

Conditions:
System shutdown. The issue cannot be reproduced reliably, so the conditions for the crash are unknown.

Impact:
Since the core happens on shutdown, operation on the device is not affected, but a core file may be generated.

Workaround:
None


527907-3 : TCP reject Virtual Servers may not respond with TCP reset

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, reject virtual servers configured with IP protocol TCP may not respond to TCP SYN packets with a TCP RST, silently dropping them instead.

All-protocols and UDP reject virtual servers are unaffected.

Conditions:
- Virtual Server, type Reject
- Virtual server ip-protocol only TCP.

Impact:
TCP SYN packets are silently dropped.

Workaround:
Use all-protocols or use a standard VIP and reject via iRule.


527720-3 : Rare 'No LopCmd reply match found' error in getLopReg

Component: TMOS

Symptoms:
An error message similar to the following might be logged at rare intervals while the BIG-IP system is operating normally:
warning chmand[7018]: 012a0004:4: getLopReg exception: No LopCmd reply match found for action=0x1 obj_id=0x67 subobj=0x0 slot=0xff.

This message might be followed by a log message similar to one of the following:
err chmand[7018]: 012a0003:3: GET_MEDIA failure (status=0xffffffff) page=0x%1 reg=0x0.
err chmand[32142]: 012a0003:3: GET_STAT failure (status=0xffffffff) page=0x%20 reg=0x50.

This message might be followed by a log message similar to the following:
warning chmand[5847]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x5 expected=0x7.

Conditions:
This problem might occur rarely on the BIG-IP 2000-/4000-series, 5000-/7000-series, and 10000-/12000-series appliances, and on VIPRION 2100, 2150, and 2250 blades.

Impact:
This problem might occur if the response to a request to read the status of the hardware registers for the management interface is delayed beyond the normally-expected timeout value. When this problem occurs, status of the management interface might be reported incorrectly, which might cause the management interface to flap momentarily. In this scenario, subsequent requests typically complete successfully, at which point status of the management interface is again reported normally, and expected functionality restored.

Workaround:
None.


527206-4 : Management interface may flap due to LOP sync error

Component: TMOS

Symptoms:
An error that occurs while reading the management interface registers might cause incorrect interpretation of the management interface state, which might cause the management interface to flap.
Example error sequence:
-- warning chmand[7018]: 012a0004:4: getLopReg exception: No LopCmd reply match found for action=0x1 obj_id=0x67 subobj=0x0 slot=0xff.
-- err chmand[7018]: 012a0003:3: GET_MEDIA failure (status=0xffffffff) page=0x%1 reg=0x0 : File mgmtif/BourneMgmtIfSvc.cpp Line 357.
-- warning chmand[7018]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x5 expected=0x7.
-- warning chmand[7018]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x7 expected=0x5.
...
notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is DOWN.
...
notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is UP.

Conditions:
This problem might occur rarely on BIG-IP 2000-/4000-series, 5000-/7000-series, and 10000-/12000-series appliances and on VIPRION 2100, 2150, 2250 blades.

Impact:
The management interface on the affected blade or appliance might be down for several seconds, 15 seconds being a typical interval.

Workaround:
None.


527119-2 : Iframe document body could be null after iframe creation in rewritten document.

Component: Access Policy Manager

Symptoms:
End users report being unable to use certain page elements in chrome (such as the Portal Access menu), and it appears that Javascript has not properly initialized.

Conditions:
The body of a dynamically created iframe document could be initialized asynchronously after APM rewriting. The issue is specific to the Chrome browser and results in JavaScript errors on the following kind of code:
    iframe.contentDocument.write(html);
    iframe.contentDocument.close();
    // ... any operation with iframe.contentDocument.body

One application known to contain such code and fail after APM rewriting is the TinyMCE editor.

Impact:
Some JavaScript applications might not work correctly when accessed through Portal Access.

Workaround:
Revert rewriting of the document.write call with a post-processing iRule.
The workaround iRule will be unique for each affected application.


527058 : TMM Crash, at AVR lookup mechanism

Component: Application Visibility and Reporting

Symptoms:
TMM crashes under high stress in the AVR lookup mechanism.

Conditions:
Rare cases, at high stress, and when AVR is being used.

Impact:
Traffic disrupted while tmm restarts.


526774-3 : Search in FW policy disconnects GUI users

Component: Advanced Firewall Manager

Symptoms:
GUI disconnects due to a timeout when doing search on the active rules page with a large number of context objects.

Conditions:
A wildcard search in the active rules page with many objects causes the GUI to hang.

Impact:
Makes the system unusable.

Workaround:
The query to search for matches was optimized to omit context objects that did not have any rules.


526708-1 : system_check shows fan=good on removed PSU of 4000 platform

Component: TMOS

Symptoms:
Running system_check on a 4000 platform with one PSU removed still shows status FAN=good; STATUS=good.

Conditions:
This applies only to the BIG-IP 4000 platform.

Impact:
Fan shows status of 'good' when the PSU is removed. Reading the power supply status in the system_check output will show the PSU as down.


526642-5 : iRule with HTML commands inside can be attached to Virtual server without HTML profile

Component: TMOS

Symptoms:
If an iRule containing HTML commands is attached to a virtual server that has no HTML profile, the iRule may fail with an 'Unknown error' message in the log.

Conditions:
- An iRule with HTML commands.
- A virtual server without an HTML profile.
- The iRule is attached to this virtual server.

Impact:
iRule does not work as expected

Workaround:
A virtual server that uses an iRule with HTML commands must also have an HTML profile attached.


525847-1 : SNMP manager doesn't accept community name in double quotes in packet capture.

Component: TMOS

Symptoms:
When configuring SNMP trap via tmsh sys snmp v2-traps (trap2sink directive) or v1-traps (trapsink directive) commands, the community name contains double quotes in packet capture. This causes a problem as SNMP manager doesn't accept the trap because of the community mismatch.

On the other hand, if traps are configured using tmsh sys snmp traps (trapsess directive), community name doesn't contain double quotes, which is an expected behavior.

Conditions:
Use tmsh sys snmp v2-traps or tmsh sys snmp v1-traps to configure SNMP traps.

Impact:
Community name contains double quotes in packet capture, which causes the SNMP manager to reject the trap because of the community mismatch.

Workaround:
Use tmsh sys snmp traps.


525133-2 : Restarting TMM or failover offline causes bigd 'emerg logger' error message

Component: Local Traffic Manager

Symptoms:
Stopping and starting the tmm causes bigd to restart with an 'emerg logger' error message. The restart is expected behavior, but the error-level message is not.

Conditions:
On active unit run one of the following commands:
-- bigstart restart tmm.
-- bigstart stop tmm;bigstart start tmm.
-- bigstart stop tmm;bigstart start.
-- tmsh run sys failover offline.

Impact:
bigd restarts and a message is logged to the console similar to the following: emerg logger: Re-starting bigd. Traffic monitoring ceases until TMM restart is complete. For the failover offline, impact is limited as unit is sent offline.

Workaround:
None.


524606-2 : SElinux violations prevent cpcfg from touching /service/mcpd/forceload

Component: TMOS

Symptoms:
'cpcfg' fails when copying configurations to an adjacent boot location.

Conditions:
11.5.3 and 11.6.0 are installed on two boot locations.

Impact:
'cpcfg' cannot be used.

Workaround:
Re-install the software to the target volume. The configuration is properly rolled forward as the final step of the software installation.


524277-3 : Missing power supplies issue warning message that should be just a notice message.

Component: Local Traffic Manager

Symptoms:
Missing power supplies issue warning message in /var/log/ltm when the message should be just a notice.

Absent power supplies should be notice level, not warning level since this is a normal acceptable way of running a system.

Conditions:
Running chassis with absent power supplies, or with power not applied, will cause ltm to issue warning messages.

Impact:
Extra logging.

Workaround:
Ignore missing power supply warning messages.


524193-3 : Multiple Source addresses are not allowed on a TMSH SNMP community

Component: TMOS

Symptoms:
If multiple source addresses are specified on a TMSH snmp community command (add, modify, delete, replace-all), only the first address is saved.

Conditions:
Multiple source addresses are specified on a TMSH snmp community command.

Impact:
The command is accepted, but only the first address is allowed SNMP access.

Workaround:
Add an additional source address to another snmp community object that has the same community string.


524185-1 : Unable to run lvreduce

Component: TMOS

Symptoms:
Unable to run lvreduce command due to missing program 'blockdev'. (The missing program 'blockdev' is part of the util-linux-extras package.)

Conditions:
Attempting to reallocate disk resources when upgrading a vCMP system.

Impact:
Cannot reallocate the vmdisks app volume.

Workaround:
Acquire the /sbin/blockdev executable from a different BIG-IP device running version 11.6.0-HF6 or 12.x, and install it on the BIG-IP device affected by this issue.

Note: If the receiving system is a multi-blade VIPRION, you must install the file on each blade.

If you do not have a suitable donor device available, you can contact F5 Support, who will be able to supply the executable to you.

Note: Using a blockdev executable from another source is not recommended.


524123-4 : iRule ISTATS::remove does not work

Component: TMOS

Symptoms:
When an iRule invokes ISTATS::remove to remove an iStat, the iStat is not removed.

Conditions:
Invoking the ISTATS::remove command from an iRule.

Impact:
The value of the iStat remains defined.

Workaround:
Use istats-triggers and iCall scripts to invoke the iStats command line tool indirectly.


523992-6 : tmsh error map not included in /etc/alertd

Component: TMOS

Symptoms:
tmsh error map is not included in /etc/alertd.

Conditions:
File /etc/alertd/bigip_tmsh_error_maps.h missing.

Impact:
The tmsh error maps include certificate expiration warnings (i.e., BIGIP_TMSH_TMSH_CERT_EXPIRED, BIGIP_TMSH_TMSH_CERT_WILL_EXPIRE). This information is used to create alerts. Not having the map makes it difficult to create alerts for tmsh related errors (e.g., certificate expiration warnings).

Workaround:
None.


523985-2 : Certificate bundle summary information does not propagate to device group peers

Component: TMOS

Symptoms:
Certificate summary information about individual certificates in a bundle does not propagate to device group peers after a config sync.

Conditions:
A certificate file is created in a folder synced to a device group.

Impact:
Certificate information about the bundle is not displayed on peers. However, the bundle itself is intact and available.

Workaround:
None.


523797-4 : Upgrade: file path failure for process name attribute in snmp.

Component: TMOS

Symptoms:
The upgrade operation might fail to update the file path name for snmp.process_name, causing a validation error.

Conditions:
Upgrade from 10.x to 11.5.1 or later.

Impact:
The upgrade operation does not remove the parent path name from process-monitors, which might cause a validation error.

Workaround:
Edit the process name path in /config/BIG-IP_sys.conf to reflect the location. For more information, see K13540: The BIG-IP system may return inaccurate results for the prTable SNMP object at https://support.f5.com/csp/article/K13540.


523522-2 : In a device group, installing a UCS (on any one of the peers in group) does not propagate the ASU file (that is bundled with UCS) to other peers

Component: Application Security Manager

Symptoms:
In a device group, after installing a UCS file on any one of the peers in the group, the Application Security Update (ASU) version is inconsistent between peer machines.

Conditions:
ASM is provisioned.
Device group with ASM sync enabled.
Install a UCS file with a bundled ASU version different from the currently installed one.

Impact:
The ASU version is inconsistent between peer machines.

Workaround:
Manually trigger ASU update/install from:
Security > Security Updates > Application Security


522620-2 : BIG-IP continues to monitor APM AAA pool with old monitor after monitor changed

Component: Local Traffic Manager

Symptoms:
BIG-IP APM continues to use old monitor (in addition to new monitor configuration) for APM AAA pool after the monitor type is modified.

Conditions:
APM AAA pool's monitor configuration is modified via the APM GUI.

Impact:
BIG-IP APM continues to use old monitor (in addition to new monitor) to monitor pool members for an AAA pool.

Workaround:
Once a system is affected by this issue, the misbehavior can be resolved by doing the following:

Save and re-load the configuration to correct the incorrect information in mcpd:

    tmsh save sys config partitions all && tmsh load sys config partitions all


522304-1 : Some password policy changes are not reflected in /etc/shadow when synced in a CMI device group

Component: TMOS

Symptoms:
Some password policy settings (maximum and minimum durations, expiration warning) are reflected in /etc/shadow when a user's password is changed. In a CMI device group, changes to password policy are correctly synced, but the settings reflected in /etc/shadow are not.

Conditions:
CMI device group configured; maximum or minimum duration, or expiration warning, settings of password policy are used; user password is changed.

Impact:
Password policy may not be enforced consistently across all devices.

Workaround:
None.


522124-1 : Secondary MCPD restarts when SAML IdP or SP Connector is created

Component: Access Policy Manager

Symptoms:
Secondary MCPD restarts when the admin creates APM SAML IdP Connector (or SP Connectors) from attached metadata on the primary blade.

Conditions:
BIG-IP chassis with multiple blades where the configuration includes APM SAML IdP Connector or SP Connector created from attached metadata file.

Impact:
Secondary slot's MCPD restarts.


522024-4 : Config sync of SecurID config file fails on secondary blades

Component: TMOS

Symptoms:
After uploading a new SecurID config file using the GUI, mcpd restarts and fails to sync the file to the secondary.

Conditions:
APM is provisioned, and a new SecurID config file is uploaded via the GUI. This can also happen on device group peers.

Impact:
The secondary blade restarts mcpd, which in turn restarts several other daemons. The secondary blade never receives the config file, so if it becomes primary, it does not have the correct configuration.

Workaround:
Use tmsh: tmsh modify apm aaa securid secureid-name config-files modify { sdconf.rec { local-path /path/to/sdconf.rec } }.


521828-1 : CMI device credentials (device name or password) containing XML special characters results in peer discovery error

Component: TMOS

Symptoms:
When attempting to set up CMI device credentials (device name or password), an error message can result if the device name (of the current device, or the newly specified name for the target device) or the administrator password (for the target device) contains certain characters.

The error message has this format:

java.io.IOException: Could not read response from server: ParseError at [row,col]:[1,225] Message: Element type 'bigip2' must be followed by either attribute specifications, '>' or '/>'.

Conditions:
The list of characters is any XML special character (less than, greater than, or ampersand).

Impact:
Failure to set up CMI sync.

Workaround:
For the device name, these characters are illegal and a different device name should be chosen. If the current device has any of the specified characters, you can use the command 'mv cm device source-name target-name' to change the name of the device.

There is no workaround if the relevant character is in the password field, except to change the password.


521822-1 : Referer header in request is not completely deflated at gateway, f5-w-doubledot paths are not reduced

Component: Access Policy Manager

Symptoms:
The Referer header received by the backend contains 'f5-w-doubledot' in its path component(s).

Conditions:
The Referer URL contained double-dot components (for example: '../../test.html').

Impact:
The backend can be confused by a Referer header with an unexpected value.

Workaround:
A custom iRule can be used to fix the Referer header value; no general iRule exists.


521329-3 : CGNAT - Rare TMM core with Deterministic NAT

Component: Carrier-Grade NAT

Symptoms:
Under some circumstances TMM may core when using deterministic NAT due to a divide by zero error.

Conditions:
CGNAT using deterministic NAT mode and persistence enabled. This error only occurs if a previous connection created an address persistence entry using the second address.

This crash is dependent on both the configuration and the traffic.

When the number of subscriber addresses that disaggregates to a TMM is not evenly divided by the number of translation addresses that disaggregates to the same TMM, connections from one or more subscribers may be assigned to blocks from two translation addresses. Depending on the exact address ratio, there may be only one port using the second address.

Due to an off-by-one error, the number of ports available for the second address may be set to zero when it should be set to one. This causes the divide by zero fault.
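The block split described above, as an added illustration that is not F5's code: this is a constructed, simplified model of a deterministic NAT port allocator (the real TMM algorithm is not on the page, and the functions deterministic_blocks, pick_port_buggy and pick_port_fixed are assumptions of this model). It shows how a subscriber share that is not evenly divisible by the translation addresses spills one port onto a second address, how an off-by-one count of the available ports turns that single port into zero and makes the port selection divide by zero, and the guard that avoids it.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PortBlock:
    """A contiguous run of ports on one translation address (constructed model)."""
    address: int   # index of the translation address
    start: int     # first port offset within that address
    count: int     # number of ports in this block


def deterministic_blocks(subscribers: int, translations: int,
                         ports_per_addr: int) -> List[List[PortBlock]]:
    """Give every subscriber an equal share of the pool's total port space.

    The port space of all translation addresses is laid out contiguously and
    cut into equal shares. When the subscriber count does not divide the
    address space evenly, some shares straddle an address boundary and are
    split into two blocks, the second of which may hold a single port.
    """
    if subscribers <= 0 or translations <= 0 or ports_per_addr <= 0:
        raise ValueError("all sizes must be positive")
    share = (translations * ports_per_addr) // subscribers
    result = []
    for i in range(subscribers):
        begin, end = i * share, (i + 1) * share   # end is exclusive
        blocks, pos = [], begin
        while pos < end:
            addr = pos // ports_per_addr
            addr_end = (addr + 1) * ports_per_addr
            count = min(end, addr_end) - pos       # clip to this address
            blocks.append(PortBlock(addr, pos % ports_per_addr, count))
            pos += count
        result.append(blocks)
    return result


def pick_port_buggy(block: PortBlock, flow_hash: int) -> int:
    """Port selection with the off-by-one: a 1-port block yields 0 usable ports."""
    available = block.count - 1            # wrong: should be block.count
    return block.start + flow_hash % available   # ZeroDivisionError when count == 1


def pick_port_fixed(block: PortBlock, flow_hash: int) -> int:
    """Port selection that counts all ports and refuses an empty block."""
    if block.count <= 0:
        raise ValueError("empty port block")
    return block.start + flow_hash % block.count


def spans_two_addresses(blocks: List[PortBlock]) -> bool:
    """True when a subscriber's share was split across translation addresses."""
    return len(blocks) > 1


if __name__ == "__main__":
    # Constructed sizes: 5 subscribers over 2 translation addresses of 8 ports
    # each. Share = 16 // 5 = 3, so subscriber 2 owns ports 6..8, which is
    # two ports on address 0 and exactly one port on address 1.
    layout = deterministic_blocks(5, 2, 8)
    for sub, blocks in enumerate(layout):
        flag = " (split)" if spans_two_addresses(blocks) else ""
        print(f"subscriber {sub}: {blocks}{flag}")
    second = layout[2][1]
    print("fixed  :", pick_port_fixed(second, 7))
    try:
        pick_port_buggy(second, 7)
    except ZeroDivisionError:
        print("buggy  : divide by zero, this is the TMM core the page describes")
```

The model reproduces the page's precondition only when the address ratio leaves a one-port tail; with 4 subscribers instead of 5 every share is 4 ports and no block is shorter than 2, so the buggy selector never divides by zero, which is why the page says the crash depends on the exact configuration.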

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


520732-2 : XML policy import adds default entities if the relevant element list (in policy xml doc) is specified and empty

Component: Application Security Manager

Symptoms:
Default entities (File types, Parameters, URLs, Cookies, Signatures, Redirection Domains and Brute Force Log-In URLs) are added to the policy upon XML policy import.

Conditions:
ASM policy with entities of some type (File types, Parameters, URLs, Cookies, Signatures, Redirection Domains and Brute Force Log-In URLs) deleted (all entities of that type).

Export it to XML and then import that XML back - the default entities are added.

Impact:
XML policy import adds default entities if the relevant element list (in policy XML doc) is specified and empty.

Workaround:
The relevant element list (in the policy XML doc), that is specified and empty, should be completely removed (from the policy XML doc).


520604-6 : Route domain creation may fail if simultaneously creating and modifying a route domain

Component: Local Traffic Manager

Symptoms:
Failure trying to create and modify a route domain in a single operation.

Conditions:
Performing create and modify operations in the same transaction, as can be done using tmsh and iControl.

Impact:
Transaction fails. Even though an ID is passed in with the create method, the system posts an error similar to the following: 01070734:3: Configuration error: route-domain Name /Common/test_rd_200 is non-numeric, so an ID must be specified.

Workaround:
Perform create and modify operations in different transactions.


520038-2 : Added/updated signatures are added to certain corrupted Manual user-defined sets.

Component: Application Security Manager

Symptoms:
Signature set may contain signatures which are not supposed to be part of the set.

Conditions:
Corrupted manual user-defined signature sets can no longer be created after the fix for Bug 441075. However, pre-existing corrupted manual sets will not be corrected by roll-forward/upgrade from a version prior to the fix.

Impact:
Requests may get blocked due to attack signatures which are actually not supposed to be in the policy.

Workaround:
As a workaround, to prevent signatures from being added to these Signature Sets in the future, use the following SQL:

----------------------------------------------------------------------
DELETE FROM PLC.NEGSIG_SET_FILTERS where set_id in (SELECT set_id FROM PLC.NEGSIG_SETS where flg_is_manual = 1)
----------------------------------------------------------------------

Alternatively, delete the affected Signature Set and re-create as manual.


519011-1 : Auditor role: Exporting the Request Log

Component: Application Security Manager

Symptoms:
Users with the Auditor role cannot export from the Request log.

Conditions:
Users with Auditor role trying to export from the Request log.
Using a software version 11.5.x or 11.6.x.

Impact:
Cannot export from the Request log.

Workaround:
None.


518959 : BIG-IQ Discovery of an 11.5.2 EHF1-19 BIG-IP fails

Component: Application Security Manager

Symptoms:
If you use a BIG-IQ device to discover a BIG-IP device running version 11.5.2 EHF1-19, the discovery fails with the message
"Error querying iControl Rest for ASM Policy - Response Pages in."

Conditions:
BIG-IQ deployed, and attempting to discover a BIG-IP running 11.5.4 HF 1-19.

Impact:
BIG-IQ discovery will fail with error.

Workaround:
Delete one of the installation volumes on the BIG-IP system and re-install the BIG-IP hotfix. For example, these are the tmsh commands to remove the volume and install the hotfix:

# tmsh delete sys software volume HDx.y
# tmsh install sys software hotfix Hotfix-BIG-IP-whatever-hotfix.iso volume HDx.y create-volume reboot

where 'HDx.y' is a (any) desired target software volume.
After the boot, run the following commands:

# /usr/share/ts/bin/add_del_internal add rest_api_extensions 1
# tmsh restart sys service asm

Wait for the BIG-IP device to become 'Active' again and then restart the discovery process from the BIG-IQ system.


517756-1 : Existing connections can choose incorrect route when crossing non-strict route-domains

Component: Local Traffic Manager

Symptoms:
After modifying the BIG-IP system's routing table, traffic for some existing connections might be interrupted because an incorrect route starts being used.

Conditions:
After a routing table modification, routes might be reselected for a portion of connections through the BIG-IP system. When a connection crosses non-strict route-domains, the routing table from a route-domain that is different from the route-domain used during connection start-up may be used.

Impact:
This might lead to traffic following a different path to the destination and traffic interruption. New connections will work properly, this only affects existing connections.

Workaround:
None.


517609-1 : GTM Monitor Needs Special Escape Character Treatment

Component: Global Traffic Manager (DNS)

Symptoms:
When searching received data for bytes that are regex metacharacters such as $ (dollar sign), . (period), ? (question mark), etc., the search string typically requires backslash characters to escape these. Such escaped characters result in non-matching behavior in GTM monitors without warning in the GUI. The GUI also validates Perl (non-POSIX) character classes such as \d rather than [:digit:], but these Perl extensions do not search properly.

Conditions:
Any running GTM monitor.

Impact:
If a GTM monitor's expression contains regex Perl extension character classes or escaped regex metacharacters, a member's status might be incorrectly labeled.

Workaround:
When escaping a regular expression metacharacter, an \x5C can be entered as a substitute for a backslash. If searching for whitespace or digits, use [:space:] and [:digit:] rather than \s and \d.
 
For example, searching for 'HTTP/ 1.1' in a GTM HTTP monitor, you can enter the search expression HTTP/ 1\x5C.1, which the regex compiler interprets as 'HTTP/ 1\.1', to search for the period character rather than interpreting the period ( . ) as the 'any non-null byte' metacharacter.


517589-1 : 'array' command not functional from within MOS context

Component: TMOS

Symptoms:
The array command does not produce correct results.

Conditions:
MOS shell

Impact:
The array cannot be managed.

Workaround:
Manage the array from TMOS.


517578-2 : statsd crash when failed to open stats files

Component: TMOS

Symptoms:
When certain errors occur while trying to open stats files, the statsd daemon can crash in tmidx_free.

Conditions:
Anything that causes an error opening stats files, such as incorrect permissions or file descriptor exhaustion.

Impact:
The statsd daemon crashes leaving a core file and a gap in collecting systems stats and historical stats.

Workaround:
None.


517456-2 : Resetting virtual server stat increments cur_conns stat in clientssl profile

Component: Local Traffic Manager

Symptoms:
When there are active connections on the virtual server, resetting its stats through 'tmsh reset-stats ltm virtual virtual_name' doubles the client SSL profile's cur_conns/cur_native_conns/cur_compat_conns.

Conditions:
- SSL virtual server.
- Active connections on the virtual server.
- Virtual server stats are reset while active connections exist.

Impact:
Invalid statistics values on the client ssl profile stats.

Workaround:
None.


517393-5 : Spurious RTO Detection Triggers Early Exit from Fast Recovery.

Component: Local Traffic Manager

Symptoms:
When Fast Retransmit follows a spurious RTO, detection of the spurious RTO can overwrite Fast Recovery state and trigger a premature exit. Spurious RTO detection can trigger crashes. Otherwise, in certain configurations, there can be a very slight decrease in performance.

Conditions:
A step change in delay causes a spurious TCP RTO, accompanied by significant packet reordering and additional packet loss.

Impact:
Possible crashes. Otherwise, a very small decrease in performance in certain configurations.

Workaround:
Disable Early Retransmit.


517202-3 : Microsoft Internet Explorer may fail SSL handshake

Component: Local Traffic Manager

Symptoms:
Clients using Microsoft Internet Explorer get intermittent "page cannot be displayed" errors while accessing LTM virtual servers.

Internet Explorer versions 10 and 11 may fail the SSL handshake when BIG-IP, acting as the TLS server with a DHE cipher suite (e.g., DHE-DSS-AES256-SHA), sends a ServerKeyExchange message whose dh_Y field (g^x) fits in fewer than 128 bytes. For the 1024-bit DH that BIG-IP uses, dh_Y fits in 128 or fewer bytes; in 1 dh_Y out of 256, the value fits into 127 bytes, and BIG-IP sends dh_Y tightly packed into 127 bytes.

This is an Internet Explorer issue. Its existence probably stems from the fact that a DSA certificate is required (which is rare on the public internet) and that the certificate must be DSA 1024 + SHA1, which provides substandard security. Note: ECDHE does not exhibit this problem.
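To make the "1 in 256" figure concrete, here is an added example that is not part of the release note and not F5's code. It encodes dh_Ys the way TLS 1.2 (RFC 5246, section 7.4.3) specifies for the ServerDHParams opaque vector, a two-byte length followed by the minimal big-endian bytes of the value, and computes how often a 1024-bit public value needs only 127 bytes. The modulus used is a constructed stand-in whose only relevant property is its size; the function names are this example's own.

```python
import random

# RFC 5246 encodes ServerDHParams.dh_Ys as opaque dh_Ys<1..2^16-1>: a 2-byte
# length prefix followed by the value's big-endian octets with no leading
# zero octets, so the length on the wire depends on the value itself.
DH_BITS = 1024            # modulus size the release note says BIG-IP uses
FULL_LEN = DH_BITS // 8   # 128 octets when the top octet of dh_Ys is non-zero


def encode_dh_ys(ys: int) -> bytes:
    """Encode dh_Ys as TLS does: 2-byte length + minimal big-endian value."""
    if ys <= 0:
        raise ValueError("dh_Ys must be a positive integer")
    body = ys.to_bytes((ys.bit_length() + 7) // 8, "big")
    return len(body).to_bytes(2, "big") + body


def dh_ys_payload_length(ys: int) -> int:
    """Length of the value octets alone, read back from the length prefix."""
    return int.from_bytes(encode_dh_ys(ys)[:2], "big")


def short_encoding_fraction(p: int) -> float:
    """Exact fraction of dh_Ys in [1, p) that encode in fewer than FULL_LEN octets.

    A value needs fewer than 128 octets exactly when it is below 2**1016,
    i.e. when its top octet would be zero; for a full-size 1024-bit modulus
    that is very close to 1/256.
    """
    short_values = 2 ** (DH_BITS - 8) - 1   # values in [1, 2**(DH_BITS-8))
    return short_values / (p - 1)


def count_short_encodings(p: int, trials: int, seed: int = 1) -> int:
    """Count random dh_Ys values (seeded, so reproducible) that pack into < 128 octets."""
    rng = random.Random(seed)
    return sum(1 for _ in range(trials)
               if dh_ys_payload_length(rng.randrange(1, p)) < FULL_LEN)


if __name__ == "__main__":
    # Constructed stand-in for a 1024-bit modulus: only its bit length matters here.
    p = (1 << DH_BITS) - 1
    print(f"exact fraction of 127-octet dh_Ys: {short_encoding_fraction(p):.6f}")
    hits = count_short_encodings(p, 25600)
    print(f"{hits} of 25600 random values were shorter than 128 octets (expect about 100)")
    print("example 2-byte length prefix for a short value:", encode_dh_ys(2**1016 - 1)[:2].hex())
```

A server that always left-padded dh_Ys to the modulus length would never send the 127-octet form; the encoding here is the minimal one the note describes BIG-IP using, and the workaround below sidesteps the question entirely by removing or deprioritizing the DHE suites.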

Conditions:
-- LTM client-ssl virtual server.
-- Clients using Internet Explorer versions 10 and 11.

Impact:
Some websites fail to load for these clients.

Workaround:
Disable DHE cipher suites in client-ssl profile, as follows:

* 'DEFAULT:!EDH' to permanently remove DH-based ciphersuites.
* 'DEFAULT:-EDH:DEFAULT+EDH' to move them to the end of the preference list.
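The following Python is an added example, not code from the release note or from BIG-IP: it models the ServerKeyExchange DH parameters described above so an engineer can see why a tightly packed dh_Ys comes out at 127 bytes for 1 value in 256, and how left-padding to the modulus width avoids it. The modulus, generator and public values are constructed for the demonstration and are not a real TLS group.

```python
"""Added example (not from the F5 release note or BIG-IP code) modelling the
ServerKeyExchange DH parameters from issue 517202-3.

TLS 1.0-1.2 send ephemeral DH parameters as three length-prefixed vectors:
dh_p, dh_g and dh_Ys, each with a 2-byte big-endian length. For a 1024-bit
modulus p, Ys = g^x mod p has a zero top byte roughly 1 time in 256 (the
fraction the note quotes), so an encoder that strips leading zero bytes emits
a 127-byte Ys. A fixed-width encoder always emits 128 bytes, which is what the
affected clients expect.
"""
import struct

# Constructed demo values (NOT a real TLS group): a 1024-bit odd modulus and a
# generator. Only the byte lengths matter for this demonstration.
DEMO_P = (1 << 1023) | 0x2F
DEMO_G = 2
# Two constructed public values: one whose top byte is zero (a 1016-bit value,
# 127 bytes when tightly packed) and one that needs the full 128 bytes.
SHORT_YS = (1 << 1015) | 0x1234
FULL_YS = (1 << 1023) | 0x5678


def byte_len(n: int) -> int:
    """Minimal number of bytes needed to hold the non-negative integer n."""
    return max(1, (n.bit_length() + 7) // 8)


def _vector(data: bytes) -> bytes:
    """Encode an opaque<1..2^16-1> vector: 2-byte length followed by data."""
    return struct.pack(">H", len(data)) + data


def encode_dh_params(p: int, g: int, ys: int, pad_ys: bool) -> bytes:
    """Serialize ServerDHParams.

    pad_ys=False mirrors the tightly packed encoding the release note
    describes; pad_ys=True left-pads Ys to the byte length of p.
    """
    ys_width = byte_len(p) if pad_ys else byte_len(ys)
    return (_vector(p.to_bytes(byte_len(p), "big"))
            + _vector(g.to_bytes(byte_len(g), "big"))
            + _vector(ys.to_bytes(ys_width, "big")))


def parse_dh_params(buf: bytes) -> dict:
    """Parse ServerDHParams into integers plus each field's wire length.

    Raises ValueError on a truncated buffer, a zero-length field, or
    trailing bytes, so a malformed message is never silently accepted.
    """
    fields = {}
    offset = 0
    for name in ("p", "g", "ys"):
        if offset + 2 > len(buf):
            raise ValueError(f"truncated length prefix for {name}")
        (length,) = struct.unpack_from(">H", buf, offset)
        offset += 2
        if length == 0 or offset + length > len(buf):
            raise ValueError(f"bad length {length} for {name}")
        fields[name] = int.from_bytes(buf[offset:offset + length], "big")
        fields[name + "_len"] = length
        offset += length
    if offset != len(buf):
        raise ValueError("trailing bytes after dh_Ys")
    return fields


def is_tightly_packed(fields: dict) -> bool:
    """True when dh_Ys was sent shorter than the modulus: the interop trigger."""
    return fields["ys_len"] < fields["p_len"]


if __name__ == "__main__":
    for label, ys in (("short", SHORT_YS), ("full", FULL_YS)):
        for pad in (False, True):
            parsed = parse_dh_params(encode_dh_params(DEMO_P, DEMO_G, ys, pad))
            print(f"{label} Ys, pad={pad}: ys_len={parsed['ys_len']} "
                  f"tightly_packed={is_tightly_packed(parsed)}")
```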


516540-2 : devmgmtd file object leak

Component: TMOS

Symptoms:
Under certain circumstances, devmgmtd might leak file descriptors.

Conditions:
This might occur when attempting to add a device to trust by specifying a hostname instead of an IP address, where this hostname is not valid.

Impact:
devmgmtd may restart, logging an error that it has 'too many open files'. Although the failed reaction is correct (restarting because there is an existing error condition), the system presents an error message that does not indicate the issue.

Workaround:
None.


516280-1 : bigd process uses a large percentage of CPU

Component: Local Traffic Manager

Symptoms:
With a very large number of monitors, the bigd process can consume more than 80% CPU when a slow HTTP server returns an error.

Conditions:
~8000 HTTP/HTTPS monitors, and a slow HTTP server returns a 500 error.

Impact:
bigd process uses a large percentage of CPU.

Workaround:
None.


516200-5 : HTML5 Receivers for Storefront 2.5 and 2.1 are not working on Google Chrome 40+

Component: Access Policy Manager

Symptoms:
Google Chrome version 40+ shows JavaScript errors when using HTML5 Receivers for Storefront 2.5 and 2.1.

Conditions:
APM is configured for Citrix proxy or replacement and HTML5 Receivers for Storefront 2.5 or 2.1 are used.

Impact:
HTML5 Receivers for Storefront 2.5 or 2.1 can't be used.

Workaround:
Need to edit the HTML5 receiver files as suggested by Citrix.
http://discussions.citrix.com/topic/361040-storefront-21-html5-broken-on-chrome-v40/
1) Edit SessionWindow.html file at "C:\Program Files\Citrix\Receiver StoreFront\HTML5Client\src\SessionWindow.html"
2) Find <meta http-equiv="content-security-policy" content="default-src 'none';
3) Add child-src directive <meta http-equiv="content-security-policy" content="default-src 'none'; child-src 'self';


516167-4 : TMSH listing with wildcards prevents the child object from being displayed

Component: TMOS

Symptoms:
When the tmsh list command is run with an identifier that uses the wildcard match character (*), the results returned may not print the nested objects contained within the parent object.

For example, the 'list ltm pool*' command prints all pools whose names begin with the word pool, but fails to list the profiles that are within each pool.

Conditions:
tmsh list with a wildcard character specified for parent object.

Impact:
Missing details of nested objects when tmsh list is invoked with the wildcard character (*) specified in the object identifier.

Workaround:
None.


515915-3 : Server side timewait close state cause long establishment under port reuse

Component: Local Traffic Manager

Symptoms:
When the server-side TCP connection is in the TIME_WAIT closing state and a new client connection is initiated toward the server while BIG-IP is in SYN-Cookie mode, the server responds to the received SYN with an ACK instead of a SYN+ACK.

BIG-IP drops this ACK and retransmits the SYN until the connection attempt times out.

Conditions:
FastL4 is in SYN-Cookie mode, the previous server connection is in the TIME_WAIT close state, and a new client connection reuses the port to reach the same server TCP connection.

Impact:
Longer connection establishment time and retries.


515764-3 : PVA stats only being reported on virtual-server and system-level basis.

Component: TMOS

Symptoms:
The VLAN/interface stats do not include PVA stats. PVA stats are reported per virtual server, including the virtual server plus its pool and pool members.

Conditions:
Viewing PVA stats.

Impact:
Interfaces stats only count TMM software traffic stats, and do not include PVA traffic stats. Although this is by design, it makes it difficult to monitor per-VLAN throughput on their devices.

Workaround:
Retrieve pool member PVA stats for server-side PVA stats on the associated VLANs. Also look at PVA stats in the virtual server stats for client-side PVA stats. Note: On the client side, the virtual server might be configured to run on multiple VLANs, so the client-side details are not included in the stats.


515562-2 : Sweep and flood may crash if it is enabled when AFM is not licensed or provisioned.

Component: Advanced Firewall Manager

Symptoms:
When AFM is not licensed or provisioned, the user might still be able to enable Sweep and Flood.

Conditions:
Enable a Sweep and Flood vector when AFM is not licensed or provisioned.

Impact:
TMM might crash.

Workaround:
Avoid configuring Sweep and Flood vectors when AFM is not licensed or provisioned.


515190-1 : Event Logs -> Brute Force Attacks can't show details after navigating to another page

Component: Application Security Manager

Symptoms:
After using the pagination mechanism on the Brute Force Attacks screen, the user is unable to open the attack details.

Conditions:
Navigate to another page on Event Logs -> Brute Force Attacks

Impact:
The user is unable to see the brute force attack details.

Workaround:
N/A


514431-2 : [TMSH][GTM] Add validation for special characters like Ctrl+k for gtm object names

Component: Global Traffic Manager

Symptoms:
GTM objects display ^K characters and cannot be assigned to other objects.

When editing bigip_gtm.conf using the CLI, it is possible to use certain control characters in server, virtual server, and pool names. These characters can be saved to the config as a space or as a special character. Characters include ^K, ^B, ^N, and ^L.

Conditions:
Editing bigip_gtm.conf using CLI.

Impact:
1. Config is not displayed properly.
2. Odd problems occur when an object has such a name: for example, adding a virtual server to a server with such a name fails, and in 11.5.1 and 11.4.1 virtual servers cannot be assigned to pools, pools to wide IPs, etc.

Workaround:
Do not use such control characters (Ctrl+ key combinations) in object names.


513887-6 : The audit logs report that there is an unsuccessful attempt to install a mysql user on the system

Component: Application Security Manager

Symptoms:
There are "/usr/sbin/useradd" and "/usr/sbin/groupmod" related errors in '/var/log/auditd/audit.log'

Conditions:
Provisioning AFM and/or APM after ASM is already provisioned.

Impact:
"/usr/sbin/useradd" and "/usr/sbin/groupmod" related errors in '/var/log/auditd/audit.log'

No other impact.

Workaround:
None.


513787-2 : CSRF doesn't apply web application callback registered as XMLHttpRequest.onload in IE8-10

Component: Application Security Manager

Symptoms:
JavaScript is executed on the client side, so when the page renders, JavaScript errors might break the page.

Conditions:
Using Internet Explorer 8-10 with CSRF ASM enabled.

Impact:
JavaScript is executed on the client side, so when the page renders, JavaScript errors might break the page.

Workaround:
N/A


512885-1 : https monitor fails to work with MD5 with RSA as signature hash algorithm

Component: Local Traffic Manager

Symptoms:
The https monitor fails to work with a server that uses MD5 with RSA as its signature hash algorithm.

Conditions:
https monitor; server using MD5 with RSA.

Impact:
The https monitor fails.

Workaround:
Configure the back-end server to use another cipher.


512853-3 : Kerberos SSO fails if KDC is not specified

Component: TMOS

Symptoms:
When you configure single sign-on (SSO) using Kerberos, and you do not fill in the KDC field on the configuration page (Access Policy > SSO Configurations > Kerberos) , you may encounter an error. The error may be similar to: <Date> slot2/BIGIP1 err websso.0[29236]: 014d0005:3: Kerberos: can't get TGT for host/svcf5kerberos.corpdev.apdev.local@CORPDEV.APDEV.LOCAL - Cannot contact any KDC for realm 'CORPDEV.APDEV.LOCAL' (-1765328228)

Conditions:
This occurs if you do not specify a value for KDC when configuring SSO with Kerberos.

Impact:
SSO fails

Workaround:
The administrator can edit the /etc/krb5.conf file manually and set the option
dns_lookup_kdc=true

Note that this workaround is:
- not synced across the cluster
- not backed up
- not audited
- not upgrade safe
- not re-provision safe
- liable to revert during other maintenance operations


512130-5 : Remote role group authentication fails with a space in LDAP attribute group name

Component: TMOS

Symptoms:
Remote role group authentication fails if there is a space in attribute name of remote-role role-info.

Conditions:
This occurs when the auth remote-role role-info attribute name contains a space character.

Impact:
LDAP authentication fails.

Workaround:
Remove space characters from LDAP attribute group name.

Another option is to use '\20' in place of spaces in the remote-role's role-info member-of attribute, for example:

memberOf=CN=Some Big Group,CN=Users,DC=DOMAIN,DC=COM

becomes:

memberOf=CN=Some\20Big\20Group,CN=Users,DC=DOMAIN,DC=COM


512000-2 : Event Log Filter using Policy Group isn't accurate

Component: Application Security Manager

Symptoms:
Request Log - filter by policy group does not work.

Conditions:
At least one policy group created and used.

Impact:
Request Log - filter by policy group does not work.

Workaround:
N/A


511985-2 : Large numbers of ERR_UNKNOWN appearing in the logs

Component: Local Traffic Manager

Symptoms:
There are times when LTM Policy subsystem attempts to execute particular actions, which fail and result in LTM Policy writing an error to the logs with an error type of ERR_UNKNOWN.

Conditions:
While not limited only to the ASM module, this has been observed when ASM is active and experiencing high traffic volumes. The logging of ERR_UNKNOWN occurs when filters and plug-ins experience failures (such as out of memory) and react by initiating a reset of the connection. When these filters and plug-ins return an error to LTM Policy, LTM Policy logs ERR_UNKNOWN, as it should.

Impact:
This is a case of unnecessary logging, and there is no adverse effect other than a higher-than-normal amount of logging.

Workaround:
None.


511868-2 : Management port loses connectivity during AOM reset

Component: TMOS

Symptoms:
After resetting AOM, you are unable to connect to the BIG-IP management port.

Conditions:
This occurs immediately after resetting AOM and during the AOM reboot.

Impact:
Unable to connect to the management port


511865-2 : [GTM] GTM external monitor is not correctly synced in GTM sync group without device group

Component: Global Traffic Manager

Symptoms:
GTM external monitor is not correctly synced in GTM sync group without device group.

Conditions:
This occurs when the following conditions are met:
1. GTM systems exist in the same GTM sync group but not in the same device group.
2. The GTM external monitor refers to a non-default system file.

Impact:
The GTM external monitor is not synced correctly and configuration fails on the peer GTM system. The system posts an error similar to the following: err iqsyncer[20361]: 011ae104:3: Gtm config sync result from local mcpd: result { result_code 17237778 result_message '01070712:3: Values (/Common/bad_external_monitor.sh) specified for external monitor parameter (/Common/external_test 2 RUN_I=): foreign key index (to_file) do not point at an item that exists in the database.' }

Workaround:
Configure both GTM systems in the same GTM sync group and the same device group.


511782-9 : The HTTP_DISABLED event does not trigger in some cases

Component: Local Traffic Manager

Symptoms:
HTTP_DISABLED is not triggered by the HTTP::disable iRule command, requests using the CONNECT method, and Web-sockets traffic.

Conditions:
If the HTTP filter is switched into pass-through mode by the HTTP::disable command, CONNECT requests, or via Web-sockets traffic.

Impact:
The HTTP_DISABLED event does not trigger.

Workaround:
This issue has the following workaround:
-- For HTTP::disable, add the logging code within HTTP_DISABLED after that iRule command.
-- For CONNECT, use an iRule to match the method in HTTP_REQUEST, and check that 200 Connected is returned as the status in HTTP_RESPONSE. If so, invoke the logging code within HTTP_DISABLED.
-- For Web-sockets, use an iRule to match the 101 Switching Protocols status code in HTTP_RESPONSE. If this happens, invoke the logging code that is also within HTTP_DISABLED.


511385 : <SecurID Soft Token Messages> are not translated

Component: Access Policy Manager

Symptoms:
<SecurID Soft Token Messages> are not translated

Conditions:
Always, in the case of a SecurID soft token error.

Impact:
Minimal. They are valid customization entries in English and could be translated by admin.

Workaround:
Customization has entries for these messages, so they are translatable.


511324-4 : HTTP::disable does not work after the first request/response.

Component: Local Traffic Manager

Symptoms:
The HTTP::disable command does not work correctly after the first request is complete. If called during the second request (or response), then the connection is reset with an error message.

Conditions:
HTTP::disable is called in a request after the first. The pass-through data reaches the server-side before the server-side HTTP filter expects it.

Impact:
The connection is reset.

Workaround:
None.


511006-2 : Virtual address is advertised to ZebOS (as visible via imi shell) while unavailable.

Component: TMOS

Symptoms:
OSPFv2 does not advertise Virtual Addresses upon monitor state changes.

Conditions:
Dynamic routing must be configured. Virtual address is not associated with a virtual server.

Impact:
Route availability is inappropriately advertised. The virtual address is advertised in ZebOS as available when it is not.

Workaround:
None.


510951-2 : Status of connection limited pool is reported incorrectly

Component: Local Traffic Manager

Symptoms:
Status of connection limited pool or member is shown as available, even if the nodes have a connection limit and the limit has been met or exceeded.

Conditions:
Node connection limit is reached on all nodes.

Impact:
Misleading status indicator - virtual server and pool reports UP and nodes report DOWN.

Workaround:
None.


510728-4 : Create and Delete buttons should be disabled for Security :: Protocol Security : Security Profiles : DNS when accessed as Firewall Manager.

Component: Advanced Firewall Manager

Symptoms:
Create and Delete buttons should be disabled for Security :: Protocol Security : Security Profiles : DNS when accessed as Firewall Manager.

Conditions:
User with role of Firewall Manager and accessing
Security :: Protocol Security : Security Profiles : DNS

Impact:
Firewall Manager has extra abilities not considered in scope for the role. Therefore a validation error will be thrown similar to the following: "01070822:3: Access Denied: user (username) does not have create access to object (dns_security)"


510436-4 : TMM logs carry a generic hostname at startup

Component: TMOS

Symptoms:
During startup, TMM logs messages using the tmm process name as the hostname until the system has initialized enough to obtain the BIG-IP system's configured host name.

Conditions:
This occurs during startup when the system writes messages to the log.

Impact:
It might not be possible to determine the source of a given TMM startup log for consolidated off-box logs from many BIG-IP systems.


510395-2 : Disabling some events while in the event, then running some commands can cause tmm to core.

Component: Local Traffic Manager

Symptoms:
If an event is disabled inside the event itself, and then a Tcl command that executes asynchronously is executed, TMM can core.

Conditions:
An event is disabled from inside the event, and then a parking command is issued.
Example:
when HTTP_REQUEST {
   if { $a == $b } {
       event disable HTTP_REQUEST
   }
   after 100
   log local0. "foo"
}

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable events as the last command before exiting the event. For example:

when HTTP_REQUEST {
   if { $a == $b } {
       event disable HTTP_REQUEST
       return
   }
}


509677-2 : Edge-client crashes after switching to network with Captive Portal auth

Component: Access Policy Manager

Symptoms:
When switching to a network with Captive Portal authentication, the Edge-client becomes unresponsive.

Conditions:
- Captive Portal uses https logon page
- Network switching done by unplugging the network cable from the NIC or disconnecting from the wireless network (not disabling the network interface).

Impact:
Edge-client crashes

Workaround:
N/A


508556-2 : CSR missing SAN when renewing cert in GUI

Component: TMOS

Symptoms:
When using the GUI to renew a CA certificate that contains a subject alternative name (SAN), the SAN field is missing in the generated CSR.

Conditions:
Using the GUI to renew a CA certificate that contains a SAN.

Impact:
The resulting CSR does not contain a SAN value.

Workaround:
Use tmsh. For example: tmsh create sys crypto csr abc key abc.key subject-alternative-name DNS:ddd.nnn.sss common-name cn


508341-3 : Scheduled-reports are not syncing the 'first-time' value on a sync group

Component: Application Visibility and Reporting

Symptoms:
The 'first-time' value of a scheduled report created on a sync or sync-failover group configuration is not synced to the other devices.

Conditions:
Having a DSC configuration and trying to create a scheduled report.

Impact:
This issue may cause other devices in the sync group to send reports before the first-time value assigned to them.


507899-2 : Custom APM report - Assigned IP field shows 'IPv4' instead of assigned IP value

Component: Access Policy Manager

Symptoms:
In a custom APM report, the Assigned IP field shows IPv4 instead of the assigned IP value.

Conditions:
This affects only 11.5.x and 11.6.x releases. If user creates a custom report with 'Assigned IP' as a field and runs the report, the content of Assigned IP is the IP type rather than the correct IP.

Impact:
The report content is not correct.

Workaround:
Use one of the built-in reports, All Sessions or Current Sessions, to get the correct content for the Assigned IP field.


507554-2 : Uneven egress traffic distribution on trunk with odd number of members

Component: Local Traffic Manager

Symptoms:
If a trunk on a BIG-IP appliance or VIPRION chassis is populated with a number of members that is not a power of 2, the resulting distribution of egress traffic may be noticeably uneven.

For example, in a VIPRION chassis with 3 blades each having 5 ports assigned to the trunk (total of 15 ports), one of the ports on one of the blades may send noticeably more traffic than the other ports.

Conditions:
This problem occurs on the following F5 hardware platforms:
-- BIG-IP 10000-series and 12000-series appliances.
-- VIPRION B4300 and B2250 blades.

Impact:
Sub-optimal distribution of traffic across available trunk ports.

Workaround:
Configure the members of the trunk to always contain a number of members which is a power of 2 (2, 4, 8, 16).


507493-1 : Cannot reset counter for rules of Management Port and Global

Component: Advanced Firewall Manager

Symptoms:
Cannot reset counter for rules of Management Port and Global

Conditions:
Firewall rules for Global context and for Management port

Impact:
Users unable to reset counters for these rules.


506548-1 : Mgmt port does not link with correct speed or duplex when using fixed media on AOM-based platforms

Component: TMOS

Symptoms:
Statically configured port speed and duplex settings disable port autonegotiation.

Conditions:
Connect the mgmt interface to a remote switch port that is set to auto negotiate and set the mgmt interface media to something other than 'auto'.

Alternatively, the condition may be encountered when the mgmt interface is set to autonegotiate speed and duplex but the remote switch port may be set to static values.

In both cases, a high number of collisions and dropped packets can be observed on the mgmt interface.

Impact:
Link may not establish. As a result, the mgmt interface might not be connected. The link may establish but can be in a mismatched state where neither side agrees on speed and/or duplex.

Interface settings can be restored by connecting over the console port.

Workaround:
Make sure the mgmt interface media setting is 'auto' when connecting to autonegotiating switch ports. Make sure the mgmt interface's static configuration aligns with the connected switch ports when using static switch port configurations.


506423-1 : [GTM] [ZoneRunner] Silent failure when adding a resource record is not successful

Component: Global Traffic Manager

Symptoms:
Silent failure on unsuccessful creation of resource record.

Conditions:
Create a resource record whose creation will not succeed and for which NAMED does not return an error.

For example: adding a DS record via ZoneRunner when subdomain delegation is not configured.

Impact:
The record is not added, and ZoneRunner returns no error.

Workaround:
None.


505323-3 : NSM hangs in a loop, utilizing 100% CPU

Component: TMOS

Symptoms:
NSM daemon hangs in an endless loop searching recursive nexthop in a trie. This causes NSM to be unresponsive.

Conditions:
Configure BGP with recursive nexthop.

Impact:
Dynamic routing fails to be responsive to imish commands, and NSM might not update routes.

Workaround:
None.


505123-6 : sysObjectID returns 'unknown' platform on the VIPRION 4400

Component: TMOS

Symptoms:
Querying for sysObjectID on VIPRION 4400 returns 'unknown' (.1.3.6.1.4.1.3375.2.1.3.4.1000):
# snmpwalk -v 2c -c community big-ip sysObjectID
SNMPv2-MIB::sysObjectID.0 = OID: F5-BIGIP-SYSTEM-MIB::unknown

With numeric output:
# snmpwalk -v 2c -On -c community big-ip sysObjectID
.1.3.6.1.2.1.1.2.0 = OID: .1.3.6.1.4.1.3375.2.1.3.4.1000

Conditions:
This occurs when running 'show sys hardware' on the VIPRION 4400.

Impact:
The snmpd call incorrectly identifies the BIG-IP system as unknown.


505003 : SSLv3 is disabled by default on the management interface of BIG-IP on AWS Marketplace

Component: TMOS

Symptoms:
SSLv3 has known security issues. To make BIG-IP more secure on AWS, it is disabled by default on the management and data interfaces. This can cause legacy client connections which require SSLv3 to fail.

Conditions:
SSLv3 disabled on management interface of BIG-IP on AWS Marketplace.

Impact:
Legacy client connections that require SSLv3 might fail.

Workaround:
F5 does not recommend changing the default SSL profiles, but they can be configured per K13171: Configuring the cipher strength for SSL profiles (11.x), https://support.f5.com/csp/article/K13171, and K17370: Configuring the cipher strength for SSL profiles (12.x - 13.x), https://support.f5.com/csp/article/K17370.


504917-2 : In ASM Manual Sync Only group, policies do not stay deleted or inactive on secondary after sync is pushed

Component: Application Security Manager

Symptoms:
An inactive ASM policy on a sync target is suddenly re-activated.

Conditions:
This occurs when ASM manual sync is configured, and a policy is de-activated or deleted. The time stamp of the policy does not get updated, so the active policy will take precedence and re-activate it.

Impact:
If the user deactivates or deletes a policy on one device and then pushes the ASM config to the other device, the policies will end up being reactivated (or recreated as a default policy) on the other device.

Workaround:
The workaround is to make a change to the policy on one of the machines before de-activating it, so that its timestamp is newer than the other machine's.


504021-3 : lsn-pool member routes not properly propagated to routing table when lsn-pool routing-advertisement is enabled

Component: Carrier-Grade NAT

Symptoms:
lsn-pool with route-advertisement enabled does not have routes properly propagated to the routing-table.

Conditions:
When the route-domain routing protocol is enabled after lsn-pool route-advertisement is enabled and an lsn-pool member has been added.

Impact:
Route entries for lsn-pool members with route-advertisement enabled are not propagated to the routing table.

Workaround:
Either 1) restart tmrouted after enabling the routing protocol for the desired route-domain, or 2) toggle route-advertisement on the lsn-pool after enabling the routing protocol for the desired route-domain.


503960-5 : The requested unknown (1936) was not found.

Component: TMOS

Symptoms:
mcpd restarts, leaving the message "The requested unknown (1936) was not found".

Conditions:
The conditions for this bug are somewhat unknown. Older versions of BIG-IP have a simple lookup for display names. This display name table only has a select few configuration items in it, and everything else returns "unknown". So any configuration error that is generated from using a type that is not defined in the table could potentially lead to this error.

Impact:
MCPD restarts, causing system-wide restarting of daemons.


503951-1 : AFM policies not synced

Component: Advanced Firewall Manager

Symptoms:
During configuration sync you notice that AFM policies are not enforced on one of the devices, and you see errors in /var/log/ltm:

crit tmm1[25043]: 015e0001:2: pktclass: pktclass_blobs not initialized.

Conditions:
It is not known exactly what triggers this, but it is encountered during system initialization.

Impact:
Policies do not sync and the sync does not recover.


503795-3 : [LTM] [DNS] [LOG] debug log information is logged even when "dnscacheresolver.loglevel" set to higher than debug

Component: Local Traffic Manager

Symptoms:
The BIG-IP system logs debug log information when 'dnscacheresolver.loglevel' is set to higher than debug.
For example, 'dnscacheresolver.loglevel' is set to notice.

Conditions:
'dnscacheresolver.loglevel' log level is set to higher than 'debug'.

Impact:
Although it might be difficult to determine the severity of the logging information, there is no known negative impact on the system.

Workaround:
This issue has no workaround at this time.


503125-2 : Excessive MPI net traffic can cause tmm panics on chassis systems

Component: Local Traffic Manager

Symptoms:
Excessive MPI net traffic can cause tmm panics on chassis systems.

Conditions:
This occurs on chassis systems with excessive internal traffic resulting from abnormal load distribution or excessive session DB usage. The session DB usage can be the result of modules or of custom iRules that store session data.

Impact:
Temporary outage and possible failover when using HA. The source conditions will also continue on the new active device, which can cause repeated failovers. When this occurs, the tmm logs will contain messages similar to: notice MPI stream: connection to node 127.20.3.24 expired for reason: TCP retransmit timeout

Workaround:
If affected by this when using iRules to create custom keys and data, this can be partially mitigated by consolidating multiple keys and using key lengths as small as possible. The amount of data stored also contributes, but large keys can exacerbate the issue.


502129-1 : Hash Cookie Persistence interacts poorly with persistence iRules

Component: Local Traffic Manager

Symptoms:
Persistence may fail to work correctly if hash persistence is selected via an iRule persist command. Later requests could then use the hash cookie value as the name of the persistence cookie to inspect.

Conditions:
Cookie persistence is configured, and then overridden by cookie hash persistence by an iRule persist command.

Impact:
Persistence may fail to work correctly when the persist iRule command overrides from cookie to hash-cookie persistence.


502016-3 : MAC client components do not log version numbers in log file.

Component: Access Policy Manager

Symptoms:
Some client components do not log version numbers in the log file.

Conditions:
Mac client components.

Impact:
Lack of version numbers in the log file.

Workaround:
None.


501984-1 : TMM may experience an outage when an iRule fails in LB_SELECTED.

Component: Local Traffic Manager

Symptoms:
When an iRule fails in LB_SELECTED, it is possible for TMM to crash. The TMM failure is an intermittent, timing-related issue.

Conditions:
Using iRules with a rule for when LB_SELECTED is operating on a node/pool member.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


501947-1 : Cannot delete keys/certificates whose names start with 0 (zero).

Component: TMOS

Symptoms:
Cannot delete keys/certificates whose names start with 0 (zero).

Conditions:
Trying to delete a key/certificate whose name starts with 0.

Impact:
When trying to delete a key/certificate whose name starts with 0, the GUI shows the confirm delete page, but no key or certificate is listed; after clicking delete again, the system displays the key/certificate list page, with the key/certificate still there.

Workaround:
Use tmsh or iControl to delete keys/certificates whose names start with 0 (zero).


501418-3 : OSPF: Multiple ECMP default routes not distributed to TMM

Component: TMOS

Symptoms:
TMM route table does not use both ECMP routes for the default route.

Conditions:
When using ECMP and OSPF.

Impact:
Does not use both equal-cost routes to route traffic.

Workaround:
None.


500402-1 : 'Data publisher not found or not implemented' mcpd error message when iRule is loaded from tmsh.

Component: Local Traffic Manager

Symptoms:
'Data publisher not found or not implemented' mcpd error message when iRule is loaded from tmsh. The system posts the following mcpd error message in ltm log when an iRule is loaded from tmsh: err mcpd[5834]: 0107167d:3: Data publisher not found or not implemented when processing request (unknown request), tag (6589).

Conditions:
When merging config files, the error message may show up in system log.

Impact:
There is no functional impact observed.

Workaround:
Manually edit and merge config files.


499750-2 : ClientHello includes the _SHA256 cipher in the TLS1.0

Component: Local Traffic Manager

Symptoms:
Sometimes, the BIG-IP system sends the _SHA256 cipher in the ClientHello message of TLS1.0.

Conditions:
This occurs when using the _SHA256 cipher in clientssl and serverssl profiles.

Impact:
Depends on the peer implementation. Sometimes the peer SSL implementation responds with an Alert message and refuses to establish a connection.

Workaround:
None.


499719-3 : Order Zones statistics would cause database error

Component: Global Traffic Manager (DNS)

Symptoms:
'General database error retrieving information' error in GUI.

Conditions:
This occurs when using the GUI to view Statistics for DNS zones.

Impact:
Not able to view Statistics from GUI for DNS zones.

Workaround:
Use tmsh to view Statistics for DNS zones.


499694-3 : LTM v10.2.x to v11.x upgrade misses partition name on node specific monitor

Component: TMOS

Symptoms:
When upgrading from v10.2.x to v11.x, the node monitor name does not acquire full path or partition information. Similarly, creating a node with a monitor via TMSH, the node monitor name does not show partition information; however, configuring a node via GUI does add partition information.

If a node with a specific monitor of "none" is later forced down and then re-enabled, the node will remain in a marked-down-by-monitor state.

Conditions:
Upgrade from v10.2.x to v11.x.

Impact:
For nodes that have a specific monitor of "none", if the node is forced down and then re-enabled via tmsh or the node list in the GUI, the node will be marked down by the monitor. If the node is re-enabled from the node properties page in the GUI, this issue does not occur.

For other monitor types or pool and pool member monitors, the issue is cosmetic.

Workaround:
Load sys config base, then load sys config. Then in both the GUI and TMSH add partition info to the node monitor.


499615-14 : RAM cache serves zero length documents.

Component: Local Traffic Manager

Symptoms:
RAM cache serves zero length documents.

Conditions:
Forcing caching in an iRule.

Impact:
RAM Cache will cache a HEAD response, if an iRule is configured to force it to do so. This causes RAM cache to serve zero length documents.

Workaround:
If the HTTP operation is a HEAD request, do not cache the response.


499431-3 : Validation missing to check that all keys/certificates are removed from the clientSSL profile

Component: Local Traffic Manager

Symptoms:
Using iControl, the user will be able to remove all the keys/certificates associated with a clientSSL profile. If this remains in the configuration and the system is upgraded to a version that validates that there are no empty keys or chains, the config will fail to load and you will see this error signature in /var/log/ltm:

emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all" - failed. -- 01070315:3: profile <Client SSL profile> requires a key Unexpected Error: Loading configuration process failed.

Conditions:
Using iControl to remove keys and certificates from a clientSSL profile. This issue may not be seen initially if the clientSSL profile is not in use. It could be seen later when upgrading to a version that performs validation against empty keys and chains, such as an upgrade from 11.5.1 to 11.6.0.

Impact:
The configuration will fail to load.

Workaround:
SSL profiles with no keys or certificates are invalid. If you intend to remove a profile, delete the profile itself rather than only its key and certificate, and do not use iControl to delete the key and certificate while leaving the profile in place.
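As an added pre-upgrade check (example code written for this edit, not part of the F5 release notes or of F5's own tooling), the following Python script parses the brace-delimited output of 'tmsh list ltm profile client-ssl' and flags any client-ssl profile whose own key or cert field is 'none', which is the state that produces the '01070315:3: profile ... requires a key' load error above. The sample listing is constructed for the example: the layout and field names follow tmsh's format, but the profile names and file paths are made up.

```python
"""Pre-upgrade check: flag client-ssl profiles whose key or cert has been
removed (e.g. via iControl), which newer releases refuse to load."""

# Constructed sample of 'tmsh list ltm profile client-ssl' output. The
# brace-delimited layout and field names follow tmsh's format; the profile
# names and paths are invented for this example.
SAMPLE_TMSH_OUTPUT = """\
ltm profile client-ssl /Common/clientssl {
    cert /Common/default.crt
    defaults-from none
    key /Common/default.key
}
ltm profile client-ssl /Common/app-ssl {
    cert /Common/app.crt
    cert-key-chain {
        app {
            cert /Common/app.crt
            key /Common/app.key
        }
    }
    defaults-from /Common/clientssl
    key /Common/app.key
}
ltm profile client-ssl /Common/stripped-ssl {
    cert none
    chain none
    defaults-from /Common/clientssl
    key none
}
"""


def parse_tmsh(text):
    """Parse tmsh's nested 'name { ... }' / 'key value' layout into dicts.

    Returns a dict keyed by each object's full header line (for example
    'ltm profile client-ssl /Common/app-ssl'); nested blocks become nested
    dicts and scalar lines become string values. Lines are split on the
    first space, so this handles config listings but not quoted values
    that themselves contain braces.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip()
    if len(stack) != 1:
        raise ValueError("unbalanced braces in tmsh output")
    return root


def find_keyless_client_ssl(text):
    """Return names of client-ssl profiles whose own key or cert is 'none'.

    Only an explicit 'none' is flagged: a field that is absent from the
    listing is inherited from the parent profile and is not an error.
    """
    flagged = []
    for header, body in parse_tmsh(text).items():
        if not header.startswith("ltm profile client-ssl "):
            continue
        name = header.split()[-1]
        if body.get("key") == "none" or body.get("cert") == "none":
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name in find_keyless_client_ssl(SAMPLE_TMSH_OUTPUT):
        print(f"WARNING: {name} has no key/cert; delete or repair it before upgrading")
```

Feed it the real listing (for example, the output of 'tmsh list ltm profile client-ssl' saved to a file) before saving the UCS that will be installed on the newer version.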


499404-2 : FastL4 does not honor the MSS override value in the FastL4 profile with syncookies

Component: Local Traffic Manager

Symptoms:
FastL4 does not honor the MSS override value in the FastL4 profile when syncookies are in use. This can lead to cases where the advertised MSS value in the SYN/ACK is larger than the MSS override value.

Conditions:
The FastL4 profile specifies a non-zero MSS override value and syncookies mode is active.

Impact:
The wrong MSS value is advertised during the TCP three-way handshake (3WHS).

Workaround:
None.


499348-3 : System statistics may fail to update, or report negative deltas due to delayed stats merging

Component: TMOS

Symptoms:
Under some conditions, the BIG-IP system might fail to report statistics over time. This can manifest as counters that never change (e.g., remain at zero), as sudden spikes in traffic, or as negative deltas in some counters.

The system performance graphs will also appear to have gaps / be missing data at the times that this occurs.

Conditions:
This occurs when there are frequent changes occurring to the underlying statistics data structures. This can occur when the system is spawning/reaping processes on a frequent basis (e.g., a large number of external monitors).

This can also occur if iRules are frequently using 'SSL::profile' to select different SSL profiles on a virtual server, as this can cause per-virtual server, per-profile statistics to be created and deleted on a regular basis.

Impact:
Statistics fail to merge, which results in incorrect view of system behavior and operation.

Workaround:
This issue has two workarounds:

1. Reduce the frequency of changes in the statistics data structures, which depends on what is triggering them. For instance, reduce the frequency of configuration changes, or the use of 'SSL::profile' in iRules (if those are the trigger), or reduce the number/frequency of processes being spawned by the system (if that is the trigger).

2. Switch statistics roll-ups to the 'slow_merge' method, which causes the system to spend more CPU merging statistics. This can be done by setting the 'merged.method' DB key to 'slow_merge' using the following command:
    tmsh modify sys db merged.method value slow_merge


498490-2 : Incorrect overlapping status shown when a rule in a rule list has the same name as a rule not in that list

Component: Advanced Firewall Manager

Symptoms:
An incorrect overlapping status (redundant or conflicting) is shown when a rule in a rule list has the same name as a rule not in that list.

Conditions:
Identical rule names both inside a rule list and outside the rule list.

Impact:
Potentially misleading presentation.

Workaround:
Use different rule names.


498433-2 : Upgrading with ASM iRule and virtual server with no websecurity profile

Component: Application Security Manager

Symptoms:
If you have an iRule that uses "ASM::*" assigned to a virtual server with no websecurity profile, when trying to upgrade from BIG-IP version 11.4.0 to any newer version, the upgrade fails, and you receive the following error message:
-----------------
ASM::disable in rule (iRule_name) requires an associated WEBSECURITY profile on the virtual server (virtual_server_name).
-----------------

Conditions:
On version 11.4:
1) Have an iRule that uses ASM::*, e.g.
  when HTTP_REQUEST {
    ASM::disable
  }
2) Create a virtual server and associate an ASM policy with it via CPM (L7) policy
3) Assign the iRule to the VS
4) Remove the CPM policy from the VS

Now upgrade to any newer version
OR
Save the ucs and try to manually install it on any newer version

Impact:
Fails to upgrade.
Fails to install ucs.

Workaround:
Prior to upgrading and/or saving the ucs, for all virtual servers that have no websecurity profile assigned to them, remove all iRules that contain 'ASM::*' actions.


498150-1 : "General database error retrieving information" appears on Self Ip Security page after removing a rule and refreshing the page

Component: Advanced Firewall Manager

Symptoms:
The error "General database error retrieving information" appears on the Self IP Security page after removing a rule and refreshing the page.

Conditions:
Error occurs after deleting a rule from the Self IP Security page

Impact:
The user must refresh the page to continue configuring that feature.

Workaround:
You can navigate again to Network :: Self IPs : self_ip_name : Security when this issues occurs. The issue does not stop the user from deleting the rule itself.


497424-1 : Policy name field appears on Rule creation page even if Policy is selected

Component: Advanced Firewall Manager

Symptoms:
The Policy name field appears on the Rule creation page even if the Policy is selected, requiring the user to reselect the policy.

Conditions:
This occurs when creating a rule for a policy and applying it to a context.

Impact:
This is a cosmetic issue and has no functional impact.

Workaround:
Reselect the desired policy.


497004-2 : Policy field is not marked as containing errors when we try to create Rule without Policy

Component: Advanced Firewall Manager

Symptoms:
Policy field is not marked as containing errors when we try to create Rule without Policy. The error message "01070712:3: Invalid primary key on fw_policy_rule object - path is empty." is returned without explicitly calling out the policy field omission.

Conditions:
Creating a rule without specifying a policy.

Impact:
User confusion and frustration due to unclear feedback from UI validation.

Workaround:
Always fill out policy field when creating rules.


496663 : iRule object in non-Common partition referenced from another partition breaks upgrade/config load

Component: TMOS

Symptoms:
iRule object in non-Common partition referenced from another partition results in upgrade/configuration load failure in 11.x/12.x.

Conditions:
This occurs when upgrading/loading a configuration containing an iRule in one non-Common partition that references an object in another non-Common partition. A configuration of this type can be saved only using pre-11.x versions of the software.

Impact:
The config upgrade fails, and the UCS/configuration files cannot be loaded. The system posts an error message similar to the following: 'myucs.ucs' failed with the following error message: 'Rule [/UNCOMMONPARTITION/RULEABC] error: Unable to find rule_object (...) referenced at line xyz: [element]'.

Workaround:
None.


496155-1 : tmsh show ltm persistence persist-records sometimes shows an incorrect number of entries on VIPRION chassis

Component: TMOS

Symptoms:
tmsh show ltm persistence persist-records sometimes shows an incorrect number of entries on VIPRION chassis.

Conditions:
When there are multiple slots on a VIPRION chassis, and the command is executed on a secondary from the primary.

Impact:
Results are not reported correctly in tmsh. Results display a fluctuating number of src ip persistence entries.

Workaround:
Specify the virtual server name in the tmsh command directly, instead of running the command for all virtual servers.


496038-1 : system_check shows stale chassis fan tray data after the chassis is removed

Component: TMOS

Symptoms:
After a chassis fan tray is removed, the system_check utility still shows stale data from before the removal.

Conditions:
Remove chassis fan tray

Impact:
There is a warning in the ltm log when the chassis fan tray is removed. So, the impact of the system_check inconsistency is small.

Workaround:
None.


495242 : mcpd log messages: Failed to unpublish LOIPC object

Component: TMOS

Symptoms:
The system posts the following message in the mcpd log: Failed to unpublish LOIPC object.

Conditions:
This is an intermittent issue that occurs on standby systems in High Availability configurations. In this case, the system is attempting to remove a file/directory that does not exist. Either it has already been removed or it was not created.

Impact:
The system posts the following error: err mcpd[7143]: 010716d6:3: Failed to unpublish LOIPC object for (loipc_name.1417443578.297505208). Call to (shm_unlink) failed with errno (2) errstr (No such file or directory). This is a benign error that can be safely ignored.

Workaround:
None.


495227-4 : tmsh displays wrong cert expiration date on 'show gtm iquery' (later than Jan 18 2038).

Component: TMOS

Symptoms:
When displaying iQuery stats in tmsh, the expiration date of the certificate appears to be in the past.

Conditions:
Certificate expiration date is beyond Jan 19, 2038 03:14:07 UTC (the maximum epoch time representable by a signed 32-bit integer).

Impact:
The certificate remains valid. This is a cosmetic issue only.

Workaround:
None.
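To illustrate the arithmetic behind this cosmetic bug, here is an added Python example (written for this edit; not F5 code, and not how tmsh itself is implemented) that reinterprets a certificate's notAfter epoch as a signed 32-bit value and shows a 2040 expiry rendering as a date in 1903. The 2040-01-01 expiry and the 2018 'now' are constructed inputs.

```python
"""Why a certificate expiring after 2038 can display as already expired when
a tool stores the expiry epoch in a signed 32-bit integer."""
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INT32_MAX = 2**31 - 1          # 2038-01-19 03:14:07 UTC


def utc(year, month, day, hour=0, minute=0, second=0):
    """Build a timezone-aware UTC datetime."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def to_epoch(dt):
    """UTC datetime -> seconds since the Unix epoch, as an unbounded Python int."""
    return int((dt - EPOCH).total_seconds())


def as_signed32(ts):
    """Reinterpret an epoch value the way a signed 32-bit time_t would hold it."""
    return ((ts + 2**31) % 2**32) - 2**31


def from_epoch(ts):
    """Seconds -> UTC datetime; works for negative values on every platform."""
    return EPOCH + timedelta(seconds=ts)


def displayed_expiry(not_after, width=64):
    """Expiry date as a tool with a time_t of the given width would render it."""
    ts = to_epoch(not_after)
    if width == 32:
        ts = as_signed32(ts)
    return from_epoch(ts)


def is_expired(not_after, now, width=64):
    """Expiry check; width=32 reproduces the bogus 'in the past' display."""
    return displayed_expiry(not_after, width) < now


if __name__ == "__main__":
    now = utc(2018, 3, 18)                 # constructed 'current time'
    not_after = utc(2040, 1, 1)            # constructed certificate notAfter
    for width in (64, 32):
        print(f"{width}-bit time_t: expires {displayed_expiry(not_after, width)} "
              f"expired={is_expired(not_after, now, width)}")
```

The certificate itself is unaffected; only the display path that narrows the epoch to 32 bits is wrong, which is why the entry above calls the issue cosmetic.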


495128-3 : Safari 8 continues using proxy for network access resource in some cases when it shouldn't

Component: Access Policy Manager

Symptoms:
If a client machine uses a proxy and Network Access does not specify any proxy, Safari should not use the proxy for Network Access resources after the Network Access tunnel is created. However, Safari 8 still does so for some resources.

This problem occurs with Safari 8. Other versions of Safari and other browsers work as expected in our testing.
Apple has been notified: rdar://problem/18651124

Conditions:
The problem occurs when all of these conditions exist:
1. OS = Mac OS X Yosemite.

2. Configuration = Client machine has local proxy configured and Network Access on BIG-IP system access policy does not specify any proxy.

3. Action = Accessing Network Access resource after tunnel is created.

Impact:
As a result, some Network Access resource might be unavailable.

Workaround:
There is no workaround at this time.


494977-1 : Rare outages possible when using config sync and node-based load balancing

Component: Local Traffic Manager

Symptoms:
In rare circumstances it is possible for tmm to experience an outage when processing traffic and using config sync. This is rare and appears to be related to a combination of config sync and processing traffic shortly after the tmm is brought online.

Conditions:
Using config sync and node-based load balancing. This has only been observed early in traffic processing during a config sync; it does not appear to be related to how long the tmm has been online (e.g., online and not processing traffic or online in standby does not seem to make any difference; however, issuing a config sync and failing over at the same time might cause this to occur.)

Impact:
Interruption in service or HA failover.


494435 : Failed to sync connectivity or rewrite profile created from non-default profile

Component: Access Policy Manager

Symptoms:
Policy sync fails with error status "Created failed on target" on target devices.

Conditions:
1. Create a connectivity or rewrite profile from the default one.
2. Create another child profile using the one created above as parent.
3. Create a virtual server, with the child connectivity and/or rewrite profile, and an access policy.
4. Initiate a policy sync for the access profile.

Impact:
Policy sync function fails.

Workaround:
When creating a connectivity or rewrite profile, use only the default profile as the parent; alternatively, sync the non-default parent profile to the target devices first.


494333-1 : In specific cases, persist cookie insert fails to insert a session cookie when using an iRule

Component: Local Traffic Manager

Symptoms:
The 'persist cookie insert' and 'persist cookie rewrite' iRule commands fail to set session cookies.

Conditions:
A persistence cookie profile with a timeout of zero must be applied. If either command is used without an explicit timeout, LTM will fail to set a session cookie.

Impact:
TMM sets a cookie with a 180-second expiration instead of a session cookie.

Workaround:
Explicitly specify a 0 for the cookie timeout in the iRule.


494084-3 : Certain rapidly-terminating UDP virtuals may core on standby

Component: Local Traffic Manager

Symptoms:
Based on an internal race condition, it is possible for certain flows to cause cores on standby BIG-IPs when using connection mirroring on layer 7 VIPs. This does not apply to use of mirroring on Performance or Performance (HTTP) virtuals.

Conditions:
Standard UDP virtual using connection mirroring.

Impact:
Restart of the standby tmm. No connections are affected, though if packets are set to require acknowledgements from the standby there may be a brief delay in processing for some or all connections.


493250-3 : BGP disabling graceful-restart in ZebOS does not persist and is automatically enabled

Component: TMOS

Symptoms:
The ZebOS command to 'disable' BGP graceful-restart works temporarily, but is reset to 'enable' after system restart.

Conditions:
Setting BGP graceful-restart to 'disable' in ZebOS and restarting the system.

Impact:
Cannot disable graceful-restart past a restart operation.


492352-4 : Mismatch ckcName between GUI and TMSH can cause upgrade failure

Component: Local Traffic Manager

Symptoms:
The GUI and tmsh generate different cert-key-chain names (ckcName) for the same clientssl profile:
Case 1: the clientssl cert-key-chain includes key/cert
  tmsh uses <key-name> as ckcName
  GUI uses <key-name>.key as ckcName
Case 2: the clientssl cert-key-chain includes key/cert/chain
  tmsh uses <key-name>_<chain-name> as ckcName
  GUI uses <key-name>.key as ckcName
The fix makes the GUI generate the same ckcName as tmsh.

Conditions:
Use GUI to create one SSL profile, then upgrade it.

Impact:
Upgrade fails because the ckcName generated by the GUI does not match the one tmsh expects.


491165-3 : Legal IP addresses sometimes logged in Attack Started/Stopped message.

Component: Advanced Firewall Manager

Symptoms:
Sometimes legal IP addresses are logged as attack started/stopped messages.

Conditions:
AFM licensed and provisioned and Sweep & Flood Vector enabled.

Impact:
Misleading attack started/stopped log entries for legitimate IP addresses.

Workaround:
None.


490139-3 : Loading iRules from file deletes last few comment lines

Component: Local Traffic Manager

Symptoms:
Loading iRules from the iRules file deletes last few comment lines immediately preceding the closing bracket.

Conditions:
This occurs when loading an iRule file from versions prior to 11.5.1.

Impact:
Although the comments are removed, this does not affect iRule functionality.

Workaround:
Put comments in places other than immediately above the closing bracket.


490121-2 : Incorrect reporting of PVA current and maximum connection with SERVER_CONNECTED event

Component: Local Traffic Manager

Symptoms:
PVA current and maximum stats are incorrectly reported when using a FastL4 profile with a SERVER_CONNECTED iRule event. For each connection that is established, the current connection count is incremented twice and decremented only once when the connection is terminated. This leads to a lingering connection, which skews the stats.

Conditions:
A fastL4 virtual with a SERVER_CONNECTED iRule event.

Impact:
The current and maximum PVA stats are incorrectly reported.

Workaround:
This issue has no workaround at this time.


489572-1 : Sync fails if keys are created and deleted in same transaction.

Component: Local Traffic Manager

Symptoms:
Sync fails if you create/import an SSL key and delete it before triggering manual sync, and ltm logs contain messages similar to the following:

Standby:
-- err mcpd[7339]: 01070712:3: Caught configuration exception (0), Failed to sync files..
-- err mcpd[7339]: 01071488:3: Remote transaction for device group /Common/test to commit id 42 6079477704784246664 /Common/test failed with error 01070712:3: Caught configuration exception (0), Failed to sync files...

Active:
-- err mcpd[6319]: 0107134a:3: File object by name (/Common/test.key) is missing.

Conditions:
This occurs when BIG-IP systems are configured for manual (not automatic) configuration sync with incremental synchronization enabled (the default configuration), and one or more keys are created and then deleted before performing a sync from Active to Standby.

Impact:
Sync fails.

Workaround:
If you create a key, make sure to sync before deleting it. If a system is already in this state, perform a full sync / "Overwrite Configuration" sync as described in https://support.f5.com/csp/#/article/K13887.


489499-1 : chmand needs to check for LopUnsSensClientExists status after registering for unsolicited alerts with lopd

Component: TMOS

Symptoms:
chmand fails to register for unsolicited LOP events, so asynchronous alerts from lopd are not seen or reported by chmand. A message containing the phrase "failed to register for LOP at <address>" appears in /var/log/ltm.

Conditions:
Occurs when chmand has been re-started after it has already synchronized once with lopd.

Impact:
Asynchronous events from lopd will not be reported or handled, such as fan tray removal/insertion and PSU removal/insertion. Alerts that are driven by system_check through polling sensor values and comparing them to specified limits, however, will still be operational.

Workaround:
Re-start lopd:
# bigstart restart lopd


489217-2 : "cipher" memory can leak

Component: Local Traffic Manager

Symptoms:
When performing SSL handshakes, memory usage can increase. Examining "cipher" memory in "memory_usage_stat" may show large amounts of "cipher" memory allocated.

Conditions:
BIG-IP performing SSL handshakes.

Impact:
Memory usage increases until no more memory is available.


488921-3 : BIG-IP system sends unnecessary gratuitous ARPs

Component: Local Traffic Manager

Symptoms:
The BIG-IP system sends unnecessary gratuitous ARPs for its virtual IP addresses and self IP addresses.

Conditions:
When the virtual server status transitions from online to offline status or vice versa.

Impact:
The BIG-IP system sends out a large number of unwanted gratuitous ARPs if the virtual server changes its status rapidly. If devices connected to the BIG-IP system have rate limits configured, the devices might start ignoring the ARPs sent by the BIG-IP system, which might cause the devices to miss the critical gratuitous ARPs sent on HA failover. This might affect HA functionality.


488610-1 : Navigating to iApps :: Templates :: MyTemplate :: Properties in the GUI presents a blank page

Component: TMOS

Symptoms:
Navigating to iApps :: Templates :: MyTemplate :: Properties in the GUI presents a blank page.

Conditions:
This occurs when there are more than 150 applications using the same template.

Impact:
Cannot edit the iApp template.

Workaround:
Recommendation is to copy the iApp template to a different name and assign half of the application services to that new template.


488262-5 : moving VLAN from route-domain being deleted in the same transaction can cause errors

Component: TMOS

Symptoms:
Errors can occur when VLAN(s) are removed from a route domain and that route domain is deleted in the same transaction.

Conditions:
In a transaction, removing the VLAN membership from route-domain, and deleting the same route-domain.

Impact:
The transaction that changes the route domain's VLAN membership and deletes the route domain fails with an error.

Workaround:
Perform route-domain VLAN changes, and route-domain deletion in different transaction.


486735-3 : Maximum connections is not accurate when TMM load is uneven

Component: Local Traffic Manager

Symptoms:
Maximum connections is not accurate when TMM load is unevenly distributed. The maximum connection statistic reports the sum of each TMM's maximum connections, not the maximum number of concurrent connections on the virtual server.

Conditions:
This occurs when the load disaggregated to available TMMs is uneven.

Impact:
This causes the various TMMs to measure their individual maximum connections at significantly different times, resulting in higher-than-expected maximum connections.

Workaround:
Ensure the configuration matches traffic patterns, so the load of connections is evenly distributed across all TMMs.
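The following added Python example (written for this edit; not F5 code, and not how TMM computes the statistic) shows why the sum of per-TMM maxima overstates a virtual server's true peak concurrency whenever the TMMs peak at different times, and why the two agree only when load is evenly distributed. The per-TMM samples are constructed: the names 'tmm0'..'tmm2' and the counts are made up.

```python
"""Why summing per-TMM high-water marks overstates a virtual server's true
peak concurrency when load is skewed across TMMs."""

# Constructed per-TMM concurrent-connection samples taken at the same
# instants t0..t4. Load is uneven: each TMM peaks at a different time.
SAMPLES = {
    "tmm0": [50, 90, 20, 10, 30],
    "tmm1": [10, 20, 95, 15, 25],
    "tmm2": [20, 10, 15, 80, 40],
}


def sum_of_per_tmm_max(samples):
    """The reported figure: each TMM's own high-water mark, added together."""
    return sum(max(series) for series in samples.values())


def true_virtual_max(samples):
    """The real figure: the highest total across all TMMs at any one instant."""
    lengths = {len(series) for series in samples.values()}
    if len(lengths) != 1:
        raise ValueError("all TMMs must be sampled at the same instants")
    n = lengths.pop()
    return max(sum(series[i] for series in samples.values()) for i in range(n))


def overstatement(samples):
    """How far the per-TMM sum exceeds the true peak (never negative)."""
    return sum_of_per_tmm_max(samples) - true_virtual_max(samples)


if __name__ == "__main__":
    print("reported max (sum of per-TMM max):", sum_of_per_tmm_max(SAMPLES))
    print("true max (peak of per-instant sum):", true_virtual_max(SAMPLES))
    print("overstated by:", overstatement(SAMPLES))
```

When every TMM peaks at the same instant (the evenly distributed case the workaround aims for) the two functions return the same value; any skew in timing makes the reported figure larger than the real peak.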


485352-2 : TMM dumps core file when loading configuration or starting up

Component: TMOS

Symptoms:
TMM dumps core file when configuration file is being loaded or when TMM is starting up.

Conditions:
This error happens when there is no APM license installed.

Impact:
Traffic disrupted while tmm restarts.


485164-3 : MCPD cores when the Check Service Date in the license is not current.

Component: TMOS

Symptoms:
MCPD cores when the license has not been reactivated, causing the Check Service Date to be before the release date, and there are modified default profiles in the config.

Conditions:
A license with a Check Service Date before the release date of the current version and a config with modified default profiles.

Impact:
The BIG-IP system does not function.

Workaround:
Reactivate the license prior to upgrade.


484013-3 : tmm might crash under load when logging profile is used with packet classification

Component: Advanced Firewall Manager

Symptoms:
When tmm is under heavy load it may run out of memory and crash under certain conditions.

Conditions:
This occurs when the following conditions are met:
1. Packet classification is enabled
2. Security logging profile is used with 'log translation fields' option enabled.
3. Fast flow forwarding is enabled on forwarding virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
To work around this, do one of the following:
-- Disable 'log translation fields' in the security logging profile.
-- Disable fast flow forwarding.


483840-1 : Serial number of a blade is not cleared in show command after it is moved

Component: TMOS

Symptoms:
In a partially populated chassis, if a blade is moved from one slot to another, the serial number is still shown in the previous slot from this command:
guishell -c "select slot_id, serial_number from chassis_slot"
The stale serial number is also visible in the user interface.

Conditions:
In a partially populated chassis, a blade is moved from one slot to another.

Impact:
This issue is not harmful, but displays incorrect information.

Workaround:
The brute-force workaround is to reboot the chassis.


483653-3 : In some traffic situations, virtuals using SSL can excessively buffer client data instead of closing the TCP window

Component: Local Traffic Manager

Symptoms:
In some traffic situations, TMM can excessively buffer client data instead of closing the TCP window. This buffering occurs based on internal race conditions that are not directly controllable. This occurs only when the BIG-IP is providing SSL termination or origination.

In extreme circumstances with a slow connection, this could ultimately lead to out of memory situations.

Conditions:
The virtual must be providing SSL termination and/or origination.

Impact:
Increased memory usage, possibly leading to tmm crashing.


483242-3 : GUI LTM Profile ClientSSL unable to recognize certificates/key with short names.

Component: TMOS

Symptoms:
LTM ClientSSL profile unable to detect certificate/key files with short names.

Conditions:
When you have a certificate/key file with a short name like 'app', the ClientSSL profile is unable to find the file.

Impact:
You may be unable to select the desired certificate/key.

Workaround:
Use tmsh to assign certificate/key to ClientSSL profile.


481869-1 : Certain blade failure events may result in a 10+ second delay in failover occurring

Component: Local Traffic Manager

Symptoms:
For certain blade failures scenarios the HA score on the remaining blades does not update, and thus a failover does not occur, for at least ten seconds. This is because the remaining blades wait for a ten second timeout period before marking the powered-off blade as down.

Conditions:
A blade is powered off via the serial console or the 'bladectl' command, or the blade is physically removed from the chassis, and the chassis is configured in an HA pair where the loss of a blade should result in a failover.

Impact:
The expected failover does not occur for at least ten seconds.

Workaround:
There is no workaround for this issue.


480982-3 : pkcs11d with a high thread count can result in high CPU utilization

Component: Local Traffic Manager

Symptoms:
When pkcs11d is set to use a very high thread count, CPU utilization can increase dramatically.

Conditions:
The thread count for pkcs11d is set higher than the default.

Impact:
Less CPU available for other processes.

Workaround:
Do not set the db variable for pkcs11d thread count (/sys crypto fips external-hsm num-threads) higher than the default.


480903-3 : AFM DoS ICMP sweep mitigation performance impact

Component: Advanced Firewall Manager

Symptoms:
In AFM DoS, ICMP Sweep vector mitigation degrades the performance of the BIG-IP system.

Conditions:
ICMP Traffic levels at 4 million pps from ~100 Src IP addresses, with the AFM DoS Sweep vector enabled to mitigate ICMP traffic.

Impact:
Slower performance of the BIG-IP system. A lot of CPU is used to mitigate the AFM DoS Sweep vector.

Workaround:
Do not enable the AFM DoS Sweep vector for ICMP Traffic when the attack rate is over 4 Million pps.


479888-1 : BCM debug logging cannot be turned off once enabled

Component: TMOS

Symptoms:
Log messages continue to appear after being disabled.

Conditions:
This occurs when the BCM daemon loglevel is increased to debug and a non-zero mask is set.

Impact:
Unexpected log messages. The volume of logs from bcm56xxd debug can be overwhelming and being unable to stop them risks filling the filesystem where they are logged.

Workaround:
Restart bcm56xxd daemon. Note: Restarting this daemon affects traffic.


479872-2 : Corresponding protocol profiles must exist on both clientside/serverside

Component: Local Traffic Manager

Symptoms:
Virtual servers configured without protocol profiles on both the clientside and serverside do not pass traffic.

Conditions:
This occurs on virtual servers configured without protocol profiles on both the clientside and serverside.

Impact:
Attempts to connect to the virtual server might result in RSTs ('no local listener'), or the virtual address might not respond to ARP if there are no other functional virtual servers on the same virtual address. Virtual servers affected by this issue do not pass traffic.

Workaround:
If a protocol profile with a context (clientside or serverside) is specified when defining a virtual server, ensure that a protocol profile is specified for the peer context.


479773-2 : SR C1800930 - GUI crashes - and SQL errors

Component: Device Management

Symptoms:
The WebUI is unusable: pages can take 30 seconds to a minute to load, and at other times the user gets a "service restarting" message. Multiple browsers were tried, and the maximum connections to the Configuration utility were changed from 20 to 50 and back to 20 without improvement.

Conditions:
The customer says that he can get it to occur by having 3 users log into the config utility and then click around randomly until it crashes.

Impact:
GUI inaccessible

Workaround:
A workaround is available by removing the following from httpd.conf:
--------------
# If DCOEP is defined then enable the related configuration.
<IfDefine DCOEP>
...
</IfDefine>
--------------
This can be done by modifying the template /defaults/config/templates/httpd.tmpl.


479262-1 : 'readPowerSupplyRegister error' in LTM log

Component: TMOS

Symptoms:
The 'readPowerSupplyRegister error' is logged in LTM log when DC PSU loses its power.

Conditions:
When a DC powered PSU loses its power, the system logs 'readPowerSupplyRegister error' messages in the LTM log. This occurs because PSU data is not available without power.

Impact:
The 'readPowerSupplyRegister error' messages occur because PSU data is not available without power. When the system is in this state, you can safely ignore these messages.

Workaround:
None. You can safely ignore this error message in this case.


477992-1 : Instance-specific monitor logging fails for pool members created in iApps

Component: Local Traffic Manager

Symptoms:
Errors when enabling Debug Monitoring for an iApp-created pool member and disabling strict updates for the iApp.

Conditions:
Create pool members via an iApp, and attempt to enable logging on the pool member.

Impact:
Instance-specific monitor logging fails for pool members created in iApps. The log is never created. The system posts error messages in /var/log/ltm stating the log file cannot be opened.

Workaround:
If logging is required, bigdlog is available. To enable logging, run the following command: tmsh modify sys db bigd.debug value enabled.


477897-1 : After modifying the protocol profile on an SCTP virtual, the logs may contain error messages

Component: Local Traffic Manager

Symptoms:
Error messages are logged in the tmm and ltm logs:
/var/log/tmm:
 <13> Sep 4 10:07:29 localhost notice hudfilter_init: 'proxy' is not a bottom-level filter.
/var/log/ltm
Sep 4 10:07:29 localhost err tmm1[14942]: 01010008:3: Proxy initialization failed for /Common/sctp_echo
Sep 4 10:07:29 localhost err tmm[14942]: 01010008:3: Proxy initialization failed for /Common/sctp_echo

Conditions:
Modify an SCTP virtual by changing the protocol profiles so that the client-side and server-side profiles are the same profile.

Impact:
The only impact is that an ominous error message is logged.


477700-2 : Detail missing from power supply 'Bad' status log messages

Component: TMOS

Symptoms:
When an internal hardware sensor alert is received indicating a 'Bad' power supply status, no detail is included which indicates which characteristic of the power supply's state is resulting in a 'Bad' overall status for the power supply.
In this scenario, the message logged at default logging level contains information similar to the following:
... crit chmand[...]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power Supply 2 GPIO status(SPAFFIV03G): Bad

Conditions:
BIG-IP 2000-/4000-/5000-/7000-/10000-series appliances or VIPRION B2100-/B2200-series blades, in which one or more installed power supplies triggers an internal hardware sensor alert indicating a 'Bad' power supply status.

Impact:
Unable to diagnose cause of 'Bad' power supply status at default logging level to determine whether the probable cause is due to a power supply hardware fault or a possible external power source issue.

Workaround:
If power supply errors continue to be logged:

1. Set the libhal logging level to 'Debug':
tmsh mod sys db log.libhal.level { value "Debug" }

2. Let the system run in this configuration for at least a few minutes to collect a number of chmand error logs, such as:
... debug chmand[...]: 012a0007:7: Power Supply 1 alert objid:0x16f local:1 status:0x3 pin:0x2 action:0xd
... debug chmand[...]: 012a0007:7: Received Sensor Alert: sensor id 0x16f slot 0xff
... debug chmand[...]: 012a0007:7: Power Supply 1 alert objid:0x16f local:1 status:0x1 pin:0x2 action:0x3.

3. Set the libhal logging level back to 'Notice':
tmsh mod sys db log.libhal.level { value "Notice" }

4. Take a qkview or an archive of /var/log/ltm, and engage F5 Professional Services for further analysis.


476708-9 : ZebOS using BGP ECMP may not correctly update the ECMP paths when one of the paths goes down and comes back up

Component: TMOS

Symptoms:
ZebOS using BGP equal-cost multi-path routing (ECMP) might not correctly update the ECMP paths when one of the paths goes down and comes back up.

Conditions:
This occurs when a downstream ECMP link is disabled such that one of the two equal-cost paths becomes unavailable, and is then enabled again.

Impact:
ECMP does not function as desired because both available paths are not utilized. This can only be recovered by clearing the BGP connection on the affected ECMP path.

Workaround:
None.


476616-1 : Set active fails after accept learning suggestion for illegal metachar Policy with encoding iso-8859-1

Component: Application Security Manager

Symptoms:
The GUI reports the following error: Could not apply configuration; Set active failed.

Conditions:
-- Policy is configured for an application language like iso-8859-1 or iso-8859-15.
-- Learning suggestions that stem from multi byte UTF-8 parameter values (Illegal Meta Character in Value) are accepted.

Impact:
Set active fails. Policy changes cannot be applied.

Workaround:
Go to the Parameters list and, for each parameter with an 'Allow' override for the metachar 'ÿ', remove the override completely: select the override, click '>>', and then click Update.


476544-1 : mcpd core during sync

Component: TMOS

Symptoms:
mcpd can run out of memory and core when a device in a sync group is sending an extremely high volume of sync messages.

Conditions:
The exact cause of this is unknown, and it has been seen very rarely with a large sync in a sync group. Large incremental syncs could be a symptom of other things happening between the devices which could trigger the core.

Impact:
mcpd cores and restarts if it runs out of memory. Only through inspection of the core file can this condition be detected.

Workaround:
None.


476405-2 : BFD IPv6 session display command in IMI shell displays the wrong remote port number.

Component: TMOS

Symptoms:
'show bfd session detail' command displays the wrong BFD port number of 13784 or 14784 for IPv6 BFD sessions. This is a cosmetic issue. TMM uses the correct port numbers of 3784 or 4784 for single/multihop sessions respectively.

Conditions:
BFD configured using IPv6 addresses. Display session state via the IMI shell command 'show bfd session detail'.

Impact:
Wrong port number is displayed. No functional impact as the right port numbers are used.

Workaround:
None.


475896-3 : 'tmsh load /sys config from-terminal' (or from file) with a reference to an external file fails

Component: TMOS

Symptoms:
'tmsh load /sys config from-terminal' or 'tmsh load /sys config file' for objects that have references to external files (such as external monitors, ifiles, SSL certs, data groups) will fail.

Conditions:
This occurs when running the command 'tmsh load /sys config from-terminal' or 'tmsh load /sys config file' on an object that references a file external to the configuration (using source-path or cache-path).

Impact:
The system posts an error similar to: Failed: name (/Common/external_monitor_name) cache path expected to be non empty. This error prevents using cut and paste to configure certain configuration objects.

Workaround:
To work around this issue, you can add the appropriate stanzas to the bigip.conf file manually and do a full load of the configuration, upload the external files individually through the GUI, or use the 'tmsh create sys file' command.


475728-1 : BCM56xxd might restart due to parity errors

Component: TMOS

Symptoms:
The TMOS daemon bcm56xxd may restart due to parity errors.

Conditions:
Under rare conditions, the bcm56xxd process may restart due to parity errors. This issue only affects the following hardware platforms:
BIG-IP 6900 (D104)
BIG-IP 8900 (D106)
BIG-IP 8950 (D107)
BIG-IP 11000 (E101)
BIG-IP 11050 (E102)
BIG-IP 5000 series (C109)
BIG-IP 7000 series (D110)
BIG-IP 10000s/10050s/10200v/10250v (D113)
VIPRION blade B2100 (A109)
VIPRION blade B2150 (A113)
VIPRION blade B2250 (A112)
VIPRION blade B4100 (A100)
VIPRION blade B4200 (A107)
VIPRION blade B4300 (A108)
VIPRION blade B4340N (A110)
Note: The bcm56xxd process is the switch driver daemon for the BIG-IP system.

Impact:
bcm56xxd re-initializes the internal switch, which might briefly affect data traffic. The system might report memory parity errors in different tables within bcm56xxd by posting log messages similar to the following:
info bcm56xxd[8127]: 012c0016:6: unit 0 L2_ENTRY_ONLY entry 120673 parity error.
info bcm56xxd[8127]: 012c0012:6: Exiting on parity errors.
notice mcpd[7108]: 01070406:5: Removed publication with publisher id BCM56xxPublisher.
info bcm56xxd: 012c0013:6: BCM56xxd starting. debug=0, foreground=1, packet=1, bcm_debug=0x7, soc_debug=0x0

Workaround:
None.


475556-7 : Custom X-Forwarded-For headers should take priority over XFF headers

Component: Advanced Firewall Manager

Symptoms:
If an HTTP flow has both an X-Forwarded-For (XFF) header and a custom header containing the true client IP, the IP in the XFF header takes priority.

Conditions:
Both the X-Forwarded-For header and a custom header are configured and in use as client-IP sources, and a request arrives carrying both an X-Forwarded-For header and the custom header.

Impact:
The wrong source IP is listed, so the system may apply the wrong iRules, the wrong IP Intelligence policy, etc.

Workaround:
N/A
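The precedence rule this entry calls for, as an added example that is not part of the release notes or of the BIG-IP code: a configured custom client-IP header wins over X-Forwarded-For, and the header is only honoured when it carries a syntactically valid address. The header name 'True-Client-IP', the sample values, and the choice of the last XFF entry (the one appended by the nearest proxy) are this example's assumptions; the buggy variant is included only to show the defect described above.

```python
import ipaddress

XFF = "x-forwarded-for"  # header names are case-insensitive, so compare lower-cased


def _valid_ip(text):
    """Return the canonical IP string, or None if the value is not a single address."""
    try:
        return str(ipaddress.ip_address(text.strip()))
    except ValueError:
        return None


def _last_xff_hop(headers_lower):
    """XFF is a comma-separated chain; the last entry was appended by the proxy
    closest to us and is the only one that proxy vouches for (assumption made
    for this example; trust policy varies by deployment)."""
    xff = headers_lower.get(XFF)
    if not xff:
        return None
    return _valid_ip(xff.split(",")[-1])


def client_ip(headers, custom_header=None):
    """Fixed behaviour: the custom header takes priority over X-Forwarded-For.

    Returns None when neither header yields a valid address, so the caller
    can fall back to the L3 source address instead of trusting garbage.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if custom_header:
        value = lowered.get(custom_header.lower())
        if value is not None:
            ip = _valid_ip(value)
            if ip:
                return ip
    return _last_xff_hop(lowered)


def client_ip_xff_first(headers, custom_header=None):
    """The defective ordering from the entry above: XFF is consulted first, so
    a client that sends its own X-Forwarded-For overrides the custom header."""
    lowered = {k.lower(): v for k, v in headers.items()}
    ip = _last_xff_hop(lowered)
    if ip:
        return ip
    if custom_header:
        value = lowered.get(custom_header.lower())
        if value is not None:
            return _valid_ip(value)
    return None


# Constructed sample request headers (RFC 5737 documentation addresses).
SAMPLE_HEADERS = {
    "X-Forwarded-For": "203.0.113.7",
    "True-Client-IP": "198.51.100.9",
}

if __name__ == "__main__":
    print("fixed :", client_ip(SAMPLE_HEADERS, custom_header="True-Client-IP"))
    print("buggy :", client_ip_xff_first(SAMPLE_HEADERS, custom_header="True-Client-IP"))
```

The custom header only wins when it is present and well-formed; an unparsable value falls through to XFF rather than producing an empty or bogus address.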


475363-5 : Empty or invalid configuration, or during exception in NTLM, handling might not work as expected.

Component: Access Policy Manager

Symptoms:
When the NTLM configuration is empty or invalid, or an exception occurs during NTLM processing, handling might not work as expected.

Conditions:
Empty DC list configured in the NTLM configuration.

Impact:
NTLM authentication won't work correctly.

Workaround:
Fix the configuration - make sure that DC list is not empty.


474532-7 : TMM may restart when SLO response is received on SLO request URL (.../post/sls)

Component: Access Policy Manager

Symptoms:
The BIG-IP system expects to receive SLO responses on a particular URL:
(.../post/slr). TMM may restart when SLO response is received on an SLO request URL (.../post/sls).

Conditions:
The BIG-IP system is configured as SAML SP or IdP.
SLO response is received on SLO request URL.

Impact:
TMM reboots and is temporarily unavailable.

Workaround:
There are two workarounds:

1. Reconfigure another SAML party to send SLO messages to a proper URL.
2. Disable SLO


474215-2 : Period characters in GTM virtual server naming

Component: Global Traffic Manager

Symptoms:
The period and colon characters in GTM virtual server names are converted to underscores ( _ ) after upgrading to version 11.x.

Conditions:
Upgrading from version 10.x to version 11.x.

Impact:
Production monitoring is affected when your production GTM systems are upgraded.

Workaround:
None.


474149-3 : SOD posts error message: Config digest module error: Traffic group device not found

Component: TMOS

Symptoms:
SOD posts error message: Config digest module error: Traffic group device not found.

Conditions:
In a failover device group, if a peer device (non self device) has gone through a management IP address change, SOD fails to clean up the old IP address from its internal storage, so the system subsequently and incorrectly behaves as if there is a 'configuration data inconsistent' error.

Impact:
System posts the message: notice sod[8118]: 010c0062:5: Config digest module error: Traffic group device not found.

This causes the HA failover next-active device selection to fall back to the static (IP-based) selection algorithm, which in Device Service Clusters with more than 2 devices, may cause a device other than the intended device to take over services.

Workaround:
Restart sod or reboot the device to restore correct failover functionality. This will cause a failover of any traffic groups currently Active on the device.

To restart sod, at the command line run 'bigstart restart sod'.


473641-2 : Missing a tunnel FDB endpoint configuration in VXLAN tunnels could result in memory leak

Component: TMOS

Symptoms:
For VXLAN tunnels with flooding type "multipoint" and "none", if a tunnel FDB endpoint is missing in the configuration and that endpoint sends traffic to the BIG-IP, memory leak could occur when the BIG-IP receives the traffic.

Conditions:
Missing a tunnel FDB endpoint in the configuration.

Impact:
Memory leak could occur.

Workaround:
Ensure that a tunnel FDB endpoint is configured if that endpoint is expected to send traffic to the BIG-IP.


473488-7 : In AD Query agent, resolving of nested groups may cause apd to spin

Component: Access Policy Manager

Symptoms:
Access policy daemon (apd) consumes approximately 100% CPU, and sometimes puts a heavy load on the network, when resolving nested groups in AD Query. The AD Group Cache updates in a loop.

Conditions:
This issue occurs when the user belongs to a parent domain, and is a member of a group that belongs to a sub-domain.

For example, the user belongs to parent.com, the group belongs to child.parent.com, the user is a member of the group, and the "fetch nested groups" option is enabled for AD Query.

Impact:
The impact of this issue is that the user will be unable to resolve nested groups and unable to finish AD Query.

Workaround:
There is no workaround at this time.


473485-7 : Fixed a few issues in HTTP Auth module

Component: Performance

Symptoms:
1. possible buffer overflow when session var CookieClientData is >8K
2. inappropriate use of mc_get_session_var in agent that may cause apd crash
3. per-request memory leak of cookies struct

Conditions:
1. session variable CookieClientData is > 8K
2. apd may crash unexpectedly when HTTP Auth agent cannot get session variable
3. When HTTP Auth agent is configured for an Access Policy apd might leak memory per-request

Impact:
apd might crash
apd might leak memory per-request


473415-2 : ASM Standalone license has to include URL and HTML Rewrite

Component: TMOS

Symptoms:
After an upgrade to 11.6.0, the system now reports 'URI Translation (Not Licensed)', yet the license package has not changed. There was no issue when running 11.4.1 with an ASM Standalone license and using the URL Rewrite functionality with URI Translation (under Local Traffic :: Profiles :: Services :: Rewrite).

Conditions:
This occurs when the following conditions are met:
-- Running 11.6.0.
-- ASM Standalone license.
-- URL Rewrite functionality with URI Translation.

Impact:
An ASM Standalone license generated for 11.6.0 does not include ltm_rewrite_uri. Therefore, regardless of what is configured in a rewrite profile, the profile is inoperative when assigned to a virtual server.

Workaround:
None available.


473213-5 : Emergency alert treated as critical on the 10000s, 10200v, 10250v, and 10350vN platforms.

Component: TMOS

Symptoms:
Failed system fan emergency alert is exhibited as critical alert at LED and LCD screen.

Conditions:
A failure of a system fan on the 10000s, 10200v, 10250v, and 10350vN platforms causes this issue to appear.

Impact:
This is a relatively minor event. Although the alarm is reported as critical, it should be treated at an emergency level and not critical.

Workaround:
None.


473212-2 : Systems which do not use RAID show confusing RAID status on the LCD

Component: TMOS

Symptoms:
The front panel LCD displays confusing RAID information on some systems which do not use RAID. On the front panel LCD, a RAID Status menu indicates that the single drive installed is Undefined. For systems configured in this way, you can safely ignore this display because the system is not using the RAID interface.

Conditions:
This occurs on some early 6900 and 8900 platforms, and 7000, 10000, and 12000 series platforms that shipped with a single SSD.

Impact:
This issue is cosmetic, and does not indicate a functional issue.


473088-7 : Virtual server with RequestAdapt/ResponseAdapt profiles along with a OneConnect profile

Component: TMOS

Symptoms:
The BIG-IP system does not allow you to configure a virtual server with RequestAdapt/ResponseAdapt profiles along with a OneConnect profile. If you attach a ClientSSL profile, however, the configuration is allowed, which is incorrect behavior.

Conditions:
Create a virtual server, add tcp, request-adapt, and one-connect profiles along with ClientSSL.

Impact:
This unsupported configuration might have many unknown side effects in TMM.

Workaround:
Do not configure a virtual server with one-connect and requestadapt or responseadapt profiles.


472581-1 : Cannot use 'default' as the FIPS security officer password.

Component: TMOS

Symptoms:
Trying to use 'default' as the FIPS security officer password results in an invalid encryption error from the fips-util.

Conditions:
Trying to use 'default' as the FIPS security officer password.

Impact:
You cannot use the word 'default' as the security officer password. Although this is expected behavior, the error message posted does not provide a relevant explanation. The system posts errors similar to the following:
Invalid encrypted password.
Failed to set security officer's password: 1073742342.
Failed to create security domain.
INITIALIZATION FAILED!
The FIPS device is NOT operational.
In version 11.1.0 and earlier, the error was similar to the following:
Creating crypto user and crypto officer identities.
password should not be default.
Failed to set security officer's password.

Workaround:
Use a password other than the word 'default'.


472310-3 : BIG-IP may report getLopSensorData warnings at boot time or when changing a PSU

Component: TMOS

Symptoms:
When booting a BIG-IP device, or performing a hot swap operation of one of its power supplies, the following kind of log messages may be displayed for a brief time:

localhost warning chmand[7059]: 012a0004:4: getLopSensorData: LopDev: sendLopCmd: Lopd status: 1 packet: action=1 obj_id=115 sub_obj=0 slot_id=ff result=24 len=0 crc=6576 payload= (error code:0x24)

localhost warning chmand[7059]: 012a0004:4: getLopSensorData: LopDev: sendLopCmd: Lopd status: 1 packet: action=1 obj_id=16f sub_obj=1 slot_id=ff result=1 len=0 crc=acaf payload= (error code:0x1)

These messages should not persist, and when a real error occurs it should be accompanied by additional warnings and alerts from the system.

Conditions:
The condition occurs when the sensor monitoring process tries to obtain information from power supply model types that are supported but not actually installed. It does this until it discovers the actual model type installed, or that no power supply is installed. The specific conditions under which this is likely to happen are when the BIG-IP software is re-started or a power supply is changed while the system is running.

Impact:
A few additional log messages that indicate a warning when there is no legitimate failure.

Workaround:
None. This is cosmetic.


472308-2 : Management IP address change interaction with HA heartbeat / failover traffic

Component: TMOS

Symptoms:
When the management IP address changes (either as a result of enabling mgmt-dhcp, or the leased address changing), the system does not synchronize this updated address to other devices in the failover device group / trust domain. (That is, the system does not trigger an update to the device_trust_group.)

Conditions:
This occurs on HA configurations.

Impact:
This can cause disruption in an HA environment. The sod process discards any HA heartbeat traffic it receives (e.g., traffic over the self IP addresses) that does not contain a 'known' cluster_mgmt_ip.

Workaround:
None.


471825-6 : Add 'Date:' header in email message generated by APM Email agent to comply with RFC 5322.

Component: Access Policy Manager

Symptoms:
Emails sent by the Email agent, when received by certain SMTP servers, contain an empty body. The email needs to comply with RFC 5322 and should include the Date: header.

Conditions:
Certain SMTP servers (the new Microsoft hosted email service) deliver an empty email body when the Date: header is missing from the email message.

Impact:
Empty email body received.

Workaround:
None.


471288-9 : TMM might crash with session-related commands in iRules.

Component: Local Traffic Manager

Symptoms:
TMM might crash with session-related commands in iRules.

Conditions:
This occurs when the following conditions are met:
1) session/table command.
2) client_closed/server_closed iRule.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid using client_closed and server_closed iRule events at the same time in a virtual server that uses the session/table command in an iRule.


471001-3 : Standby responds to traceroute on mirror enabled forwarding virtual server

Component: Local Traffic Manager

Symptoms:
Standby responds with ICMP time exceeded message on mirror enabled forwarding virtual server.

Conditions:
This occurs when the following conditions are met: HA configuration, IP forwarding virtual server, mirroring enabled, non-floating self IP address, simultaneous flood of ICMP packet to both active and standby systems.

Impact:
Standby responds with ICMP time-exceeded message.

Workaround:
Disable mirroring in forwarding virtual server, or remove non-floating self IP address on standby system.


470559-2 : TMM crash after traffic stress with rapid changes to Traffic capturing profiles

Component: Application Visibility and Reporting

Symptoms:
Rare condition of TMM crash due to traffic stress with rapid changes made to Traffic capturing profiles.

Conditions:
1. Traffic capturing feature is on, under heavy traffic.
2. Modifications are being made to traffic capturing configuration.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Turn off traffic capturing feature, or minimize making changes to the Traffic capturing profile while under heavy load.


469974-4 : APM New Session performance graph displays incorrect timed out/error value

Component: Access Policy Manager

Symptoms:
The timed out/error value shown in the APM New Session performance graph is supposed to show only the count for sessions that were terminated due to inactivity or error while in the access policy evaluation state. However, it also includes sessions that were timed out after they passed access policy evaluation. As a result, the timed out/error value is larger than the actual value.

Conditions:
If sessions are timed out in established state, the stats will show up in the New Session graph.

Impact:
N/A

Workaround:
None


469549-1 : User Modification Denied error on initial bootup

Component: TMOS

Symptoms:
Upon reviewing the log file in /var/log/ltm, a user may see the following error:

err mcpd[8105]: 01070820:3: User Modification Denied: User (root) may not change the role of system account (admin)

Conditions:
This happens only during the first reboot after a software install. If the error is seen again, the audit log should be checked.

Impact:
There is no known impact at this time.

Workaround:
None.


469366-1 : ConfigSync might fail with modified system-supplied profiles

Component: TMOS

Symptoms:
A config sync operation might fail with a parent-profile-not-found error message, despite the fact that the parent profile is present in the running configuration of both systems.

Conditions:
On the sync target (the system receiving the configuration, and the one that reports a sync failure), a system-supplied profile (e.g. /Common/serverssl) has been modified, and is present in /config/bigip.conf.

Impact:
An administrator is unable to synchronize system configurations. The system might post messages similar to the following example: '01020036:3: The requested parent profile (/Common/serverssl) was not found.'

Workaround:
One of the following:
1. Manually replicate the changes on the base profile to the system that is sourcing the config sync.
2. Undo the changes to the base profile on the system that is receiving the config sync (to do so, save the configuration, manually remove the base profile from /config/bigip.conf, and then re-load the configuration), and then perform a force sync operation.
3. Perform a sync in the other direction.
Important: Performing a sync in this direction overrides any unsync'd changes on the other system.


469071-2 : TMM segfault in mpctp_switch_conns

Component: Local Traffic Manager

Symptoms:
TMM segfault in mpctp_switch_conns

Conditions:
This can occur if mptcp is configured and there is an invalid tcp session.

Impact:
tmm restarts

Workaround:
Do not configure mptcp in the tcp profile.


468710-3 : Using non-standard lettercasing for header name results in misleading error during commit of transaction

Component: TMOS

Symptoms:
As part of adding commands to a transaction for iControl REST call, the header name to be used is "X-F5-REST-Coordination-Id." However, if you mix the letter casing to something else, such as: "x-f5-rest-coordination-id" then when you commit this transaction you will get this misleading error: "there is no command to commit in the transaction."

Your command and transaction will succeed, but the error implies it did not.

Conditions:
Using the non-standard letter casing for that header name during the iControl REST call to add commands to a transaction.

Impact:
It looks like the transaction failed, when in fact, it may have succeeded.

Workaround:
Use the proper letter casing for that header name as shown above.


468559-1 : Config fails to load after upgrade to 11.5.1 when iApp requires PSM module.

Component: TMOS

Symptoms:
Protocol Security Module (PSM) provisioning was removed in 11.5.0. A configuration fails to load after upgrade to 11.5.1 when an iApp requires the PSM module.

Conditions:
Upgrade to 11.5.1 when an iApp requires PSM module.

Impact:
The upgrade fails as the configuration fails to load.

Workaround:
Remove PSM from the list of enabled modules from affected iApp templates before upgrading.


468478-6 : APM Portal Access becomes unresponsive.

Component: Access Policy Manager

Symptoms:
APM Portal Access becomes unresponsive.

Conditions:
Using APM Portal Access with application cookies that require more than 32 KB of storage.

Impact:
APM Portal Access becomes unresponsive and rewrite plugins consume 100% of the CPU.

Workaround:
None.


468083-1 : An LB_FAILED iRule that references an undefined value can cause Traffic Management Microkernel (TMM) failover.

Component: Local Traffic Manager

Symptoms:
If an LB_FAILED iRule calls HTTP::respond and references an undefined value, then Traffic Management Microkernel (TMM) can crash or failover.

The following is in the ltm logfile showing the undefined value reference:
Jun 19 11:10:04 bigip1 err tmm[9515]: 01220001:3: TCL error: /Common/rule_lbpickfailed <LB_FAILED> - can't read "value": no such variable while executing "log local0. "$value doesn't exist""

Conditions:
The following have to be configured in order for this to reproduce:

1. An http profile with web acceleration and http compression enabled:
profiles {
    /Common/http { }
    /Common/optimized-acceleration { }
    /Common/tcp { }
    /Common/wan-optimized-compression { }
}

2. An LB_FAILED iRule that calls HTTP::respond and references an undefined value:

when LB_FAILED {
   HTTP::respond 200 content "content"
   log local0. "$value doesn't exist"
}

Impact:
The TMM crashes.

Workaround:
Fix iRule by not referencing an undefined value within LB_FAILED.


467703-3 : Management interface sending erroneous IPv6 MLD or IPv4 IGMP packets

Component: TMOS

Symptoms:
The BIG-IP management interface may erroneously send IPv6 Multicast Listener Discovery (MLD) Listener Query or IPv4 Internet Group Management Protocol (IGMP) Membership Query packets.

Conditions:
Any platform that uses Linux interface 'mgmt' as opposed to 'eth0'. This is applicable for all platforms except the following: 1600, 3600, 3900, 6900, 8900, 8950, 11000, 11050, VE (Virtual Edition guests), and vCMP (vCMP guests hosted by BIG-IP platforms).

Impact:
No production traffic impact, but extra management traffic.

Some switches may report an IGMP or MLD error when connected to the mgmt port.

Workaround:
Disable the unwanted MLD and IGMP packets by running the following command:
echo 0 > /sys/class/net/mgmt/bridge/multicast_snooping

This is applicable for all platforms except the following: 1600, 3600, 3900, 6900, 8900, 8950, 11000, 11050, VE (Virtual Edition guests), and vCMP (vCMP guests hosted by BIG-IP platforms).


467589-1 : Default cron script /usr/share/mysql/purge_mysql_logs.pl throws error.

Component: WebAccelerator

Symptoms:
The /usr/share/mysql/purge_mysql_logs.pl script that ships with the new install (and is run hourly via cron) throws an error. The script is meant to be exited if AAM, ASM and PSM are not provisioned, but the check is not done appropriately and it continues execution, failing later.

Conditions:
BIG-IP system with no AAM, ASM, or PSM provisioned, when running the script /etc/cron.hourly/purge_mysql_logs.pl (linked to /usr/share/mysql/purge_mysql_logs.pl).

Impact:
The script gives false output and attempts to execute invalid actions. The system posts the following error: Usage: $class->connect([$dsn [,$user [,$passwd [,\%attr]]]]) at /etc/cron.hourly/purge_mysql_logs.pl line 27.

Workaround:
Provision AAM, ASM, or PSM. Or modify the script using the following procedure:

Remount /usr partition as RW:
# mount -o remount,rw /usr

Edit /usr/share/mysql/purge_mysql_logs.pl and change the original check:

unless( $provisioned_am || $provisioned_asm || $provisioned_psm ) {
    exit 0;
}

to:

unless( $provisioned_am == 1 || $provisioned_asm == 1 || $provisioned_psm == 1 ) {
    exit 0;
}


467195-1 : Allow special characters importing SSL Key and Certificate except backslash.

Component: TMOS

Symptoms:
GUI validation does not allow special characters in SSL Key and Certificate names, whereas tmsh allows them.

Conditions:
Import an SSL Key or Certificate with a name that contains a question mark, colon, at sign, exclamation mark, ampersand, or pound sign (hashtag): ?:@!&#.

Impact:
Cannot use the GUI to manage Key or Certificate created in tmsh with special characters in their name.

Workaround:
Use tmsh to manage the Key or Certificate.


466875-3 : SNAT automap may select source address that is not attached to egress VLAN/interface

Component: Local Traffic Manager

Symptoms:
Egress packets have a source address that is not associated with the VLAN or interface.

Conditions:
Occurs when the following conditions are met:
 - Virtual utilizes SNAT automap.
 - There exists a route matching a self-ip on interface A to a VLAN on interface B.

Impact:
Packets may not be routed properly.

Workaround:
Use SNAT pool instead of automap.


466116-4 : Intermittent 'AgentX' warning messages in syslog/ZebOS log files

Component: TMOS

Symptoms:
When routing protocols ospfv2, ospfv3, bgp, rip, ripng are configured to exchange routing information, the system posts agentx-related warning messages in the syslog/zebos log files similar to the following:

<date+time> warnings: <protocol> : AgentX: process_packet (<state name> state), ...
<date+time> warnings: <protocol> : AgentX: requested pdu : 1

Conditions:
This occurs when a BIG-IP system is configured for SNMP traps on the ZebOS routing protocols.

Impact:
These warning messages are cosmetic and may be logged intermittently, possibly resulting in a large number of messages.


466017-1 : Tab-completion does not work for TCP/HTTP profiles with ltm virtual profiles

Component: TMOS

Symptoms:
Tab-completion does not work for TCP/HTTP profiles with the command: ltm virtual profiles.

Conditions:
This occurs with TCP and HTTP profiles when using Tab-completion in tmsh.

Impact:
Cannot use Tab-complete with TCP or HTTP profiles.

Workaround:
Type the profile name out completely, instead of using tab-completion to complete the name of the profile.


465927-1 : Response is halted or reset when the request has an ignore profile

Component: Application Security Manager

Symptoms:
Response is halted for some seconds or doesn't arrive at all (FIN or RST).

Conditions:
The request has a "do nothing" profile.
Request is a POST.
This happens more frequently if the response size is large.

Impact:
Response to that request is halted for some seconds or doesn't arrive at all (FIN or RST).

Workaround:
Change the content profile of that URL. Note that this workaround may cause false positive attack signatures and/or other false positives.


464874-1 : Client may legitimately send a range request for the cached JS/CSS content which is no longer valid.

Component: WebAccelerator

Symptoms:
When the JS/CSS minification feature is turned on, some clients may legitimately send a range request for cached JS/CSS content that is no longer valid because the feature reduced the content size. In that case, TMM may spin out of control, and eventually be killed by SOD.

Conditions:
Client retrieves the JS/CSS content from WAM and gets the unminified content.
JS/CSS minification is then turned on.
Client issues a range request for the JS/CSS content using the content size it knows about, which is the size prior to minification.
WAM tries to serve the content for the range request, which is technically no longer valid due to the content size shrinkage.

Impact:
TMM becomes unresponsive and SOD will kill it.

Workaround:
Turn off JS/CSS minification


464870-6 : Datastor cores and restarts.

Component: TMOS

Symptoms:
Datastor cores and restarts. This occurs potentially because of generational issues, object replacement from archive, and the possibility that an object was deleted in the interim.

Conditions:
Traffic patterns that shift from low to moderate velocity with strong tiling to decoherent, high velocity traffic can cause this to occur when request queuing is turned on.

Impact:
Temporary cache outage. The cache must then be completely reseeded. A datastor core file is written, and datastor is restarted.


464650-2 : Failure of mcpd with invalid authentication context.

Component: TMOS

Symptoms:
MCPd cores.

Conditions:
It is not known what triggers this core.

Impact:
Mcpd restarts

Workaround:
None.


464437-2 : Quickly repeated external datagroup loads might cause TMM crash.

Component: Local Traffic Manager

Symptoms:
TMM crashes while loading an external datagroup that has already been loaded.

Conditions:
External datagroup is already loaded, and is then re-loaded.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
To avoid this issue, wait a few seconds between loading and reloading the same external data group.


464252-3 : Possible tmm crash when modifying html pages with HTML profile.

Component: TMOS

Symptoms:
With certain combinations of append_to_tag/prepend_to_tag rules and input fragments, HTML profile could get stuck in an infinite loop.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove HTML profile from virtual server.
Or, modify the profile rules in a way that does not cause a loop.


463216-1 : 'tmsh load sys config gtm-only' resets link assignments

Component: Global Traffic Manager (DNS)

Symptoms:
Loading configuration clears the link assignments displayed in the UI.

Conditions:
GTM is provisioned and a GTM server, virtual server, and link are configured.

If the config is loaded then any link assignments will no longer be displayed in the UI.

Impact:
This is a cosmetic bug. The control plane loses that information on a load and it never gets updated.

Workaround:
Making a non-functional change to the server or link (e.g. the description) should cause GTM to update the links in the control plane (mcpd).


462881-2 : Configuration utility allows for mismatch in IP protocol and transport profile

Component: Local Traffic Manager

Symptoms:
tmsh allows configuration of a virtual server with mismatched ip-protocol and transport-layer profile. For example, ip-protocol tcp with a UDP profile or ip-protocol udp with a TCP profile, or ip-protocol any with a TCP profile.

Conditions:
Configure a virtual server with mismatched ip-protocol and transport-layer profiles (e.g., ip-protocol udp, profiles { tcp }).

Impact:
Traffic reaching a misconfigured virtual server can crash tmm, resulting in an outage.

Workaround:
Configure virtual server with matching ip-protocol and transport-layer profile.


462258-3 : AD/LDAP server connection failures might cause apd to stop processing requests when service is restored

Component: Access Policy Manager

Symptoms:
AD/LDAP server connection failures might cause APM apd to stop processing requests when service is restored.

These symptoms accompany the problem:
- Too many file descriptors open by apd.
- 'Too many open files' error messages in the log file.
- Running qkview to gather diagnostic data reveals the information similar to the following in 'netstat -pano' from qkview:
tcp 270 0 127.0.0.1:10001 10.10.225.85:53212 ESTABLISHED 12191/apd off (0.00/0/0)
tcp 269 0 127.0.0.1:10001 10.10.225.4:56305 ESTABLISHED 12191/apd off (0.00/0/0)
tcp 272 0 127.0.0.1:10001 10.10.57.10:57508 CLOSE_WAIT 12191/apd off (0.00/0/0)
tcp 0 0 127.1.1.1:56230 127.7.0.1:389 ESTABLISHED 12191/apd keepalive (1909.72/0/0)

The last line with timer 'keepalive (1909.72/0/0)' indicates that apd has been waiting for a response for too long. Other lines with Recv-Q '272' indicate that apd is not reading incoming requests as expected (specifically, that the internal worker queue is overloaded because all threads are waiting for the one hanging thread to be processed).

Conditions:
This occurs between the connect and search phases of the AD/LDAP server connection operation, most likely when an AAA server is configured to use a pool as a backend. In this case, apd can always connect locally to the layered virtual server, but the pool monitor has a server availability check interval, so a lag in the request to an unavailable server might cause apd to hang.

Impact:
Potential connection failures to backend server.
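The 'netstat -pano' lines quoted above can be screened automatically. The following Python script is an added example and not part of the F5 article: it parses constructed netstat lines in the format shown and flags the two indicators the Symptoms section describes, a non-zero Recv-Q on apd's listener-side sockets (requests not being read) and a keepalive timer above a threshold on a backend connection (a thread waiting too long). The 600-second threshold and the sample lines are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in 'netstat -pano' format, modelled on the lines in this entry
# (plus one healthy apd socket and one unrelated sshd socket as negative cases).
SAMPLE_NETSTAT = """\
tcp 270 0 127.0.0.1:10001 10.10.225.85:53212 ESTABLISHED 12191/apd off (0.00/0/0)
tcp 269 0 127.0.0.1:10001 10.10.225.4:56305 ESTABLISHED 12191/apd off (0.00/0/0)
tcp 272 0 127.0.0.1:10001 10.10.57.10:57508 CLOSE_WAIT 12191/apd off (0.00/0/0)
tcp 0 0 127.1.1.1:56230 127.7.0.1:389 ESTABLISHED 12191/apd keepalive (1909.72/0/0)
tcp 0 0 127.0.0.1:10001 10.10.1.2:40000 ESTABLISHED 12191/apd off (0.00/0/0)
tcp 0 0 10.0.0.5:22 10.0.0.9:51000 ESTABLISHED 4321/sshd keepalive (7000.00/0/0)
"""

# proto recv-q send-q local foreign state pid/program timer (t1/t2/t3)
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+(?P<recvq>\d+)\s+(?P<sendq>\d+)\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s+(?P<state>\S+)\s+"
    r"(?P<pid>\d+)/(?P<prog>\S+)\s+(?P<timer>\S+)\s+"
    r"\((?P<t1>[\d.]+)/(?P<t2>\d+)/(?P<t3>\d+)\)$"
)


@dataclass
class Sock:
    recvq: int
    local: str
    foreign: str
    state: str
    prog: str
    timer: str        # 'off', 'keepalive', 'timewait', ...
    timer_secs: float  # first value inside the parentheses


def parse_netstat(text: str) -> List[Sock]:
    """Parse 'netstat -pano' output; lines that do not match (headers, sockets
    without an owning process) are skipped."""
    socks = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        socks.append(Sock(
            recvq=int(m["recvq"]), local=m["local"], foreign=m["foreign"],
            state=m["state"], prog=m["prog"], timer=m["timer"],
            timer_secs=float(m["t1"]),
        ))
    return socks


def apd_hang_indicators(socks: List[Sock], process: str = "apd",
                        keepalive_threshold: float = 600.0) -> List[str]:
    """Return one finding per socket that matches the hang signature:
    unread request data on the listener side, or a backend connection whose
    keepalive timer shows it has been waiting longer than the threshold
    (threshold is an assumed value, not one from the article)."""
    findings = []
    for s in socks:
        if s.prog != process:
            continue
        if s.recvq > 0 and s.state in ("ESTABLISHED", "CLOSE_WAIT"):
            findings.append(
                f"unread request data: Recv-Q={s.recvq} {s.local} <- {s.foreign} ({s.state})")
        if s.timer == "keepalive" and s.timer_secs > keepalive_threshold:
            findings.append(
                f"long-waiting backend connection: {s.local} -> {s.foreign} "
                f"keepalive {s.timer_secs:.2f}s")
    return findings


if __name__ == "__main__":
    for finding in apd_hang_indicators(parse_netstat(SAMPLE_NETSTAT)):
        print(finding)
```

Run against real output from a qkview, the script reports the same two signals the entry asks you to look for; a run that reports several unread-queue sockets together with one long keepalive connection matches the pattern described above.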


461818-2 : Occasional extreme large value reported for tmm-info five-min-avg-usage-ratio

Component: TMOS

Symptoms:
The command tmsh -m show sys tmm-info field-fmt occasionally shows an invalid value such as:
five-min-avg-usage-ratio 184467440737093465

Conditions:
This occurs under normal operation.

Impact:
Faulty displayed value with zero functional impact.


460176-3 : Hardwired failover asserts active even when standalone

Component: TMOS

Symptoms:
In BIG-IP software versions 11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.6.0, and 12.0.0, the serial failover 'Active' signal is asserted even if the unit is not configured to be in a high availability (HA) pair. A unit can become Standalone if the configuration is reset, or if a return merchandise authorization (RMA) is performed. If the serial cable is still connected to its peer, then the HA peer may defer the Active status to the Standalone system, which does not actually take over and process traffic.

Conditions:
Serial cable failover in-use between two members of an HA pair.

Impact:
Traffic is interrupted when the Active unit transitions to Standby.

Workaround:
During an RMA, the serial cable failover can be temporarily disabled on the Active unit by issuing the following command:

tmsh modify sys db failover.usetty01 value disable


459994-3 : tmm may crash if default gateway pool contains members that it cannot route to

Component: Local Traffic Manager

Symptoms:
tmm may crash in an invalid routing setup.

Conditions:
A gateway pool member is created that is unreachable and not local on any subnet.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not create an invalid routing setup.


458450-3 : The ECA process may produce a core file when processing HTTP headers

Component: Access Policy Manager

Symptoms:
The ECA process may produce a core file when processing HTTP headers.

As a result of this issue, you may encounter one or more of the following symptoms:

In the /var/log/apm file, you may observe log messages similar to the following example:
notice eca[20847]: 01620010:5: ** SIGSEGV **
notice eca[20847]: 01620010:5: fault time: < date >

The ECA process generates a core file in the /var/core directory.

Conditions:
This issue occurs when all of the following conditions are met:

-- The BIG-IP APM system is configured with the ECA log level of debug.
-- The ECA process receives and attempts to process an HTTP cookie header, where the cookie value is greater than 1023 characters.

Impact:
The ECA process temporarily stops processing traffic and then restarts.

Workaround:
Do not enable the debugging log.

To work around this issue, you can revert the log level setting for the ECA (log.eca.level) process back to the default of Notice. To do so, perform the following procedure:

Impact of workaround: Debug logging is disabled for the ECA process.

Log in to the Traffic Management Shell (tmsh) by typing the following command:
tmsh

Type the following command:
modify /sys db log.eca.level value Notice

Save the configuration change by typing the following command:
save /sys config

To exit the tmsh utility, type the following command:
quit


457252-2 : tmm crash when using sip_info persistence without a sip profile

Component: TMOS

Symptoms:
Tmm crashes. You see the following in /var/log/ltm:
notice hudfilter_init: filter 'SIPP' init failed.

Conditions:
Configuring a virtual server with sip_info persistence but a sip profile is not assigned.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Make sure you configure a sip profile on any virtual server that has sip_info persistence configured.


457149-1 : Remotely authenticated users may still obey local password policy

Component: TMOS

Symptoms:
If a local password policy with password expiry is set, even remotely authenticated users are subject to the password policy. This may deny access to users who have been successfully authenticated remotely but whose password is expired under the local policy.

Conditions:
Local password policy is set, but remote authentication used.

Impact:
Some users may be locked out after the password policy expires their password.

Workaround:
Do not use a local password policy with remote authentication.


457034-3 : Multipath TCP (MPTCP): TMM crash in stockpile management

Component: Local Traffic Manager

Symptoms:
The tmm may core when using MPTCP.

Conditions:
This issue occurs under conditions of MPTCP heavy usage.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time.


456378-1 : On a virtual server with the ipother profile assigned, iRule firing on CLIENT_ACCEPTED with discard or reject action may cause TMM to core

Component: Local Traffic Manager

Symptoms:
When using the ipother profile, if an iRule that fires on CLIENT_ACCEPTED contains a discard or reject action, TMM cores and the unit fails over.

Conditions:
Virtual server with ipother profile and an iRule firing on CLIENT_ACCEPTED with discard or reject action.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use CLIENT_DATA as the firing event for the iRule. This has the same expected result when discarding the connection.


456376-2 : BIG-IP does not support IPv4-mapped IPv6 notation in the configuration with prefix length greater than 32

Component: Advanced Firewall Manager

Symptoms:
BIG-IP does not allow IPv4-mapped IPv6 notation (with prefix length greater than 32) in tmsh or the GUI.

Conditions:
Usage of IPv4-mapped-IPv6 addresses.

Impact:
This issue prevents you from specifying an IPv4-mapped IPv6 block in an AFM firewall rule (and possibly in other AFM configurations as well).

Workaround:
A partial workaround exists for customers wishing to drop the v4-mapped-v6 block. While it is not possible to do so in an AFM rule by specifying ::ffff:0.0.0.0/96, there is a DoS db variable that does so: dos.dropv4mapped.


456047 : Explicit links lost after adding server IP addresses using GUI

Component: Global Traffic Manager (DNS)

Symptoms:
When using the web user interface to add server IP addresses to an existing Global Server Load Balancing (GSLB) server, any existing server IP addresses that have an explicit link configured are lost.

Conditions:
This occurs after adding a new IP address to the server. This can be examined by using tmsh to list the server and its associated explicit link.

Impact:
If a link goes down, everything on the link goes down, so it is possible that unexpected resources will go down, if the GTM servers or virtual servers lose their explicitly defined links. Preliminary testing suggests that when these explicit links are lost, GTM might auto-match the server IP addresses (or virtual servers) to a different link, and this link might be different from the one the user explicitly configured.

Workaround:
When configuring servers that use explicit links, use tmsh (not the web UI) to edit the server properties; this prevents explicit links from being erased.


455389-6 : Multiple content type headers detection

Component: Application Security Manager

Symptoms:
ASM bypass techniques were found during a penetration test.

Conditions:
Send traffic with multiple content type headers.

Impact:
ASM's request header parser misbehaves and fails to detect the request's content type.

Workaround:
N/A
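The failure mode above is a parser that accepts a repeated single-valued header and then disagrees with the backend about which value applies. The check below is an added example, not F5 code: it parses a raw HTTP/1.1 request head into ordered (name, value) pairs, handling obsolete line folding and case-insensitive names, and rejects the request when Content-Type (or any other header listed in SINGLE_VALUED) appears more than once. The two sample requests are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Header fields that must occur at most once in a request. Content-Type is the
# one this entry concerns; the set is a parameter so a deployment can extend it.
SINGLE_VALUED = {"content-type"}


def parse_headers(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.1 request head into the request line and an ordered
    list of (lower-cased name, value) pairs. Obsolete line folding (a line
    starting with SP or HTAB) is appended to the previous header's value so a
    folded duplicate is not mistaken for a new field."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    request_line = lines[0]
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line:
            continue
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def duplicate_single_valued(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Return {name: [values...]} for every single-valued header seen more than once."""
    seen: Dict[str, List[str]] = {}
    for name, value in headers:
        if name in SINGLE_VALUED:
            seen.setdefault(name, []).append(value)
    return {n: v for n, v in seen.items() if len(v) > 1}


def check_request(raw: bytes) -> Tuple[str, Dict[str, List[str]]]:
    """('reject', duplicates) if any single-valued header repeats, else ('accept', {}).
    Rejecting is the safe choice: there is no unambiguous content type to enforce."""
    _, headers = parse_headers(raw)
    dups = duplicate_single_valued(headers)
    return ("reject", dups) if dups else ("accept", {})


# Constructed sample requests (not captured traffic).
GOOD_REQUEST = (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n"
                b"Content-Length: 9\r\n\r\nuser=test")
DUP_REQUEST = (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
               b"Content-Type: text/plain\r\n"
               b"content-type: application/json\r\n"   # same field, different case
               b"Content-Length: 9\r\n\r\nuser=test")

if __name__ == "__main__":
    print(check_request(GOOD_REQUEST))
    print(check_request(DUP_REQUEST))
```

The point of normalising names before counting is that a parser which compares header names case-sensitively, or which takes only the first or only the last occurrence, will reach a different conclusion from the origin server; rejecting outright removes that ambiguity.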


455020-3 : RTSP profile idle timeout is not applied if it is longer than the TCP profile timeout

Component: Carrier-Grade NAT

Symptoms:
The minimum of the Real Time Streaming Protocol (RTSP) and TCP profile timeouts is applied to the RTP and RTCP connflows associated with an RTSP connection.

Conditions:
This problem can leave UDP connflows for RTP and RTCP open for a shorter time period than desired.

Impact:
The shorter timeout (either RTSP profile or TCP profile) is used for the idle timeout on RTP and RTCP flows associated with an RTSP connection.

Workaround:
To work around this issue, configure both the TCP and the RTSP profile so that their idle timeout periods are the same.


454961-2 : Removal of AFM inline rules

Component: Advanced Firewall Manager

Symptoms:
All inline rules have been removed from AFM as of this release. All new rules must be created in policies. An update script is available to move current inline rules to policies.

Conditions:
This occurs on upgrade to 11.6.0 or later.

Impact:
Inline rules are no longer supported.

Workaround:
Management port rules are excluded, and are still configured inline. In place of inline rules, users should create firewall policies which are attached by reference to firewall contexts as necessary.

During an upgrade, existing inline rules associated with these contexts are moved into new auto-generated policies. These auto-generated policies are prepended with VersionUpgradeAutoGenPolicy- to simplify identification. Auto-generated policies are automatically enforced on the respective context to which the previous inline rules apply.

If you have HA pairs, auto-generated policies that are applied to non-floating self IPs are usable only for that self IP, and are not synced among HA peers. This behavior replicates the previous behavior for inline rules applied to non-floating self IPs. Other auto-generated policies are not affected. However, if a policy generated for another context is later applied to a non-floating self IP, the sync for that policy will be permanently disabled.


452660-3 : SNMP trap engineID should not be configsynced between HA-pairs

Component: TMOS

Symptoms:
When configuring an engine_id for a SNMPv3 trap destination, the engine_id was synchronized to all HA peers.

Conditions:
All

Impact:
Received SNMPv3 traps would appear as if they originated from the same Big-IP system after failover to a backup Big-IP.

Workaround:
The workaround is to disable configsync (change 'yes' to 'no') for engine_id in /defaults/config_base.conf. However, you must first remount the /usr partition to modify the file, and then run tmsh load. For more information on remounting the /usr partition, see SOL11302: The /usr file system is mounted in read-only mode, at https://support.f5.com/kb/en-us/solutions/public/11000/300/sol11302.html


452443-3 : DNS cache resolver cannot send egress traffic on a VLAN with src-ip or dst-ip cmp hash configured

Component: Local Traffic Manager

Symptoms:
DNS cache resolver or validating resolver does not function properly and fails to resolve DNS requests.

Conditions:
BIG-IP system is using non-default cmp hashes configured on its egress VLANs.

Impact:
It is difficult to both use non-default cmp hashes on system VLANs and use a DNS cache resolver on the same BIG-IP system.

Workaround:
Configure a separate VLAN for the cache resolver's use that uses the default cmp hash. Set the system's default route to direct resolver traffic to this VLAN. This VLAN can be placed in a new route domain, if other features require route domain zero's default route pointing elsewhere.


451705-1 : Illegal metachar override can be added to policy which prevents Apply Policy

Component: Application Security Manager

Symptoms:
Illegal metacharacter override can be added to the security policy. This subsequently prevents the security policy from being applied.

This can be seen in /var/log/asm.1_transformed:

----------------------------------------------------------------------
Feb 25 11:35:25 bigip2 info perl[10112]: 01310053:6: ASMConfig change: Parameter P3 [update]: Overridden Value Meta-characters were set to 0x3f - allowed.
Feb 25 11:35:31 bigip2 info perl[10112]: 01310053:6: ASMConfig change: Parameter P9 [update]: Overridden Value Meta-characters were set to 0x3a - allowed, 0x7fffffff - allowed.
----------------------------------------------------------------------

Conditions:
When upgrading from 11.3 to 11.5 and importing your exported policy, the import produces an error and fails to roll forward.

Impact:
This subsequently prevents the policy from being applied. The system could not apply the configuration, and 'set active' failed.

Workaround:
N/A


451479-4 : ConfigSync over IPv6 fails due to wrong rsync formatting

Component: TMOS

Symptoms:
ConfigSync over IPv6 fails due to wrong rsync formatting.

Conditions:
Config sync is enabled on IPv6.

Impact:
Config sync over IPv6 cannot be used. /var/log/ltm shows error logs such as the following:
-- err mcpd[5269]: 01071392:3: Background command '/usr/bin/rsync --rsync-path=/usr/bin/rsync -at --blocking-io /var/named/config/ rsync://fd88:8888:1:f5::1/var_name' failed. The command exited with status 10.
-- err mcpd[5269]: 01071392:3: Background command '/usr/bin/rsync --rsync-path=/usr/bin/rsync -at --blocking-io /config/big3d/ rsync://fd88:8888:1:f5::1/big3d' failed. The command exited with status 10.

Workaround:
Use config sync over IPv4.


451458-6 : The leasepool stat query should only return primary blade data.

Component: TMOS

Symptoms:
SNMP and the "leasepool show" command are not working.

Conditions:
Both single and HA Chassis configuration with lease pool.

Impact:
SNMP and the "leasepool show" command do not return correct leasepool stats.

Workaround:
There is no workaround to this issue.


451083-1 : Citrix Wyse clients when working with StoreFront in integration mode

Component: Access Policy Manager

Symptoms:
APM does not support Citrix Wyse clients when working with StoreFront in integration mode.

Conditions:
Using APM with Citrix Wyse clients when working with StoreFront in integration mode.

Impact:
Citrix Wyse clients are unable to connect to APM.

Workaround:
Use the following iRule:

priority 1

when HTTP_REQUEST {
  # Strip the NetScaler-style cookies that Wyse clients send so that APM
  # does not treat the request as a StoreFront-integrated session.
  set string [HTTP::header value Cookie]
  if { $string contains "NSC_AAAC=xyz" } {
    regsub {NSC_AAAC=xyz;?} $string {} tmp
    regsub {NSC_DLGE=xyz;?} $tmp {} result
    HTTP::header replace Cookie $result
  }
}


450765-1 : tmm segfault: hud_mptcp_handler HUDCTL_PERFORM_METHOD

Component: Local Traffic Manager

Symptoms:
TMM segmentation fault in hud_mptcp_handler when servicing HUDCTL_PERFORM_METHOD.

Conditions:
This happens when the "tmsh show sys conn" command is issued while connections are in the "forwarding" state.

Impact:
The tmm will crash and restart.

Workaround:
Do not issue the "tmsh show sys conn" command.


450671-1 : BIG-IP UDP virtual server may not send ICMP Destination Unreachable message Code 3 (port unreachable).

Component: Local Traffic Manager

Symptoms:
A BIG-IP UDP virtual server may not send an ICMP Destination Unreachable message Code 3 (port unreachable). As a result of this issue, you may encounter the following symptoms:

-- Client applications may not respond or appear to hang.
-- When attempting to troubleshoot the connectivity issue from remote devices, no ICMP diagnostic data is available from the BIG-IP system.

Conditions:
This issue occurs when the following condition is met: All pool members for the UDP virtual server are unavailable.

Impact:
In versions 11.3.0 through 11.4.1, the system silently drops the request. In versions 11.5.0 and later, the system sends back the ICMP message with type 13 ('administratively filtered').

Workaround:
None.


450241-4 : iControl error when discover ASM from EM

Component: Application Security Manager

Symptoms:
The iControl request iControl:ASM/Policy::get_list() fails.

EM connections fail to ASM devices

Conditions:
iControl fails to call to the ASM portion of iControl, and produces an error message.

<faultstring
     xsi:type="xsd:string">Exception caught in ASM::urn:iControl:ASM/Policy::get_list()
    Exception: Common::OperationFailed
     primary_error_code : 0 (0x00000000)
     secondary_error_code : 0
     error_string : Unset policy</faultstring>

Impact:
Discovery and refreshing devices fails, and EM cannot manage devices with ASM.

Workaround:
This issue has no workaround.


450136-6 : Occasionally customers see chunk boundaries as part of HTTP response

Component: Access Policy Manager

Symptoms:
Occasionally, users see chunk boundaries as part of HTTP response if the virtual server is configured with rewrite profile variant and some other profiles.

Conditions:
Virtual server with rewrite profile variant and some other profiles like OneConnect and NTLM could cause HTTP response to be double-chunked.

Impact:
End users may see random characters displayed on their web pages, or the page may fail to render because it contains invalid HTML markup.

Workaround:
To work around this problem, use an iRule that always rechunks the HTTP response.
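To see what a double-chunked body looks like to the client, here is an added Python example (not F5 code): a decoder for HTTP/1.1 chunked transfer coding, a helper that chunk-encodes a constructed page once and then again, and an unwrap routine that counts how many chunk layers a body carries. A count greater than one is the condition described in this entry; decoding only the single layer the headers announce leaves hexadecimal chunk-size lines and CRLFs inside the HTML, which is the "random characters" symptom. All inputs are constructed.

```python
from typing import Tuple


def decode_chunked(body: bytes) -> bytes:
    """Decode one layer of chunked transfer coding. Chunk extensions are
    dropped and trailers ignored. Raises ValueError on malformed input."""
    out = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("missing chunk-size line")
        size_field = body[pos:end].split(b";", 1)[0].strip()  # strip extensions
        size = int(size_field, 16)                              # ValueError if not hex
        if size < 0:
            raise ValueError("negative chunk size")
        pos = end + 2
        if size == 0:
            return bytes(out)                                   # last-chunk reached
        chunk = body[pos:pos + size]
        if len(chunk) < size:
            raise ValueError("truncated chunk")
        out += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2


def encode_chunked(payload: bytes, chunk_size: int = 8) -> bytes:
    """Chunk-encode payload in fixed-size pieces (used here to build samples)."""
    out = bytearray()
    for i in range(0, len(payload), chunk_size):
        piece = payload[i:i + chunk_size]
        out += f"{len(piece):x}\r\n".encode("ascii") + piece + b"\r\n"
    out += b"0\r\n\r\n"
    return bytes(out)


def looks_chunked(data: bytes) -> bool:
    """True if data decodes cleanly as a complete chunked body."""
    try:
        decode_chunked(data)
        return True
    except ValueError:
        return False


def unwrap_response_body(body: bytes) -> Tuple[int, bytes]:
    """Peel off every layer of chunking and report (layers, payload).
    A correctly framed response yields 1; the double-chunking symptom yields 2."""
    layers = 0
    while looks_chunked(body):
        body = decode_chunked(body)
        layers += 1
    return layers, body


# Constructed sample page and its single- and double-chunked encodings.
PAGE = b"<html><body><p>hello</p></body></html>"
SINGLE_CHUNKED = encode_chunked(PAGE, 10)
DOUBLE_CHUNKED = encode_chunked(SINGLE_CHUNKED, 16)

if __name__ == "__main__":
    # A client honouring the headers decodes exactly one layer:
    print(decode_chunked(DOUBLE_CHUNKED))   # chunk boundaries visible inside the HTML
    print(unwrap_response_body(DOUBLE_CHUNKED))
```

The unwrap loop is a diagnostic, not something a browser does: a real client trusts Transfer-Encoding and decodes once, which is why rechunking the response on the BIG-IP side is the workaround rather than any change at the client.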


447570-1 : tmm sigsegv

Component: Traffic Classification Engine

Symptoms:
A tmm crash was encountered during normal operation.

Conditions:
Not all of the conditions that trigger this are known, but it is related to use of the internal string cache in certain deployments, such as PEM and LTM's DNS resolver.

Impact:
Traffic disrupted while tmm restarts.


447542-3 : TMM crashes at startup when reprovisioning.

Component: TMOS

Symptoms:
TMM crashes at startup when reprovisioning.

Conditions:
Although there are several potential causes for this issue, they are difficult to quantify. For example, when provisioning stops the tmm, subsequent processing that finishes the provisioning activity might restart some daemons.

Impact:
TMM crashes on startup because it cannot obtain the memory allocated. In the specific case of provisioning failure, and depending on the modules being provisioned, the system might post messages similar to the following:
-- err mcpd[7608]: 01070066:3: Publication not found in mcpd for publisher Id WAMD_McpInvalidation_Publisher.
-- err mprov:1265:: 'Reserving huge memory failed (desired amount: 6295 pages [12590 MiB], allocated: 4248 pages [ 8496 MiB].'
-- err mprov:1265:: 'Resource reallocation could not be completed - A reboot is necessary for provisioning to complete.'

Workaround:
Reboot the system.


446713 : Initial boot from non-Primary blades causes daemon restarts and error messages on VIPRION B4300/B4300N blades and on the VIPRION C2200 chassis.

Component: TMOS

Symptoms:
Initial boot from non-Primary blades causes daemon restarts and error messages on VIPRION B4300/B4300N blades and on the VIPRION C2200 chassis. Messages posted might appear similar to the following:
-- snmpd[7175]: custom mib initialization completed. total 0 custom mib entry registered.
-- snmpd[7175]: Turning on AgentX master support.
-- restorecond: Reset file context /etc/mtab: system_u:object_r:etc_t:s0-system_u:object_r:etc_runtime_t:s0
-- sflow_agent[8639]: sflow_mcp.cpp::556:
sflow_agent[8639]: Processed max messages (201) in a loop.

Conditions:
This happens on each blade except blade1 (which is the Primary).

Impact:
When this occurs, the system posts various error messages and the daemon restarts.

Workaround:
Reboot. Subsequent reboots do not cause the daemon restarts.


446526-6 : TCP virtual server/UDP virtual server without datagram-LB mode enabled running DNS cache and suspending iRules might cause TMM crash.

Component: Local Traffic Manager

Symptoms:
When a TCP virtual server, or a UDP virtual server without datagram-LB mode enabled, runs an iRule which suspends itself, and the traffic that virtual server is handling is destined for the DNS cache, subsequent responses attempting to execute an iRule crash TMM because the first response is suspended. Those subsequent responses should be queued before attempting to execute the iRule.

Conditions:
Configuration contains TCP virtual server, or a UDP virtual server without datagram-LB mode enabled running DNS cache and suspending iRules.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Enable datagram-LB mode on the UDP profile. There is no workaround in the case of TCP.


446187-6 : Manual start of a BIG-IP APM service may trigger 100 percent CPU utilization.

Component: Access Policy Manager

Symptoms:
As a result of this issue, you may encounter the following symptoms:

-- BIG-IP iHealth lists Heuristic H465125 on the Diagnostics :: Identified :: High screen.
-- The BIG-IP APM service that you started causes system CPU utilization to increase over time, and eventually to consume all available CPU.
-- Users may be unable to access the BIG-IP APM access profiles.
-- When you view the Configuration utility, dashboard CPU consumption continually increases.
-- In the /var/log/ltm log file, you may observe log messages similar to the following examples.
notice chmand[6792]: 012a0005:5: Cpu utilization over 300 seconds is 100%, exceeded log level 80%
notice chmand[6792]: 012a0005:5: Cpu utilization over 300 seconds is 100%, exceeded log level 80%

Conditions:
This issue occurs when all of the following conditions are met:

-- The BIG-IP service is already running.
-- You manually start the BIG-IP service from the command line either directly or by using bigstart.
-- The BIG-IP service is running one of the following services:
aced, acctd, apd, eam, rba, or websso

Impact:
The user may be unable to access the system, and the BIG-IP APM system may stop responding.

Workaround:
Never start any daemon manually.
The proper way to start, stop, and restart daemons on the BIG-IP system is to use the bigstart utility:
bigstart start daemonname
bigstart stop daemonname
bigstart restart daemonname


442532-3 : Log shows "socket error: resource temporarily unavailable"

Component: Access Policy Manager

Symptoms:
A response could not be sent to the remote client. This happens rarely, with very large access policy configurations. We could not reproduce the issue.

Conditions:
Conditions leading to this issue are not yet known.

Impact:
The system continues to work; reconnecting works.

Workaround:
This issue has no workaround at this time.


442199-4 : HA group must be set up before running ccmode

Component: TMOS

Symptoms:
HA peer discovery process fails when running ccmode.

Conditions:
This occurs if the ccmode utility (for installations requiring Common Criteria compliance) is run prior to set-up of an HA group.

Impact:
Unable to set up HA group. In the GUI, upon attempting the Peer Discovery step, the system returns an iControl connection failure error.

Workaround:
There are two workarounds:
-- Create all HA groups before running the ccmode utility.
-- Complete the following process on both systems prior to initial HA setup or before adding a new device:
1. Run the command: tmsh modify sys httpd ssl-protocol "all -SSLv2".
2. Run the command: tmsh save sys config.
3. Perform HA-setup/device-addition.
4. Return the httpd ssl-protocol option to the value that conforms to Common Criteria requirements. To do so, run the following two commands:
a. tmsh modify sys httpd ssl-protocol "all -SSLv2 -SSLv3".
b. tmsh save sys config.


441913-5 : Empty Webtop when large number of resources assigned to access policy.

Component: Access Policy Manager

Symptoms:
When a large number of resources (more than 25) is assigned to an access policy with a full webtop, the system displays an empty webtop when it is accessed a second time.

Conditions:
Large number of resources assigned to access policy.

Impact:
A large number of resources fails to display on the webtop when it is accessed a second time.

Workaround:
To work around the problem, the only option is to assign fewer resources.


441482-3 : SWG is seen on platforms with less than 8 GB of memory

Component: TMOS

Symptoms:
Although there is a tmsh provision command shown for Secure Web Gateway (SWG) on platforms with less than 8 GB of memory, running the command fails because there is no support for SWG on those platforms.

Conditions:
This applies to certain BIG-IP appliances that have less than 8 GB of memory, and to vCMP and VE guests with less than 8 GB of memory allocated. (For memory information, see the Platform Guide for your platform.)

Impact:
Provisioning fails with a message similar to the following: Provisioning failed with error 1 - 'Memory limit exceeded. 5656 MB are required to provision these modules, but only 3964 MB are available.'

Workaround:
Do not attempt to provision SWG on platforms with less than 8 GB of memory.


441297-2 : Trunk remains down and interface's status is 'uninit' after mcpd restart

Component: TMOS

Symptoms:
Trunk down and interface's status is 'uninit' and log files indicate mcpd restarted.

Conditions:
This occurs upon mcpd restart on 2000/4000 series platform.

Impact:
Failover as a result of mcpd restart. Trunks are unable to pass traffic. The interfaces that report the status 'uninit' are able to pass traffic after mcpd and related services restart; the message is cosmetic only.

Workaround:
Run the command: tmsh restart sys service pfmand. The restart of pfmand helps update the interface status, which in turn helps update the trunk status.


441079-4 : BIG-IP 2000/4000: Source port on NAT connections is modified when it should be preserved

Component: Local Traffic Manager

Symptoms:
The BIG-IP system is modifying the source port on NAT connections.

Conditions:
This occurs when NAT is configured on the BIG-IP system. This occurs on BIG-IP 2000/4000 hardware platforms.

Impact:
This impacts any applications where the source port is expected to be preserved.

Workaround:
None.


441075-6 : Newly added or updated signatures are erroneously added to Manual user-defined signature sets.

Component: Application Security Manager

Symptoms:
You encounter an 'Unexpected' violation when you assign a user-defined signature to a signature set that is not configured to block.

Conditions:
This occurs when the signature is added to another blocking signature set simultaneously.

Impact:
'Unexpected' violation occurs

Workaround:
N/A


440562-3 : TMM core dumps due to an iSession "valid event" assertion failure

Component: Wan Optimization Manager

Symptoms:
An APM network access tunnel abort causes TMM to core dump due to an iSession 'valid event' assertion failure.

Conditions:
An APM network access tunnel is aborted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


440505-5 : Default port should be removed from Location header value in http redirect

Component: Access Policy Manager

Symptoms:
The browser treats a page loaded from a URL without the default port, and the same page loaded after receiving a Location header whose rewritten URL includes the default port, as two different pages, and loads the page twice.

Conditions:
Resource is loaded through Portal Access; page is loaded after receiving Location header with default port included in rewritten part; navigation occurs to this page without default port in domain part (for example, to anchor in this page).

Impact:
The resource is loaded twice, which can change the behavior of the backend.

Workaround:
This issue has no workaround at this time.


440431-4 : Response Logging generates a blank $HTTP_STATUS response when used with certain iRule commands.

Component: Local Traffic Manager

Symptoms:
Response Logging generates a blank $HTTP_STATUS response when used with certain iRule commands.

Conditions:
This issue occurs when the following condition is met:

A virtual server with Response Logging configured has an iRule assigned that uses either the HTTP::respond or HTTP::redirect command.
The Request Logging profile gives you the ability to specify the data and format for HTTP requests and responses that you want to include within the log file. Parameters, such as $HTTP_STATUS, are used to specify information that is included within the log file. The HTTP::respond and HTTP::redirect iRule commands allow you to customize the response sent to the client and are intended to run immediately when triggered. Therefore, no further processing of response data should occur. As a result, the system logs blank status information when using the $HTTP_STATUS parameter within the Request Logging profile for Response Logging.

Impact:
The system logs invalid information. As a result of this issue, you may encounter the following symptom:
-- BIG-IP iHealth lists Heuristic H465653 on the Diagnostics :: Identified :: Medium screen.
If $HTTP_STATUS is used within the Response Logging template, the output will be blank.

Workaround:
To work around this issue, you can use the iRule to generate the required logs, rather than the Request Logging profile. If an iRule is calling HTTP::respond or HTTP::redirect, you can log directly from that iRule using the log iRule command, and record parts of the old response, or the new one, depending on what is required.


439680-4 : BIG-IP as SP fails to report unsupported key transport algorithms when processing encrypted assertions

Component: Access Policy Manager

Symptoms:
A BIG-IP system configured as a Service Provider (SP) supports only rsa-oaep for key transport (http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p).

When the BIG-IP system configured as SP receives a SAML assertion with an unsupported encryption algorithm (for example, rsa-1_5 for key transport instead of rsa-oaep), the BIG-IP system fails to report that algorithms are unsupported, and proceeds to the decryption phase, which fails.

The only issue here is that the reported error does not directly point to the cause of the failure, which makes troubleshooting more difficult.

Conditions:
A BIG-IP system configured as an SP receives a SAML assertion that is encrypted or contains encrypted attributes.

Impact:
Troubleshooting could take longer.

Workaround:
There is no workaround.
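The behaviour the entry asks for, reporting an unsupported key transport algorithm before attempting decryption, is straightforward to pre-check on the SP side. The following Python is an added example and not APM code: it walks a SAML 2.0 EncryptedAssertion, collects the Algorithm attribute of every xenc:EncryptedKey/xenc:EncryptionMethod, and compares it against the set of supported key transport algorithms (rsa-oaep-mgf1p, the one the entry names). The assertion XML is constructed with placeholder cipher values; the rsa-1_5 URI is the standard XML Encryption identifier for the unsupported algorithm the entry uses as its example.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Key transport algorithms the SP is able to use (per this entry, only RSA-OAEP).
SUPPORTED_KEY_TRANSPORT = {"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"}
RSA_OAEP = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
RSA_15 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"


def key_transport_algorithms(xml_text: str) -> List[Optional[str]]:
    """Return the Algorithm of every EncryptedKey in the document, wherever it
    sits (inside ds:KeyInfo or as a sibling of EncryptedData). None marks an
    EncryptedKey with no EncryptionMethod at all."""
    root = ET.fromstring(xml_text)
    algs: List[Optional[str]] = []
    for ek in root.iter(f"{{{NS['xenc']}}}EncryptedKey"):
        method = ek.find("xenc:EncryptionMethod", NS)
        algs.append(method.get("Algorithm") if method is not None else None)
    return algs


def check_encrypted_assertion(xml_text: str) -> Tuple[str, List]:
    """Pre-flight check run before any decryption is attempted.
    ('ok', algs) when every key transport algorithm is supported,
    ('unsupported', offending_algs) when at least one is not,
    ('error', [reason]) when the structure has no EncryptedKey to check."""
    algs = key_transport_algorithms(xml_text)
    if not algs:
        return ("error", ["no xenc:EncryptedKey element found"])
    unsupported = [a for a in algs if a not in SUPPORTED_KEY_TRANSPORT]
    if unsupported:
        return ("unsupported", unsupported)
    return ("ok", algs)


def sample_encrypted_assertion(key_transport_alg: str) -> str:
    """Constructed EncryptedAssertion skeleton; cipher values are placeholders."""
    return f"""<saml:EncryptedAssertion xmlns:saml="{NS['saml']}"
    xmlns:xenc="{NS['xenc']}" xmlns:ds="{NS['ds']}">
  <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
    <ds:KeyInfo>
      <xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm="{key_transport_alg}"/>
        <xenc:CipherData><xenc:CipherValue>PLACEHOLDER-KEY</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedKey>
    </ds:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>PLACEHOLDER-DATA</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
</saml:EncryptedAssertion>"""


OAEP_ASSERTION = sample_encrypted_assertion(RSA_OAEP)
RSA15_ASSERTION = sample_encrypted_assertion(RSA_15)

if __name__ == "__main__":
    print(check_encrypted_assertion(OAEP_ASSERTION))
    print(check_encrypted_assertion(RSA15_ASSERTION))
```

Separating the algorithm check from the decryption step is what turns an opaque "decryption failed" into an actionable message naming the algorithm the IdP chose, which is the troubleshooting gap this entry describes.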


439540-5 : Connection from a Self IP to a network HSM may not be established after the BIG-IP system reboots.

Component: Local Traffic Manager

Symptoms:
SSL connections or DNSSEC operations that utilize a key stored on the network HSM may fail.

Conditions:
The BIG-IP system is configured to use a network HSM.
The BIG-IP system connects to the network HSM using a Self IP address.
The BIG-IP system is rebooted or all of the BIG-IP services are restarted.

Impact:
Traffic interruptions for SSL connections or DNSSEC operations that utilize a key stored on the network HSM until manual corrective action is taken.

Workaround:
Restart the pkcs11d process. The command is "tmsh restart sys service pkcs11d".


439490-8 : System does not reconnect to SafeNet HSM if connection is interrupted

Component: Local Traffic Manager

Symptoms:
The BIG-IP system does not reconnect to SafeNet HSM if the connection is interrupted. That means that SSL connections that utilize a key stored on the network HSM fail.

Conditions:
This occurs when the BIG-IP system is configured to use a SafeNet network HSM and the connection between the BIG-IP system and the network HSM is interrupted.

Impact:
When this occurs, the system experiences traffic interruptions for SSL connections that utilize a key stored on the network HSM until manual corrective action is taken.

Workaround:
To work around this issue, restart the pkcs11d process using the command 'tmsh restart sys service pkcs11d'.


439461-5 : Citrix Receiver for Linux is unable to receive full applications list.

Component: Access Policy Manager

Symptoms:
Citrix Receiver for Linux shows only part of the application list when connecting to APM.

Conditions:
APM is configured for Citrix Replacement and Citrix Receiver for Linux is used.

Impact:
Citrix Receiver for Linux shows only part of the application list.


439399-4 : Discrepancy between Throughput and Detailed Throughput data

Component: TMOS

Symptoms:
Discrepancy between Throughput and Detailed Throughput graphs.

Conditions:
A vCMP guest with ePVA virtual servers configured in the guest.

Impact:
The impact of this issue is a discrepancy between the Throughput and Detailed Throughput graphs.

Workaround:
This issue has no workaround at this time.


439330-7 : JavaScript: getAttribute() returns mangled event handlers

Component: Access Policy Manager

Symptoms:
All event handlers in an HTML page are rewritten by APM. If a script calls getAttribute() to obtain event handler code, it receives the rewritten code. This may lead to incorrect results.

Conditions:
HTML page with event handlers defined.

Impact:
If a script uses event handler source code, it might work incorrectly.


438548-3 : Avoid the name "none" for branch rules

Component: Access Policy Manager

Symptoms:
Access policy visual policy editor item created with a branch caption of "none" cannot be opened or edited properly after being exported and re-imported.

Conditions:
A branch caption of "none" for an access policy visual policy editor item.

Impact:
Any access policy action.

Workaround:
In visual policy editor: Before you export an access policy, check for elements with caption "none" in branch rules and change the caption.

To avoid this issue, refrain from using the name "none" for branch rules.


438045-4 : Web Services signature verification failed.

Component: Application Security Manager

Symptoms:
Uploading a client certificate to the BIG-IP system causes validation to fail.
The error "Validation failed. Please upload valid .PEM file" appears.

Conditions:
Web Services Security is configured in an XML profile. Both client and server certificates have been imported into the ASM certificate pool, and validation of a signed XML message sent from the server is required.

Impact:
Web Services signature verification failed.

Workaround:
This issue has no workaround at this time.


437703-6 : LTM policies do not accept special characters in HTTP header names

Component: Local Traffic Manager

Symptoms:
LTM policies do not accept special characters in HTTP header names.

Conditions:
This occurs when trying to use a '$' character in a header name.

Impact:
The system posts a validation error. For example, for the value $WSRA, the system posts the following message: 01071748:3: Policy '/Common/ft1_pool_select', rule 'notvar2'; invalid name, value '$WSRA'.

Workaround:
None.


436674-2 : The msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime values contained in SNMPv3 trap message may be incorrect after the SNMP agent reboot.

Component: TMOS

Symptoms:
After the SNMP agent (snmpd) restarts, the SNMPv3 trap messages generated by the BIG-IP system may contain incorrect msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime values. The msgAuthoritativeEngineBoots value will also be out of sync with the engineBoots value in /config/net-snmp/snmpd.conf.

Conditions:
Configure SNMPv3 trap destination on the BIG-IP system and observe the msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime values in the generated trap messages. Reboot the SNMP agent (e.g., 'tmsh restart sys service snmpd') and observe these values again in the subsequent SNMPv3 trap messages.

Impact:
Some SNMP monitoring servers (e.g., SpectroSERVER) can lose the ability to poll the BIG-IP system. When the BIG-IP system sends out the incorrect values, the monitoring server thinks the information has been spoofed and it loses the ability to poll the BIG-IP until manual intervention.

Workaround:
This issue has no workaround at this time.


435555-4 : Cannot load UCS from different BIG-IP system using Secure Vault

Component: TMOS

Symptoms:
If a BIG-IP system uses Secure Vault to encrypt secure fields, you cannot load a UCS from that system on another BIG-IP system.

Conditions:
This occurs when a UCS originates on a BIG-IP system whose secure fields are encrypted using Secure Vault. The reason is that the Master Key to the Secure Vault has been encrypted with the Unit key of the originating BIG-IP system. The Unit key is unique to each system.

Impact:
UCS load fails.


435419-3 : Install of partial epsec file causes mcpd to crash, followed by multiple cores.

Component: Access Policy Manager

Symptoms:
Install of partial epsec file causes mcpd to crash, followed by multiple cores.

Conditions:
-- Attempt to upload a current epsec file.
-- Upload stalls and appears hung.
-- Close the web browser used for uploading epsec.
-- Attempt to install the partially uploaded file.

Impact:
mcpd crashes, followed by multiple cores.

Workaround:
Upload the epsec file completely, and try the installation again.


435055-2 : ECDHE-ECDSA ciphers with hybrid certificate (RSA signed EC cert)

Component: Local Traffic Manager

Symptoms:
ECDHE-ECDSA cipher does not work with hybrid certificate (RSA signed EC cert).

Log files may indicate SSL handshake error or a 'no shared ciphers' error.

Conditions:
Using a hybrid certificate (RSA signed EC cert).

Impact:
ECDHE-ECDSA cipher does not work with hybrid certificate (RSA signed EC cert).

Workaround:
None.


434517-9 : HTTP::retry doesn't work in an early server response

Component: Local Traffic Manager

Symptoms:
If an HTTP_RESPONSE event fires because the server sent an early response (i.e., a response before the entire request has been sent), then HTTP::retry does not work correctly.

Conditions:
The client begins sending a request. The server responds before that request is completely sent. HTTP::retry is called in the HTTP_RESPONSE event.

Impact:
Typically, early server responses are error conditions.

Workaround:
HTTP::respond or HTTP::redirect may be used at the cost of an extra client-side request.


433972-12 : New Event dialog widget is shifted to the left and Description field does not have action widget

Component: Access Policy Manager

Symptoms:
When you access Microsoft SharePoint 2013 through APM and use a rewrite profile, the rewritten New Event dialog box is shifted to the left and action widgets are not displayed above the Description field.

Conditions:
The problem occurs in Internet Explorer 11 with meta http-equiv='X-UA-Compatible' content='IE=10'.

Impact:
SharePoint 2013 malfunctions.

Workaround:
You could potentially use an iRule to mitigate the problem.


433752-8 : Web applications might rewrite their event handlers

Component: Access Policy Manager

Symptoms:
Web applications might rewrite their event handlers.

Conditions:
If a web application edits event handlers dynamically.

Impact:
Event handlers might become corrupted.

Workaround:
None.


433572-2 : DTLS does not work with rfcdtls cipher on the B2250 blade

Component: Local Traffic Manager

Symptoms:
DTLS does not work with rfcdtls cipher on the B2250 blade.

Conditions:
This occurs as a result of hardware acceleration offload on the B2250 blade when using DTLS on vCMP.

Impact:
DTLS does not work with rfcdtls cipher on the B2250 blade.

Workaround:
None.


433323-11 : Ramcache handling of Cache-Control: no-cache directive in Response

Component: Local Traffic Manager

Symptoms:
Previously, when a Cache-Control header from the OWS contained a no-cache directive, RAM Cache mistakenly interpreted it the same as a no-store directive.

Conditions:
Configure a virtual server with HTTP caching.

Impact:
Failure to cache a cacheable document.

Workaround:
This issue has no workaround at this time.


433243-6 : SAML SSO might fail due to clock skew

Component: Access Policy Manager

Symptoms:
Other SAML Service Provider (SP) implementations might reject a SAML assertion generated by the BIG-IP system if the clock on the other system is running behind the clock on the BIG-IP system.

Conditions:
The BIG-IP system is configured as a SAML IdP. The SAML SP is implemented by another vendor, and that implementation has no clock skew tolerance. The SP's clock is behind the IdP's clock.

Impact:
SAML SSO might fail.

Workaround:
Adjust the clock on SP system to the time that is set on the BIG-IP system that acts as the SAML Identity Provider (IdP).


433055-5 : BFD GTSM IMI shell commands don't work

Component: TMOS

Symptoms:
The BFD GTSM IMI shell commands 'bfd gtsm enable' and 'bfd gtsm disable' are disabled and have no effect.

Conditions:
This problem occurs when BFD is configured and you attempt to configure the GTSM feature of BFD.

Impact:
GTSM feature is not usable.

Workaround:
None.


432102-7 : HTML reserved characters not supported as part of SAML RelayState

Component: Access Policy Manager

Symptoms:
If the RelayState parameter includes HTML and XHTML special characters, then BIG-IP as IdP or BIG-IP as SP does not process them correctly, and does not send the complete RelayState value to the peer.

Conditions:
The RelayState parameter includes HTML or XHTML special characters.

Impact:
SAML integration may not work properly with other products when the configured RelayState parameter includes special characters.

Workaround:
To use reserved characters in HTML (",',&,<,>) as part of the SAML RelayState, convert them to their HTML entities (&#34;, &#39;, &#38;, &#60;, &#62;).


431810-6 : APMD process core due to missing exception handling in execute agents

Component: Access Policy Manager

Symptoms:
APMD cores due to missing exception handling in APMD while executing an access policy agent.

Conditions:
This occurs when using APM.

Impact:
APMD might core due to missing exception handling in APMD while executing an access policy agent.


431480-3 : Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message

Component: Local Traffic Manager

Symptoms:
Occasionally, you might encounter a situation in which tmm dumps a core, and the system writes to the logs a message similar to the following: notice panic: ../base/listener.c:1116: Assertion 'laddr is not NULL' failed.

Conditions:
The exact conditions that result in this error are unknown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time, but the system recovers without any user action.


429885-4 : Traffic that does not match any virtual or Self IP is dropped silently (without any logs or statistics)

Component: Advanced Firewall Manager

Symptoms:
When AFM is operating in Default Deny mode, traffic that does not match a Virtual or Self IP is dropped/rejected silently, without any counter increment or logging (even if global default drop logging is enabled).

Conditions:
VIP/SelfIP Default Action is set to Drop/Reject.
Global Default Action is set to Drop and global rule logging is enabled.

Traffic does not match any virtual or selfip.

Impact:
While there is no impact on the traffic that does not match a virtual or Self IP (it is correctly being dropped), the issue is that no counters are updated and nothing is logged (even if logging is enabled).

Workaround:
This issue has no workaround at this time.


429810-4 : 2000/4000 platforms can end up in indeterminate ARL/FDB state

Component: Local Traffic Manager

Symptoms:
2000/4000 platforms can end up in indeterminate ARL/FDB state under certain conditions.

Conditions:
This occurs when one of these platforms is subjected to a stream of frames arriving from one MAC address on two different ports on a VLAN simultaneously.

Impact:
The result is an indeterminate ARL/FDB state.

Workaround:
There is no workaround.


427924-8 : ipport hash type is not programmed in new blade

Component: TMOS

Symptoms:
When inserting a new blade in a VIPRION C2400 chassis, with UDP or TCP hash set to 'ipport', the new blade uses the 'port' hash instead. Rebooting the blade or restarting bcm56xxd and tmm causes the correct DAG (Disaggregator) hash to be used.

Conditions:
-- UDP or TCP hash algorithm changed from the default (e.g., changed from 'port' to 'ipport').
-- UDP or TCP virtual servers configured.
-- New blade inserted into the chassis. The new blade includes an external interface on which traffic will arrive.

Impact:
Prevents adequate distribution of traffic within a chassis, which may disrupt traffic flows or reduce the traffic throughput of the BIG-IP system.

Workaround:
Reboot the new blade after it has been configured, or issue the 'bigstart restart' command (to restart the bcm56xxd and tmm modules and program the DAG with the correct hash type).


426274-1 : Firewall ACL Schedules may not work when configured with a daily schedule that starts before the specified start date and time

Component: Advanced Firewall Manager

Symptoms:
The daily schedule for a rule starts before the start date and time specified in the schedule. For example, assume the current time is 2013-07-26 16:20:00. If you specify the following schedule and associate it with a rule, the rule is never scheduled:

tmsh modify security firewall schedule sched1 {date-valid-start 2013-07-26:16:24:00 date-valid-end 2013-07-26:16:29:00 daily-hour-start 16:23 daily-hour-end 16:27 }

Conditions:
The daily-hour-start needs to be configured to occur before the date-valid-start.

Impact:
The scheduled rule will not become active when configured in this manner.

Workaround:
As a workaround, make sure that daily-hour-start does not occur before date-valid-start. A working example, assuming the current time is 2013-07-26 16:20:00, configures date-valid-start to be the previous day:

tmsh modify security firewall schedule sched1 {date-valid-start 2013-07-25:16:24:00 date-valid-end 2013-07-26:16:29:00 daily-hour-start 16:23 daily-hour-end 16:27 }
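
The schedule check described in this entry, as an added example (Python; not F5 code): it parses the tmsh schedule attributes shown above, flags the ordering that leaves the rule unscheduled, and applies the one-day date-valid-start shift from the workaround. The fixed "now" of 2013-07-26 16:20:00 comes from the entry; reading the condition as "the next daily window start, relative to now, falls before date-valid-start" is an assumption of this example.

```python
"""Check an AFM firewall schedule for the ordering described in ID 426274-1
and apply the documented workaround. Added example, not F5 code."""
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d:%H:%M:%S"   # tmsh date-valid-* format, e.g. 2013-07-26:16:24:00
HM_FMT = "%H:%M"               # tmsh daily-hour-* format, e.g. 16:23

# Constructed from the entry's own example: the schedule that never activates.
BROKEN = ("tmsh modify security firewall schedule sched1 {"
          "date-valid-start 2013-07-26:16:24:00 date-valid-end 2013-07-26:16:29:00 "
          "daily-hour-start 16:23 daily-hour-end 16:27 }")
NOW = datetime(2013, 7, 26, 16, 20, 0)   # "assume the current time is" in the entry


def parse_schedule(cmd):
    """Return the attribute/value pairs inside the {...} block of a tmsh schedule command."""
    body = cmd[cmd.index("{") + 1:cmd.rindex("}")]
    tokens = body.split()
    if len(tokens) % 2:
        raise ValueError("unbalanced attribute/value list")
    sched = dict(zip(tokens[0::2], tokens[1::2]))
    start = datetime.strptime(sched["date-valid-start"], TS_FMT)
    end = datetime.strptime(sched["date-valid-end"], TS_FMT)
    if end <= start:
        raise ValueError("date-valid-end must be after date-valid-start")
    return sched


def next_daily_start(sched, now):
    """First instant at or after 'now' when the daily window opens."""
    hm = datetime.strptime(sched["daily-hour-start"], HM_FMT).time()
    candidate = datetime.combine(now.date(), hm)
    if candidate < now:
        candidate += timedelta(days=1)
    return candidate


def is_affected(sched, now):
    """True when the next daily window opens before date-valid-start,
    the ordering the entry says leaves the rule unscheduled (assumed reading)."""
    valid_start = datetime.strptime(sched["date-valid-start"], TS_FMT)
    return next_daily_start(sched, now) < valid_start


def apply_workaround(sched):
    """Entry's workaround: move date-valid-start back one day. Returns a copy."""
    fixed = dict(sched)
    shifted = datetime.strptime(sched["date-valid-start"], TS_FMT) - timedelta(days=1)
    fixed["date-valid-start"] = shifted.strftime(TS_FMT)
    return fixed


def render(name, sched):
    """Rebuild a tmsh modify command from the attribute dict (fixed key order)."""
    keys = ("date-valid-start", "date-valid-end", "daily-hour-start", "daily-hour-end")
    attrs = " ".join(f"{k} {sched[k]}" for k in keys)
    return f"tmsh modify security firewall schedule {name} {{ {attrs} }}"


def check_and_fix(cmd, now=NOW, name="sched1"):
    """Return (affected, corrected_command). corrected_command is None when not affected."""
    sched = parse_schedule(cmd)
    if not is_affected(sched, now):
        return False, None
    return True, render(name, apply_workaround(sched))


if __name__ == "__main__":
    affected, fixed = check_and_fix(BROKEN)
    print("affected:", affected)          # True for the entry's example
    if fixed:
        print("corrected:", fixed)        # date-valid-start moved to 2013-07-25
```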


425339-2 : GUI shows incorrect number of members of pool in HA group after pool config is sync'ed from peer unit.

Component: TMOS

Symptoms:
GUI shows incorrect number of members of pool in high availability (HA) group after pool config is sync'ed from peer unit.

Conditions:
This is triggered when automatic sync is configured with incremental synchronization on a sync-failover device group. It will be visible on the HA Groups page in the Pools section after a configuration sync is performed from a device where the pool members were modified.

Impact:
The number of pool members listed in the HA Groups page is incorrect (e.g., shows 2 when it should show 1, 3 when it should show 2). Although this issue is cosmetic, it makes it difficult to configure the HA Group on the affected device.

Workaround:
The incorrect pool member display can be fixed on the affected device, by running the following tmsh command:

Impact of procedure: This command loads the saved configuration, so any in-memory changes (i.e., changes that have not been saved to disk) will be lost. Since the affected device is a sync target, and no other changes should have been made, it should be safe to run this command.

tmsh load sys config


424542-2 : tmsh modify net interface with invalid interface name or attributes will create an interface in cluster or VE environments

Component: TMOS

Symptoms:
tmsh modify net interface commands with either invalid interface names or invalid attribute names will appear to create new interfaces.
An invalid interface will show up in "show net interfaces".

Conditions:
Only happens on clustered or virtual environments, not on appliances.

Impact:
Cosmetic only - extraneous interfaces show up in tmsh show net interface.

Workaround:
guishell -c "delete from interface where name='12345/is_this_correct'"


423930-2 : GTM might mark down LTM virtual servers in NON-ZERO route domain named with special characters

Component: Global Traffic Manager

Symptoms:
LTM virtual servers that are in a NON-ZERO route domain that contain special characters in their name may be incorrectly marked down by GTM.

Conditions:
This occurs with LTM virtual servers with a '.' (dot) or ';' (semi-colon) in the name that are also in a non-zero route domain.

Impact:
GTM marks those LTM virtual servers down.

Workaround:
This workaround involves changing the GTM configuration. To make the configuration work properly, the GTM must be configured with one server stanza for each route domain on the LTM system that has virtual servers. The following example configuration creates three virtual servers, one for each RD. Each server then discovers and probes only the virtual servers in its route domain.

NOTE: Remove the 'expose-route-domains yes' option from the server stanza. If that remains on, each server lists all of the virtual servers on the LTM, creating duplicates. Furthermore, the virtual servers in a route domain that does not match the route domain of the server are marked down. For the following example:
-- on server 10.5.76.239, in route domain 0, all the virtual servers in RD1 and RD2 will be red.
-- on server 10.10.10.39, in route domain 1, all the virtual servers in RD0 and RD2 will be red.
-- on server 10.10.11.39, in route domain 2, all the virtual servers in RD0 and RD1 will be red.

For example, if the LTM system is configured with the following self IP addresses (that is, three self IP addresses in the default RD, RD1, and RD2):

net self 10.5.76.239 {
    address 10.5.76.239/24
    allow-service all
    traffic-group traffic-group-local-only
    vlan vlan-576
}
net self 10.10.11.39%2 {
    address 10.10.11.39%2/24
    allow-service {
        default
    }
    traffic-group traffic-group-local-only
    vlan vlan-3273
}
net self 10.10.10.39%1 {
    address 10.10.10.39%1/24
    allow-service {
        default
    }
    traffic-group traffic-group-local-only
    vlan vlan-3270
}

and virtual servers in each RD:

ltm virtual vs.rd0.dottest {
    destination 10.5.76.39:http
    ip-protocol tcp
    mask 255.255.255.255
    pool p1
    profiles {
        tcp { }
    }
    vlans-disabled
}
ltm virtual vs.rd1.dottest {
    destination 10.10.10.39%1:http
    ip-protocol tcp
    mask 255.255.255.255
    pool p1
    profiles {
        tcp { }
    }
    vlans-disabled
}
ltm virtual vs.rd2.dottest {
    destination 10.10.11.39%2:http
    ip-protocol tcp
    mask 255.255.255.255
    pool p2
    profiles {
        tcp { }
    }
    vlans-disabled
}

Then the GTM has to be configured as follows:

gtm server /Common/B3600-R18-S39-RD0.lab.ss.f5net.com {
    addresses {
        10.5.76.239 {
            device-name B3600-R18-S39.lab.ss.f5net.com
        }
    }
    datacenter /Common/DC1
    monitor /Common/bigip
    virtual-server-discovery enabled
}
gtm server /Common/B3600-R18-S39-RD1.lab.ss.f5net.com {
    addresses {
        10.10.10.39 {
            device-name B3600-R18-S39.lab.ss.f5net.com
        }
    }
    datacenter /Common/DC1
    monitor /Common/bigip
    virtual-server-discovery enabled
}
gtm server /Common/B3600-R18-S39-RD2.lab.ss.f5net.com {
    addresses {
        10.10.11.39 {
            device-name B3600-R18-S39.lab.ss.f5net.com
        }
    }
    datacenter /Common/DC1
    monitor /Common/bigip
    virtual-server-discovery enabled
}


423928-1 : syslog messages over 8 KB in length cause logstatd to exit

Component: TMOS

Symptoms:
A syslog message longer than 8 KB might cause logstatd to raise an exception and exit.

Conditions:
This occurs when the system processes a syslog message that is longer than 8 KB.

Impact:
logstatd exits and posts a message similar to the following: localhost emerg logger: Re-starting logstatd.

Workaround:
Configure syslog smaller than (or equal to) 8 KB using a command similar to the following in bigip_base.conf:
sys syslog {
    include "options { ... log_msg_size(8192); };"
}


423629-5 : bigd cores when route-domain tagged to a pool with monitor as gateway_ICMP is deleted

Component: Local Traffic Manager

Symptoms:
bigd restarts once, and afterwards, subsequent pings from the monitor fail.

Conditions:
This can occur when assigning an ICMP monitor to a pool member, specifying a route domain that does not exist.

Impact:
For bigd, a single restart is actually harmless. The invalid configuration causes monitor failures; because the route domain no longer exists, the pool member is marked down.


423482-1 : Removing the gateway failsafe pool in web interface does not set the pool::gateway failsafe device property to none

Component: TMOS

Symptoms:
Removing the gateway failsafe pool in the web interface does not set the pool::gateway failsafe device property to none.

Conditions:
When the gateway failsafe pool is removed from web user interface, the pool maintains the prior gateway failsafe device. This is seen on listing the pool in tmsh.

Impact:
Creates confusion about the current pool::gateway failsafe device configuration.

Workaround:
The pool::gateway failsafe device property can be set to none using tmsh.


423061-1 : Creating an SNMP v3 user using the Configuration utility or tmsh adds passwords in plain text to the snmpd.conf file

Component: TMOS

Symptoms:
Creating or modifying SNMP v3 users using the GUI or tmsh adds passwords in plain text to the /config/net-snmp/snmpd.conf file.

Conditions:
You have created or modified an SNMP v3 user using the GUI or with the command 'tmsh modify sys snmp users ...'

Impact:
SNMP v3 user passwords are visible to those with root read access on the BIG-IP system until you run bigstart restart to restart the snmp process.

Workaround:
Run the command 'bigstart restart snmp' to restart snmp after creating or modifying SNMP v3 users. This results in encrypted passwords in the file.


422525-1 : Portal Access resources with proxy require hostnames to be resolvable to BIG-IP

Component: Access Policy Manager

Symptoms:
Portal Access resources with proxy host configured and no DNS record available to BIG-IP will be blocked by APM ACL. All requests to these resources will result in APM DNS error page.

Impact:
Some resources accessible only via proxy cannot be configured to work through APM Portal Access.

Workaround:
Use intranet DNS server for BIG-IP, or add resources behind proxy server to a DNS server configuration.


421797-2 : ePVA continues to accelerate IP Forwarding VS traffic even in Standby

Component: TMOS

Symptoms:
When the active BIG-IP unit in a redundant configuration becomes the standby unit after a failover event, traffic sent to the virtual servers with hardware acceleration enabled continues to be accelerated by the ePVA hardware on the original active unit (current standby unit). These offloaded flows are eventually evicted after the failover switch period (16 seconds by default), and this does not prevent the new active unit (original standby unit) from offloading the flows to hardware for acceleration. As a result, accelerated traffic can still be observed on the standby unit.

Conditions:
When a failover event happens in a redundant configuration with virtual servers that have hardware acceleration enabled.

Impact:
No performance impact or traffic interruption. You might observe unexpected traffic on standby unit.

Workaround:
None. This is a cosmetic issue.


420645-5 : Firewall software check cannot detect state of ipfw on Mac OS X

Component: Access Policy Manager

Symptoms:
The Firewall software check cannot detect the state of the ipfw software on Mac OS X. Also, because of an underlying issue, the HD encryption software check cannot detect locations encrypted by FileVault on Mac OS X.

Conditions:
BIG-IP APM, Firewall software check, HD encryption software check.

Impact:
The Firewall software check cannot detect the state of ipfw on Mac OS X.

Workaround:
None.


418734-3 : vCMP guest unit_key empty

Component: TMOS

Symptoms:
A vCMP guest fails to load, and mcpd crashes on start-up. Running 'tmsh list vcmp guest' on the host reveals that sym-unit-key is empty or does not exist.

Conditions:
There are a number of ways that this can be encountered. The most common is an RMA replacement of a vCMP-capable blade, or moving a UCS from one device to another device of the same type; it can also occur if the device unit key becomes corrupted, or if the master key file (/config/bigip/kstore/master) becomes corrupted.

Impact:
Configuration of vCMP guest fails to load, mcpd crashes.

Workaround:
Remove the encrypted attributes from the config and reenter them in plaintext.


417711-1 : APM does not restore NLAD connections when the configuration is restored from an UCS file

Component: Access Policy Manager

Symptoms:
After the upgrade, if the previous configuration used NTLM front end authentication, the functionality is not restored.

Conditions:
NTLM is configured and a UCS file is saved prior to restoring a device to factory defaults.
tmsh load sys config default is run to restore the system to the default state.

Impact:
NTLM auth will not work, and this error will appear in /var/log/apm:

err nlad[6921]: 01620000:3: <0x55b5db90> nlclnt[3c80a0a0a] init: Error [0xc000006d,NT_STATUS_LOGON_FAILURE] connecting to DC

Workaround:
After the upgrade, manually delete the existing NTLM machine account configurations and then recreate them.


417045-2 : Error: 'err chmand[8873]: Error sending MCP system_information (err:1020003)'

Component: TMOS

Symptoms:
Upon shutdown, the system posts the message 'err chmand[8873]: Error sending MCP system_information (err:1020003)' to the ltm log.

Conditions:
This might occur intermittently when shutting down the system.

Impact:
This message is benign, and the system should power up correctly.

Workaround:
None.


416292-8 : MCPD can core as a result of another component shutting down prematurely

Component: TMOS

Symptoms:
During a small window of opportunity, mcpd can core if it is told to restart. This often occurs when another component has failed.

Conditions:
This issue generally occurs when another component has a problem which then initiates an mcpd restart.

Impact:
An mcpd core file is generated during shutdown, and it may initially appear as if mcpd coring was the cause of the restart.


404876-1 : Rule modifications reset active counters.

Component: Advanced Firewall Manager

Symptoms:
When an existing rule is modified or when it transitions from active to inactive due to scheduling, the associated hit counters are reset.

Conditions:
An existing rule is modified or changes state from active to inactive (or vice versa) due to scheduling.

Impact:
Rule hit counters are reset and accurate hit counts across scheduling intervals/modifications are not possible.


402414-2 : Configured flow control not applied to Copper SFPs

Component: TMOS

Symptoms:
On affected platforms, flow control configured for an external interface is not applied if the interface is populated with a Copper SFP.

The 'tmsh list net interface' command may show the 'Flow Control' setting for the interface as the configured value (such as 'tx-rx').
However, the 'tmsh show net interface' command may show the 'Flow Control' setting for the interface as 'none', and the remote node connected to the interface in question may show no flow control on the connection.

Conditions:
This may occur with interfaces populated with Copper SFPs on the following BIG-IP and VIPRION platforms:
-- BIG-IP 10000-/12000-series appliances
-- VIPRION B4300-series blades
-- VIPRION B2250 blades

Impact:
No flow control as configured on affected interfaces.

Workaround:
To work around this issue:
1. Set flow control to none for the affected interfaces.
2. Set flow control to the desired value for the affected interfaces.


402115-3 : System does not report tmm memory with consideration of threading

Component: Local Traffic Manager

Symptoms:
Using the command 'tmsh show sys memory' may display zero usage for some entries.

Conditions:
This applies when using a platform that provides memory management per process; this is all current hardware platforms, but does not apply to vCMP or VE.

Impact:
The division of memory usage may not be clear.

Workaround:
None. However, the information shows the most important value, which is the memory utilization of each process.


398657-16 : Active Session Count graph underflow

Component: Access Policy Manager

Symptoms:
On all platforms, the active session count might at times be unexpectedly large, likely due to a counter underflow.

Conditions:
N/A

Impact:
Wrong active session graphs are presented at certain times.

Workaround:
N/A


396273-4 : Error message in dmesg and kern.log: vpd r/w failed

Component: TMOS

Symptoms:
When running dmesg, you might see errors similar to the following: 0000:17:00.0: vpd r/w failed. This is typically considered a firmware issue on the device, and you can contact the card vendor for a firmware update.
This error can be seen in /var/log/kern.log as well.

Conditions:
This can occur whenever 'lspci -vv' (or 'lspci -vvv', e.g., during qkview generation) is executed.

Impact:
This is a benign firmware message, and you can safely ignore it.

Workaround:
There is no workaround, but this is not a functional issue.


390514-1 : SNMP_DCA_BASE monitor does not recognize Threshold and Coefficient

Component: Local Traffic Manager

Symptoms:
The SNMP_DCA_BASE monitor does not return the correct weight.

Conditions:
This occurs when using the SNMP_DCA_BASE monitor. On version 10.x the threshold and coefficient values existed so this may be discovered after upgrading. For more information on configuring SNMP DCA see SOL14110: Creating a custom SNMP DCA or SNMP DCA Base monitor at https://support.f5.com/kb/en-us/solutions/public/14000/100/sol14110.html

Impact:
Dynamic load balancing does not work properly with the SNMP_DCA_BASE monitor.


385859-2 : iRule TCP::close on VIP with RAM cache can cause TMM restart

Component: Local Traffic Manager

Symptoms:
iRule TCP::close on VIP with RAM cache can cause TMM restart.

Conditions:
This occurs when using TCP::close in an iRule inside HTTP_REQUEST while RAM cache is configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable RAM cache.


384995-3 : Management IP changes are not synced to the device group.

Component: TMOS

Symptoms:
A device group shows a device as offline when it was previously working, and the device's management IP address has recently changed.

Conditions:
When the management IP is changed on a device in a trust domain, it is not updated in the device group even though its config sync IP is a SelfIP and config sync continues to work. Other devices show it offline under Device Management :: Devices.

Impact:
Incorrect device status displayed when looking at the device group.

Workaround:
To resolve this, the device that changed must be discovered from a device that is not changed.

Note: If you attempt to discover a device that is not changed from the device that is changed, the operation loses the hostname and other configuration objects.


378967-2 : Users are not synchronized if created in a partition

Component: TMOS

Symptoms:
Users in partitions attached to sync-only device groups do not sync to other devices in that device group.

Conditions:
There are users whose active partitions are attached to a sync-only device group.

Impact:
This affects sync-only device groups only, not the failover device group.

Workaround:
None.


376120-6 : tmrouted restart after reconfiguration of previously deleted route domain

Component: TMOS

Symptoms:
When a non-default route domain is configured for dynamic routing, then subsequently deleted and re-added, tmrouted might restart.

Conditions:
Non-default route domains in use.

Impact:
Dynamic routing for all route domains is interrupted.


375434-3 : HSB lockup might occur when TMM tries unsuccessfully to reset HSB.

Component: TMOS

Symptoms:
An HSB lockup might occur when the TMM driver tries to reset HSB and the effort is not successful. After several failed attempts, a bad DMA packet causes tmm to crash. This failure can also result in a "DMA lockup on transmitter failure" reported in the TMM log files.

Conditions:
This occurs on HSB platforms that have AMD processors, which include the BIG-IP 6900, 8900, 8950, 11000, and 11050N platforms, and the VIPRION B4200 and B4200N blades.

Impact:
The HSB is non-functional and requires reinitialization, which happens when the BIG-IP system reboots; the reboot is triggered automatically when this condition occurs.

Workaround:
None.


373949-3 : Network failover without a management address causes active-active after unit1 reboot

Component: TMOS

Symptoms:
A device in a Device Service Cluster may erroneously claim Active status when it is rebooted. This results in an Active/Active situation, which may resolve itself by causing a failover.

Conditions:
If a Device Service Cluster is configured with only self-IPs for unicast network failover communication, or if the management network between the peers is unavailable, the device may not detect that the peer is active when it is starting up. When using only self-IPs, communication with the peers is disrupted while the TMM is starting up.

Impact:
Unexpected failover may cause traffic interruption.

Workaround:
Configuring multiple redundant network failover paths, including the management network, will reduce the possibility of this problem.


372139-2 : Manage Sessions are not showing correct current sessions on VIPRION chassis.

Component: Access Policy Manager

Symptoms:
Manage Sessions are not showing correct current sessions on VIPRION chassis.

Conditions:
This occurs using APM on VIPRION chassis.

Impact:
On the Admin Page, Access Policy, Manage Sessions, Current sessions is missing, which makes it difficult to find all the sessions to delete those sessions.

Workaround:
None.


370131-1 : Loading UCS with low GTM Autoconf Delay drops pool Members from config

Component: Global Traffic Manager

Symptoms:
Pool members loaded from the UCS are not in the configuration. If there are objects dependent on them, this may prevent the GTM config from loading completely.

Conditions:
GTM and LTM are enabled, Autoconf Delay is very low, there are GTM autoconfigured pool members from LTM virtual servers, and subsequently a UCS is loaded.

Impact:
GTM config loaded from the UCS might be overwritten and Pool Members might be lost from it.

Workaround:
bigstart stop gtmd during UCS load, or set the autoconf delay to be much higher than the time required to load the UCS.


369596-1 : show ltm pool doesn't show the most updated info

Component: TMOS

Symptoms:
'tmsh show ltm pool' command doesn't show the latest updates for connection and rate limits. The connection and rate limits do not get published to the UI until a monitor instantiates a state change on the pool member or node.

Conditions:
Configure a pool member or node to have connection or rate limits.

Impact:
Statistics displayed using tmsh may not be current.

Workaround:
First run 'tmsh show ltm pool members' to trigger an update.

Note: This does not impact the data path, it is only a UI issue.


369407-2 : Access policy objects are created inconsistently depending on whether created using wizard or manually.

Component: Access Policy Manager

Symptoms:
Network Access (NA) wizard policy incorrectly labels 'Advanced Resource Assign' as 'Resource Assign' in VPE.

Conditions:
This is evident when viewing the label following completion of the NA wizard.

Impact:
The label in the VPE is 'Resource Assign', where it should be 'Advanced Resource Assign'.

Workaround:
None.


369352-12 : No verification prompt when executing 'load sys config default' for resource administrator role

Component: TMOS

Symptoms:
When logged in as a resource administrator "load sys config default", which restores the configuration to factory defaults, doesn't prompt for verification as it should. If you execute the command from a normal administrator role you do get a prompt.

Conditions:
Login as a resource administrator
run "load sys config default"
restore begins without a verification prompt.

Impact:
System restore initiated without prompt when run as a resource administrator.

Workaround:
None.


368610-1 : TCP sends RST when regular close might succeed

Component: Local Traffic Manager

Symptoms:
A TCP connection closing due to a TCP::close iRule suddenly ABORTS with a "No Server Selected" RST cause.

Conditions:
iRules close the connection on an early TCL event, before a load balancing decision is made. There is no pool member available.

Impact:
The connection closes ungracefully.


366695-6 : Remove managers create/modify/delete ability from TMSH on GTM datacenters, links, servers, prober-pools, and topology errors incorrectly, and receive a database error when performed

Component: Global Traffic Manager (DNS)

Symptoms:
A "Manager" role has the ability to create/modify/delete GTM data centers, links, servers, prober pools, and topology objects from TMSH, but they do not have this permission in the database, so they get an error.

Conditions:
A user with the "Manager" role attempts to create/modify/delete a GTM data center, link, server, prober pool, or topology object.

Impact:
An error message is thrown.

Workaround:
The error thrown is correct, but users shouldn't be able to even get this far in tmsh.


360485-2 : Statistics for a lasthop pool member node may be inaccurate

Component: Local Traffic Manager

Symptoms:
Node statistics, especially after a statistics reset, may be too high for a node whose address is in a lasthop pool.

Conditions:
Lasthop pool configured.

Impact:
Inaccurate node stats. Cannot use conn limit on last hop pool member.

Workaround:
None.


352957-3 : Route lookup after change in route table on established flow ignores pool members

Component: Local Traffic Manager

Symptoms:
Established flows via Virtual Servers with iRules using the 'nexthop vlan addr' command to set the nexthop to a different address than the gateway returned in route lookup, or transparent flows to a pool member, might fail after a route table change, even if the change does not affect any of the addresses used in the flow.

Conditions:
An iRule with 'nexthop vlan addr' on the CLIENT_ACCEPTED state is added to a virtual server with pool members and the address in the nexthop command is different from the gateway.

Impact:
A flow established before a route table change may fail if the destination was set in an iRule using 'nexthop'. New flows established after the route table change work as expected.

Workaround:
Modify iRule to fire 'nexthop' on every client packet. If the flow has been modified due to a route change, then the next client packet that fires 'nexthop' will correct it.


351130-2 : iApp templates are visible with only vCMP provisioned.

Component: TMOS

Symptoms:
iApp templates are visible with only vCMP provisioned. Depending on the iApp template, other modules (for example, LTM or GTM) must also be provisioned. Although template authors can see the templates even with only vCMP provisioned, the application does not work unless the required modules are provisioned.

Conditions:
This occurs when vCMP is provisioned as Dedicated and an author makes changes in an iApp with the assumption that the functionality is available because the iApp is visible.

Impact:
iApps are visible that are inappropriate for the provisioning. The system posts an error message if the user attempts to create an app from that template.

Workaround:
Provision the modules needed for the iApp to work.


343455-2 : HTTP state management (cookie) mechanism may detect wrong version

Component: Local Traffic Manager

Symptoms:
The http state management mechanism erroneously makes use of attribute case to determine the level of client/server support (i.e. RFC2109 vs RFC2965). As a result, various cookie handling routines (e.g. HTTP::cookie) may not work as expected.

Conditions:
HTTP::cookie does not function as expected.

Impact:
iRules may not function as expected.


341928-2 : CMP enabled virtual servers which target CMP disabled virtual servers can crash TMM.

Component: Local Traffic Manager

Symptoms:
TMM daemon crashes with accompanying log message: Assertion 'cmp dest set on incorrect listener type' failed.

Conditions:
A CMP-enabled virtual server targets a CMP-disabled virtual server (e.g., via the 'virtual' iRule command).

Impact:
Failover or network outage.

Workaround:
Avoid use of CMP disabled virtual servers.


337934-14 : remoterole: attributes ending in 'role' or 'deny' will be parsed incorrectly

Component: TMOS

Symptoms:
The remoterole configurations in which one of the attributes ends in 'role' will have that attribute truncated. Also this could happen with an attribute that ends in 'deny' and has a deny directive.

Conditions:
remoterole attributes ending in 'role'. May also happen with attributes ending in 'deny'.

Impact:
Parsing truncates attributes.

Workaround:
Do not use remoterole configurations in which one of the attributes ends in 'role', or one that ends in 'deny' and has a deny directive.


246726-3 : System continues to process virtual server traffic after disabling virtual address

Component: Local Traffic Manager

Symptoms:
A virtual address is defined as the IP address with which you associate one or more virtual servers. A virtual server is represented by an IP address and a service. The BIG-IP system continues to process traffic for virtual servers after disabling the related virtual address.

Conditions:
When a virtual address is disabled in LTM, TMM still processes traffic for the virtual IP addresses on that virtual address. For example, if you define virtual servers of 10.10.10.2:80, and 10.10.10.2:443 on the BIG-IP system, then 10.10.10.2 is the virtual address. If you disable the virtual address of 10.10.10.2, the BIG-IP system continues to process traffic for the virtual servers.

Impact:
Traffic is still processed.

Workaround:
Disable virtual servers instead. For more information, see SOL8940: The BIG-IP system processes traffic for virtual servers after disabling the virtual address, available here: https://support.f5.com/csp/#/article/K8940


225634-6 : The rate class feature does not honor the Burst Size setting.

Component: Local Traffic Manager

Symptoms:
The rate class feature does not honor a Burst Size setting other than the default of 0 (zero).

The Burst Size setting is intended to specify the maximum number of bytes that traffic is allowed to burst beyond the base rate configured for the rate class. When the burst rate is set to zero, no bursting is allowed.

Conditions:
When using a non-default Burst Size setting for a single rate class, the setting does not have the intended effect of allowing traffic to burst beyond the base rate configured for the rate class. When using a non-default Burst Size setting for a rate class referencing a hierarchical rate class (a child class referencing a parent class), traffic processed by the rate class may cause TMM to panic and generate a core file.

Impact:
Traffic does not burst beyond the base rate configured for the rate class. In the case of hierarchical rate classes, the BIG-IP may temporarily fail to process traffic.

Workaround:
To work around this issue, you can disable the Burst Size setting by changing the value to zero. To do so, perform the following procedure:

Impact of workaround: None.

Log in to the Configuration utility.
Click Network.
Click Rate Shaping.
Click the appropriate rate class.
Change the Burst Size to 0.
Click Update.


225094-2 : When changing expired password, user is dictionary restricted even with password policy disabled

Component: TMOS

Symptoms:
If you are required to change your password because it has exceeded the Max Duration setting in Password Policy, you will be required to meet the minimum length requirements even if Password Policy is disabled, and even for the root account.

For more information on configuring secure password policy, see SOL5962: Configuring a secure password policy for the BIG-IP system (9.x - 10.x) at https://support.f5.com/kb/en-us/solutions/public/5000/900/sol5962.html

This known issue contradicts the statement in SOL5962 that it does not apply to root; it does apply to root when the Maximum Duration limit is exceeded.

Conditions:
This occurs when the Max Duration setting in password policy has been exceeded.

Impact:
You will be required to meet the minimum length requirements even if the password policy has been disabled.


224903-4 : CounterBasedGauge64 MIB values do not work with Network Management Systems. The MIB should be Gauge32.

Component: TMOS

Symptoms:
CounterBasedGauge64 MIB values do not work with Network Management Systems. The MIB should be Gauge32.

Conditions:
CounterBasedGauge64 MIB values.

Impact:
CounterBasedGauge64 MIB values do not work with Network Management Systems.

Workaround:
None.


222409-3 : The HTTP::path iRule command may return more information than expected

Component: Local Traffic Manager

Symptoms:
The HTTP::path iRule command is intended to return only the path of the HTTP request. However, if the HTTP request specifies an absolute URI for the request URI, the HTTP::path command returns the entire URI, which includes not only the path, but also any protocol scheme, host name, and port included in the request URI value.

The first line of an HTTP request from a client to a server is referred to as the request line. The request line begins with a method token, followed by the request URI and the protocol version. A typical HTTP request line appears similar to the following example:

GET /dir1/dir2/file.ext HTTP/1.1

In this example, the method token is GET, the resource URI is /dir1/dir2/file.ext, and the protocol version is HTTP/1.1.

Conditions:
However, some clients (most notably proxies) may send an HTTP request for the same resource by specifying the absolute URI in the request, which appears similar to the following example:

GET http://www.example.org:80/dir1/dir2/file.ext HTTP/1.1

In this example, the method token is GET, the resource URI is http://www.example.org:80/dir1/dir2/file.ext, and the protocol version is HTTP/1.1.

Impact:
The HTTP::path iRule command should return the following path value for both requests:

/dir1/dir2/file.ext

However, since the HTTP::path command actually returns the value of the request URI, the entire absolute URI is returned for the request in the second example, which specifies the following absolute URI in the request URI:

www.example.org:80/dir1/dir2/file.ext

Note: Both requests in the example above conform to the HTTP request specification as defined in Section 5 of RFC2616: HyperText Transfer Protocol.

Note: For more information about the HTTP::path iRule command, refer to HTTP::path on the F5 Networks DevCentral website. A separate DevCentral login is required to access this content; you will be redirected to authenticate or register if necessary.

Workaround:
You can work around this issue by parsing the path element from the return value for the HTTP::path command. To do so, use the following iRule wherever HTTP::path is called:

when HTTP_REQUEST {
    # URI::path extracts the path component from whatever HTTP::path returns,
    # so the result is the same for origin-form and absolute-form request URIs
    log local0. "Path: [URI::path [HTTP::path]]"
}
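The two request-line forms described in this entry, as an added example that is not part of the F5 release note: a small parser that returns the request URI verbatim (the behaviour this entry describes for HTTP::path) beside one that returns only the path for both origin-form and absolute-form requests. The request lines are constructed from the entry's own examples, and the function names are hypothetical.

```python
"""Added example (not from the release note): normalise an HTTP request-target
to its path component, which is what ID 222409 says HTTP::path should return.
Function names are hypothetical; sample request lines are constructed."""
from urllib.parse import urlsplit


def parse_request_line(line: str) -> tuple[str, str, str]:
    """Split a request line into (method, request-URI, protocol version)."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {line!r}")
    return parts[0], parts[1], parts[2]


def raw_request_target(line: str) -> str:
    """The request URI exactly as sent: for an absolute URI this includes
    scheme, host and port, which is the surplus information the note describes."""
    return parse_request_line(line)[1]


def request_path(line: str) -> str:
    """Path component only, for both request-URI forms from RFC 2616 section 5."""
    target = parse_request_line(line)[1]
    if target.startswith("/"):
        # origin-form: the target is already the path, possibly with a query
        return target.split("?", 1)[0]
    if "://" in target:
        # absolute-form (typically sent by proxies): drop scheme, host and port
        return urlsplit(target).path or "/"
    # "*" (OPTIONS) or authority-form (CONNECT) carry no path at all
    raise ValueError(f"request-URI has no path component: {target!r}")


# constructed sample input, mirroring the two examples in the note
ORIGIN_FORM = "GET /dir1/dir2/file.ext HTTP/1.1"
ABSOLUTE_FORM = "GET http://www.example.org:80/dir1/dir2/file.ext HTTP/1.1"

if __name__ == "__main__":
    for line in (ORIGIN_FORM, ABSOLUTE_FORM):
        print(f"{raw_request_target(line):48} -> {request_path(line)}")
```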


222034-5 : HTTP::respond in LB_FAILED with large header/body might result in truncated response

Component: Local Traffic Manager

Symptoms:
If HTTP::respond is called in LB_FAILED with large headers and/or body, the response might be truncated. The Content-Length header value is correct; it is the content itself that is truncated.

Conditions:
This issue occurs when all of the following conditions are met:
-- HTTP::respond is used in the LB_FAILED event to return a large response.
-- No other TCP data has been sent to the client.

Impact:
The response sent by the BIG-IP system will be truncated. For example, with slow-start enabled, and no data sent to the client yet, the response will be truncated after two packets. Other TCP profile configurations will truncate at different points.

Workaround:
To work around this issue, modify the iRule. For example, instead of directly using HTTP::respond inside of an LB_FAILED event, perform a 302 redirect to another URI, which can then be handled by an unaffected event. For more information, see K9456: Using the HTTP::respond iRule command in the LB_FAILED event may result in truncated responses, available here: https://support.f5.com/csp/#/article/K9456.




Generated: Fri May 12 11:54:52 2017 PDT
Copyright F5 Networks (2017) - All Rights Reserved